DevicePolicyManager
open class DevicePolicyManager
kotlin.Any | |
↳ | android.app.admin.DevicePolicyManager |
Manages device policy and restrictions applied to the user of the device or apps running on the device.
This class contains three types of methods:
- Those aimed at managing apps
- Those aimed at the Device Policy Management Role Holder
- Those aimed at apps which wish to respect device policy
The intended caller for each API is indicated in its Javadoc.
Managing Apps
Apps can be made capable of setting device policy ("Managing Apps") either by being set as a Device Administrator, being set as a Device Policy Controller, or by holding the appropriate Permissions.
A Device Administrator is an app which is able to enforce device policies that it has declared in its device admin XML file. An app can prompt the user to give it device administator privileges using the ACTION_ADD_DEVICE_ADMIN
action.
For more information about Device Administration, read the Device Administration developer guide.
Device Administrator apps can also be recognised as Device Policy Controllers. Device Policy Controllers can be one of two types:
- A Device Owner, which only ever exists on the
System User
or Main User, is the most powerful type of Device Policy Controller and can affect policy across the device. - A Profile Owner, which can exist on any user, can affect policy on the user it is on, and when it is running on
a profile
has limited ability to affect policy on its parent.
Additional capabilities can be provided to Device Policy Controllers in the following circumstances:
- A Profile Owner on an organization owned device has access to additional abilities, both affecting policy on the profile's parent and also the profile itself.
- A Profile Owner running on the
System User
has access to additional capabilities which affect theSystem User
and also the whole device. - A Profile Owner running on an affiliated user has capabilities similar to that of a Device Owner
For more information, see Building a Device Policy Controller.
Permissions are generally only given to apps fulfilling particular key roles on the device (such as managing device locks
).
Device Policy Management Role Holder
One app on the device fulfills the Device Policy Management Role and is trusted with managing the overall state of Device Policy. This has access to much more powerful methods than managing apps.
Querying Device Policy
In most cases, regular apps do not need to concern themselves with device policy, and restrictions will be enforced automatically. There are some cases where an app may wish to query device policy to provide a better user experience. Only a small number of policies allow apps to query them directly. These APIs will typically have no special required permissions.
Managed Provisioning
Managed Provisioning is the process of recognising an app as a Device Owner or Profile Owner. It involves presenting education and consent screens to the user to ensure they are aware of the capabilities this grants the Device Policy Controller
For more information on provisioning, see Building a Device Policy Controller.
A Managed Profile enables data separation. For example to use a device both for personal and corporate usage. The managed profile and its parent share a launcher.
Affiliation
Using the setAffiliationIds
method, a Device Owner can set a list of affiliation ids for the System User
. Any Profile Owner on the same device can also call setAffiliationIds
to set affiliation ids for the user
it is on. When there is the same ID present in both lists, the user is said to be "affiliated" and we can refer to the Profile Owner as a "profile owner on an affiliated user" or an "affiliated profile owner". Becoming affiliated grants the Profile Owner capabilities similar to that of the Device Owner. It also allows use of the #bindDeviceAdminServiceAsUser APIs for direct communication between the Device Owner and affiliated Profile Owners.
Organization Owned
An organization owned device is one which is not owned by the person making use of the device and is instead owned by an organization such as their employer or education provider. These devices are recognised as being organization owned either by the presence of a device owner or of aprofile which has a profile owner is marked
.
Profile owners running on an organization owned device can exercise additional capabilities using the getParentProfileInstance(android.content.ComponentName)
API which apply to the parent user. Each API will indicate if it is usable in this way.
Android Automotive
On "Android Automotive builds"
, some methods can throw "an exception"
if an action is unsafe (for example, if the vehicle is moving). Callers running on "Android Automotive builds"
should always check for this exception.
Requires the PackageManager#FEATURE_DEVICE_ADMIN
feature which can be detected using PackageManager.hasSystemFeature(String)
.
Summary
Nested classes | |
---|---|
abstract |
Callback used in |
abstract |
Callback used in |
Constants | |
---|---|
static String |
Activity action: ask the user to add a new device administrator to the system. |
static String |
Activity action: Starts the administrator to show policy compliance for the provisioning. |
static String |
Broadcast Action: Sent after application delegation scopes are changed. |
static String |
Activity action: launch the DPC to check policy compliance. |
static String |
Service action: Action for a service that device owner and profile owner can optionally own. |
static String |
Broadcast Action: Broadcast sent to indicate that the device financing state has changed. |
static String |
Broadcast action: sent when the device owner is set, changed or cleared. |
static String |
Broadcast action: notify system apps (e.g. settings, SysUI, etc) that the device management resources with IDs |
static String |
Activity action: Starts the administrator to get the mode for the provisioning. |
static String |
Broadcast Action: This broadcast is sent to indicate that provisioning of a managed profile has completed successfully. |
static String |
Broadcast action: sent when the profile owner is set, changed or cleared. |
static String |
Activity action: This activity action is sent to indicate that provisioning of a managed profile or managed device has completed successfully. |
static String |
Activity action: Starts the provisioning flow which sets up a managed device. |
static String |
Activity action: Starts the provisioning flow which sets up a managed profile. |
static String |
Activity action: have the user enter a new password for the parent profile. |
static String |
Activity action: have the user enter a new password. |
static String |
Activity action: begin the process of encrypting data on the device. |
static String |
Broadcast action: notify that a new local system update policy has been set by the device owner. |
static Int |
Indicates that content protection is controlled and disabled by a policy (default). |
static Int |
Indicates that content protection is controlled and enabled by a policy. |
static Int |
Indicates that content protection is not controlled by policy, allowing user to choose. |
static String |
Delegation of application restrictions management. |
static String |
Delegation of application uninstall block. |
static String |
Delegation of certificate installation and management. |
static String |
Grants access to selection of KeyChain certificates on behalf of requesting apps. |
static String |
Delegation for enabling system apps. |
static String |
Delegation for installing existing packages. |
static String |
Delegation of management of uninstalled packages. |
static String |
Grants access to |
static String |
Delegation of package access state. |
static String |
Delegation of permission policy and permission grant state. |
static String |
Grants access to |
static Int |
Result code for |
static Int |
Result code for |
static Int |
Result code for |
static Int |
Result code for |
static Int |
Result code for |
static Int |
Result code for |
static String |
An optional CharSequence providing additional explanation for why the admin is being added. |
static String |
An |
static String |
The ComponentName of the administrator component. |
static String |
A boolean extra for |
static String |
An integer indicating the complexity level of the new password an app would like the user to set when launching the action |
static String |
An |
static String |
A |
static String |
An |
static String |
A boolean extra indicating whether offline provisioning should be used. |
static String |
A ComponentName extra indicating the |
static String |
An int extra holding a minimum required version code for the device admin package. |
static String |
A String extra holding the URL-safe base64 encoded SHA-256 hash of the file at download location specified in |
static String |
A String extra holding a http cookie header which should be used in the http request to the url specified in |
static String |
A String extra holding a url that specifies the download location of the device admin package. |
static String |
A String extra holding the package name of the application that will be set as Device Policy Controller. |
static String |
A String extra holding the URL-safe base64 encoded SHA-256 checksum of any signature of the android package archive at the download location specified in |
static String |
A |
static String |
A |
static String |
A String extra of localized disclaimer header. |
static String | |
static String |
A string extra holding the IMEI (International Mobile Equipment Identity) of the device. |
static String |
Boolean extra to indicate that the |
static String |
A |
static String |
A Boolean extra that can be used by the mobile device management application to skip the disabling of system apps during provisioning when set to |
static String |
A String extra holding the |
static String |
A Long extra holding the wall clock time (in milliseconds) to be set on the device's |
static String |
A |
static String |
A integer extra indicating the predominant color to show during the provisioning. |
static String |
An intent extra holding the provisioning mode returned by the administrator. |
static String |
A boolean extra indicating the admin of a fully-managed device opts out of controlling permission grants for sensor-related permissions, see |
static String |
A string extra holding the serial number of the device. |
static String |
A boolean extra that determines whether the provisioning flow should launch the resulting launch intent, if one is supplied by the device policy management role holder via |
static String |
A boolean extra indicating if the education screens from the provisioning flow should be skipped. |
static String |
A boolean extra indicating whether device encryption can be skipped as part of provisioning. |
static String |
A boolean extra indicating if the user consent steps from the provisioning flow should be skipped. |
static String |
A String extra holding the time zone |
static String |
A boolean extra indicating if mobile data should be used during the provisioning flow for downloading the admin app. |
static String |
The anonymous identity of the wifi network in |
static String |
The CA certificate of the wifi network in |
static String |
The domain of the wifi network in |
static String |
The EAP method of the wifi network in |
static String |
A boolean extra indicating whether the wifi network in |
static String |
The identity of the wifi network in |
static String |
A String extra holding the proxy auto-config (PAC) URL for the wifi network in |
static String |
A String extra holding the password of the wifi network in |
static String |
The phase 2 authentication of the wifi network in |
static String |
A String extra holding the proxy bypass for the wifi network in |
static String |
A String extra holding the proxy host for the wifi network in |
static String |
An int extra holding the proxy port for the wifi network in |
static String |
A String extra indicating the security type of the wifi network in |
static String |
A String extra holding the ssid of the wifi network that should be used during nfc device owner provisioning for downloading the mobile device management application. |
static String |
The user certificate of the wifi network in |
static String |
An integer array extra for |
static String |
An |
static Int |
A |
static Int |
A |
static String |
An |
static Int |
Flag for |
static Int |
Flag used by |
static Int |
Flag used by |
static Int |
Specifies that the device should attest its manufacturer details. |
static Int |
Specifies that the device should attest its IMEI. |
static Int |
Specifies that the device should attest using an individual attestation certificate. |
static Int |
Specifies that the device should attest its MEID. |
static Int |
Specifies that the device should attest its serial number. |
static Int |
Specifies that the calling app should be granted access to the installed credentials immediately. |
static Int |
Specifies that a user can select the key via the Certificate Selection prompt. |
static Int |
Disable all biometric authentication on keyguard secure screens (e.g. PIN/Pattern/Password). |
static Int |
Disable face authentication on keyguard secure screens (e.g. PIN/Pattern/Password). |
static Int |
Disable all current and future keyguard customizations. |
static Int |
Widgets are enabled in keyguard |
static Int |
Disable fingerprint authentication on keyguard secure screens (e.g. PIN/Pattern/Password). |
static Int |
Disable iris authentication on keyguard secure screens (e.g. PIN/Pattern/Password). |
static Int |
Disable text entry into notifications on secure keyguard screens (e.g. PIN/Pattern/Password). |
static Int |
Disable the camera on secure keyguard screens (e.g. PIN/Pattern/Password) |
static Int |
Disable showing all notifications on secure keyguard screens (e.g. PIN/Pattern/Password) |
static Int |
Disable all keyguard shortcuts. |
static Int |
Disable trust agents on secure keyguard screens (e.g. PIN/Pattern/Password). |
static Int |
Only allow redacted notifications on secure keyguard screens (e.g. PIN/Pattern/Password) |
static Int |
Disable all keyguard widgets. |
static Int |
Flag used by |
static Int |
Enable blocking of non-allowlisted activities from being started into a locked task. |
static Int |
Enable the global actions dialog during LockTask mode. |
static Int |
Enable the Home button during LockTask mode. |
static Int |
Enable the keyguard during LockTask mode. |
static Int |
Disable all configurable SystemUI features during LockTask mode. |
static Int |
Enable notifications during LockTask mode. |
static Int |
Enable the Overview button and the Overview screen during LockTask mode. |
static Int |
Enable the system info area in the status bar during LockTask mode. |
static Int |
Flag used by |
static String |
This MIME type is used for starting the device owner provisioning. |
static Int |
Require that MTE be disabled on the device. |
static Int |
Require that MTE be enabled on the device, if supported. |
static Int |
Allow the user to choose whether to enable MTE on the device. |
static Int |
Indicates that nearby streaming is disabled. |
static Int |
Indicates that nearby streaming is enabled. |
static Int |
Indicates that nearby streaming is not controlled by policy, which means nearby streaming is allowed. |
static Int |
Indicates that nearby streaming is enabled only to devices offering a comparable level of security, with the same authenticated managed account. |
static Int |
Indicates that a |
static Int |
Constant for |
static Int |
Constant for |
static Int |
Constant for |
static Int |
Constant for |
static Int |
Constant for |
static Int |
Constant for |
static Int |
Constant for |
static Int |
Constant for |
static Int |
Constant for |
static Int |
Constant for |
static Int |
Constant for |
static Int |
Constant for |
static Int |
Runtime permission state: The user can manage the permission through the UI. |
static Int |
Runtime permission state: The permission is denied to the app and the user cannot manage the permission through the UI. |
static Int |
Runtime permission state: The permission is granted to the app and the user cannot manage the permission through the UI. |
static Int |
Permission policy to always deny new permission requests for runtime permissions. |
static Int |
Permission policy to always grant new permission requests for runtime permissions. |
static Int |
Permission policy to prompt user for new permission requests for runtime permissions. |
static Int |
Return value for |
static Int |
Flag for |
static Int |
Flag for |
static String |
Constant to indicate the feature of disabling the camera. |
static String |
Constant to indicate the feature of disabling screen captures. |
static Int |
Specifies that Private DNS was turned off completely. |
static Int |
Specifies that the device owner requested opportunistic DNS over TLS |
static Int |
Specifies that the device owner configured a specific host to use for Private DNS. |
static Int |
Specifies that the Private DNS setting is in an unknown state. |
static Int |
General failure to set the Private DNS mode, not due to one of the reasons listed above. |
static Int |
If the |
static Int |
The selected mode has been set successfully. |
static Int |
The provisioning mode for fully managed device. |
static Int |
The provisioning mode for managed profile. |
static Int |
The provisioning mode for a managed profile on a personal device. |
static Int |
Flag for |
static Int |
Flag for |
static Int |
Flag used by |
static Int |
Constant for |
static Int |
Constant for |
static Int |
Constant for |
static Int |
Constant for |
static Int |
Flag for |
static Int |
Flag for |
static Int |
Flag for |
static Int |
Flag for |
Public methods | |
---|---|
open Unit |
Called by a profile owner of an organization-owned managed profile to acknowledge that the device is compliant and the user can turn the profile off if needed according to the maximum time off policy. |
open Unit |
addCrossProfileIntentFilter(admin: ComponentName?, filter: IntentFilter!, flags: Int) Called by the profile owner of a managed profile so that some intents sent in the managed profile can also be resolved in the parent, or vice versa. |
open Boolean |
addCrossProfileWidgetProvider(admin: ComponentName?, packageName: String!) Called by the profile owner of a managed profile or a holder of the permission |
open Int |
addOverrideApn(admin: ComponentName, apnSetting: ApnSetting) Called by device owner or managed profile owner to add an override APN. |
open Unit |
addPersistentPreferredActivity(admin: ComponentName?, filter: IntentFilter!, activity: ComponentName) Called by a profile owner or device owner or holder of the permission |
open Unit |
addUserRestriction(admin: ComponentName, key: String!) Called by a profile owner, device owner or a holder of any permission that is associated with a user restriction to set a user restriction specified by the key. |
open Unit |
Called by a profile owner, device owner or a holder of any permission that is associated with a user restriction to set a user restriction specified by the provided |
open Boolean |
bindDeviceAdminServiceAsUser(admin: ComponentName, serviceIntent: Intent, conn: ServiceConnection, flags: Context.BindServiceFlags, targetUser: UserHandle) |
open Boolean |
bindDeviceAdminServiceAsUser(admin: ComponentName, serviceIntent: Intent, conn: ServiceConnection, flags: Int, targetUser: UserHandle) Called by a device owner to bind to a service from a secondary managed user or vice versa. |
open Boolean |
Returns true if the caller is running on a device where an admin can grant permissions related to device sensors. |
open Boolean |
Returns whether enabling or disabling USB data signaling is supported on the device. |
open Unit |
clearApplicationUserData(admin: ComponentName, packageName: String, executor: Executor, listener: DevicePolicyManager.OnClearApplicationUserDataListener) Called by the device owner or profile owner to clear application user data of a given package. |
open Unit |
Called by a profile owner of a managed profile to remove the cross-profile intent filters that go from the managed profile to the parent, or from the parent to the managed profile. |
open Unit |
clearDeviceOwnerApp(packageName: String!) Clears the current device owner. |
open Unit |
clearPackagePersistentPreferredActivities(admin: ComponentName?, packageName: String!) Called by a profile owner or device owner or holder of the permission |
open Unit |
clearProfileOwner(admin: ComponentName) Clears the active profile owner. |
open Boolean |
clearResetPasswordToken(admin: ComponentName?) Called by a profile, device owner or holder of the permission |
open Unit |
clearUserRestriction(admin: ComponentName, key: String!) Called by a profile owner, device owner or a holder of any permission that is associated with a user restriction to clear a user restriction specified by the key. |
open Intent! |
createAdminSupportIntent(restriction: String) Called by any app to display a support dialog when a feature was disabled by an admin. |
open UserHandle? |
createAndManageUser(admin: ComponentName, name: String, profileOwner: ComponentName, adminExtras: PersistableBundle?, flags: Int) Called by a device owner to create a user with the specified name and a given component of the calling package as profile owner. |
open Int |
enableSystemApp(admin: ComponentName, intent: Intent!) Re-enable system apps by intent that were disabled by default when the user was initialized. |
open Unit |
enableSystemApp(admin: ComponentName, packageName: String!) Re-enable a system app that was disabled by default when the user was initialized. |
open AttestedKeyPair! |
generateKeyPair(admin: ComponentName?, algorithm: String, keySpec: KeyGenParameterSpec, idAttestationFlags: Int) This API can be called by the following to generate a new private/public key pair:
|
open Array<String!>? |
Gets the array of accounts for which account management is disabled by the profile owner or device owner. |
open MutableList<ComponentName!>? |
Return a list of all currently active device administrators' component names. |
open MutableSet<String!> |
getAffiliationIds(admin: ComponentName) Returns the set of affiliation ids previously set via |
open MutableSet<String!>? |
Called by device or profile owner to query the set of packages that are allowed to access the network directly when always-on VPN is in lockdown mode but not connected. |
open String? |
getAlwaysOnVpnPackage(admin: ComponentName) Called by a device or profile owner to read the name of the package administering an always-on VPN connection for the current user. |
open Bundle |
getApplicationRestrictions(admin: ComponentName?, packageName: String!) Retrieves the application restrictions for a given target application running in the calling user. |
open String? |
Called by a profile owner or device owner to retrieve the application restrictions managing package for the current user, or |
open Boolean |
getAutoTimeEnabled(admin: ComponentName?) Returns true if auto time is enabled on the device. |
open Boolean | |
open Boolean |
getAutoTimeZoneEnabled(admin: ComponentName?) Returns true if auto time zone is enabled on the device. |
open MutableList<UserHandle!> |
Returns the list of target users that the calling device owner or owner of secondary user can use when calling #bindDeviceAdminServiceAsUser. |
open Boolean |
Called by a profile owner of a managed profile to determine whether or not Bluetooth devices cannot access enterprise contacts. |
open Boolean |
getCameraDisabled(admin: ComponentName?) Determine whether or not the device's cameras have been disabled for this user, either by the calling admin, if specified, or all admins. |
open String? |
getCertInstallerPackage(admin: ComponentName) Called by a profile owner or device owner to retrieve the certificate installer for the user, or |
open Int |
getContentProtectionPolicy(admin: ComponentName?) Returns the current content protection policy. |
open PackagePolicy? |
Called by a device owner or profile owner of a managed profile to retrieve the credential manager policy. |
open MutableSet<String!>? |
Gets a set of package names that are allowed to access cross-profile calendar APIs. |
open Boolean |
Called by a profile owner of a managed profile to determine whether or not caller-Id information has been disabled. |
open Boolean |
Called by a profile owner of a managed profile to determine whether or not contacts search has been disabled. |
open MutableSet<String!> |
getCrossProfilePackages(admin: ComponentName) Returns the set of package names that the admin has previously set as allowed to request user consent for cross-profile communication, via |
open MutableList<String!> |
Called by the profile owner of a managed profile or a holder of the permission |
open Int |
Retrieve the number of times the user has failed at entering a password since that last successful password entry. |
open MutableList<String!>? |
getDelegatePackages(admin: ComponentName, delegationScope: String) Called by a profile owner or device owner to retrieve a list of delegate packages that were granted a delegation scope. |
open MutableList<String!> |
getDelegatedScopes(admin: ComponentName?, delegatedPackage: String) Called by a profile owner or device owner to retrieve a list of the scopes given to a delegate package. |
open CharSequence! | |
open String? |
Returns the package name of the device policy management role holder. |
open CharSequence! |
Returns the user session end message. |
open String |
Returns an enrollment-specific identifier of this device, which is guaranteed to be the same value for the same device, enrolled into the same organization by the same managing app. |
open FactoryResetProtectionPolicy? |
Callable by device owner or profile owner of an organization-owned device, to retrieve the current factory reset protection (FRP) policy set previously by |
open String? |
getGlobalPrivateDnsHost(admin: ComponentName) Returns the system-wide Private DNS host. |
open Int |
getGlobalPrivateDnsMode(admin: ComponentName) Returns the system-wide Private DNS mode. |
open MutableList<ByteArray!> |
getInstalledCaCerts(admin: ComponentName?) Returns all CA certificates that are currently trusted, excluding system CA certificates. |
open MutableList<String!>? |
getKeepUninstalledPackages(admin: ComponentName?) Get the list of apps to keep around as APKs even if no user has currently installed it. |
open MutableMap<Int!, MutableSet<String!>!> |
getKeyPairGrants(alias: String) Called by a device or profile owner, or delegated certificate chooser (an app that has been delegated the |
open Int |
getKeyguardDisabledFeatures(admin: ComponentName?) Determine whether or not features have been disabled in keyguard either by the calling admin, if specified, or all admins that set restrictions on this user and its participating profiles. |
open Int |
getLockTaskFeatures(admin: ComponentName?) Gets which system features are enabled for LockTask mode. |
open Array<String!> |
getLockTaskPackages(admin: ComponentName?) Returns the list of packages allowed to start the lock task mode. |
open CharSequence? |
getLongSupportMessage(admin: ComponentName) Called by a device admin to get the long support message. |
open PackagePolicy? |
Called by a profile owner of a managed profile to retrieve the caller id policy. |
open PackagePolicy? |
Called by a profile owner of a managed profile to determine the current policy applied to managed profile contacts. |
open Long |
Called by a profile owner of an organization-owned managed profile to get maximum time the profile is allowed to be turned off. |
open ManagedSubscriptionsPolicy |
Returns the current |
open Int |
Retrieve the current maximum number of login attempts that are allowed before the device or profile is wiped, for a particular admin or all admins that set restrictions on this user and its participating profiles. |
open Long |
getMaximumTimeToLock(admin: ComponentName?) Retrieve the current maximum time to unlock for a particular admin or all admins that set restrictions on this user and its participating profiles. |
open MutableList<String!> |
Called by a device or profile owner to retrieve the list of packages which are restricted by the admin from using metered data. |
open Int |
Returns the current Wi-Fi minimum security level. |
open Int |
Called by a device owner, profile owner of an organization-owned device to get the Memory Tagging Extension (MTE) policy Learn more about MTE |
open Int |
Returns the current runtime nearby app streaming policy set by the device or profile owner. |
open Int |
Returns the current runtime nearby notification streaming policy set by the device or profile owner. |
open Int |
getOrganizationColor(admin: ComponentName) Called by a profile owner of a managed profile to retrieve the color used for customization. |
open CharSequence? |
getOrganizationName(admin: ComponentName?) Called by the device owner (since API 26) or profile owner (since API 24) or holders of the permission |
open MutableList<ApnSetting!>! |
getOverrideApns(admin: ComponentName) Called by device owner or managed profile owner to get all override APNs inserted by device owner or managed profile owner previously using |
open DevicePolicyManager |
Called by the profile owner of a managed profile to obtain a |
open Int |
Returns how complex the current user's screen lock is. |
open Long |
getPasswordExpiration(admin: ComponentName?) Get the current password expiration time for a particular admin or all admins that set restrictions on this user and its participating profiles. |
open Long |
Get the password expiration timeout for the given admin. |
open Int |
getPasswordHistoryLength(admin: ComponentName?) Retrieve the current password history length for a particular admin or all admins that set restrictions on this user and its participating profiles. |
open Int |
getPasswordMaximumLength(quality: Int) Return the maximum password length that the device supports for a particular password quality. |
open Int |
getPasswordMinimumLength(admin: ComponentName?) Retrieve the current minimum password length for a particular admin or all admins that set restrictions on this user and its participating profiles. |
open Int |
getPasswordMinimumLetters(admin: ComponentName?) Retrieve the current number of letters required in the password for a particular admin or all admins that set restrictions on this user and its participating profiles. |
open Int |
getPasswordMinimumLowerCase(admin: ComponentName?) Retrieve the current number of lower case letters required in the password for a particular admin or all admins that set restrictions on this user and its participating profiles. |
open Int |
getPasswordMinimumNonLetter(admin: ComponentName?) Retrieve the current number of non-letter characters required in the password for a particular admin or all admins that set restrictions on this user and its participating profiles. |
open Int |
getPasswordMinimumNumeric(admin: ComponentName?) Retrieve the current number of numerical digits required in the password for a particular admin or all admins that set restrictions on this user and its participating profiles. |
open Int |
getPasswordMinimumSymbols(admin: ComponentName?) Retrieve the current number of symbols required in the password for a particular admin or all admins that set restrictions on this user and its participating profiles. |
open Int |
getPasswordMinimumUpperCase(admin: ComponentName?) Retrieve the current number of upper case letters required in the password for a particular admin or all admins that set restrictions on this user and its participating profiles. |
open Int |
getPasswordQuality(admin: ComponentName?) Retrieve the current minimum password quality for a particular admin or all admins that set restrictions on this user and its participating profiles. |
open SystemUpdateInfo? |
getPendingSystemUpdate(admin: ComponentName?) Get information about a pending system update. |
open Int |
getPermissionGrantState(admin: ComponentName?, packageName: String, permission: String) Returns the current grant state of a runtime permission for a specific application. |
open Int |
getPermissionPolicy(admin: ComponentName!) Returns the current runtime permission policy set by the device or profile owner. |
open MutableList<String!>? |
Returns the list of permitted accessibility services set by this device or profile owner. |
open MutableList<String!>? |
Returns the list of packages installed on the primary user that allowed to use a |
open MutableList<String!>? |
getPermittedInputMethods(admin: ComponentName?) Returns the list of permitted input methods set by this device or profile owner. |
open Int |
Called by profile owner of an organization-owned managed profile to check whether personal apps are suspended. |
open MutableList<PreferentialNetworkServiceConfig!> |
Get preferential network configuration {@see PreferentialNetworkServiceConfig} |
open Int |
Gets the password complexity requirement set by |
open Long |
Determine for how long the user will be able to use secondary, non strong auth for authentication, since last strong method authentication (password, pin or pattern) was used. |
open DevicePolicyResourcesManager |
Returns a |
open Boolean |
getScreenCaptureDisabled(admin: ComponentName?) Determine whether or not screen capture has been disabled by the calling admin, if specified, or all admins. |
open MutableList<UserHandle!>! |
getSecondaryUsers(admin: ComponentName) Called by a device owner to list all secondary users on the device. |
open CharSequence! |
getShortSupportMessage(admin: ComponentName?) Called by a device admin or holder of the permission |
open CharSequence! |
Returns the user session start message. |
open Boolean |
getStorageEncryption(admin: ComponentName?) |
open Int |
Called by an application that is administering the device to determine the current encryption status of the device. |
open MutableSet<Int!> |
Returns the subscription ids of all subscriptions which were downloaded by the calling admin. |
open SystemUpdatePolicy? |
Retrieve a local system update policy set previously by |
open PersistableBundle? |
Returns the data passed from the current administrator to the new administrator during an ownership transfer. |
open MutableList<PersistableBundle!>? |
getTrustAgentConfiguration(admin: ComponentName?, agent: ComponentName) Gets configuration for the given trust agent based on aggregating all calls to |
open MutableList<String!> |
Returns the list of packages over which user control is disabled by a device or profile owner or holders of the permission |
open Bundle |
getUserRestrictions(admin: ComponentName) Called by an admin to get user restrictions set by themselves with |
open Bundle |
Called by a profile or device owner to get global user restrictions set with |
open String? |
getWifiMacAddress(admin: ComponentName?) Called by a device owner or profile owner on organization-owned device to get the MAC address of the Wi-Fi device. |
open WifiSsidPolicy? |
Returns the current Wi-Fi SSID policy. |
open Boolean |
grantKeyPairToApp(admin: ComponentName?, alias: String, packageName: String) Called by a device or profile owner, or delegated certificate chooser (an app that has been delegated the |
open Boolean |
grantKeyPairToWifiAuth(alias: String) Called by a device or profile owner, or delegated certificate chooser (an app that has been delegated the |
open Boolean |
hasCaCertInstalled(admin: ComponentName?, certBuffer: ByteArray!) Returns whether this certificate is installed as a trusted CA. |
open Boolean |
hasGrantedPolicy(admin: ComponentName, usesPolicy: Int) Returns true if an administrator has been granted a particular device policy. |
open Boolean |
hasKeyPair(alias: String) This API can be called by the following to query whether a certificate and private key are installed under a given alias:
android.security.AppUriAuthenticationPolicy .
|
open Boolean |
Called by a device owner or a profile owner of an organization-owned managed profile to determine whether the user is prevented from modifying networks configured by the admin. |
open Boolean |
installCaCert(admin: ComponentName?, certBuffer: ByteArray!) Installs the given certificate as a user CA. |
open Boolean |
installExistingPackage(admin: ComponentName, packageName: String!) Install an existing package that has been installed in another user, or has been kept after removal via |
open Boolean |
installKeyPair(admin: ComponentName?, privKey: PrivateKey, cert: Certificate, alias: String) This API can be called by the following to install a certificate and corresponding private key:
|
open Boolean |
installKeyPair(admin: ComponentName?, privKey: PrivateKey, certs: Array<Certificate!>, alias: String, requestAccess: Boolean) This API can be called by the following to install a certificate chain and corresponding private key for the leaf certificate:
|
open Boolean |
installKeyPair(admin: ComponentName?, privKey: PrivateKey, certs: Array<Certificate!>, alias: String, flags: Int) This API can be called by the following to install a certificate chain and corresponding private key for the leaf certificate:
|
open Unit |
installSystemUpdate(admin: ComponentName?, updateFilePath: Uri, executor: Executor, callback: DevicePolicyManager.InstallSystemUpdateCallback) Called by device owner or profile owner of an organization-owned managed profile to install a system update from the given file. |
open Boolean |
Determines whether the calling user's current password meets policy requirements (e.g. quality, minimum length). |
open Boolean |
Called by profile owner of a managed profile to determine whether the current device password meets policy requirements set explicitly device-wide. |
open Boolean |
isAdminActive(admin: ComponentName) Return true if the given administrator component is currently active (enabled) in the system. |
open Boolean |
Returns whether this user is affiliated with the device. |
open Boolean |
Called by device or profile owner to query whether current always-on VPN is configured in lockdown mode. |
open Boolean |
isApplicationHidden(admin: ComponentName?, packageName: String!) Determine if a package is hidden. |
open Boolean |
isBackupServiceEnabled(admin: ComponentName) Return whether the backup service is enabled by the device owner or profile owner for the current user, as previously set by |
open Boolean |
Called by any application to find out whether it has been granted permission via |
open Boolean |
isCommonCriteriaModeEnabled(admin: ComponentName?) Returns whether Common Criteria mode is currently enabled. |
open Boolean |
Called by a profile owner of an organization-owned managed profile to query whether it needs to acknowledge device compliance to allow the user to turn the profile off if needed according to the maximum profile time off policy. |
open Boolean |
Returns |
open Boolean |
Returns |
open Boolean |
isDeviceOwnerApp(packageName: String!) Used to determine if a particular package has been registered as a Device Owner app. |
open Boolean |
isEphemeralUser(admin: ComponentName) Checks if the profile owner is running in an ephemeral user. |
open Boolean |
isKeyPairGrantedToWifiAuth(alias: String) Called by a device or profile owner, or delegated certificate chooser (an app that has been delegated the |
open Boolean |
isLockTaskPermitted(pkg: String!) This function lets the caller know whether the given component is allowed to start the lock task mode. |
open Boolean |
Returns whether logout is enabled by a device owner. |
open Boolean |
isManagedProfile(admin: ComponentName) Return if this user is a managed profile of another user. |
open Boolean |
isMasterVolumeMuted(admin: ComponentName) Called by profile or device owners to check whether the global volume mute is on or off. |
open static Boolean |
Get the current MTE state of the device. |
open Boolean |
isNetworkLoggingEnabled(admin: ComponentName?) Return whether network logging is enabled by a device owner or profile owner of a managed profile. |
open Boolean |
Apps can use this method to find out if the device was provisioned as organization-owend device with a managed profile. |
open Boolean |
isOverrideApnEnabled(admin: ComponentName) Called by device owner to check if override APNs are currently enabled. |
open Boolean |
isPackageSuspended(admin: ComponentName?, packageName: String!) Determine if a package is suspended. |
open Boolean |
Indicates whether preferential network service is enabled. |
open Boolean |
isProfileOwnerApp(packageName: String!) Used to determine if a particular package is registered as the profile owner for the user. |
open Boolean |
isProvisioningAllowed(action: String) Returns whether it is possible for the caller to initiate provisioning of a managed profile or device, setting itself as the device or profile owner. |
open Boolean |
isResetPasswordTokenActive(admin: ComponentName?) Called by a profile, device owner or a holder of the permission |
open Boolean |
isSafeOperation(reason: Int) Checks if it's safe to run operations that can be affected by the given |
open Boolean |
isSecurityLoggingEnabled(admin: ComponentName?) Return whether security logging is enabled or not by the admin. |
open Boolean |
Returns whether the status bar is disabled/enabled, see |
open Boolean |
isUninstallBlocked(admin: ComponentName?, packageName: String!) Check whether the user has been blocked by device policy from uninstalling a package. |
open Boolean |
Returns |
open Boolean |
Returns whether USB data signaling is currently enabled. |
open Boolean |
isUsingUnifiedPassword(admin: ComponentName) When called by a profile owner of a managed profile returns true if the profile uses unified challenge with its parent user. |
open MutableList<UserHandle!> |
Gets the list of |
open Unit |
lockNow() Make the device lock immediately, as if the lock screen timeout has expired at the point of this call. |
open Unit |
Make the device lock immediately, as if the lock screen timeout has expired at the point of this call. |
open Int |
logoutUser(admin: ComponentName) Called by a profile owner of secondary user that is affiliated with the device to stop the calling user and switch back to primary user (when the user was |
open Unit |
reboot(admin: ComponentName) Called by device owner to reboot the device. |
open Unit |
removeActiveAdmin(admin: ComponentName) Remove a current administration component. |
open Boolean |
removeCrossProfileWidgetProvider(admin: ComponentName?, packageName: String!) Called by the profile owner of a managed profile or a holder of the permission |
open Boolean |
removeKeyPair(admin: ComponentName?, alias: String) This API can be called by the following to remove a certificate and private key pair installed under a given alias:
|
open Boolean |
removeOverrideApn(admin: ComponentName, apnId: Int) Called by device owner or managed profile owner to remove an override APN. |
open Boolean |
removeUser(admin: ComponentName, userHandle: UserHandle) Called by a device owner to remove a user/profile and all associated data. |
open Boolean |
requestBugreport(admin: ComponentName) Called by a device owner to request a bugreport. |
open Boolean |
resetPassword(password: String!, flags: Int) Force a new password for device unlock (the password needed to access the entire device) or the work profile challenge on the current user. |
open Boolean |
resetPasswordWithToken(admin: ComponentName?, password: String!, token: ByteArray!, flags: Int) Called by device or profile owner to force set a new device unlock password or a managed profile challenge on current user. |
open MutableList<NetworkEvent!>? |
retrieveNetworkLogs(admin: ComponentName?, batchToken: Long) Called by device owner, profile owner of a managed profile or delegated app with |
open MutableList<SecurityLog.SecurityEvent!>? |
Called by device owner or profile owner of an organization-owned managed profile to retrieve device logs from before the device's last reboot. |
open MutableList<SecurityLog.SecurityEvent!>? |
retrieveSecurityLogs(admin: ComponentName?) Called by device owner or profile owner of an organization-owned managed profile to retrieve all new security logging entries since the last call to this API after device boots. |
open Boolean |
revokeKeyPairFromApp(admin: ComponentName?, alias: String, packageName: String) Called by a device or profile owner, or delegated certificate chooser (an app that has been delegated the |
open Boolean |
revokeKeyPairFromWifiAuth(alias: String) Called by a device or profile owner, or delegated certificate chooser (an app that has been delegated the |
open Unit |
setAccountManagementDisabled(admin: ComponentName?, accountType: String!, disabled: Boolean) Called by a device owner or profile owner to disable account management for a specific type of account. |
open Unit |
setAffiliationIds(admin: ComponentName, ids: MutableSet<String!>) Indicates the entity that controls the device. |
open Unit |
setAlwaysOnVpnPackage(admin: ComponentName, vpnPackage: String?, lockdownEnabled: Boolean) Called by a device or profile owner to configure an always-on VPN connection through a specific application for the current user. |
open Unit |
setAlwaysOnVpnPackage(admin: ComponentName, vpnPackage: String?, lockdownEnabled: Boolean, lockdownAllowlist: MutableSet<String!>?) A version of |
open Boolean |
setApplicationHidden(admin: ComponentName?, packageName: String!, : Boolean) Hide or unhide packages. |
open Unit |
setApplicationRestrictions(admin: ComponentName?, packageName: String!, settings: Bundle!) Sets the application restrictions for a given target application running in the calling user. |
open Unit |
setApplicationRestrictionsManagingPackage(admin: ComponentName, packageName: String?) Called by a profile owner or device owner to grant permission to a package to manage application restrictions for the calling user via |
open Unit |
setAutoTimeEnabled(admin: ComponentName?, enabled: Boolean) Called by a device owner, a profile owner for the primary user or a profile owner of an organization-owned managed profile to turn auto time on and off. |
open Unit |
setAutoTimeRequired(admin: ComponentName, required: Boolean) Called by a device owner, or alternatively a profile owner from Android 8. |
open Unit |
setAutoTimeZoneEnabled(admin: ComponentName?, enabled: Boolean) Called by a device owner, a profile owner for the primary user or a profile owner of an organization-owned managed profile to turn auto time zone on and off. |
open Unit |
setBackupServiceEnabled(admin: ComponentName, enabled: Boolean) Allows the device owner or profile owner to enable or disable the backup service. |
open Unit |
setBluetoothContactSharingDisabled(admin: ComponentName, disabled: Boolean) Called by a profile owner of a managed profile to set whether bluetooth devices can access enterprise contacts. |
open Unit |
setCameraDisabled(admin: ComponentName?, disabled: Boolean) Called by an application that is administering the device to disable all cameras on the device, for this user. |
open Unit |
setCertInstallerPackage(admin: ComponentName, installerPackage: String?) Called by a profile owner or device owner to grant access to privileged certificate manipulation APIs to a third-party certificate installer app. |
open Unit |
setCommonCriteriaModeEnabled(admin: ComponentName?, enabled: Boolean) Called by device owner or profile owner of an organization-owned managed profile to toggle Common Criteria mode for the device. |
open Unit |
setConfiguredNetworksLockdownState(admin: ComponentName?, lockdown: Boolean) Called by a device owner or a profile owner of an organization-owned managed profile to control whether the user can change networks configured by the admin. |
open Unit |
setContentProtectionPolicy(admin: ComponentName?, policy: Int) Sets the content protection policy which controls scanning for deceptive apps. |
open Unit |
setCredentialManagerPolicy(policy: PackagePolicy?) Called by a device owner or profile owner of a managed profile to set the credential manager policy. |
open Unit |
setCrossProfileCalendarPackages(admin: ComponentName, packageNames: MutableSet<String!>?) Allows a set of packages to access cross-profile calendar APIs. |
open Unit |
setCrossProfileCallerIdDisabled(admin: ComponentName, disabled: Boolean) Called by a profile owner of a managed profile to set whether caller-Id information from the managed profile will be shown in the parent profile, for incoming calls. |
open Unit |
setCrossProfileContactsSearchDisabled(admin: ComponentName, disabled: Boolean) Called by a profile owner of a managed profile to set whether contacts search from the managed profile will be shown in the parent profile, for incoming calls. |
open Unit |
setCrossProfilePackages(admin: ComponentName, packageNames: MutableSet<String!>) Sets the set of admin-allowlisted package names that are allowed to request user consent for cross-profile communication. |
open Unit |
setDefaultDialerApplication(packageName: String) Must be called by a device owner or a profile owner of an organization-owned managed profile to set the default dialer application for the calling user. |
open Unit |
setDefaultSmsApplication(admin: ComponentName?, packageName: String) Must be called by a device owner or a profile owner of an organization-owned managed profile to set the default SMS application. |
open Unit |
setDelegatedScopes(admin: ComponentName, delegatePackage: String, scopes: MutableList<String!>) Called by a profile owner or device owner to grant access to privileged APIs to another app. |
open Unit |
setDeviceOwnerLockScreenInfo(admin: ComponentName, info: CharSequence!) Sets the device owner information to be shown on the lock screen. |
open Unit |
setEndUserSessionMessage(admin: ComponentName, endUserSessionMessage: CharSequence?) Called by a device owner to specify the user session end message. |
open Unit |
setFactoryResetProtectionPolicy(admin: ComponentName?, policy: FactoryResetProtectionPolicy?) Callable by device owner or profile owner of an organization-owned device, to set a factory reset protection (FRP) policy. |
open Int |
Sets the global Private DNS mode to opportunistic. |
open Int |
setGlobalPrivateDnsModeSpecifiedHost(admin: ComponentName, privateDnsHost: String) Sets the global Private DNS host to be used. |
open Unit |
setGlobalSetting(admin: ComponentName, setting: String!, value: String!) This method is mostly deprecated. |
open Unit |
setKeepUninstalledPackages(admin: ComponentName?, packageNames: MutableList<String!>) Set a list of apps to keep around as APKs even if no user has currently installed it. |
open Boolean |
setKeyPairCertificate(admin: ComponentName?, alias: String, certs: MutableList<Certificate!>, isUserSelectable: Boolean) This API can be called by the following to associate certificates with a key pair that was generated using
|
open Boolean |
setKeyguardDisabled(admin: ComponentName, disabled: Boolean) Called by a device owner or profile owner of secondary users that is affiliated with the device to disable the keyguard altogether. |
open Unit |
setKeyguardDisabledFeatures(admin: ComponentName?, which: Int) Called by an application that is administering the device to disable keyguard customizations, such as widgets. |
open Unit |
setLocationEnabled(admin: ComponentName, locationEnabled: Boolean) Called by device owners to set the user's global location setting. |
open Unit |
setLockTaskFeatures(admin: ComponentName?, flags: Int) Sets which system features are enabled when the device runs in lock task mode. |
open Unit |
setLockTaskPackages(admin: ComponentName?, packages: Array<String!>) Sets which packages may enter lock task mode. |
open Unit |
setLogoutEnabled(admin: ComponentName, enabled: Boolean) Called by a device owner to specify whether logout is enabled for all secondary users. |
open Unit |
setLongSupportMessage(admin: ComponentName, message: CharSequence?) Called by a device admin to set the long support message. |
open Unit |
Called by a profile owner of a managed profile to set the packages that are allowed to lookup contacts in the managed profile based on caller id information. |
open Unit |
Called by a profile owner of a managed profile to set the packages that are allowed access to the managed profile contacts from the parent user. |
open Unit |
setManagedProfileMaximumTimeOff(admin: ComponentName, timeoutMillis: Long) Called by a profile owner of an organization-owned managed profile to set maximum time the profile is allowed to be turned off. |
open Unit |
Called by a profile owner of an organization-owned device to specify |
open Unit |
setMasterVolumeMuted(admin: ComponentName, on: Boolean) Called by profile or device owners to set the global volume mute on or off. |
open Unit |
setMaximumFailedPasswordsForWipe(admin: ComponentName?, num: Int) Setting this to a value greater than zero enables a policy that will perform a device or profile wipe after too many incorrect device-unlock passwords have been entered. |
open Unit |
setMaximumTimeToLock(admin: ComponentName?, timeMs: Long) Called by an application that is administering the device to set the maximum time for user activity until the device will lock. |
open MutableList<String!> |
setMeteredDataDisabledPackages(admin: ComponentName, packageNames: MutableList<String!>) Called by a device or profile owner to restrict packages from using metered data. |
open Unit |
Called by device owner or profile owner of an organization-owned managed profile to specify the minimum security level required for Wi-Fi networks. |
open Unit |
setMtePolicy(policy: Int) Called by a device owner, profile owner of an organization-owned device, to set the Memory Tagging Extension (MTE) policy. |
open Unit |
setNearbyAppStreamingPolicy(policy: Int) Called by a device/profile owner to set nearby app streaming policy. |
open Unit |
setNearbyNotificationStreamingPolicy(policy: Int) Called by a device/profile owner to set nearby notification streaming policy. |
open Unit |
setNetworkLoggingEnabled(admin: ComponentName?, enabled: Boolean) Called by a device owner, profile owner of a managed profile or delegated app with |
open Unit |
setOrganizationColor(admin: ComponentName, color: Int) Called by a profile owner of a managed profile to set the color used for customization. |
open Unit |
setOrganizationId(enterpriseId: String) Sets the Enterprise ID for the work profile or managed device. |
open Unit |
setOrganizationName(admin: ComponentName?, title: CharSequence?) Called by the device owner (since API 26) or profile owner (since API 24) to set the name of the organization under management. |
open Unit |
setOverrideApnsEnabled(admin: ComponentName, enabled: Boolean) Called by device owner to set if override APNs should be enabled. |
open Array<String!> |
setPackagesSuspended(admin: ComponentName?, packageNames: Array<String!>, suspended: Boolean) Called by device or profile owners to suspend packages for this user. |
open Unit |
setPasswordExpirationTimeout(admin: ComponentName?, timeout: Long) Called by a device admin to set the password expiration timeout. |
open Unit |
setPasswordHistoryLength(admin: ComponentName, length: Int) Called by an application that is administering the device to set the length of the password history. |
open Unit |
setPasswordMinimumLength(admin: ComponentName, length: Int) Called by an application that is administering the device to set the minimum allowed password length. |
open Unit |
setPasswordMinimumLetters(admin: ComponentName, length: Int) Called by an application that is administering the device to set the minimum number of letters required in the password. |
open Unit |
setPasswordMinimumLowerCase(admin: ComponentName, length: Int) Called by an application that is administering the device to set the minimum number of lower case letters required in the password. |
open Unit |
setPasswordMinimumNonLetter(admin: ComponentName, length: Int) Called by an application that is administering the device to set the minimum number of non-letter characters (numerical digits or symbols) required in the password. |
open Unit |
setPasswordMinimumNumeric(admin: ComponentName, length: Int) Called by an application that is administering the device to set the minimum number of numerical digits required in the password. |
open Unit |
setPasswordMinimumSymbols(admin: ComponentName, length: Int) Called by an application that is administering the device to set the minimum number of symbols required in the password. |
open Unit |
setPasswordMinimumUpperCase(admin: ComponentName, length: Int) Called by an application that is administering the device to set the minimum number of upper case letters required in the password. |
open Unit |
setPasswordQuality(admin: ComponentName, quality: Int) Called by an application that is administering the device to set the password restrictions it is imposing. |
open Boolean |
setPermissionGrantState(admin: ComponentName?, packageName: String, permission: String, grantState: Int) Sets the grant state of a runtime permission for a specific application. |
open Unit |
setPermissionPolicy(admin: ComponentName, policy: Int) Set the default response for future runtime permission requests by applications. |
open Boolean |
setPermittedAccessibilityServices(admin: ComponentName, packageNames: MutableList<String!>!) Called by a profile or device owner to set the permitted |
open Boolean |
setPermittedCrossProfileNotificationListeners(admin: ComponentName, packageList: MutableList<String!>?) Called by a profile owner of a managed profile to set the packages that are allowed to use a |
open Boolean |
setPermittedInputMethods(admin: ComponentName?, packageNames: MutableList<String!>!) Called by a profile or device owner or holder of the |
open Unit |
setPersonalAppsSuspended(admin: ComponentName, suspended: Boolean) Called by a profile owner of an organization-owned managed profile to suspend personal apps on the device. |
open Unit |
setPreferentialNetworkServiceConfigs(preferentialNetworkServiceConfigs: MutableList<PreferentialNetworkServiceConfig!>) Sets preferential network configurations. |
open Unit |
setPreferentialNetworkServiceEnabled(enabled: Boolean) Sets whether preferential network service is enabled. |
open Unit |
setProfileEnabled(admin: ComponentName) Sets the enabled state of the profile. |
open Unit |
setProfileName(admin: ComponentName, profileName: String!) Sets the name of the profile. |
open Unit |
setRecommendedGlobalProxy(admin: ComponentName, proxyInfo: ProxyInfo?) Set a network-independent global HTTP proxy. |
open Unit |
setRequiredPasswordComplexity(passwordComplexity: Int) Sets a minimum password complexity requirement for the user's screen lock. |
open Unit |
setRequiredStrongAuthTimeout(admin: ComponentName?, timeoutMs: Long) Called by a device/profile owner to set the timeout after which unlocking with secondary, non strong auth (e.g. fingerprint, face, trust agents) times out, i. |
open Boolean |
setResetPasswordToken(admin: ComponentName?, token: ByteArray!) Called by a profile or device owner to provision a token which can later be used to reset the device lockscreen password (if called by device owner), or managed profile challenge (if called by profile owner), via |
open Unit |
setRestrictionsProvider(admin: ComponentName, provider: ComponentName?) Designates a specific service component as the provider for making permission requests of a local or remote administrator of the user. |
open Unit |
setScreenCaptureDisabled(admin: ComponentName?, disabled: Boolean) Called by a device/profile owner to set whether the screen capture is disabled. |
open Unit |
setSecureSetting(admin: ComponentName, setting: String!, value: String!) This method is mostly deprecated. |
open Unit |
setSecurityLoggingEnabled(admin: ComponentName?, enabled: Boolean) Called by device owner or a profile owner of an organization-owned managed profile to control the security logging feature. |
open Unit |
setShortSupportMessage(admin: ComponentName?, message: CharSequence?) Called by a device admin to set the short support message. |
open Unit |
setStartUserSessionMessage(admin: ComponentName, startUserSessionMessage: CharSequence?) Called by a device owner to specify the user session start message. |
open Boolean |
setStatusBarDisabled(admin: ComponentName?, disabled: Boolean) Called by device owner or profile owner of secondary users that is affiliated with the device to disable the status bar. |
open Int |
setStorageEncryption(admin: ComponentName, encrypt: Boolean) |
open Unit |
setSystemSetting(admin: ComponentName, setting: String, value: String!) Called by a device or profile owner to update |
open Unit |
setSystemUpdatePolicy(admin: ComponentName, policy: SystemUpdatePolicy!) Called by device owners or profile owners of an organization-owned managed profile to set a local system update policy. |
open Boolean |
setTime(admin: ComponentName?, millis: Long) Called by a device owner or a profile owner of an organization-owned managed profile to set the system wall clock time. |
open Boolean |
setTimeZone(admin: ComponentName?, timeZone: String!) Called by a device owner or a profile owner of an organization-owned managed profile to set the system's persistent default time zone. |
open Unit |
setTrustAgentConfiguration(admin: ComponentName?, target: ComponentName, configuration: PersistableBundle!) Sets a list of configuration features to enable for a trust agent component. |
open Unit |
setUninstallBlocked(admin: ComponentName?, packageName: String!, uninstallBlocked: Boolean) Change whether a user can uninstall a package. |
open Unit |
setUsbDataSignalingEnabled(enabled: Boolean) Called by a device owner or profile owner of an organization-owned managed profile to enable or disable USB data signaling for the device. |
open Unit |
setUserControlDisabledPackages(admin: ComponentName?, packages: MutableList<String!>) Called by a device owner or a profile owner or holder of the permission |
open Unit |
setUserIcon(admin: ComponentName, icon: Bitmap!) Called by profile or device owners to set the user's photo. |
open Unit |
setWifiSsidPolicy(policy: WifiSsidPolicy?) Called by device owner or profile owner of an organization-owned managed profile to specify the Wi-Fi SSID policy ( |
open Int |
startUserInBackground(admin: ComponentName, userHandle: UserHandle) Called by a device owner to start the specified secondary user in background. |
open Int |
stopUser(admin: ComponentName, userHandle: UserHandle) Called by a device owner to stop the specified secondary user. |
open Boolean |
switchUser(admin: ComponentName, userHandle: UserHandle?) Called by a device owner to switch the specified secondary user to the foreground. |
open Unit |
transferOwnership(admin: ComponentName, target: ComponentName, bundle: PersistableBundle?) Changes the current administrator to another one. |
open Unit |
uninstallAllUserCaCerts(admin: ComponentName?) Uninstalls all custom trusted CA certificates from the profile. |
open Unit |
uninstallCaCert(admin: ComponentName?, certBuffer: ByteArray!) Uninstalls the given certificate from trusted user CAs, if present. |
open Boolean |
updateOverrideApn(admin: ComponentName, apnId: Int, apnSetting: ApnSetting) Called by device owner or managed profile owner to update an override APN. |
open Unit | |
open Unit |
wipeData(flags: Int, reason: CharSequence) Ask that all user data be wiped. |
open Unit |
wipeDevice(flags: Int) Ask that the device be wiped and factory reset. |
Constants
ACTION_ADD_DEVICE_ADMIN
static val ACTION_ADD_DEVICE_ADMIN: String
Activity action: ask the user to add a new device administrator to the system. The desired policy is the ComponentName of the policy in the EXTRA_DEVICE_ADMIN
extra field. This will invoke a UI to bring the user through adding the device administrator to the system (or allowing them to reject it).
You can optionally include the EXTRA_ADD_EXPLANATION
field to provide the user with additional explanation (in addition to your component's description) about what is being added.
If your administrator is already active, this will ordinarily return immediately (without user intervention). However, if your administrator has been updated and is requesting additional uses-policy flags, the user will be presented with the new list. New policies will not be available to the updated administrator until the user has accepted the new list.
Value: "android.app.action.ADD_DEVICE_ADMIN"
ACTION_ADMIN_POLICY_COMPLIANCE
static val ACTION_ADMIN_POLICY_COMPLIANCE: String
Activity action: Starts the administrator to show policy compliance for the provisioning. This action is used any time that the administrator has an opportunity to show policy compliance before the end of setup wizard. This could happen as part of the admin-integrated provisioning flow (in which case this gets sent after ACTION_GET_PROVISIONING_MODE
), or it could happen during provisioning finalization if the administrator supports finalization during setup wizard.
Intents with this action may also be supplied with the EXTRA_PROVISIONING_ADMIN_EXTRAS_BUNDLE
extra.
Value: "android.app.action.ADMIN_POLICY_COMPLIANCE"
See Also
ACTION_APPLICATION_DELEGATION_SCOPES_CHANGED
static val ACTION_APPLICATION_DELEGATION_SCOPES_CHANGED: String
Broadcast Action: Sent after application delegation scopes are changed. The new delegation scopes will be sent in an ArrayList<String>
extra identified by the EXTRA_DELEGATION_SCOPES
key.
Note: This is a protected intent that can only be sent by the system.
Value: "android.app.action.APPLICATION_DELEGATION_SCOPES_CHANGED"
ACTION_CHECK_POLICY_COMPLIANCE
static val ACTION_CHECK_POLICY_COMPLIANCE: String
Activity action: launch the DPC to check policy compliance. This intent is launched when the user taps on the notification about personal apps suspension. When handling this intent the DPC must check if personal apps should still be suspended and either unsuspend them or instruct the user on how to resolve the noncompliance causing the suspension.
Value: "android.app.action.CHECK_POLICY_COMPLIANCE"
See Also
ACTION_DEVICE_ADMIN_SERVICE
static val ACTION_DEVICE_ADMIN_SERVICE: String
Service action: Action for a service that device owner and profile owner can optionally own. If a device owner or a profile owner has such a service, the system tries to keep a bound connection to it, in order to keep their process always running. The service must be protected with the android.Manifest.permission#BIND_DEVICE_ADMIN
permission.
Value: "android.app.action.DEVICE_ADMIN_SERVICE"
ACTION_DEVICE_FINANCING_STATE_CHANGED
static val ACTION_DEVICE_FINANCING_STATE_CHANGED: String
Broadcast Action: Broadcast sent to indicate that the device financing state has changed.
This occurs when, for example, a financing kiosk app has been added or removed.
To query the current device financing state see isDeviceFinanced
.
This will be delivered to the following apps if they include a receiver for this action in their manifest:
- Device owner admins.
- Organization-owned profile owner admins
- The supervision app
- The device management role holder
Value: "android.app.admin.action.DEVICE_FINANCING_STATE_CHANGED"
ACTION_DEVICE_OWNER_CHANGED
static val ACTION_DEVICE_OWNER_CHANGED: String
Broadcast action: sent when the device owner is set, changed or cleared. This broadcast is sent only to the primary user.
Value: "android.app.action.DEVICE_OWNER_CHANGED"
ACTION_DEVICE_POLICY_RESOURCE_UPDATED
static val ACTION_DEVICE_POLICY_RESOURCE_UPDATED: String
Broadcast action: notify system apps (e.g. settings, SysUI, etc) that the device management resources with IDs EXTRA_RESOURCE_IDS
has been updated, the updated resources can be retrieved using android.app.admin.DevicePolicyResourcesManager#getDrawable and android.app.admin.DevicePolicyResourcesManager#getString.
This broadcast is sent to registered receivers only.
EXTRA_RESOURCE_TYPE
will be included to identify the type of resource being updated.
Value: "android.app.action.DEVICE_POLICY_RESOURCE_UPDATED"
ACTION_GET_PROVISIONING_MODE
static val ACTION_GET_PROVISIONING_MODE: String
Activity action: Starts the administrator to get the mode for the provisioning. This intent may contain the following extras:
EXTRA_PROVISIONING_ADMIN_EXTRAS_BUNDLE
EXTRA_PROVISIONING_IMEI
EXTRA_PROVISIONING_SERIAL_NUMBER
EXTRA_PROVISIONING_ALLOWED_PROVISIONING_MODES
EXTRA_PROVISIONING_SENSORS_PERMISSION_GRANT_OPT_OUT
The target activity should return one of the following values in EXTRA_PROVISIONING_MODE
as result:
If performing fully-managed device provisioning and the admin app desires to show its own education screens, the target activity can additionally return EXTRA_PROVISIONING_SKIP_EDUCATION_SCREENS
set to true
.
The target activity may also return the account that needs to be migrated from primary user to managed profile in case of a profile owner provisioning in EXTRA_PROVISIONING_ACCOUNT_TO_MIGRATE
as result.
The target activity may also include the EXTRA_PROVISIONING_ADMIN_EXTRAS_BUNDLE
extra in the intent result. The values of this android.os.PersistableBundle
will be sent as an intent extra of the same name to the ACTION_ADMIN_POLICY_COMPLIANCE
activity, along with the values of the EXTRA_PROVISIONING_ADMIN_EXTRAS_BUNDLE
extra that are already supplied to this activity.
Other extras the target activity may include in the intent result:
EXTRA_PROVISIONING_DISCLAIMERS
EXTRA_PROVISIONING_SKIP_ENCRYPTION
EXTRA_PROVISIONING_KEEP_SCREEN_ON
EXTRA_PROVISIONING_KEEP_ACCOUNT_ON_MIGRATION
for work profile provisioningEXTRA_PROVISIONING_LEAVE_ALL_SYSTEM_APPS_ENABLED
for work profile provisioningEXTRA_PROVISIONING_SENSORS_PERMISSION_GRANT_OPT_OUT
for fully-managed device provisioningEXTRA_PROVISIONING_LOCALE
for fully-managed device provisioningEXTRA_PROVISIONING_LOCAL_TIME
for fully-managed device provisioningEXTRA_PROVISIONING_TIME_ZONE
for fully-managed device provisioning
Value: "android.app.action.GET_PROVISIONING_MODE"
See Also
ACTION_MANAGED_PROFILE_PROVISIONED
static val ACTION_MANAGED_PROFILE_PROVISIONED: String
Broadcast Action: This broadcast is sent to indicate that provisioning of a managed profile has completed successfully.
The broadcast is limited to the primary profile, to the app specified in the provisioning intent with action ACTION_PROVISION_MANAGED_PROFILE
.
This intent will contain the following extras
Intent.EXTRA_USER
, corresponds to theUserHandle
of the managed profile.EXTRA_PROVISIONING_ACCOUNT_TO_MIGRATE
, corresponds to the account requested to be migrated at provisioning time, if any.
Value: "android.app.action.MANAGED_PROFILE_PROVISIONED"
ACTION_PROFILE_OWNER_CHANGED
static val ACTION_PROFILE_OWNER_CHANGED: String
Broadcast action: sent when the profile owner is set, changed or cleared. This broadcast is sent only to the user managed by the new profile owner.
Value: "android.app.action.PROFILE_OWNER_CHANGED"
ACTION_PROVISIONING_SUCCESSFUL
static val ACTION_PROVISIONING_SUCCESSFUL: String
Activity action: This activity action is sent to indicate that provisioning of a managed profile or managed device has completed successfully. It'll be sent at the same time as DeviceAdminReceiver.ACTION_PROFILE_PROVISIONING_COMPLETE
broadcast but this will be delivered faster as it's an activity intent.
The intent is only sent to the new device or profile owner.
Value: "android.app.action.PROVISIONING_SUCCESSFUL"
ACTION_PROVISION_MANAGED_DEVICE
static valACTION_PROVISION_MANAGED_DEVICE: String
Deprecated: to support android.os.Build.VERSION_CODES#S
and later, admin apps must implement activities with intent filters for the ACTION_GET_PROVISIONING_MODE
and ACTION_ADMIN_POLICY_COMPLIANCE
intent actions; using ACTION_PROVISION_MANAGED_DEVICE
to start provisioning will cause the provisioning to fail; to additionally support pre-android.os.Build.VERSION_CODES#S
, admin apps must also continue to use this constant.
Activity action: Starts the provisioning flow which sets up a managed device. Must be started with android.app.Activity#startActivityForResult(Intent, int)
.
During device owner provisioning a device admin app is set as the owner of the device. A device owner has full control over the device. The device owner can not be modified by the user.
A typical use case would be a device that is owned by a company, but used by either an employee or client.
An intent with this action can be sent only on an unprovisioned device. It is possible to check if provisioning is allowed or not by querying the method isProvisioningAllowed(java.lang.String)
.
The intent contains the following extras:
EXTRA_PROVISIONING_DEVICE_ADMIN_COMPONENT_NAME
EXTRA_PROVISIONING_SKIP_ENCRYPTION
, optionalEXTRA_PROVISIONING_LEAVE_ALL_SYSTEM_APPS_ENABLED
, optionalEXTRA_PROVISIONING_ADMIN_EXTRAS_BUNDLE
, optionalEXTRA_PROVISIONING_LOGO_URI
, optionalEXTRA_PROVISIONING_DISCLAIMERS
, optionalEXTRA_PROVISIONING_SKIP_EDUCATION_SCREENS
, optional
When device owner provisioning has completed, an intent of the type DeviceAdminReceiver.ACTION_PROFILE_PROVISIONING_COMPLETE
is broadcast to the device owner.
From version android.os.Build.VERSION_CODES#O
, when device owner provisioning has completed, along with the above broadcast, activity intent ACTION_PROVISIONING_SUCCESSFUL
will also be sent to the device owner.
If provisioning fails, the device is factory reset.
A result code of android.app.Activity#RESULT_OK
implies that the synchronous part of the provisioning flow was successful, although this doesn't guarantee the full flow will succeed. Conversely a result code of android.app.Activity#RESULT_CANCELED
implies that the user backed-out of provisioning, or some precondition for provisioning wasn't met.
Value: "android.app.action.PROVISION_MANAGED_DEVICE"
ACTION_PROVISION_MANAGED_PROFILE
static val ACTION_PROVISION_MANAGED_PROFILE: String
Activity action: Starts the provisioning flow which sets up a managed profile.
It is possible to check if provisioning is allowed or not by querying the method isProvisioningAllowed(java.lang.String)
.
The intent may contain the following extras:
Extra | Supported Versions | |
---|---|---|
EXTRA_PROVISIONING_ACCOUNT_TO_MIGRATE |
||
EXTRA_PROVISIONING_SKIP_ENCRYPTION |
android.os.Build.VERSION_CODES#N + |
|
EXTRA_PROVISIONING_ADMIN_EXTRAS_BUNDLE |
||
EXTRA_PROVISIONING_LOGO_URI |
||
EXTRA_PROVISIONING_SKIP_USER_CONSENT |
Can only be used by an existing device owner trying to create a managed profile | |
EXTRA_PROVISIONING_KEEP_ACCOUNT_ON_MIGRATION |
||
EXTRA_PROVISIONING_DISCLAIMERS |
||
EXTRA_PROVISIONING_DEVICE_ADMIN_PACKAGE_NAME |
Required if EXTRA_PROVISIONING_DEVICE_ADMIN_COMPONENT_NAME is not specified. Must match the package name of the calling application. |
android.os.Build.VERSION_CODES#LOLLIPOP + |
EXTRA_PROVISIONING_DEVICE_ADMIN_COMPONENT_NAME |
Required if EXTRA_PROVISIONING_DEVICE_ADMIN_PACKAGE_NAME is not specified. Package name must match the package name of the calling application. |
android.os.Build.VERSION_CODES#M + |
EXTRA_PROVISIONING_ALLOW_OFFLINE |
On android.os.Build.VERSION_CODES#TIRAMISU +, when set to true this will force offline provisioning instead of allowing it |
When managed provisioning has completed, broadcasts are sent to the application specified in the provisioning intent. The DeviceAdminReceiver.ACTION_PROFILE_PROVISIONING_COMPLETE
broadcast is sent in the managed profile and the ACTION_MANAGED_PROFILE_PROVISIONED
broadcast is sent in the primary profile.
From version android.os.Build.VERSION_CODES#O
, when managed provisioning has completed, along with the above broadcast, activity intent ACTION_PROVISIONING_SUCCESSFUL
will also be sent to the profile owner.
If provisioning fails, the managed profile is removed so the device returns to its previous state.
If launched with android.app.Activity#startActivityForResult(Intent, int)
a result code of android.app.Activity#RESULT_OK
indicates that the synchronous part of the provisioning flow was successful, although this doesn't guarantee the full flow will succeed. Conversely a result code of android.app.Activity#RESULT_CANCELED
indicates that the user backed-out of provisioning or some precondition for provisioning wasn't met.
If a device policy management role holder updater is present on the device, an internet connection attempt must be made prior to launching this intent.
Value: "android.app.action.PROVISION_MANAGED_PROFILE"
ACTION_SET_NEW_PARENT_PROFILE_PASSWORD
static val ACTION_SET_NEW_PARENT_PROFILE_PASSWORD: String
Activity action: have the user enter a new password for the parent profile. If the intent is launched from within a managed profile, this will trigger entering a new password for the parent of the profile. The caller can optionally set EXTRA_DEVICE_PASSWORD_REQUIREMENT_ONLY
to only enforce device-wide password requirement. In all other cases the behaviour is identical to ACTION_SET_NEW_PASSWORD
.
Value: "android.app.action.SET_NEW_PARENT_PROFILE_PASSWORD"
ACTION_SET_NEW_PASSWORD
static val ACTION_SET_NEW_PASSWORD: String
Activity action: have the user enter a new password.
For admin apps, this activity should be launched after using setPasswordQuality(android.content.ComponentName,int)
, or setPasswordMinimumLength(android.content.ComponentName,int)
to have the user enter a new password that meets the current requirements. You can use isActivePasswordSufficient()
to determine whether you need to have the user select a new password in order to meet the current constraints. Upon being resumed from this activity, you can check the new password characteristics to see if they are sufficient.
Non-admin apps can use getPasswordComplexity()
to check the current screen lock complexity, and use this activity with extra EXTRA_PASSWORD_COMPLEXITY
to suggest to users how complex the app wants the new screen lock to be. Note that both getPasswordComplexity()
and the extra EXTRA_PASSWORD_COMPLEXITY
require the calling app to have the permission permission.REQUEST_PASSWORD_COMPLEXITY
.
If the intent is launched from within a managed profile with a profile owner built against android.os.Build.VERSION_CODES#M
or before, this will trigger entering a new password for the parent of the profile. For all other cases it will trigger entering a new password for the user or profile it is launched from.
Value: "android.app.action.SET_NEW_PASSWORD"
ACTION_START_ENCRYPTION
static val ACTION_START_ENCRYPTION: String
Activity action: begin the process of encrypting data on the device. This activity should be launched after using setStorageEncryption
to request encryption be activated. After resuming from this activity, use getStorageEncryption
to check encryption status. However, on some devices this activity may never return, as it may trigger a reboot and in some cases a complete data wipe of the device.
Value: "android.app.action.START_ENCRYPTION"
ACTION_SYSTEM_UPDATE_POLICY_CHANGED
static val ACTION_SYSTEM_UPDATE_POLICY_CHANGED: String
Broadcast action: notify that a new local system update policy has been set by the device owner. The new policy can be retrieved by getSystemUpdatePolicy()
.
Value: "android.app.action.SYSTEM_UPDATE_POLICY_CHANGED"
CONTENT_PROTECTION_DISABLED
static val CONTENT_PROTECTION_DISABLED: Int
Indicates that content protection is controlled and disabled by a policy (default).
Value: 1
CONTENT_PROTECTION_ENABLED
static val CONTENT_PROTECTION_ENABLED: Int
Indicates that content protection is controlled and enabled by a policy.
Value: 2
CONTENT_PROTECTION_NOT_CONTROLLED_BY_POLICY
static val CONTENT_PROTECTION_NOT_CONTROLLED_BY_POLICY: Int
Indicates that content protection is not controlled by policy, allowing user to choose.
Value: 0
DELEGATION_APP_RESTRICTIONS
static val DELEGATION_APP_RESTRICTIONS: String
Delegation of application restrictions management. This scope grants access to the setApplicationRestrictions
and getApplicationRestrictions
APIs.
Value: "delegation-app-restrictions"
DELEGATION_BLOCK_UNINSTALL
static val DELEGATION_BLOCK_UNINSTALL: String
Delegation of application uninstall block. This scope grants access to the setUninstallBlocked
API.
Value: "delegation-block-uninstall"
DELEGATION_CERT_INSTALL
static val DELEGATION_CERT_INSTALL: String
Delegation of certificate installation and management. This scope grants access to the getInstalledCaCerts
, hasCaCertInstalled
, installCaCert
, uninstallCaCert
, uninstallAllUserCaCerts
and #installKeyPair APIs. This scope also grants the ability to read identifiers that the delegating device owner or profile owner can obtain. See getEnrollmentSpecificId()
.
Value: "delegation-cert-install"
DELEGATION_CERT_SELECTION
static val DELEGATION_CERT_SELECTION: String
Grants access to selection of KeyChain certificates on behalf of requesting apps. Once granted the app will start receiving DelegatedAdminReceiver.onChoosePrivateKeyAlias
. The caller (PO/DO) will no longer receive DeviceAdminReceiver.onChoosePrivateKeyAlias
. There can be at most one app that has this delegation. If another app already had delegated certificate selection access, it will lose the delegation when a new app is delegated.
The delegated app can also call grantKeyPairToApp
and revokeKeyPairFromApp
to directly grant KeyChain keys to other apps.
Can be granted by Device Owner or Profile Owner.
Value: "delegation-cert-selection"
DELEGATION_ENABLE_SYSTEM_APP
static val DELEGATION_ENABLE_SYSTEM_APP: String
Delegation for enabling system apps. This scope grants access to the #enableSystemApp API.
Value: "delegation-enable-system-app"
DELEGATION_INSTALL_EXISTING_PACKAGE
static val DELEGATION_INSTALL_EXISTING_PACKAGE: String
Delegation for installing existing packages. This scope grants access to the installExistingPackage
API.
Value: "delegation-install-existing-package"
DELEGATION_KEEP_UNINSTALLED_PACKAGES
static val DELEGATION_KEEP_UNINSTALLED_PACKAGES: String
Delegation of management of uninstalled packages. This scope grants access to the setKeepUninstalledPackages
and getKeepUninstalledPackages
APIs.
Value: "delegation-keep-uninstalled-packages"
DELEGATION_NETWORK_LOGGING
static val DELEGATION_NETWORK_LOGGING: String
Grants access to setNetworkLoggingEnabled
, isNetworkLoggingEnabled
and retrieveNetworkLogs
. Once granted the delegated app will start receiving DelegatedAdminReceiver.onNetworkLogsAvailable() callback, and Device owner or Profile Owner will no longer receive the DeviceAdminReceiver.onNetworkLogsAvailable() callback. There can be at most one app that has this delegation. If another app already had delegated network logging access, it will lose the delegation when a new app is delegated.
Device Owner can grant this access since Android 10. Profile Owner of a managed profile can grant this access since Android 12.
Value: "delegation-network-logging"
DELEGATION_PACKAGE_ACCESS
static val DELEGATION_PACKAGE_ACCESS: String
Delegation of package access state. This scope grants access to the isApplicationHidden
, setApplicationHidden
, isPackageSuspended
, and setPackagesSuspended
APIs.
Value: "delegation-package-access"
DELEGATION_PERMISSION_GRANT
static val DELEGATION_PERMISSION_GRANT: String
Delegation of permission policy and permission grant state. This scope grants access to the setPermissionPolicy
, getPermissionGrantState
, and setPermissionGrantState
APIs.
Value: "delegation-permission-grant"
DELEGATION_SECURITY_LOGGING
static val DELEGATION_SECURITY_LOGGING: String
Grants access to setSecurityLoggingEnabled
, isSecurityLoggingEnabled
, retrieveSecurityLogs
, and retrievePreRebootSecurityLogs
. Once granted the delegated app will start receiving DelegatedAdminReceiver.onSecurityLogsAvailable
callback, and Device owner or Profile Owner will no longer receive the DeviceAdminReceiver.onSecurityLogsAvailable
callback. There can be at most one app that has this delegation. If another app already had delegated security logging access, it will lose the delegation when a new app is delegated.
Can only be granted by Device Owner or Profile Owner of an organization-owned managed profile.
Value: "delegation-security-logging"
ENCRYPTION_STATUS_ACTIVATING
static valENCRYPTION_STATUS_ACTIVATING: Int
Deprecated: This result code has never actually been used, so there is no reason for apps to check for it.
Result code for getStorageEncryptionStatus
: indicating that encryption is not currently active, but is currently being activated.
Value: 2
ENCRYPTION_STATUS_ACTIVE
static val ENCRYPTION_STATUS_ACTIVE: Int
Result code for setStorageEncryption
and getStorageEncryptionStatus
: indicating that encryption is active.
getStorageEncryptionStatus
can only return this value for apps targeting API level 23 or lower, or on devices that use Full Disk Encryption. Support for Full Disk Encryption was entirely removed in API level 33, having been replaced by File Based Encryption. The result code ENCRYPTION_STATUS_ACTIVE_PER_USER
is used on devices that use File Based Encryption, except when the app targets API level 23 or lower.
setStorageEncryption
can still return this value for an unrelated reason, but setStorageEncryption
is deprecated since it doesn't do anything useful.
Value: 3
ENCRYPTION_STATUS_ACTIVE_DEFAULT_KEY
static val ENCRYPTION_STATUS_ACTIVE_DEFAULT_KEY: Int
Result code for getStorageEncryptionStatus
: indicating that encryption is active, but the encryption key is not cryptographically protected by the user's credentials.
This value can only be returned on devices that use Full Disk Encryption. Support for Full Disk Encryption was entirely removed in API level 33, having been replaced by File Based Encryption. With File Based Encryption, each user's credential-encrypted storage is always cryptographically protected by the user's credentials.
Value: 4
ENCRYPTION_STATUS_ACTIVE_PER_USER
static val ENCRYPTION_STATUS_ACTIVE_PER_USER: Int
Result code for getStorageEncryptionStatus
: indicating that encryption is active and the encryption key is tied to the user or profile.
This value is only returned to apps targeting API level 24 and above. For apps targeting earlier API levels, ENCRYPTION_STATUS_ACTIVE
is returned, even if the encryption key is specific to the user or profile.
Value: 5
ENCRYPTION_STATUS_INACTIVE
static val ENCRYPTION_STATUS_INACTIVE: Int
Result code for setStorageEncryption
and getStorageEncryptionStatus
: indicating that encryption is supported, but is not currently active.
getStorageEncryptionStatus
can only return this value on devices that use Full Disk Encryption. Support for Full Disk Encryption was entirely removed in API level 33, having been replaced by File Based Encryption. Devices that use File Based Encryption always automatically activate their encryption on first boot.
setStorageEncryption
can still return this value for an unrelated reason, but setStorageEncryption
is deprecated since it doesn't do anything useful.
Value: 1
ENCRYPTION_STATUS_UNSUPPORTED
static val ENCRYPTION_STATUS_UNSUPPORTED: Int
Result code for setStorageEncryption
and getStorageEncryptionStatus
: indicating that encryption is not supported.
Value: 0
EXTRA_ADD_EXPLANATION
static val EXTRA_ADD_EXPLANATION: String
An optional CharSequence providing additional explanation for why the admin is being added.
Value: "android.app.extra.ADD_EXPLANATION"
See Also
EXTRA_DELEGATION_SCOPES
static val EXTRA_DELEGATION_SCOPES: String
An ArrayList<String>
corresponding to the delegation scopes given to an app in the ACTION_APPLICATION_DELEGATION_SCOPES_CHANGED
broadcast.
Value: "android.app.extra.DELEGATION_SCOPES"
EXTRA_DEVICE_ADMIN
static val EXTRA_DEVICE_ADMIN: String
The ComponentName of the administrator component.
Value: "android.app.extra.DEVICE_ADMIN"
See Also
EXTRA_DEVICE_PASSWORD_REQUIREMENT_ONLY
static val EXTRA_DEVICE_PASSWORD_REQUIREMENT_ONLY: String
A boolean extra for ACTION_SET_NEW_PARENT_PROFILE_PASSWORD
requesting that only device password requirement is enforced during the parent profile password enrolment flow.
Normally when enrolling password for the parent profile, both the device-wide password requirement (requirement set via getParentProfileInstance(android.content.ComponentName)
instance) and the profile password requirement are enforced, if the profile currently does not have a separate work challenge. By setting this to true
, profile password requirement is explicitly disregarded.
Value: "android.app.extra.DEVICE_PASSWORD_REQUIREMENT_ONLY"
EXTRA_PASSWORD_COMPLEXITY
static val EXTRA_PASSWORD_COMPLEXITY: String
An integer indicating the complexity level of the new password an app would like the user to set when launching the action ACTION_SET_NEW_PASSWORD
.
Must be one of
PASSWORD_COMPLEXITY_HIGH
PASSWORD_COMPLEXITY_MEDIUM
PASSWORD_COMPLEXITY_LOW
PASSWORD_COMPLEXITY_NONE
If an invalid value is used, it will be treated as PASSWORD_COMPLEXITY_NONE
.
Requires android.Manifest.permission#REQUEST_PASSWORD_COMPLEXITY
Value: "android.app.extra.PASSWORD_COMPLEXITY"
EXTRA_PROVISIONING_ACCOUNT_TO_MIGRATE
static val EXTRA_PROVISIONING_ACCOUNT_TO_MIGRATE: String
An android.accounts.Account
extra holding the account to migrate during managed profile provisioning.
If the account supplied is present in the user, it will be copied, along with its credentials to the managed profile and removed from the user.
Value: "android.app.extra.PROVISIONING_ACCOUNT_TO_MIGRATE"
EXTRA_PROVISIONING_ADMIN_EXTRAS_BUNDLE
static val EXTRA_PROVISIONING_ADMIN_EXTRAS_BUNDLE: String
A android.os.Parcelable
extra of type android.os.PersistableBundle
that is passed directly to the Device Policy Controller after provisioning.
Starting from android.os.Build.VERSION_CODES#M
, if used with MIME_TYPE_PROVISIONING_NFC
as part of NFC managed device provisioning, the NFC message should contain a stringified java.util.Properties
instance, whose string properties will be converted into a android.os.PersistableBundle
and passed to the management application after provisioning.
Value: "android.app.extra.PROVISIONING_ADMIN_EXTRAS_BUNDLE"
EXTRA_PROVISIONING_ALLOWED_PROVISIONING_MODES
static val EXTRA_PROVISIONING_ALLOWED_PROVISIONING_MODES: String
An ArrayList
of Integer
extra specifying the allowed provisioning modes.
This extra will be passed to the admin app's ACTION_GET_PROVISIONING_MODE
activity, whose result intent must contain EXTRA_PROVISIONING_MODE
set to one of the values in this array.
If the value set to EXTRA_PROVISIONING_MODE
is not in the array, provisioning will fail.
Value: "android.app.extra.PROVISIONING_ALLOWED_PROVISIONING_MODES"
EXTRA_PROVISIONING_ALLOW_OFFLINE
static val EXTRA_PROVISIONING_ALLOW_OFFLINE: String
A boolean extra indicating whether offline provisioning should be used.
The default value is false
.
Value: "android.app.extra.PROVISIONING_ALLOW_OFFLINE"
EXTRA_PROVISIONING_DEVICE_ADMIN_COMPONENT_NAME
static val EXTRA_PROVISIONING_DEVICE_ADMIN_COMPONENT_NAME: String
A ComponentName extra indicating the device admin receiver
of the application that will be set as the Device Policy Controller.
If an application starts provisioning directly via an intent with action ACTION_PROVISION_MANAGED_DEVICE
the package name of this component has to match the package name of the application that started provisioning.
This component is set as device owner and active admin when device owner provisioning is started by an intent with action ACTION_PROVISION_MANAGED_DEVICE
or by an NFC message containing an NFC record with MIME type MIME_TYPE_PROVISIONING_NFC
. For the NFC record, the component name must be flattened to a string, via ComponentName.flattenToShortString()
.
Value: "android.app.extra.PROVISIONING_DEVICE_ADMIN_COMPONENT_NAME"
EXTRA_PROVISIONING_DEVICE_ADMIN_MINIMUM_VERSION_CODE
static val EXTRA_PROVISIONING_DEVICE_ADMIN_MINIMUM_VERSION_CODE: String
An int extra holding a minimum required version code for the device admin package. If the device admin is already installed on the device, it will only be re-downloaded from EXTRA_PROVISIONING_DEVICE_ADMIN_PACKAGE_DOWNLOAD_LOCATION
if the version of the installed package is less than this version code.
Use in an NFC record with MIME_TYPE_PROVISIONING_NFC
that starts device owner provisioning via an NFC bump. It can also be used for QR code provisioning.
Value: "android.app.extra.PROVISIONING_DEVICE_ADMIN_MINIMUM_VERSION_CODE"
EXTRA_PROVISIONING_DEVICE_ADMIN_PACKAGE_CHECKSUM
static val EXTRA_PROVISIONING_DEVICE_ADMIN_PACKAGE_CHECKSUM: String
A String extra holding the URL-safe base64 encoded SHA-256 hash of the file at download location specified in EXTRA_PROVISIONING_DEVICE_ADMIN_PACKAGE_DOWNLOAD_LOCATION
.
Either this extra or EXTRA_PROVISIONING_DEVICE_ADMIN_SIGNATURE_CHECKSUM
must be present. The provided checksum must match the checksum of the file at the download location. If the checksum doesn't match an error will be shown to the user and the user will be asked to factory reset the device.
Use in an NFC record with MIME_TYPE_PROVISIONING_NFC
that starts device owner provisioning via an NFC bump. It can also be used for QR code provisioning.
Note: for devices running android.os.Build.VERSION_CODES#LOLLIPOP
and android.os.Build.VERSION_CODES#LOLLIPOP_MR1
only SHA-1 hash is supported. Starting from android.os.Build.VERSION_CODES#M
, this parameter accepts SHA-256 in addition to SHA-1. From android.os.Build.VERSION_CODES#Q
, only SHA-256 hash is supported.
Value: "android.app.extra.PROVISIONING_DEVICE_ADMIN_PACKAGE_CHECKSUM"
EXTRA_PROVISIONING_DEVICE_ADMIN_PACKAGE_DOWNLOAD_COOKIE_HEADER
static val EXTRA_PROVISIONING_DEVICE_ADMIN_PACKAGE_DOWNLOAD_COOKIE_HEADER: String
A String extra holding a http cookie header which should be used in the http request to the url specified in EXTRA_PROVISIONING_DEVICE_ADMIN_PACKAGE_DOWNLOAD_LOCATION
.
Use in an NFC record with MIME_TYPE_PROVISIONING_NFC
that starts device owner provisioning via an NFC bump. It can also be used for QR code provisioning.
Value: "android.app.extra.PROVISIONING_DEVICE_ADMIN_PACKAGE_DOWNLOAD_COOKIE_HEADER"
EXTRA_PROVISIONING_DEVICE_ADMIN_PACKAGE_DOWNLOAD_LOCATION
static val EXTRA_PROVISIONING_DEVICE_ADMIN_PACKAGE_DOWNLOAD_LOCATION: String
A String extra holding a url that specifies the download location of the device admin package. When not provided it is assumed that the device admin package is already installed.
Use in an NFC record with MIME_TYPE_PROVISIONING_NFC
that starts device owner provisioning via an NFC bump. It can also be used for QR code provisioning.
Value: "android.app.extra.PROVISIONING_DEVICE_ADMIN_PACKAGE_DOWNLOAD_LOCATION"
EXTRA_PROVISIONING_DEVICE_ADMIN_PACKAGE_NAME
static valEXTRA_PROVISIONING_DEVICE_ADMIN_PACKAGE_NAME: String
Deprecated: Use EXTRA_PROVISIONING_DEVICE_ADMIN_COMPONENT_NAME
.
A String extra holding the package name of the application that will be set as Device Policy Controller.
When this extra is set, the application must have exactly one device admin receiver
. This receiver will be set as the Device Policy Controller.
Value: "android.app.extra.PROVISIONING_DEVICE_ADMIN_PACKAGE_NAME"
EXTRA_PROVISIONING_DEVICE_ADMIN_SIGNATURE_CHECKSUM
static val EXTRA_PROVISIONING_DEVICE_ADMIN_SIGNATURE_CHECKSUM: String
A String extra holding the URL-safe base64 encoded SHA-256 checksum of any signature of the android package archive at the download location specified in EXTRA_PROVISIONING_DEVICE_ADMIN_PACKAGE_DOWNLOAD_LOCATION
.
The signatures of an android package archive can be obtained using android.content.pm.PackageManager#getPackageArchiveInfo with flag android.content.pm.PackageManager#GET_SIGNATURES
.
Either this extra or EXTRA_PROVISIONING_DEVICE_ADMIN_PACKAGE_CHECKSUM
must be present. The provided checksum must match the checksum of any signature of the file at the download location. If the checksum does not match an error will be shown to the user and the user will be asked to factory reset the device.
Use in an NFC record with MIME_TYPE_PROVISIONING_NFC
that starts device owner provisioning via an NFC bump. It can also be used for QR code provisioning.
Value: "android.app.extra.PROVISIONING_DEVICE_ADMIN_SIGNATURE_CHECKSUM"
EXTRA_PROVISIONING_DISCLAIMERS
static val EXTRA_PROVISIONING_DISCLAIMERS: String
A Bundle
[] extra consisting of list of disclaimer headers and disclaimer contents.
Each Bundle
must have both EXTRA_PROVISIONING_DISCLAIMER_HEADER
as disclaimer header, and EXTRA_PROVISIONING_DISCLAIMER_CONTENT
as disclaimer content.
The extra typically contains one disclaimer from the company of mobile device management application (MDM), and one disclaimer from the organization.
Call Bundle.putParcelableArray(String, Parcelable[])
to put the Bundle
[]
Maximum 3 key-value pairs can be specified. The rest will be ignored.
Can be used in an intent with action ACTION_PROVISION_MANAGED_PROFILE
. This extra can also be returned by the admin app when performing the admin-integrated provisioning flow as a result of the ACTION_GET_PROVISIONING_MODE
activity.
Value: "android.app.extra.PROVISIONING_DISCLAIMERS"
EXTRA_PROVISIONING_DISCLAIMER_CONTENT
static val EXTRA_PROVISIONING_DISCLAIMER_CONTENT: String
A Uri
extra pointing to disclaimer content.
The following URI schemes are accepted:
- content (
android.content.ContentResolver#SCHEME_CONTENT
) - android.resource (
android.content.ContentResolver#SCHEME_ANDROID_RESOURCE
)
Styled text is supported. This is parsed by android.text.Html#fromHtml(String)
and displayed in a android.widget.TextView
.
If a content:
URI is passed, the intent should also have the flag Intent.FLAG_GRANT_READ_URI_PERMISSION
and the uri should be added to the android.content.ClipData
of the intent.
System apps
can also insert a disclaimer by declaring an application-level meta-data in AndroidManifest.xml
.
For example:
<meta-data android:name="android.app.extra.PROVISIONING_DISCLAIMER_CONTENT" android:resource="@string/disclaimer_content" />
This must be accompanied with another extra using the key EXTRA_PROVISIONING_DISCLAIMER_HEADER
.
Value: "android.app.extra.PROVISIONING_DISCLAIMER_CONTENT"
EXTRA_PROVISIONING_DISCLAIMER_HEADER
static val EXTRA_PROVISIONING_DISCLAIMER_HEADER: String
A String extra of localized disclaimer header.
The extra is typically the company name of mobile device management application (MDM) or the organization name.
System apps
can also insert a disclaimer by declaring an application-level meta-data in AndroidManifest.xml
.
For example:
<meta-data android:name="android.app.extra.PROVISIONING_DISCLAIMER_HEADER" android:resource="@string/disclaimer_header" />
This must be accompanied with another extra using the key EXTRA_PROVISIONING_DISCLAIMER_CONTENT
.
Value: "android.app.extra.PROVISIONING_DISCLAIMER_HEADER"
EXTRA_PROVISIONING_EMAIL_ADDRESS
static valEXTRA_PROVISIONING_EMAIL_ADDRESS: String
Deprecated: From android.os.Build.VERSION_CODES#O
, never used while provisioning the device.
Value: "android.app.extra.PROVISIONING_EMAIL_ADDRESS"
EXTRA_PROVISIONING_IMEI
static val EXTRA_PROVISIONING_IMEI: String
A string extra holding the IMEI (International Mobile Equipment Identity) of the device.
Value: "android.app.extra.PROVISIONING_IMEI"
EXTRA_PROVISIONING_KEEP_ACCOUNT_ON_MIGRATION
static val EXTRA_PROVISIONING_KEEP_ACCOUNT_ON_MIGRATION: String
Boolean extra to indicate that the migrated account
should be kept.
If it's set to true
, the account will not be removed from the user after it is migrated to the newly created user or profile.
Defaults to false
Value: "android.app.extra.PROVISIONING_KEEP_ACCOUNT_ON_MIGRATION"
EXTRA_PROVISIONING_KEEP_SCREEN_ON
static valEXTRA_PROVISIONING_KEEP_SCREEN_ON: String
Deprecated: from android.os.Build.VERSION_CODES#UPSIDE_DOWN_CAKE
, the flag wouldn't be functional. The screen is kept on throughout the provisioning flow.
A boolean
flag that indicates whether the screen should be on throughout the provisioning flow.
This extra can either be passed as an extra to the ACTION_PROVISION_MANAGED_PROFILE
intent, or it can be returned by the admin app when performing the admin-integrated provisioning flow as a result of the ACTION_GET_PROVISIONING_MODE
activity.
Value: "android.app.extra.PROVISIONING_KEEP_SCREEN_ON"
EXTRA_PROVISIONING_LEAVE_ALL_SYSTEM_APPS_ENABLED
static val EXTRA_PROVISIONING_LEAVE_ALL_SYSTEM_APPS_ENABLED: String
A Boolean extra that can be used by the mobile device management application to skip the disabling of system apps during provisioning when set to true
.
Use in an NFC record with MIME_TYPE_PROVISIONING_NFC
, an intent with action ACTION_PROVISION_MANAGED_PROFILE
that starts profile owner provisioning or set as an extra to the intent result of the ACTION_GET_PROVISIONING_MODE
activity.
Value: "android.app.extra.PROVISIONING_LEAVE_ALL_SYSTEM_APPS_ENABLED"
EXTRA_PROVISIONING_LOCALE
static val EXTRA_PROVISIONING_LOCALE: String
A String extra holding the java.util.Locale
that the device will be set to. Format: xx_yy, where xx is the language code, and yy the country code.
Use only for device owner provisioning. This extra can be returned by the admin app when performing the admin-integrated provisioning flow as a result of the ACTION_GET_PROVISIONING_MODE
activity.
Use in an NFC record with MIME_TYPE_PROVISIONING_NFC
that starts device owner provisioning via an NFC bump. It can also be used for QR code provisioning.
Value: "android.app.extra.PROVISIONING_LOCALE"
EXTRA_PROVISIONING_LOCAL_TIME
static val EXTRA_PROVISIONING_LOCAL_TIME: String
A Long extra holding the wall clock time (in milliseconds) to be set on the device's android.app.AlarmManager
.
Use only for device owner provisioning. This extra can be returned by the admin app when performing the admin-integrated provisioning flow as a result of the ACTION_GET_PROVISIONING_MODE
activity.
Use in an NFC record with MIME_TYPE_PROVISIONING_NFC
that starts device owner provisioning via an NFC bump. It can also be used for QR code provisioning.
Value: "android.app.extra.PROVISIONING_LOCAL_TIME"
EXTRA_PROVISIONING_LOGO_URI
static valEXTRA_PROVISIONING_LOGO_URI: String
Deprecated: Logo customization is no longer supported in the provisioning flow.
A Uri
extra pointing to a logo image. This image will be shown during the provisioning. If this extra is not passed, a default image will be shown.
The following URI schemes are accepted:
- content (
android.content.ContentResolver#SCHEME_CONTENT
) - android.resource (
android.content.ContentResolver#SCHEME_ANDROID_RESOURCE
)
It is the responsibility of the caller to provide an image with a reasonable pixel density for the device.
If a content: URI is passed, the intent should also have the flag Intent.FLAG_GRANT_READ_URI_PERMISSION
and the uri should be added to the android.content.ClipData
of the intent.
Value: "android.app.extra.PROVISIONING_LOGO_URI"
EXTRA_PROVISIONING_MAIN_COLOR
static valEXTRA_PROVISIONING_MAIN_COLOR: String
Deprecated: Color customization is no longer supported in the provisioning flow.
A integer extra indicating the predominant color to show during the provisioning. Refer to android.graphics.Color
for how the color is represented.
Use with ACTION_PROVISION_MANAGED_PROFILE
or ACTION_PROVISION_MANAGED_DEVICE
.
Value: "android.app.extra.PROVISIONING_MAIN_COLOR"
EXTRA_PROVISIONING_MODE
static val EXTRA_PROVISIONING_MODE: String
An intent extra holding the provisioning mode returned by the administrator. The value of this extra must be one of the values provided in EXTRA_PROVISIONING_ALLOWED_PROVISIONING_MODES
, which is provided as an intent extra to the admin app's ACTION_GET_PROVISIONING_MODE
activity.
Value: "android.app.extra.PROVISIONING_MODE"
EXTRA_PROVISIONING_SENSORS_PERMISSION_GRANT_OPT_OUT
static val EXTRA_PROVISIONING_SENSORS_PERMISSION_GRANT_OPT_OUT: String
A boolean extra indicating the admin of a fully-managed device opts out of controlling permission grants for sensor-related permissions, see setPermissionGrantState(android.content.ComponentName,java.lang.String,java.lang.String,int)
. The default for this extra is false
- by default, the admin of a fully-managed device has the ability to grant sensors-related permissions.
Use only for device owner provisioning. This extra can be returned by the admin app when performing the admin-integrated provisioning flow as a result of the ACTION_GET_PROVISIONING_MODE
activity.
This extra may also be provided to the admin app via an intent extra for ACTION_GET_PROVISIONING_MODE
.
Value: "android.app.extra.PROVISIONING_SENSORS_PERMISSION_GRANT_OPT_OUT"
See Also
EXTRA_PROVISIONING_SERIAL_NUMBER
static val EXTRA_PROVISIONING_SERIAL_NUMBER: String
A string extra holding the serial number of the device.
Value: "android.app.extra.PROVISIONING_SERIAL_NUMBER"
EXTRA_PROVISIONING_SHOULD_LAUNCH_RESULT_INTENT
static val EXTRA_PROVISIONING_SHOULD_LAUNCH_RESULT_INTENT: String
A boolean extra that determines whether the provisioning flow should launch the resulting launch intent, if one is supplied by the device policy management role holder via EXTRA_RESULT_LAUNCH_INTENT
. Default value is false
.
If true
, the resulting intent will be launched by the provisioning flow, if one is supplied by the device policy management role holder.
If false
, the resulting intent will be returned as EXTRA_RESULT_LAUNCH_INTENT
to the provisioning initiator, if one is supplied by the device manager role holder. It will be the responsibility of the provisioning initiator to launch this Intent
after provisioning completes.
This extra is respected when provided via the provisioning intent actions such as ACTION_PROVISION_MANAGED_PROFILE
.
Value: "android.app.extra.PROVISIONING_SHOULD_LAUNCH_RESULT_INTENT"
EXTRA_PROVISIONING_SKIP_EDUCATION_SCREENS
static val EXTRA_PROVISIONING_SKIP_EDUCATION_SCREENS: String
A boolean extra indicating if the education screens from the provisioning flow should be skipped. If unspecified, defaults to false
.
This extra can be set in the following ways:
- By the admin app when performing the admin-integrated provisioning flow as a result of the
ACTION_GET_PROVISIONING_MODE
activity - For managed account enrollment
If the education screens are skipped, it is the admin application's responsibility to display its own user education screens.
Value: "android.app.extra.PROVISIONING_SKIP_EDUCATION_SCREENS"
EXTRA_PROVISIONING_SKIP_ENCRYPTION
static val EXTRA_PROVISIONING_SKIP_ENCRYPTION: String
A boolean extra indicating whether device encryption can be skipped as part of provisioning.
Use in an NFC record with MIME_TYPE_PROVISIONING_NFC
or an intent with action ACTION_PROVISION_MANAGED_DEVICE
that starts device owner provisioning.
From android.os.Build.VERSION_CODES#N
onwards, this is also supported for an intent with action ACTION_PROVISION_MANAGED_PROFILE
.
Value: "android.app.extra.PROVISIONING_SKIP_ENCRYPTION"
EXTRA_PROVISIONING_SKIP_USER_CONSENT
static valEXTRA_PROVISIONING_SKIP_USER_CONSENT: String
Deprecated: this extra is no longer relevant as device owners cannot create managed profiles
A boolean extra indicating if the user consent steps from the provisioning flow should be skipped.
If unspecified, defaults to false
.
Value: "android.app.extra.PROVISIONING_SKIP_USER_CONSENT"
EXTRA_PROVISIONING_TIME_ZONE
static val EXTRA_PROVISIONING_TIME_ZONE: String
A String extra holding the time zone android.app.AlarmManager
that the device will be set to.
Use only for device owner provisioning. This extra can be returned by the admin app when performing the admin-integrated provisioning flow as a result of the ACTION_GET_PROVISIONING_MODE
activity.
Use in an NFC record with MIME_TYPE_PROVISIONING_NFC
that starts device owner provisioning via an NFC bump. It can also be used for QR code provisioning.
Value: "android.app.extra.PROVISIONING_TIME_ZONE"
EXTRA_PROVISIONING_USE_MOBILE_DATA
static val EXTRA_PROVISIONING_USE_MOBILE_DATA: String
A boolean extra indicating if mobile data should be used during the provisioning flow for downloading the admin app. If EXTRA_PROVISIONING_WIFI_SSID
is also specified, wifi network will be used instead.
Default value is false
.
If this extra is set to true
and EXTRA_PROVISIONING_WIFI_SSID
is not specified, this extra has different behaviour depending on the way provisioning is triggered:
- For provisioning started via a QR code or an NFC tag, mobile data is always used for downloading the admin app.
- For all other provisioning methods, a mobile data connection check is made at the start of provisioning. If mobile data is connected at that point, the admin app download will happen using mobile data. If mobile data is not connected at that point, the end-user will be asked to pick a wifi network and the admin app download will proceed over wifi.
Value: "android.app.extra.PROVISIONING_USE_MOBILE_DATA"
EXTRA_PROVISIONING_WIFI_ANONYMOUS_IDENTITY
static val EXTRA_PROVISIONING_WIFI_ANONYMOUS_IDENTITY: String
The anonymous identity of the wifi network in EXTRA_PROVISIONING_WIFI_SSID
. This is only used if the EXTRA_PROVISIONING_WIFI_SECURITY_TYPE
is EAP
.
Use in an NFC record with MIME_TYPE_PROVISIONING_NFC
that starts device owner provisioning via an NFC bump. It can also be used for QR code provisioning.
Value: "android.app.extra.PROVISIONING_WIFI_ANONYMOUS_IDENTITY"
EXTRA_PROVISIONING_WIFI_CA_CERTIFICATE
static val EXTRA_PROVISIONING_WIFI_CA_CERTIFICATE: String
The CA certificate of the wifi network in EXTRA_PROVISIONING_WIFI_SSID
. This should be an X.509 certificate Base64 encoded DER format, ie. PEM representation of a certificate without header, footer and line breaks. More information This is only used if the EXTRA_PROVISIONING_WIFI_SECURITY_TYPE
is EAP
.
Use in an NFC record with MIME_TYPE_PROVISIONING_NFC
that starts device owner provisioning via an NFC bump. It can also be used for QR code provisioning.
Value: "android.app.extra.PROVISIONING_WIFI_CA_CERTIFICATE"
EXTRA_PROVISIONING_WIFI_DOMAIN
static val EXTRA_PROVISIONING_WIFI_DOMAIN: String
The domain of the wifi network in EXTRA_PROVISIONING_WIFI_SSID
. This is only used if the EXTRA_PROVISIONING_WIFI_SECURITY_TYPE
is EAP
.
Use in an NFC record with MIME_TYPE_PROVISIONING_NFC
that starts device owner provisioning via an NFC bump. It can also be used for QR code provisioning.
Value: "android.app.extra.PROVISIONING_WIFI_DOMAIN"
EXTRA_PROVISIONING_WIFI_EAP_METHOD
static val EXTRA_PROVISIONING_WIFI_EAP_METHOD: String
The EAP method of the wifi network in EXTRA_PROVISIONING_WIFI_SSID
and could be one of PEAP
, TLS
, TTLS
, PWD
, SIM
, AKA
or AKA_PRIME
. This is only used if the EXTRA_PROVISIONING_WIFI_SECURITY_TYPE
is EAP
.
Use in an NFC record with MIME_TYPE_PROVISIONING_NFC
that starts device owner provisioning via an NFC bump. It can also be used for QR code provisioning.
Value: "android.app.extra.PROVISIONING_WIFI_EAP_METHOD"
EXTRA_PROVISIONING_WIFI_HIDDEN
static val EXTRA_PROVISIONING_WIFI_HIDDEN: String
A boolean extra indicating whether the wifi network in EXTRA_PROVISIONING_WIFI_SSID
is hidden or not.
Use in an NFC record with MIME_TYPE_PROVISIONING_NFC
that starts device owner provisioning via an NFC bump. It can also be used for QR code provisioning.
Value: "android.app.extra.PROVISIONING_WIFI_HIDDEN"
EXTRA_PROVISIONING_WIFI_IDENTITY
static val EXTRA_PROVISIONING_WIFI_IDENTITY: String
The identity of the wifi network in EXTRA_PROVISIONING_WIFI_SSID
. This is only used if the EXTRA_PROVISIONING_WIFI_SECURITY_TYPE
is EAP
.
Use in an NFC record with MIME_TYPE_PROVISIONING_NFC
that starts device owner provisioning via an NFC bump. It can also be used for QR code provisioning.
Value: "android.app.extra.PROVISIONING_WIFI_IDENTITY"
EXTRA_PROVISIONING_WIFI_PAC_URL
static val EXTRA_PROVISIONING_WIFI_PAC_URL: String
A String extra holding the proxy auto-config (PAC) URL for the wifi network in EXTRA_PROVISIONING_WIFI_SSID
.
Use in an NFC record with MIME_TYPE_PROVISIONING_NFC
that starts device owner provisioning via an NFC bump. It can also be used for QR code provisioning.
Value: "android.app.extra.PROVISIONING_WIFI_PAC_URL"
EXTRA_PROVISIONING_WIFI_PASSWORD
static val EXTRA_PROVISIONING_WIFI_PASSWORD: String
A String extra holding the password of the wifi network in EXTRA_PROVISIONING_WIFI_SSID
.
Use in an NFC record with MIME_TYPE_PROVISIONING_NFC
that starts device owner provisioning via an NFC bump. It can also be used for QR code provisioning.
Value: "android.app.extra.PROVISIONING_WIFI_PASSWORD"
EXTRA_PROVISIONING_WIFI_PHASE2_AUTH
static val EXTRA_PROVISIONING_WIFI_PHASE2_AUTH: String
The phase 2 authentication of the wifi network in EXTRA_PROVISIONING_WIFI_SSID
and could be one of NONE
, PAP
, MSCHAP
, MSCHAPV2
, GTC
, SIM
, AKA
or AKA_PRIME
. This is only used if the EXTRA_PROVISIONING_WIFI_SECURITY_TYPE
is EAP
.
Use in an NFC record with MIME_TYPE_PROVISIONING_NFC
that starts device owner provisioning via an NFC bump. It can also be used for QR code provisioning.
Value: "android.app.extra.PROVISIONING_WIFI_PHASE2_AUTH"
EXTRA_PROVISIONING_WIFI_PROXY_BYPASS
static val EXTRA_PROVISIONING_WIFI_PROXY_BYPASS: String
A String extra holding the proxy bypass for the wifi network in EXTRA_PROVISIONING_WIFI_SSID
.
Use in an NFC record with MIME_TYPE_PROVISIONING_NFC
that starts device owner provisioning via an NFC bump. It can also be used for QR code provisioning.
Value: "android.app.extra.PROVISIONING_WIFI_PROXY_BYPASS"
EXTRA_PROVISIONING_WIFI_PROXY_HOST
static val EXTRA_PROVISIONING_WIFI_PROXY_HOST: String
A String extra holding the proxy host for the wifi network in EXTRA_PROVISIONING_WIFI_SSID
.
Use in an NFC record with MIME_TYPE_PROVISIONING_NFC
that starts device owner provisioning via an NFC bump. It can also be used for QR code provisioning.
Value: "android.app.extra.PROVISIONING_WIFI_PROXY_HOST"
EXTRA_PROVISIONING_WIFI_PROXY_PORT
static val EXTRA_PROVISIONING_WIFI_PROXY_PORT: String
An int extra holding the proxy port for the wifi network in EXTRA_PROVISIONING_WIFI_SSID
.
Use in an NFC record with MIME_TYPE_PROVISIONING_NFC
that starts device owner provisioning via an NFC bump. It can also be used for QR code provisioning.
Value: "android.app.extra.PROVISIONING_WIFI_PROXY_PORT"
EXTRA_PROVISIONING_WIFI_SECURITY_TYPE
static val EXTRA_PROVISIONING_WIFI_SECURITY_TYPE: String
A String extra indicating the security type of the wifi network in EXTRA_PROVISIONING_WIFI_SSID
and could be one of NONE
, WPA
, WEP
or EAP
.
Use in an NFC record with MIME_TYPE_PROVISIONING_NFC
that starts device owner provisioning via an NFC bump. It can also be used for QR code provisioning.
Value: "android.app.extra.PROVISIONING_WIFI_SECURITY_TYPE"
EXTRA_PROVISIONING_WIFI_SSID
static val EXTRA_PROVISIONING_WIFI_SSID: String
A String extra holding the ssid of the wifi network that should be used during nfc device owner provisioning for downloading the mobile device management application.
Use in an NFC record with MIME_TYPE_PROVISIONING_NFC
that starts device owner provisioning via an NFC bump. It can also be used for QR code provisioning.
Value: "android.app.extra.PROVISIONING_WIFI_SSID"
EXTRA_PROVISIONING_WIFI_USER_CERTIFICATE
static val EXTRA_PROVISIONING_WIFI_USER_CERTIFICATE: String
The user certificate of the wifi network in EXTRA_PROVISIONING_WIFI_SSID
. This should be an X.509 certificate and private key Base64 encoded DER format, ie. PEM representation of a certificate and key without header, footer and line breaks. More information This is only used if the EXTRA_PROVISIONING_WIFI_SECURITY_TYPE
is EAP
.
Use in an NFC record with MIME_TYPE_PROVISIONING_NFC
that starts device owner provisioning via an NFC bump. It can also be used for QR code provisioning.
Value: "android.app.extra.PROVISIONING_WIFI_USER_CERTIFICATE"
EXTRA_RESOURCE_IDS
static val EXTRA_RESOURCE_IDS: String
An integer array extra for ACTION_DEVICE_POLICY_RESOURCE_UPDATED
to indicate which resource IDs (i.e. strings and drawables) have been updated.
Value: "android.app.extra.RESOURCE_IDS"
EXTRA_RESOURCE_TYPE
static val EXTRA_RESOURCE_TYPE: String
An int
extra for ACTION_DEVICE_POLICY_RESOURCE_UPDATED
to indicate the type of the resource being updated, the type can be EXTRA_RESOURCE_TYPE_DRAWABLE
or EXTRA_RESOURCE_TYPE_STRING
Value: "android.app.extra.RESOURCE_TYPE"
EXTRA_RESOURCE_TYPE_DRAWABLE
static val EXTRA_RESOURCE_TYPE_DRAWABLE: Int
A int
value for EXTRA_RESOURCE_TYPE
to indicate that a resource of type Drawable
is being updated.
Value: 1
EXTRA_RESOURCE_TYPE_STRING
static val EXTRA_RESOURCE_TYPE_STRING: Int
A int
value for EXTRA_RESOURCE_TYPE
to indicate that a resource of type String
is being updated.
Value: 2
EXTRA_RESULT_LAUNCH_INTENT
static val EXTRA_RESULT_LAUNCH_INTENT: String
An Intent
result extra specifying the Intent
to be launched after provisioning is finalized.
If EXTRA_PROVISIONING_SHOULD_LAUNCH_RESULT_INTENT
is set to false
, this result will be supplied as part of the result Intent
for provisioning actions such as ACTION_PROVISION_MANAGED_PROFILE
. This result will also be supplied as part of the result Intent
for the device policy management role holder provisioning actions.
Value: "android.app.extra.RESULT_LAUNCH_INTENT"
FLAG_EVICT_CREDENTIAL_ENCRYPTION_KEY
static val FLAG_EVICT_CREDENTIAL_ENCRYPTION_KEY: Int
Flag for lockNow(int)
: also evict the user's credential encryption key from the keyring. The user's credential will need to be entered again in order to derive the credential encryption key that will be stored back in the keyring for future use.
This flag can only be used by a profile owner when locking a managed profile when getStorageEncryptionStatus
returns ENCRYPTION_STATUS_ACTIVE_PER_USER
.
In order to secure user data, the user will be stopped and restarted so apps should wait until they are next run to perform further actions.
Value: 1
FLAG_MANAGED_CAN_ACCESS_PARENT
static val FLAG_MANAGED_CAN_ACCESS_PARENT: Int
Flag used by addCrossProfileIntentFilter
to allow activities in the managed profile to access intents sent from the parent profile. That is, when an app in the parent profile calls android.app.Activity#startActivity(android.content.Intent), the intent can be resolved by a matching activity in the managed profile.
Value: 2
FLAG_PARENT_CAN_ACCESS_MANAGED
static val FLAG_PARENT_CAN_ACCESS_MANAGED: Int
Flag used by addCrossProfileIntentFilter
to allow activities in the parent profile to access intents sent from the managed profile. That is, when an app in the managed profile calls android.app.Activity#startActivity(android.content.Intent), the intent can be resolved by a matching activity in the parent profile.
Value: 1
ID_TYPE_BASE_INFO
static val ID_TYPE_BASE_INFO: Int
Specifies that the device should attest its manufacturer details. For use with generateKeyPair
.
Value: 1
See Also
ID_TYPE_IMEI
static val ID_TYPE_IMEI: Int
Specifies that the device should attest its IMEI. For use with generateKeyPair
.
Value: 4
See Also
ID_TYPE_INDIVIDUAL_ATTESTATION
static val ID_TYPE_INDIVIDUAL_ATTESTATION: Int
Specifies that the device should attest using an individual attestation certificate. For use with generateKeyPair
.
Value: 16
See Also
ID_TYPE_MEID
static val ID_TYPE_MEID: Int
Specifies that the device should attest its MEID. For use with generateKeyPair
.
Value: 8
See Also
ID_TYPE_SERIAL
static val ID_TYPE_SERIAL: Int
Specifies that the device should attest its serial number. For use with generateKeyPair
.
Value: 2
See Also
INSTALLKEY_REQUEST_CREDENTIALS_ACCESS
static val INSTALLKEY_REQUEST_CREDENTIALS_ACCESS: Int
Specifies that the calling app should be granted access to the installed credentials immediately. Otherwise, access to the credentials will be gated by user approval. For use with installKeyPair(android.content.ComponentName,java.security.PrivateKey,java.security.cert.Certificate[],java.lang.String,int)
Value: 1
INSTALLKEY_SET_USER_SELECTABLE
static val INSTALLKEY_SET_USER_SELECTABLE: Int
Specifies that a user can select the key via the Certificate Selection prompt. If this flag is not set when calling #installKeyPair, the key can only be granted access by implementing android.app.admin.DeviceAdminReceiver#onChoosePrivateKeyAlias
. For use with installKeyPair(android.content.ComponentName,java.security.PrivateKey,java.security.cert.Certificate[],java.lang.String,int)
Value: 2
KEYGUARD_DISABLE_BIOMETRICS
static val KEYGUARD_DISABLE_BIOMETRICS: Int
Disable all biometric authentication on keyguard secure screens (e.g. PIN/Pattern/Password).
Value: 416
KEYGUARD_DISABLE_FACE
static val KEYGUARD_DISABLE_FACE: Int
Disable face authentication on keyguard secure screens (e.g. PIN/Pattern/Password).
Value: 128
KEYGUARD_DISABLE_FEATURES_ALL
static val KEYGUARD_DISABLE_FEATURES_ALL: Int
Disable all current and future keyguard customizations.
Value: 2147483647
KEYGUARD_DISABLE_FEATURES_NONE
static val KEYGUARD_DISABLE_FEATURES_NONE: Int
Widgets are enabled in keyguard
Value: 0
KEYGUARD_DISABLE_FINGERPRINT
static val KEYGUARD_DISABLE_FINGERPRINT: Int
Disable fingerprint authentication on keyguard secure screens (e.g. PIN/Pattern/Password).
Value: 32
KEYGUARD_DISABLE_IRIS
static val KEYGUARD_DISABLE_IRIS: Int
Disable iris authentication on keyguard secure screens (e.g. PIN/Pattern/Password).
Value: 256
KEYGUARD_DISABLE_REMOTE_INPUT
static valKEYGUARD_DISABLE_REMOTE_INPUT: Int
Deprecated: This flag was added in version android.os.Build.VERSION_CODES#N
, but it never had any effect.
Disable text entry into notifications on secure keyguard screens (e.g. PIN/Pattern/Password).
Value: 64
KEYGUARD_DISABLE_SECURE_CAMERA
static val KEYGUARD_DISABLE_SECURE_CAMERA: Int
Disable the camera on secure keyguard screens (e.g. PIN/Pattern/Password)
Value: 2
KEYGUARD_DISABLE_SECURE_NOTIFICATIONS
static val KEYGUARD_DISABLE_SECURE_NOTIFICATIONS: Int
Disable showing all notifications on secure keyguard screens (e.g. PIN/Pattern/Password)
Value: 4
KEYGUARD_DISABLE_SHORTCUTS_ALL
static val KEYGUARD_DISABLE_SHORTCUTS_ALL: Int
Disable all keyguard shortcuts.
Value: 512
KEYGUARD_DISABLE_TRUST_AGENTS
static val KEYGUARD_DISABLE_TRUST_AGENTS: Int
Disable trust agents on secure keyguard screens (e.g. PIN/Pattern/Password). By setting this flag alone, all trust agents are disabled. If the admin then wants to allowlist specific features of some trust agent, setTrustAgentConfiguration
can be used in conjuction to set trust-agent-specific configurations.
Value: 16
KEYGUARD_DISABLE_UNREDACTED_NOTIFICATIONS
static val KEYGUARD_DISABLE_UNREDACTED_NOTIFICATIONS: Int
Only allow redacted notifications on secure keyguard screens (e.g. PIN/Pattern/Password)
Value: 8
KEYGUARD_DISABLE_WIDGETS_ALL
static val KEYGUARD_DISABLE_WIDGETS_ALL: Int
Disable all keyguard widgets. Has no effect between android.os.Build.VERSION_CODES#LOLLIPOP
and android.os.Build.VERSION_CODES#UPSIDE_DOWN_CAKE
(both inclusive), since keyguard widget is only supported on Android versions lower than 5.0 and versions higher than 14.
Value: 1
LEAVE_ALL_SYSTEM_APPS_ENABLED
static val LEAVE_ALL_SYSTEM_APPS_ENABLED: Int
Flag used by createAndManageUser
to specify that the newly created user should skip the disabling of system apps during provisioning.
Value: 16
LOCK_TASK_FEATURE_BLOCK_ACTIVITY_START_IN_TASK
static val LOCK_TASK_FEATURE_BLOCK_ACTIVITY_START_IN_TASK: Int
Enable blocking of non-allowlisted activities from being started into a locked task.
Value: 64
LOCK_TASK_FEATURE_GLOBAL_ACTIONS
static val LOCK_TASK_FEATURE_GLOBAL_ACTIONS: Int
Enable the global actions dialog during LockTask mode. This is the dialog that shows up when the user long-presses the power button, for example. Note that the user may not be able to power off the device if this flag is not set.
This flag is enabled by default until setLockTaskFeatures(android.content.ComponentName,int)
is called for the first time.
Value: 16
LOCK_TASK_FEATURE_HOME
static val LOCK_TASK_FEATURE_HOME: Int
Enable the Home button during LockTask mode. Note that if a custom launcher is used, it has to be registered as the default launcher with addPersistentPreferredActivity(android.content.ComponentName,android.content.IntentFilter,android.content.ComponentName)
, and its package needs to be allowlisted for LockTask with setLockTaskPackages(android.content.ComponentName,java.lang.String[])
.
Value: 4
LOCK_TASK_FEATURE_KEYGUARD
static val LOCK_TASK_FEATURE_KEYGUARD: Int
Enable the keyguard during LockTask mode. Note that if the keyguard is already disabled with setKeyguardDisabled(android.content.ComponentName,boolean)
, setting this flag will have no effect. If this flag is not set, the keyguard will not be shown even if the user has a lock screen credential.
Value: 32
LOCK_TASK_FEATURE_NONE
static val LOCK_TASK_FEATURE_NONE: Int
Disable all configurable SystemUI features during LockTask mode. This includes,
- system info area in the status bar (connectivity icons, clock, etc.)
- notifications (including alerts, icons, and the notification shade)
- Home button
- Recents button and UI
- global actions menu (i.e. power button menu)
- keyguard
Value: 0
LOCK_TASK_FEATURE_NOTIFICATIONS
static val LOCK_TASK_FEATURE_NOTIFICATIONS: Int
Enable notifications during LockTask mode. This includes notification icons on the status bar, heads-up notifications, and the expandable notification shade. Note that the Quick Settings panel remains disabled. This feature flag can only be used in combination with LOCK_TASK_FEATURE_HOME
. setLockTaskFeatures(android.content.ComponentName,int)
throws an IllegalArgumentException
if this feature flag is defined without LOCK_TASK_FEATURE_HOME
.
Value: 2
LOCK_TASK_FEATURE_OVERVIEW
static val LOCK_TASK_FEATURE_OVERVIEW: Int
Enable the Overview button and the Overview screen during LockTask mode. This feature flag can only be used in combination with LOCK_TASK_FEATURE_HOME
, and setLockTaskFeatures(android.content.ComponentName,int)
will throw an IllegalArgumentException
if this feature flag is defined without LOCK_TASK_FEATURE_HOME
.
Value: 8
LOCK_TASK_FEATURE_SYSTEM_INFO
static val LOCK_TASK_FEATURE_SYSTEM_INFO: Int
Enable the system info area in the status bar during LockTask mode. The system info area usually occupies the right side of the status bar (although this can differ across OEMs). It includes all system information indicators, such as date and time, connectivity, battery, vibration mode, etc.
Value: 1
MAKE_USER_EPHEMERAL
static val MAKE_USER_EPHEMERAL: Int
Flag used by createAndManageUser
to specify that the user should be created ephemeral. Ephemeral users will be removed after switching to another user or rebooting the device.
Value: 2
MIME_TYPE_PROVISIONING_NFC
static val MIME_TYPE_PROVISIONING_NFC: String
This MIME type is used for starting the device owner provisioning.
During device owner provisioning a device admin app is set as the owner of the device. A device owner has full control over the device. The device owner can not be modified by the user and the only way of resetting the device is if the device owner app calls a factory reset.
A typical use case would be a device that is owned by a company, but used by either an employee or client.
The NFC message must be sent to an unprovisioned device.
The NFC record must contain a serialized java.util.Properties
object which contains the following properties:
EXTRA_PROVISIONING_DEVICE_ADMIN_PACKAGE_NAME
EXTRA_PROVISIONING_DEVICE_ADMIN_PACKAGE_DOWNLOAD_LOCATION
, optionalEXTRA_PROVISIONING_DEVICE_ADMIN_PACKAGE_DOWNLOAD_COOKIE_HEADER
, optionalEXTRA_PROVISIONING_DEVICE_ADMIN_PACKAGE_CHECKSUM
, optionalEXTRA_PROVISIONING_LOCAL_TIME
(convert to String), optionalEXTRA_PROVISIONING_TIME_ZONE
, optionalEXTRA_PROVISIONING_LOCALE
, optionalEXTRA_PROVISIONING_WIFI_SSID
, optionalEXTRA_PROVISIONING_WIFI_HIDDEN
(convert to String), optionalEXTRA_PROVISIONING_WIFI_SECURITY_TYPE
, optionalEXTRA_PROVISIONING_WIFI_PASSWORD
, optionalEXTRA_PROVISIONING_WIFI_PROXY_HOST
, optionalEXTRA_PROVISIONING_WIFI_PROXY_PORT
(convert to String), optionalEXTRA_PROVISIONING_WIFI_PROXY_BYPASS
, optionalEXTRA_PROVISIONING_WIFI_PAC_URL
, optionalEXTRA_PROVISIONING_ADMIN_EXTRAS_BUNDLE
, optional, supported fromandroid.os.Build.VERSION_CODES#M
EXTRA_PROVISIONING_WIFI_EAP_METHOD
, optional, supported fromandroid.os.Build.VERSION_CODES#Q
EXTRA_PROVISIONING_WIFI_PHASE2_AUTH
, optional, supported fromandroid.os.Build.VERSION_CODES#Q
EXTRA_PROVISIONING_WIFI_CA_CERTIFICATE
, optional, supported fromandroid.os.Build.VERSION_CODES#Q
EXTRA_PROVISIONING_WIFI_USER_CERTIFICATE
, optional, supported fromandroid.os.Build.VERSION_CODES#Q
EXTRA_PROVISIONING_WIFI_IDENTITY
, optional, supported fromandroid.os.Build.VERSION_CODES#Q
EXTRA_PROVISIONING_WIFI_ANONYMOUS_IDENTITY
, optional, supported fromandroid.os.Build.VERSION_CODES#Q
EXTRA_PROVISIONING_WIFI_DOMAIN
, optional, supported fromandroid.os.Build.VERSION_CODES#Q
As of android.os.Build.VERSION_CODES#M
, the properties should contain EXTRA_PROVISIONING_DEVICE_ADMIN_COMPONENT_NAME
instead of EXTRA_PROVISIONING_DEVICE_ADMIN_PACKAGE_NAME
, (although specifying only EXTRA_PROVISIONING_DEVICE_ADMIN_PACKAGE_NAME
is still supported).
Value: "application/com.android.managedprovisioning"
MTE_DISABLED
static val MTE_DISABLED: Int
Require that MTE be disabled on the device. Can be set by a device owner.
Value: 2
MTE_ENABLED
static val MTE_ENABLED: Int
Require that MTE be enabled on the device, if supported. Can be set by a device owner or a profile owner of an organization-owned managed profile.
Value: 1
MTE_NOT_CONTROLLED_BY_POLICY
static val MTE_NOT_CONTROLLED_BY_POLICY: Int
Allow the user to choose whether to enable MTE on the device.
Value: 0
NEARBY_STREAMING_DISABLED
static val NEARBY_STREAMING_DISABLED: Int
Indicates that nearby streaming is disabled.
Value: 1
NEARBY_STREAMING_ENABLED
static val NEARBY_STREAMING_ENABLED: Int
Indicates that nearby streaming is enabled.
Value: 2
NEARBY_STREAMING_NOT_CONTROLLED_BY_POLICY
static val NEARBY_STREAMING_NOT_CONTROLLED_BY_POLICY: Int
Indicates that nearby streaming is not controlled by policy, which means nearby streaming is allowed.
Value: 0
NEARBY_STREAMING_SAME_MANAGED_ACCOUNT_ONLY
static val NEARBY_STREAMING_SAME_MANAGED_ACCOUNT_ONLY: Int
Indicates that nearby streaming is enabled only to devices offering a comparable level of security, with the same authenticated managed account.
Value: 3
OPERATION_SAFETY_REASON_DRIVING_DISTRACTION
static val OPERATION_SAFETY_REASON_DRIVING_DISTRACTION: Int
Indicates that a UnsafeStateException
was thrown because the operation would distract the driver of the vehicle.
Value: 1
PASSWORD_COMPLEXITY_HIGH
static val PASSWORD_COMPLEXITY_HIGH: Int
Constant for getPasswordComplexity()
and setRequiredPasswordComplexity(int)
. Define the high password complexity band as:
- PIN with no repeating (4444) or ordered (1234, 4321, 2468) sequences, length at least 8
- alphabetic, length at least 6
- alphanumeric, length at least 6
When returned from getPasswordComplexity()
, the constant represents the exact complexity band the password is in. When passed to it sets the minimum complexity
Value: 327680
PASSWORD_COMPLEXITY_LOW
static val PASSWORD_COMPLEXITY_LOW: Int
Constant for getPasswordComplexity()
and setRequiredPasswordComplexity(int)
. Define the low password complexity band as:
- pattern
- PIN with repeating (4444) or ordered (1234, 4321, 2468) sequences
When returned from getPasswordComplexity()
, the constant represents the exact complexity band the password is in. When passed to it sets the minimum complexity
Value: 65536
PASSWORD_COMPLEXITY_MEDIUM
static val PASSWORD_COMPLEXITY_MEDIUM: Int
Constant for getPasswordComplexity()
and setRequiredPasswordComplexity(int)
. Define the medium password complexity band as:
- PIN with no repeating (4444) or ordered (1234, 4321, 2468) sequences, length at least 4
- alphabetic, length at least 4
- alphanumeric, length at least 4
When returned from getPasswordComplexity()
, the constant represents the exact complexity band the password is in. When passed to it sets the minimum complexity
Value: 196608
PASSWORD_COMPLEXITY_NONE
static val PASSWORD_COMPLEXITY_NONE: Int
Constant for getPasswordComplexity()
and setRequiredPasswordComplexity(int)
: no password.
When returned from getPasswordComplexity()
, the constant represents the exact complexity band the password is in. When passed to it sets the minimum complexity
Value: 0
PASSWORD_QUALITY_ALPHABETIC
static val PASSWORD_QUALITY_ALPHABETIC: Int
Constant for setPasswordQuality
: the user must have entered a password containing at least alphabetic (or other symbol) characters. Note that quality constants are ordered so that higher values are more restrictive.
Value: 262144
PASSWORD_QUALITY_ALPHANUMERIC
static val PASSWORD_QUALITY_ALPHANUMERIC: Int
Constant for setPasswordQuality
: the user must have entered a password containing at least both> numeric and alphabetic (or other symbol) characters. Note that quality constants are ordered so that higher values are more restrictive.
Value: 327680
PASSWORD_QUALITY_BIOMETRIC_WEAK
static val PASSWORD_QUALITY_BIOMETRIC_WEAK: Int
Constant for setPasswordQuality
: the policy allows for low-security biometric recognition technology. This implies technologies that can recognize the identity of an individual to about a 3 digit PIN (false detection is less than 1 in 1,000). Note that quality constants are ordered so that higher values are more restrictive.
Value: 32768
PASSWORD_QUALITY_COMPLEX
static val PASSWORD_QUALITY_COMPLEX: Int
Constant for setPasswordQuality
: allows the admin to set precisely how many characters of various types the password should contain to satisfy the policy. The admin should set these requirements via setPasswordMinimumLetters
, setPasswordMinimumNumeric
, setPasswordMinimumSymbols
, setPasswordMinimumUpperCase
, setPasswordMinimumLowerCase
, setPasswordMinimumNonLetter
, and setPasswordMinimumLength
. Note that quality constants are ordered so that higher values are more restrictive.
Value: 393216
PASSWORD_QUALITY_NUMERIC
static val PASSWORD_QUALITY_NUMERIC: Int
Constant for setPasswordQuality
: the user must have entered a password containing at least numeric characters. Note that quality constants are ordered so that higher values are more restrictive.
Value: 131072
PASSWORD_QUALITY_NUMERIC_COMPLEX
static val PASSWORD_QUALITY_NUMERIC_COMPLEX: Int
Constant for setPasswordQuality
: the user must have entered a password containing at least numeric characters with no repeating (4444) or ordered (1234, 4321, 2468) sequences. Note that quality constants are ordered so that higher values are more restrictive.
Value: 196608
PASSWORD_QUALITY_SOMETHING
static val PASSWORD_QUALITY_SOMETHING: Int
Constant for setPasswordQuality
: the policy requires some kind of password or pattern, but doesn't care what it is. Note that quality constants are ordered so that higher values are more restrictive.
Value: 65536
PASSWORD_QUALITY_UNSPECIFIED
static val PASSWORD_QUALITY_UNSPECIFIED: Int
Constant for setPasswordQuality
: the policy has no requirements for the password. Note that quality constants are ordered so that higher values are more restrictive.
Value: 0
PERMISSION_GRANT_STATE_DEFAULT
static val PERMISSION_GRANT_STATE_DEFAULT: Int
Runtime permission state: The user can manage the permission through the UI.
Value: 0
PERMISSION_GRANT_STATE_DENIED
static val PERMISSION_GRANT_STATE_DENIED: Int
Runtime permission state: The permission is denied to the app and the user cannot manage the permission through the UI.
Value: 2
PERMISSION_GRANT_STATE_GRANTED
static val PERMISSION_GRANT_STATE_GRANTED: Int
Runtime permission state: The permission is granted to the app and the user cannot manage the permission through the UI.
Value: 1
PERMISSION_POLICY_AUTO_DENY
static val PERMISSION_POLICY_AUTO_DENY: Int
Permission policy to always deny new permission requests for runtime permissions. Already granted or denied permissions are not affected by this.
Value: 2
PERMISSION_POLICY_AUTO_GRANT
static val PERMISSION_POLICY_AUTO_GRANT: Int
Permission policy to always grant new permission requests for runtime permissions. Already granted or denied permissions are not affected by this.
Value: 1
PERMISSION_POLICY_PROMPT
static val PERMISSION_POLICY_PROMPT: Int
Permission policy to prompt user for new permission requests for runtime permissions. Already granted or denied permissions are not affected by this.
Value: 0
PERSONAL_APPS_NOT_SUSPENDED
static val PERSONAL_APPS_NOT_SUSPENDED: Int
Return value for getPersonalAppsSuspendedReasons
when personal apps are not suspended.
Value: 0
PERSONAL_APPS_SUSPENDED_EXPLICITLY
static val PERSONAL_APPS_SUSPENDED_EXPLICITLY: Int
Flag for getPersonalAppsSuspendedReasons
return value. Set when personal apps are suspended by an admin explicitly via setPersonalAppsSuspended
.
Value: 1
PERSONAL_APPS_SUSPENDED_PROFILE_TIMEOUT
static val PERSONAL_APPS_SUSPENDED_PROFILE_TIMEOUT: Int
Flag for getPersonalAppsSuspendedReasons
return value. Set when personal apps are suspended by framework because managed profile was off for longer than allowed by policy.
Value: 2
See Also
POLICY_DISABLE_CAMERA
static val POLICY_DISABLE_CAMERA: String
Constant to indicate the feature of disabling the camera. Used as argument to createAdminSupportIntent(java.lang.String)
.
Value: "policy_disable_camera"
POLICY_DISABLE_SCREEN_CAPTURE
static val POLICY_DISABLE_SCREEN_CAPTURE: String
Constant to indicate the feature of disabling screen captures. Used as argument to createAdminSupportIntent(java.lang.String)
.
Value: "policy_disable_screen_capture"
PRIVATE_DNS_MODE_OFF
static val PRIVATE_DNS_MODE_OFF: Int
Specifies that Private DNS was turned off completely.
Value: 1
PRIVATE_DNS_MODE_OPPORTUNISTIC
static val PRIVATE_DNS_MODE_OPPORTUNISTIC: Int
Specifies that the device owner requested opportunistic DNS over TLS
Value: 2
PRIVATE_DNS_MODE_PROVIDER_HOSTNAME
static val PRIVATE_DNS_MODE_PROVIDER_HOSTNAME: Int
Specifies that the device owner configured a specific host to use for Private DNS.
Value: 3
PRIVATE_DNS_MODE_UNKNOWN
static val PRIVATE_DNS_MODE_UNKNOWN: Int
Specifies that the Private DNS setting is in an unknown state.
Value: 0
PRIVATE_DNS_SET_ERROR_FAILURE_SETTING
static val PRIVATE_DNS_SET_ERROR_FAILURE_SETTING: Int
General failure to set the Private DNS mode, not due to one of the reasons listed above.
Value: 2
PRIVATE_DNS_SET_ERROR_HOST_NOT_SERVING
static val PRIVATE_DNS_SET_ERROR_HOST_NOT_SERVING: Int
If the privateDnsHost
provided was of a valid hostname but that host was found to not support DNS-over-TLS.
Value: 1
PRIVATE_DNS_SET_NO_ERROR
static val PRIVATE_DNS_SET_NO_ERROR: Int
The selected mode has been set successfully. If the mode is PRIVATE_DNS_MODE_PROVIDER_HOSTNAME
then it implies the supplied host is valid and reachable.
Value: 0
PROVISIONING_MODE_FULLY_MANAGED_DEVICE
static val PROVISIONING_MODE_FULLY_MANAGED_DEVICE: Int
The provisioning mode for fully managed device.
Value: 1
PROVISIONING_MODE_MANAGED_PROFILE
static val PROVISIONING_MODE_MANAGED_PROFILE: Int
The provisioning mode for managed profile.
Value: 2
PROVISIONING_MODE_MANAGED_PROFILE_ON_PERSONAL_DEVICE
static val PROVISIONING_MODE_MANAGED_PROFILE_ON_PERSONAL_DEVICE: Int
The provisioning mode for a managed profile on a personal device.
This mode is only available when the provisioning initiator has explicitly instructed the provisioning flow to support managed profile on a personal device provisioning. In that case, PROVISIONING_MODE_MANAGED_PROFILE
corresponds to an organization-owned managed profile, whereas this constant corresponds to a personally-owned managed profile.
Value: 3
See Also
RESET_PASSWORD_DO_NOT_ASK_CREDENTIALS_ON_BOOT
static val RESET_PASSWORD_DO_NOT_ASK_CREDENTIALS_ON_BOOT: Int
Flag for resetPasswordWithToken
and resetPassword
: don't ask for user credentials on device boot. If the flag is set, the device can be booted without asking for user password. The absence of this flag does not change the current boot requirements. This flag can be set by the device owner only. If the app is not the device owner, the flag is ignored. Once the flag is set, it cannot be reverted back without resetting the device to factory defaults.
Value: 2
RESET_PASSWORD_REQUIRE_ENTRY
static val RESET_PASSWORD_REQUIRE_ENTRY: Int
Flag for resetPasswordWithToken
and resetPassword
: don't allow other admins to change the password again until the user has entered it.
Value: 1
SKIP_SETUP_WIZARD
static val SKIP_SETUP_WIZARD: Int
Flag used by createAndManageUser
to skip setup wizard after creating a new user.
Value: 1
WIFI_SECURITY_ENTERPRISE_192
static val WIFI_SECURITY_ENTERPRISE_192: Int
Constant for getMinimumRequiredWifiSecurityLevel()
and setMinimumRequiredWifiSecurityLevel(int)
: enterprise 192 bit network.
When returned from getMinimumRequiredWifiSecurityLevel()
, the constant represents the current minimum security level required. When passed to setMinimumRequiredWifiSecurityLevel(int)
, it sets the minimum security level a Wi-Fi network must meet.
Value: 3
WIFI_SECURITY_ENTERPRISE_EAP
static val WIFI_SECURITY_ENTERPRISE_EAP: Int
Constant for getMinimumRequiredWifiSecurityLevel()
and setMinimumRequiredWifiSecurityLevel(int)
: enterprise EAP network.
When returned from getMinimumRequiredWifiSecurityLevel()
, the constant represents the current minimum security level required. When passed to setMinimumRequiredWifiSecurityLevel(int)
, it sets the minimum security level a Wi-Fi network must meet.
Value: 2
WIFI_SECURITY_OPEN
static val WIFI_SECURITY_OPEN: Int
Constant for getMinimumRequiredWifiSecurityLevel()
and setMinimumRequiredWifiSecurityLevel(int)
: no minimum security level.
When returned from getMinimumRequiredWifiSecurityLevel()
, the constant represents the current minimum security level required. When passed to setMinimumRequiredWifiSecurityLevel(int)
, it sets the minimum security level a Wi-Fi network must meet.
Value: 0
WIFI_SECURITY_PERSONAL
static val WIFI_SECURITY_PERSONAL: Int
Constant for getMinimumRequiredWifiSecurityLevel()
and setMinimumRequiredWifiSecurityLevel(int)
: personal network such as WEP, WPA2-PSK.
When returned from getMinimumRequiredWifiSecurityLevel()
, the constant represents the current minimum security level required. When passed to setMinimumRequiredWifiSecurityLevel(int)
, it sets the minimum security level a Wi-Fi network must meet.
Value: 1
WIPE_EUICC
static val WIPE_EUICC: Int
Flag for wipeData(int)
: also erase the device's eUICC data.
Value: 4
WIPE_EXTERNAL_STORAGE
static val WIPE_EXTERNAL_STORAGE: Int
Flag for wipeData(int)
: also erase the device's adopted external storage (such as adopted SD cards).
Value: 1
See Also
WIPE_RESET_PROTECTION_DATA
static val WIPE_RESET_PROTECTION_DATA: Int
Flag for wipeData(int)
: also erase the factory reset protection data.
This flag may only be set by device owner admins; if it is set by other admins a SecurityException
will be thrown.
Value: 2
WIPE_SILENTLY
static val WIPE_SILENTLY: Int
Flag for wipeData(int)
: won't show reason for wiping to the user.
Value: 8
Public methods
acknowledgeDeviceCompliant
open fun acknowledgeDeviceCompliant(): Unit
Called by a profile owner of an organization-owned managed profile to acknowledge that the device is compliant and the user can turn the profile off if needed according to the maximum time off policy. This method should be called when the device is deemed compliant after getting DeviceAdminReceiver.onComplianceAcknowledgementRequired(Context, Intent)
callback in case it is overridden. Before this method is called the user is still free to turn the profile off, but the timer won't be reset, so personal apps will be suspended sooner. DPCs only need acknowledging device compliance if they override DeviceAdminReceiver.onComplianceAcknowledgementRequired(Context, Intent)
, otherwise compliance is acknowledged automatically.
Exceptions | |
---|---|
java.lang.IllegalStateException |
if the user isn't unlocked |
addCrossProfileIntentFilter
open fun addCrossProfileIntentFilter(
admin: ComponentName?,
filter: IntentFilter!,
flags: Int
): Unit
Called by the profile owner of a managed profile so that some intents sent in the managed profile can also be resolved in the parent, or vice versa. Only activity intents are supported.
Parameters | |
---|---|
admin |
ComponentName?: Which DeviceAdminReceiver this request is associated with. This value may be null . |
filter |
IntentFilter!: The IntentFilter the intent has to match to be also resolved in the other profile |
flags |
Int: DevicePolicyManager.FLAG_MANAGED_CAN_ACCESS_PARENT and DevicePolicyManager.FLAG_PARENT_CAN_ACCESS_MANAGED are supported. |
Exceptions | |
---|---|
java.lang.SecurityException |
if admin is not a device or profile owner. |
addCrossProfileWidgetProvider
open fun addCrossProfileWidgetProvider(
admin: ComponentName?,
packageName: String!
): Boolean
Called by the profile owner of a managed profile or a holder of the permission android.Manifest.permission#MANAGE_DEVICE_POLICY_PROFILE_INTERACTION
to enable widget providers from a given package to be available in the parent profile. As a result the user will be able to add widgets from the allowlisted package running under the profile to a widget host which runs under the parent profile, for example the home screen. Note that a package may have zero or more provider components, where each component provides a different widget type.
Note: By default no widget provider package is allowlisted.
Parameters | |
---|---|
admin |
ComponentName?: Which DeviceAdminReceiver this request is associated with. Null if the caller is not a device admin. This value may be null . |
packageName |
String!: The package from which widget providers are allowlisted. |
Return | |
---|---|
Boolean |
Whether the package was added. |
Exceptions | |
---|---|
java.lang.SecurityException |
if admin is not a profile owner and not a holder of the permission android.Manifest.permission#MANAGE_DEVICE_POLICY_PROFILE_INTERACTION . |
addOverrideApn
open fun addOverrideApn(
admin: ComponentName,
apnSetting: ApnSetting
): Int
Called by device owner or managed profile owner to add an override APN.
This method may returns -1
if apnSetting
conflicts with an existing override APN. Update the existing conflicted APN with updateOverrideApn(android.content.ComponentName,int,android.telephony.data.ApnSetting)
instead of adding a new entry.
Two override APNs are considered to conflict when all the following APIs return the same values on both override APNs:
ApnSetting.getOperatorNumeric()
ApnSetting.getApnName()
ApnSetting.getProxyAddressAsString()
ApnSetting.getProxyPort()
ApnSetting.getMmsProxyAddressAsString()
ApnSetting.getMmsProxyPort()
ApnSetting.getMmsc()
ApnSetting.isEnabled()
ApnSetting.getMvnoType()
ApnSetting.getProtocol()
ApnSetting.getRoamingProtocol()
Before Android version android.os.Build.VERSION_CODES#TIRAMISU
: Only device owners can add APNs.
Starting from Android version android.os.Build.VERSION_CODES#TIRAMISU
: Both device owners and managed profile owners can add enterprise APNs (ApnSetting.TYPE_ENTERPRISE
), while only device owners can add other type of APNs. Enterprise APNs are specific to the managed profile and do not override any user-configured VPNs. They are prerequisites for enabling preferential network service on the managed profile on 4G networks (setPreferentialNetworkServiceConfigs
).
Parameters | |
---|---|
admin |
ComponentName: which DeviceAdminReceiver this request is associated with This value cannot be null . |
apnSetting |
ApnSetting: the override APN to insert This value cannot be null . |
Return | |
---|---|
Int |
The id of inserted override APN. Or -1 when failed to insert into the database. |
Exceptions | |
---|---|
java.lang.SecurityException |
If request is for enterprise APN admin is either device owner or profile owner and in all other types of APN if admin is not a device owner. |
addPersistentPreferredActivity
open fun addPersistentPreferredActivity(
admin: ComponentName?,
filter: IntentFilter!,
activity: ComponentName
): Unit
Called by a profile owner or device owner or holder of the permission android.Manifest.permission#MANAGE_DEVICE_POLICY_LOCK_TASK
. to set a default activity that the system selects to handle intents that match the given IntentFilter
instead of showing the default disambiguation mechanism. This activity will remain the default intent handler even if the set of potential event handlers for the intent filter changes and if the intent preferences are reset.
Note that the target application should still declare the activity in the manifest, the API just sets the activity to be the default one to handle the given intent filter.
The default disambiguation mechanism takes over if the activity is not installed (anymore). When the activity is (re)installed, it is automatically reset as default intent handler for the filter.
Note that calling this API to set a default intent handler, only allow to avoid the default disambiguation mechanism. Implicit intents that do not trigger this mechanism (like invoking the browser) cannot be configured as they are controlled by other configurations.
The calling device admin must be a profile owner or device owner. If it is not, a security exception will be thrown.
Starting from Build.VERSION_CODES.UPSIDE_DOWN_CAKE
, after the persistent preferred activity policy has been set, PolicyUpdateReceiver.onPolicySetResult(Context, String,
will notify the admin on whether the policy was successfully set or not. This callback will contain:
- The policy identifier
DevicePolicyIdentifiers.PERSISTENT_PREFERRED_ACTIVITY_POLICY
- The additional policy params bundle, which contains
PolicyUpdateReceiver.EXTRA_INTENT_FILTER
the intent filter the policy applies to - The
TargetUser
that this policy relates to - The
PolicyUpdateResult
, which will bePolicyUpdateResult.RESULT_POLICY_SET
if the policy was successfully set or the reason the policy failed to be set (e.g.PolicyUpdateResult.RESULT_FAILURE_CONFLICTING_ADMIN_POLICY
)
PolicyUpdateReceiver.onPolicyChanged(Context, String, Bundle, TargetUser,
will notify the admin of this change. This callback will contain the same parameters as PolicyUpdateReceiver#onPolicySetResult and the PolicyUpdateResult
will contain the reason why the policy changed.
NOTE: Performs disk I/O and shouldn't be called on the main thread.
Parameters | |
---|---|
admin |
ComponentName?: Which DeviceAdminReceiver this request is associated with. Null if the caller is not a device admin. This value may be null . |
filter |
IntentFilter!: The IntentFilter for which a default handler is added. |
activity |
ComponentName: The Activity that is added as default intent handler. This value cannot be null . |
Exceptions | |
---|---|
java.lang.SecurityException |
if admin is not a device or profile owner or holder of the permission android.Manifest.permission#MANAGE_DEVICE_POLICY_LOCK_TASK . |
addUserRestriction
open fun addUserRestriction(
admin: ComponentName,
key: String!
): Unit
Called by a profile owner, device owner or a holder of any permission that is associated with a user restriction to set a user restriction specified by the key.
The calling device admin must be a profile owner, device owner or holder of any permission that is associated with a user restriction; if it is not, a security exception will be thrown.
The profile owner of an organization-owned managed profile may invoke this method on the DevicePolicyManager
instance it obtained from getParentProfileInstance(android.content.ComponentName)
, for enforcing device-wide restrictions.
See the constants in android.os.UserManager
for the list of restrictions that can be enforced device-wide. These constants will also state in their documentation which permission is required to manage the restriction using this API.
For callers targeting Android android.os.Build.VERSION_CODES#UPSIDE_DOWN_CAKE
or above, calling this API will result in applying the restriction locally on the calling user, or locally on the parent profile if called from the DevicePolicyManager
instance obtained from getParentProfileInstance(android.content.ComponentName)
. To set a restriction globally, call addUserRestrictionGlobally
instead.
Starting from Build.VERSION_CODES.UPSIDE_DOWN_CAKE
, after the user restriction policy has been set, PolicyUpdateReceiver.onPolicySetResult(Context, String,
will notify the admin on whether the policy was successfully set or not. This callback will contain:
- The policy identifier returned from
DevicePolicyIdentifiers.getIdentifierForUserRestriction(String)
- The
TargetUser
that this policy relates to - The
PolicyUpdateResult
, which will bePolicyUpdateResult.RESULT_POLICY_SET
if the policy was successfully set or the reason the policy failed to be set (e.g.PolicyUpdateResult.RESULT_FAILURE_CONFLICTING_ADMIN_POLICY
)
PolicyUpdateReceiver.onPolicyChanged(Context, String, Bundle, TargetUser,
will notify the admin of this change. This callback will contain the same parameters as PolicyUpdateReceiver#onPolicySetResult and the PolicyUpdateResult
will contain the reason why the policy changed.
Exceptions | |
---|---|
java.lang.SecurityException |
if admin is not a device or profile owner and if the caller has not been granted the permission to set the given user restriction. |
addUserRestrictionGlobally
open fun addUserRestrictionGlobally(key: String): Unit
Called by a profile owner, device owner or a holder of any permission that is associated with a user restriction to set a user restriction specified by the provided key
globally on all users. To clear the restriction use clearUserRestriction
.
For a given user, a restriction will be set if it was applied globally or locally by any admin.
The calling device admin must be a profile owner, device owner or a holder of any permission that is associated with a user restriction; if it is not, a security exception will be thrown.
See the constants in android.os.UserManager
for the list of restrictions that can be enforced device-wide. These constants will also state in their documentation which permission is required to manage the restriction using this API.
After the user restriction policy has been set, PolicyUpdateReceiver.onPolicySetResult(Context, String, Bundle, TargetUser,
will notify the admin on whether the policy was successfully set or not. This callback will contain:
- The policy identifier returned from
DevicePolicyIdentifiers.getIdentifierForUserRestriction(String)
- The
TargetUser
that this policy relates to - The
PolicyUpdateResult
, which will bePolicyUpdateResult.RESULT_POLICY_SET
if the policy was successfully set or the reason the policy failed to be set (e.g.PolicyUpdateResult.RESULT_FAILURE_CONFLICTING_ADMIN_POLICY
)
PolicyUpdateReceiver.onPolicyChanged(Context, String, Bundle, TargetUser,
will notify the admin of this change. This callback will contain the same parameters as PolicyUpdateReceiver#onPolicySetResult and the PolicyUpdateResult
will contain the reason why the policy changed.
Exceptions | |
---|---|
java.lang.SecurityException |
if admin is not a device or profile owner and if the caller has not been granted the permission to set the given user restriction. |
java.lang.IllegalStateException |
if caller is not targeting Android android.os.Build.VERSION_CODES#UPSIDE_DOWN_CAKE or above. |
bindDeviceAdminServiceAsUser
open fun bindDeviceAdminServiceAsUser(
admin: ComponentName,
serviceIntent: Intent,
conn: ServiceConnection,
flags: Context.BindServiceFlags,
targetUser: UserHandle
): Boolean
See bindDeviceAdminServiceAsUser(android.content.ComponentName,android.content.Intent,android.content.ServiceConnection,int,android.os.UserHandle)
. Call Context.BindServiceFlags.of(long)
to obtain a BindServiceFlags object.
Parameters | |
---|---|
admin |
ComponentName: This value cannot be null . |
serviceIntent |
Intent: This value cannot be null . |
conn |
ServiceConnection: This value cannot be null . |
flags |
Context.BindServiceFlags: This value cannot be null . |
targetUser |
UserHandle: This value cannot be null . |
bindDeviceAdminServiceAsUser
open fun bindDeviceAdminServiceAsUser(
admin: ComponentName,
serviceIntent: Intent,
conn: ServiceConnection,
flags: Int,
targetUser: UserHandle
): Boolean
Called by a device owner to bind to a service from a secondary managed user or vice versa. See getBindDeviceAdminTargetUsers
for the pre-requirements of a device owner to bind to services of another managed user.
The service must be protected by android.Manifest.permission#BIND_DEVICE_ADMIN
. Note that the Context
used to obtain this DevicePolicyManager
instance via Context.getSystemService(Class)
will be used to bind to the android.app.Service
.
Note: This method used to be available for communication between device owner and profile owner. However, since Android 11, this combination is not possible. This method is now only useful for communication between device owner and managed secondary users.
Return | |
---|---|
Boolean |
If you have successfully bound to the service, true is returned; false is returned if the connection is not made and you will not receive the service object. |
canAdminGrantSensorsPermissions
open fun canAdminGrantSensorsPermissions(): Boolean
Returns true if the caller is running on a device where an admin can grant permissions related to device sensors. This is a signal that the device is a fully-managed device where personal usage is discouraged. The list of permissions is listed in setPermissionGrantState(android.content.ComponentName,java.lang.String,java.lang.String,int)
. May be called by any app.
Return | |
---|---|
Boolean |
true if an admin can grant device sensors-related permissions, false otherwise. |
canUsbDataSignalingBeDisabled
open fun canUsbDataSignalingBeDisabled(): Boolean
Returns whether enabling or disabling USB data signaling is supported on the device.
Return | |
---|---|
Boolean |
true if the device supports enabling and disabling USB data signaling. |
clearApplicationUserData
open fun clearApplicationUserData(
admin: ComponentName,
packageName: String,
executor: Executor,
listener: DevicePolicyManager.OnClearApplicationUserDataListener
): Unit
Called by the device owner or profile owner to clear application user data of a given package. The behaviour of this is equivalent to the target application calling android.app.ActivityManager#clearApplicationUserData()
.
Note: an application can store data outside of its application data, e.g. external storage or user dictionary. This data will not be wiped by calling this API.
Parameters | |
---|---|
admin |
ComponentName: Which DeviceAdminReceiver this request is associated with. This value cannot be null . |
packageName |
String: The name of the package which will have its user data wiped. This value cannot be null . |
executor |
Executor: The executor through which the listener should be invoked. This value cannot be null . Callback and listener events are dispatched through this Executor , providing an easy way to control which thread is used. To dispatch events through the main thread of your application, you can use Context.getMainExecutor() . Otherwise, provide an Executor that dispatches to an appropriate thread. |
listener |
DevicePolicyManager.OnClearApplicationUserDataListener: A callback object that will inform the caller when the clearing is done. This value cannot be null . |
Exceptions | |
---|---|
java.lang.SecurityException |
if the caller is not the device owner/profile owner. |
clearCrossProfileIntentFilters
open fun clearCrossProfileIntentFilters(admin: ComponentName?): Unit
Called by a profile owner of a managed profile to remove the cross-profile intent filters that go from the managed profile to the parent, or from the parent to the managed profile. Only removes those that have been set by the profile owner.
Note: A list of default cross profile intent filters are set up by the system when the profile is created, some of them ensure the proper functioning of the profile, while others enable sharing of data from the parent to the managed profile for user convenience. These default intent filters are not cleared when this API is called. If the default cross profile data sharing is not desired, they can be disabled with UserManager.DISALLOW_SHARE_INTO_MANAGED_PROFILE
.
Parameters | |
---|---|
admin |
ComponentName?: Which DeviceAdminReceiver this request is associated with. This value may be null . |
Exceptions | |
---|---|
java.lang.SecurityException |
if admin is not a profile owner. |
clearDeviceOwnerApp
open funclearDeviceOwnerApp(packageName: String!): Unit
Deprecated: This method is expected to be used for testing purposes only. The device owner will lose control of the device and its data after calling it. In order to protect any sensitive data that remains on the device, it is advised that the device owner factory resets the device instead of calling this method. See wipeData(int)
.
Clears the current device owner. The caller must be the device owner. This function should be used cautiously as once it is called it cannot be undone. The device owner can only be set as a part of device setup, before it completes.
While some policies previously set by the device owner will be cleared by this method, it is a best-effort process and some other policies will still remain in place after the device owner is cleared.
Parameters | |
---|---|
packageName |
String!: The package name of the device owner. |
Exceptions | |
---|---|
java.lang.SecurityException |
if the caller is not in packageName or packageName does not own the current device owner component. |
clearPackagePersistentPreferredActivities
open fun clearPackagePersistentPreferredActivities(
admin: ComponentName?,
packageName: String!
): Unit
Called by a profile owner or device owner or holder of the permission android.Manifest.permission#MANAGE_DEVICE_POLICY_LOCK_TASK
to remove all persistent intent handler preferences associated with the given package that were set by addPersistentPreferredActivity
.
The calling device admin must be a profile owner. If it is not, a security exception will be thrown.
Starting from Build.VERSION_CODES.UPSIDE_DOWN_CAKE
, after the persistent preferred activity policy has been cleared, PolicyUpdateReceiver.onPolicySetResult(Context,
will notify the admin on whether the policy was successfully cleared or not. This callback will contain:
- The policy identifier
DevicePolicyIdentifiers.PERSISTENT_PREFERRED_ACTIVITY_POLICY
- The additional policy params bundle, which contains
PolicyUpdateReceiver.EXTRA_INTENT_FILTER
the intent filter the policy applies to - The
TargetUser
that this policy relates to - The
PolicyUpdateResult
, which will bePolicyUpdateResult.RESULT_POLICY_SET
if the policy was successfully cleared or the reason the policy failed to be cleared (e.g.PolicyUpdateResult.RESULT_FAILURE_CONFLICTING_ADMIN_POLICY
)
PolicyUpdateReceiver.onPolicyChanged(Context, String, Bundle, TargetUser,
will notify the admin of this change. This callback will contain the same parameters as PolicyUpdateReceiver#onPolicySetResult and the PolicyUpdateResult
will contain the reason why the policy changed.
Parameters | |
---|---|
admin |
ComponentName?: Which DeviceAdminReceiver this request is associated with. Null if the caller is not a device admin. This value may be null . |
packageName |
String!: The name of the package for which preferences are removed. |
Exceptions | |
---|---|
java.lang.SecurityException |
if admin is not a device or profile owner or holder of the permission android.Manifest.permission#MANAGE_DEVICE_POLICY_LOCK_TASK . |
clearProfileOwner
open funclearProfileOwner(admin: ComponentName): Unit
Deprecated: This method is expected to be used for testing purposes only. The profile owner will lose control of the user and its data after calling it. In order to protect any sensitive data that remains on this user, it is advised that the profile owner deletes it instead of calling this method. See wipeData(int)
.
Clears the active profile owner. The caller must be the profile owner of this user, otherwise a SecurityException will be thrown. This method is not available to managed profile owners.
While some policies previously set by the profile owner will be cleared by this method, it is a best-effort process and some other policies will still remain in place after the profile owner is cleared.
Parameters | |
---|---|
admin |
ComponentName: The component to remove as the profile owner. This value cannot be null . |
Exceptions | |
---|---|
java.lang.SecurityException |
if admin is not an active profile owner, or the method is being called from a managed profile. |
clearResetPasswordToken
open fun clearResetPasswordToken(admin: ComponentName?): Boolean
Called by a profile, device owner or holder of the permission android.Manifest.permission#MANAGE_DEVICE_POLICY_RESET_PASSWORD
to revoke the current password reset token.
On devices not supporting PackageManager.FEATURE_SECURE_LOCK_SCREEN
feature, this method has no effect - the reset token should not have been set in the first place - and false is returned.
Requires the PackageManager#FEATURE_SECURE_LOCK_SCREEN
feature which can be detected using PackageManager.hasSystemFeature(String)
.
Parameters | |
---|---|
admin |
ComponentName?: Which DeviceAdminReceiver this request is associated with. Null if the caller is not a device admin. This value may be null . |
Return | |
---|---|
Boolean |
true if the operation is successful, false otherwise. |
Exceptions | |
---|---|
java.lang.SecurityException |
if admin is not a device or profile owner and if the caller does not the permission android.Manifest.permission#MANAGE_DEVICE_POLICY_RESET_PASSWORD . |
clearUserRestriction
open fun clearUserRestriction(
admin: ComponentName,
key: String!
): Unit
Called by a profile owner, device owner or a holder of any permission that is associated with a user restriction to clear a user restriction specified by the key.
The calling device admin must be a profile or device owner; if it is not, a security exception will be thrown.
The profile owner of an organization-owned managed profile may invoke this method on the DevicePolicyManager
instance it obtained from getParentProfileInstance(android.content.ComponentName)
, for clearing device-wide restrictions.
See the constants in android.os.UserManager
for the list of restrictions. These constants state in their documentation which permission is required to manage the restriction using this API.
For callers targeting Android android.os.Build.VERSION_CODES#UPSIDE_DOWN_CAKE
or above, calling this API will result in clearing any local and global restriction with the specified key that was previously set by the caller.
Starting from Build.VERSION_CODES.UPSIDE_DOWN_CAKE
, after the user restriction policy has been cleared, PolicyUpdateReceiver.onPolicySetResult(Context, String,
will notify the admin on whether the policy was successfully cleared or not. This callback will contain:
- The policy identifier returned from
DevicePolicyIdentifiers.getIdentifierForUserRestriction(String)
- The
TargetUser
that this policy relates to - The
PolicyUpdateResult
, which will bePolicyUpdateResult.RESULT_POLICY_SET
if the policy was successfully cleared or the reason the policy failed to be cleared (e.g.PolicyUpdateResult.RESULT_FAILURE_CONFLICTING_ADMIN_POLICY
)
PolicyUpdateReceiver.onPolicyChanged(Context, String, Bundle, TargetUser,
will notify the admin of this change. This callback will contain the same parameters as PolicyUpdateReceiver#onPolicySetResult and the PolicyUpdateResult
will contain the reason why the policy changed.
Exceptions | |
---|---|
java.lang.SecurityException |
if admin is not a device or profile owner and if the caller has not been granted the permission to set the given user restriction. |
createAdminSupportIntent
open fun createAdminSupportIntent(restriction: String): Intent!
Called by any app to display a support dialog when a feature was disabled by an admin. This returns an intent that can be used with Context.startActivity(Intent)
to display the dialog. It will tell the user that the feature indicated by restriction
was disabled by an admin, and include a link for more information. The default content of the dialog can be changed by the restricting admin via setShortSupportMessage(android.content.ComponentName,java.lang.CharSequence)
. If the restriction is not set (i.e. the feature is available), then the return value will be null
.
Parameters | |
---|---|
restriction |
String: Indicates for which feature the dialog should be displayed. Can be a user restriction from UserManager , e.g. UserManager.DISALLOW_ADJUST_VOLUME , or one of the constants POLICY_DISABLE_CAMERA or POLICY_DISABLE_SCREEN_CAPTURE . This value cannot be null . |
Return | |
---|---|
Intent! |
Intent An intent to be used to start the dialog-activity if the restriction is set by an admin, or null if the restriction does not exist or no admin set it. |
createAndManageUser
open fun createAndManageUser(
admin: ComponentName,
name: String,
profileOwner: ComponentName,
adminExtras: PersistableBundle?,
flags: Int
): UserHandle?
Called by a device owner to create a user with the specified name and a given component of the calling package as profile owner. The UserHandle returned by this method should not be persisted as user handles are recycled as users are removed and created. If you need to persist an identifier for this user, use UserManager.getSerialNumberForUser
. The new user will not be started in the background.
admin is the DeviceAdminReceiver
which is the device owner. profileOwner is also a DeviceAdminReceiver in the same package as admin, and will become the profile owner and will be registered as an active admin on the new user. The profile owner package will be installed on the new user.
If the adminExtras are not null, they will be stored on the device until the user is started for the first time. Then the extras will be passed to the admin when onEnable is called.
From android.os.Build.VERSION_CODES#P
onwards, if targeting android.os.Build.VERSION_CODES#P
, throws UserOperationException
instead of returning null
on failure.
Parameters | |
---|---|
admin |
ComponentName: Which DeviceAdminReceiver this request is associated with. This value cannot be null . |
name |
String: The user's name. This value cannot be null . |
profileOwner |
ComponentName: Which DeviceAdminReceiver will be profile owner. Has to be in the same package as admin, otherwise no user is created and an IllegalArgumentException is thrown. This value cannot be null . |
adminExtras |
PersistableBundle?: Extras that will be passed to onEnable of the admin receiver on the new user. This value may be null . |
flags |
Int: SKIP_SETUP_WIZARD , MAKE_USER_EPHEMERAL and LEAVE_ALL_SYSTEM_APPS_ENABLED are supported. Value is either 0 or a combination of android.app.admin.DevicePolicyManager#SKIP_SETUP_WIZARD , android.app.admin.DevicePolicyManager#MAKE_USER_EPHEMERAL , android.app.admin.DevicePolicyManager.MAKE_USER_DEMO, and android.app.admin.DevicePolicyManager#LEAVE_ALL_SYSTEM_APPS_ENABLED |
Return | |
---|---|
UserHandle? |
the android.os.UserHandle object for the created user, or null if the user could not be created. |
Exceptions | |
---|---|
java.lang.SecurityException |
if admin is not a device owner |
android.os.UserManager.UserOperationException |
if the user could not be created and the calling app is targeting android.os.Build.VERSION_CODES#P and running on android.os.Build.VERSION_CODES#P . |
See Also
enableSystemApp
open fun enableSystemApp(
admin: ComponentName,
intent: Intent!
): Int
Re-enable system apps by intent that were disabled by default when the user was initialized. This function can be called by a device owner, profile owner, or by a delegate given the DELEGATION_ENABLE_SYSTEM_APP
scope via setDelegatedScopes
.
Parameters | |
---|---|
admin |
ComponentName: Which DeviceAdminReceiver this request is associated with, or null if the caller is an enable system app delegate. |
intent |
Intent!: An intent matching the app(s) to be installed. All apps that resolve for this intent will be re-enabled in the calling profile. |
Return | |
---|---|
Int |
int The number of activities that matched the intent and were installed. |
Exceptions | |
---|---|
java.lang.SecurityException |
if admin is not a device or profile owner. |
enableSystemApp
open fun enableSystemApp(
admin: ComponentName,
packageName: String!
): Unit
Re-enable a system app that was disabled by default when the user was initialized. This function can be called by a device owner, profile owner, or by a delegate given the DELEGATION_ENABLE_SYSTEM_APP
scope via setDelegatedScopes
.
Parameters | |
---|---|
admin |
ComponentName: Which DeviceAdminReceiver this request is associated with, or null if the caller is an enable system app delegate. |
packageName |
String!: The package to be re-enabled in the calling profile. |
Exceptions | |
---|---|
java.lang.SecurityException |
if admin is not a device or profile owner. |
generateKeyPair
open fun generateKeyPair(
admin: ComponentName?,
algorithm: String,
keySpec: KeyGenParameterSpec,
idAttestationFlags: Int
): AttestedKeyPair!
This API can be called by the following to generate a new private/public key pair:
- Device owner
- Profile owner
- Delegated certificate installer
- Credential management app
- An app that holds the
android.Manifest.permission#MANAGE_DEVICE_POLICY_CERTIFICATES
permission
From Android android.os.Build.VERSION_CODES#S
, the credential management app can call this API. If called by the credential management app, the componentName must be null
. Note, there can only be a credential management app on an unmanaged device.
Because this method might take several seconds to complete, it should only be called from a worker thread. This method returns null
when called from the main thread.
This method is not thread-safe, calling it from multiple threads at the same time will result in undefined behavior. If the calling thread is interrupted while the invocation is in-flight, it will eventually terminate and return null
.
Note: If the provided alias
is of an existing alias, all former grants that apps have been given to access the key and certificates associated with this alias will be revoked.
Attestation: to enable attestation, set an attestation challenge in keySpec
via KeyGenParameterSpec.Builder.setAttestationChallenge
. By specifying flags to the idAttestationFlags
parameter, it is possible to request the device's unique identity to be included in the attestation record.
Specific identifiers can be included in the attestation record, and an individual attestation certificate can be used to sign the attestation record. To find out if the device supports these features, refer to isDeviceIdAttestationSupported()
and isUniqueDeviceAttestationSupported()
.
Device owner, profile owner, their delegated certificate installer and the credential management app can use ID_TYPE_BASE_INFO
to request inclusion of the general device information including manufacturer, model, brand, device and product in the attestation record. Only device owner, profile owner on an organization-owned device or affiliated user, and their delegated certificate installers can use ID_TYPE_SERIAL
, ID_TYPE_IMEI
and ID_TYPE_MEID
to request unique device identifiers to be attested (the serial number, IMEI and MEID correspondingly), if supported by the device (see isDeviceIdAttestationSupported()
). Additionally, device owner, profile owner on an organization-owned device and their delegated certificate installers can also request the attestation record to be signed using an individual attestation certificate by specifying the ID_TYPE_INDIVIDUAL_ATTESTATION
flag (if supported by the device, see isUniqueDeviceAttestationSupported()
).
If any of ID_TYPE_SERIAL
, ID_TYPE_IMEI
and ID_TYPE_MEID
is set, it is implicitly assumed that ID_TYPE_BASE_INFO
is also set.
Attestation using ID_TYPE_INDIVIDUAL_ATTESTATION
can only be requested if key generation is done in StrongBox.
Parameters | |
---|---|
admin |
ComponentName?: Which DeviceAdminReceiver this request is associated with, or null if the caller is not a device admin. |
algorithm |
String: The key generation algorithm, see java.security.KeyPairGenerator . This value cannot be null . |
keySpec |
KeyGenParameterSpec: Specification of the key to generate, see java.security.KeyPairGenerator . This value cannot be null . |
idAttestationFlags |
Int: A bitmask of the identifiers that should be included in the attestation record (ID_TYPE_BASE_INFO , ID_TYPE_SERIAL , ID_TYPE_IMEI and ID_TYPE_MEID ), and ID_TYPE_INDIVIDUAL_ATTESTATION if the attestation record should be signed using an individual attestation certificate.
If any flag is specified, then an attestation challenge must be included in the |
Return | |
---|---|
AttestedKeyPair! |
A non-null AttestedKeyPair if the key generation succeeded, null otherwise. |
Exceptions | |
---|---|
java.lang.SecurityException |
if admin is not null and not a device or profile owner, or admin is null but the calling application is not a delegated certificate installer or credential management app. If Device ID attestation is requested (using ID_TYPE_SERIAL , ID_TYPE_IMEI or ID_TYPE_MEID ), the caller must be the Device Owner or the Certificate Installer delegate. |
java.lang.IllegalArgumentException |
in the following cases:
|
java.lang.UnsupportedOperationException |
if Device ID attestation or individual attestation was requested but the underlying hardware does not support it. |
android.security.keystore.StrongBoxUnavailableException |
if the use of StrongBox for key generation was specified in keySpec but the device does not have one. |
getAccountTypesWithManagementDisabled
open fun getAccountTypesWithManagementDisabled(): Array<String!>?
Gets the array of accounts for which account management is disabled by the profile owner or device owner.
Account management can be disabled/enabled by calling setAccountManagementDisabled
.
This method may be called on the DevicePolicyManager
instance returned from getParentProfileInstance(android.content.ComponentName)
. Note that only a profile owner on an organization-owned device can affect account types on the parent profile instance.
Return | |
---|---|
Array<String!>? |
a list of account types for which account management has been disabled. This value may be null . |
See Also
getActiveAdmins
open fun getActiveAdmins(): MutableList<ComponentName!>?
Return a list of all currently active device administrators' component names. If there are no administrators null
may be returned.
getAffiliationIds
open fun getAffiliationIds(admin: ComponentName): MutableSet<String!>
Returns the set of affiliation ids previously set via setAffiliationIds
, or an empty set if none have been set.
Parameters | |
---|---|
admin |
ComponentName: This value cannot be null . |
Return | |
---|---|
MutableSet<String!> |
This value cannot be null . |
getAlwaysOnVpnLockdownWhitelist
open fun getAlwaysOnVpnLockdownWhitelist(admin: ComponentName): MutableSet<String!>?
Called by device or profile owner to query the set of packages that are allowed to access the network directly when always-on VPN is in lockdown mode but not connected. Returns null
when always-on VPN is not active or not in lockdown mode.
Parameters | |
---|---|
admin |
ComponentName: Which DeviceAdminReceiver this request is associated with. This value cannot be null . |
Exceptions | |
---|---|
java.lang.SecurityException |
if admin is not a device or a profile owner. |
getAlwaysOnVpnPackage
open fun getAlwaysOnVpnPackage(admin: ComponentName): String?
Called by a device or profile owner to read the name of the package administering an always-on VPN connection for the current user. If there is no such package, or the always-on VPN is provided by the system instead of by an application, null
will be returned.
Parameters | |
---|---|
admin |
ComponentName: This value cannot be null . |
Return | |
---|---|
String? |
Package name of VPN controller responsible for always-on VPN, or null if none is set. |
Exceptions | |
---|---|
java.lang.SecurityException |
if admin is not a device or a profile owner. |
getApplicationRestrictions
open fun getApplicationRestrictions(
admin: ComponentName?,
packageName: String!
): Bundle
Retrieves the application restrictions for a given target application running in the calling user.
The caller must be a profile or device owner on that user, or the package allowed to manage application restrictions via setDelegatedScopes
with the DELEGATION_APP_RESTRICTIONS
scope; otherwise a security exception will be thrown.
NOTE: The method performs disk I/O and shouldn't be called on the main thread
This method may take several seconds to complete, so it should only be called from a worker thread.
Parameters | |
---|---|
admin |
ComponentName?: Which DeviceAdminReceiver this request is associated with, or null if called by the application restrictions managing package. |
packageName |
String!: The name of the package to fetch restricted settings of. |
Return | |
---|---|
Bundle |
Bundle of settings corresponding to what was set last time DevicePolicyManager.setApplicationRestrictions was called, or an empty Bundle if no restrictions have been set. This value cannot be null . |
Exceptions | |
---|---|
java.lang.SecurityException |
if admin is not a device or profile owner. |
getApplicationRestrictionsManagingPackage
open fungetApplicationRestrictionsManagingPackage(admin: ComponentName): String?
Deprecated: From android.os.Build.VERSION_CODES#O
. Use getDelegatePackages
with the DELEGATION_APP_RESTRICTIONS
scope instead.
Called by a profile owner or device owner to retrieve the application restrictions managing package for the current user, or null
if none is set. If there are multiple delegates this function will return one of them.
Parameters | |
---|---|
admin |
ComponentName: Which DeviceAdminReceiver this request is associated with. This value cannot be null . |
Return | |
---|---|
String? |
The package name allowed to manage application restrictions on the current user, or null if none is set. |
Exceptions | |
---|---|
java.lang.SecurityException |
if admin is not a device or profile owner. |
getAutoTimeEnabled
open fun getAutoTimeEnabled(admin: ComponentName?): Boolean
Returns true if auto time is enabled on the device.
Parameters | |
---|---|
admin |
ComponentName?: Which DeviceAdminReceiver this request is associated with. Null if the caller is not a device admin. This value may be null . |
Return | |
---|---|
Boolean |
true if auto time is enabled on the device. |
Exceptions | |
---|---|
java.lang.SecurityException |
if caller is not a device owner, a profile owner for the primary user, or a profile owner of an organization-owned managed profile. |
getAutoTimeRequired
open fungetAutoTimeRequired(): Boolean
Deprecated: From android.os.Build.VERSION_CODES#R
. Use getAutoTimeEnabled
Return | |
---|---|
Boolean |
true if auto time is required. |
getAutoTimeZoneEnabled
open fun getAutoTimeZoneEnabled(admin: ComponentName?): Boolean
Returns true if auto time zone is enabled on the device.
Parameters | |
---|---|
admin |
ComponentName?: Which DeviceAdminReceiver this request is associated with. Null if the caller is not a device admin. This value may be null . |
Return | |
---|---|
Boolean |
true if auto time zone is enabled on the device. |
Exceptions | |
---|---|
java.lang.SecurityException |
if caller is not a device owner, a profile owner for the primary user, or a profile owner of an organization-owned managed profile. |
getBindDeviceAdminTargetUsers
open fun getBindDeviceAdminTargetUsers(admin: ComponentName): MutableList<UserHandle!>
Returns the list of target users that the calling device owner or owner of secondary user can use when calling #bindDeviceAdminServiceAsUser.
A device owner can bind to a service from a secondary managed user and vice versa, provided that both users are affiliated. See setAffiliationIds
.
Parameters | |
---|---|
admin |
ComponentName: This value cannot be null . |
Return | |
---|---|
MutableList<UserHandle!> |
This value cannot be null . |
getBluetoothContactSharingDisabled
open fun getBluetoothContactSharingDisabled(admin: ComponentName): Boolean
Called by a profile owner of a managed profile to determine whether or not Bluetooth devices cannot access enterprise contacts.
The calling device admin must be a profile owner. If it is not, a security exception will be thrown.
This API works on managed profile only.
Parameters | |
---|---|
admin |
ComponentName: Which DeviceAdminReceiver this request is associated with. This value cannot be null . |
Exceptions | |
---|---|
java.lang.SecurityException |
if admin is not a profile owner. |
getCameraDisabled
open fun getCameraDisabled(admin: ComponentName?): Boolean
Determine whether or not the device's cameras have been disabled for this user, either by the calling admin, if specified, or all admins.
This method can be called on the DevicePolicyManager
instance, returned by getParentProfileInstance(android.content.ComponentName)
, where the caller must be the profile owner of an organization-owned managed profile.
Parameters | |
---|---|
admin |
ComponentName?: The name of the admin component to check, or null to check whether any admins have disabled the camera |
getCertInstallerPackage
open fungetCertInstallerPackage(admin: ComponentName): String?
Deprecated: From android.os.Build.VERSION_CODES#O
. Use getDelegatePackages
with the DELEGATION_CERT_INSTALL
scope instead.
Called by a profile owner or device owner to retrieve the certificate installer for the user, or null
if none is set. If there are multiple delegates this function will return one of them.
Parameters | |
---|---|
admin |
ComponentName: Which DeviceAdminReceiver this request is associated with. This value cannot be null . |
Return | |
---|---|
String? |
The package name of the current delegated certificate installer, or null if none is set. |
Exceptions | |
---|---|
java.lang.SecurityException |
if admin is not a device or a profile owner. |
getContentProtectionPolicy
open fun getContentProtectionPolicy(admin: ComponentName?): Int
Returns the current content protection policy.
The returned policy will be the current resolved policy rather than the policy set by the calling admin.
Parameters | |
---|---|
admin |
ComponentName?: Which DeviceAdminReceiver this request is associated with. Null if the caller is not a device admin. This value may be null . |
Exceptions | |
---|---|
java.lang.SecurityException |
if admin is not the device owner, the profile owner of an affiliated user or profile, or the profile owner when no device owner is set or holder of the permission android.Manifest.permission#MANAGE_DEVICE_POLICY_CONTENT_PROTECTION . |
getCredentialManagerPolicy
open fun getCredentialManagerPolicy(): PackagePolicy?
Called by a device owner or profile owner of a managed profile to retrieve the credential manager policy.
Return | |
---|---|
PackagePolicy? |
the current credential manager policy if null then this policy has not been configured. |
Exceptions | |
---|---|
java.lang.SecurityException |
if caller is not a device owner or profile owner of a managed profile. |
getCrossProfileCalendarPackages
open fungetCrossProfileCalendarPackages(admin: ComponentName): MutableSet<String!>?
Deprecated: Use setCrossProfilePackages(android.content.ComponentName,java.util.Set)
.
Gets a set of package names that are allowed to access cross-profile calendar APIs.
Called by a profile owner of a managed profile.
Parameters | |
---|---|
admin |
ComponentName: which DeviceAdminReceiver this request is associated with This value cannot be null . |
Return | |
---|---|
MutableSet<String!>? |
the set of names of packages that were previously allowed via setCrossProfileCalendarPackages(android.content.ComponentName,java.util.Set) , or an empty set if none have been allowed This value may be null . |
Exceptions | |
---|---|
java.lang.SecurityException |
if admin is not a profile owner |
getCrossProfileCallerIdDisabled
open fungetCrossProfileCallerIdDisabled(admin: ComponentName): Boolean
Deprecated: starting with android.os.Build.VERSION_CODES#UPSIDE_DOWN_CAKE
, use getManagedProfileCallerIdAccessPolicy()
instead
Called by a profile owner of a managed profile to determine whether or not caller-Id information has been disabled.
The calling device admin must be a profile owner. If it is not, a security exception will be thrown.
Starting with android.os.Build.VERSION_CODES#UPSIDE_DOWN_CAKE
, this will return true when setManagedProfileCallerIdAccessPolicy(android.app.admin.PackagePolicy)
has been set with a non-null policy whose policy type is NOT PackagePolicy.PACKAGE_POLICY_BLOCKLIST
Parameters | |
---|---|
admin |
ComponentName: Which DeviceAdminReceiver this request is associated with. This value cannot be null . |
Exceptions | |
---|---|
java.lang.SecurityException |
if admin is not a profile owner. |
getCrossProfileContactsSearchDisabled
open fungetCrossProfileContactsSearchDisabled(admin: ComponentName): Boolean
Deprecated: From android.os.Build.VERSION_CODES#UPSIDE_DOWN_CAKE
use getManagedProfileContactsAccessPolicy()
Called by a profile owner of a managed profile to determine whether or not contacts search has been disabled.
The calling device admin must be a profile owner. If it is not, a security exception will be thrown.
Starting with android.os.Build.VERSION_CODES#UPSIDE_DOWN_CAKE
, this will return true when setManagedProfileContactsAccessPolicy(android.app.admin.PackagePolicy)
has been set with a non-null policy whose policy type is NOT PackagePolicy.PACKAGE_POLICY_BLOCKLIST
Parameters | |
---|---|
admin |
ComponentName: Which DeviceAdminReceiver this request is associated with. This value cannot be null . |
Exceptions | |
---|---|
java.lang.SecurityException |
if admin is not a profile owner. |
getCrossProfilePackages
open fun getCrossProfilePackages(admin: ComponentName): MutableSet<String!>
Returns the set of package names that the admin has previously set as allowed to request user consent for cross-profile communication, via setCrossProfilePackages(android.content.ComponentName,java.util.Set)
.
Assumes that the caller is a profile owner and is the given admin
.
Note that other apps not included in the returned set may be able to request user consent for cross-profile communication if they have been explicitly allowlisted by the OEM.
Parameters | |
---|---|
admin |
ComponentName: the DeviceAdminReceiver this request is associated with This value cannot be null . |
Return | |
---|---|
MutableSet<String!> |
the set of package names the admin has previously set as allowed to request user consent for cross-profile communication, via setCrossProfilePackages(android.content.ComponentName,java.util.Set) This value cannot be null . |
getCrossProfileWidgetProviders
open fun getCrossProfileWidgetProviders(admin: ComponentName?): MutableList<String!>
Called by the profile owner of a managed profile or a holder of the permission android.Manifest.permission#MANAGE_DEVICE_POLICY_PROFILE_INTERACTION
to query providers from which packages are available in the parent profile.
Parameters | |
---|---|
admin |
ComponentName?: Which DeviceAdminReceiver this request is associated with. Null if the caller is not a device admin. This value may be null . |
Return | |
---|---|
MutableList<String!> |
The allowlisted package list. This value cannot be null . |
Exceptions | |
---|---|
java.lang.SecurityException |
if admin is not a profile owner and not a holder of the permission android.Manifest.permission#MANAGE_DEVICE_POLICY_PROFILE_INTERACTION . |
getCurrentFailedPasswordAttempts
open fun getCurrentFailedPasswordAttempts(): Int
Retrieve the number of times the user has failed at entering a password since that last successful password entry.
This method can be called on the DevicePolicyManager
instance returned by getParentProfileInstance(android.content.ComponentName)
in order to retrieve the number of failed password attemts for the parent user.
The calling device admin must have requested DeviceAdminInfo.USES_POLICY_WATCH_LOGIN
to be able to call this method; if it has not, a security exception will be thrown.
On devices not supporting PackageManager.FEATURE_SECURE_LOCK_SCREEN
feature, the password is always empty and this method always returns 0.
Requires the PackageManager#FEATURE_SECURE_LOCK_SCREEN
feature which can be detected using PackageManager.hasSystemFeature(String)
.
Return | |
---|---|
Int |
The number of times user has entered an incorrect password since the last correct password entry. |
Exceptions | |
---|---|
java.lang.SecurityException |
if the calling application does not own an active administrator that uses DeviceAdminInfo.USES_POLICY_WATCH_LOGIN |
getDelegatePackages
open fun getDelegatePackages(
admin: ComponentName,
delegationScope: String
): MutableList<String!>?
Called by a profile owner or device owner to retrieve a list of delegate packages that were granted a delegation scope.
Parameters | |
---|---|
admin |
ComponentName: Which DeviceAdminReceiver this request is associated with. This value cannot be null . |
delegationScope |
String: The scope whose delegates should be retrieved. This value cannot be null . |
Return | |
---|---|
MutableList<String!>? |
A list of package names of the current delegated packages for delegationScope . This value may be null . |
Exceptions | |
---|---|
java.lang.SecurityException |
if admin is not a device or a profile owner. |
getDelegatedScopes
open fun getDelegatedScopes(
admin: ComponentName?,
delegatedPackage: String
): MutableList<String!>
Called by a profile owner or device owner to retrieve a list of the scopes given to a delegate package. Other apps can use this method to retrieve their own delegated scopes by passing null
for admin
and their own package name as delegatedPackage
.
Parameters | |
---|---|
admin |
ComponentName?: Which DeviceAdminReceiver this request is associated with, or null if the caller is delegatedPackage . |
delegatedPackage |
String: The package name of the app whose scopes should be retrieved. This value cannot be null . |
Return | |
---|---|
MutableList<String!> |
A list containing the scopes given to delegatedPackage . |
Exceptions | |
---|---|
java.lang.SecurityException |
if admin is not a device or a profile owner. |
getDeviceOwnerLockScreenInfo
open fun getDeviceOwnerLockScreenInfo(): CharSequence!
Return | |
---|---|
CharSequence! |
The device owner information. If it is not set returns null . |
getDevicePolicyManagementRoleHolderPackage
open fun getDevicePolicyManagementRoleHolderPackage(): String?
Returns the package name of the device policy management role holder.
If the device policy management role holder is not configured for this device, returns null
.
getEndUserSessionMessage
open fun getEndUserSessionMessage(admin: ComponentName): CharSequence!
Returns the user session end message.
Parameters | |
---|---|
admin |
ComponentName: which DeviceAdminReceiver this request is associated with. This value cannot be null . |
Exceptions | |
---|---|
java.lang.SecurityException |
if admin is not a device owner. |
getEnrollmentSpecificId
open fun getEnrollmentSpecificId(): String
Returns an enrollment-specific identifier of this device, which is guaranteed to be the same value for the same device, enrolled into the same organization by the same managing app. This identifier is high-entropy, useful for uniquely identifying individual devices within the same organisation. It is available both in a work profile and on a fully-managed device. The identifier would be consistent even if the work profile is removed and enrolled again (to the same organization), or the device is factory reset and re-enrolled. Can only be called by the Profile Owner and Device Owner, and starting from Android android.os.Build.VERSION_CODES#VANILLA_ICE_CREAM
, holders of the permission android.Manifest.permission#MANAGE_DEVICE_POLICY_CERTIFICATES
. If setOrganizationId(java.lang.String)
was not called, then the returned value will be an empty string.
Note about access to device identifiers: a device owner, a profile owner of an organization-owned device or the delegated certificate installer (holding the DELEGATION_CERT_INSTALL
delegation) on such a device can still obtain hardware identifiers by calling e.g. android.os.Build#getSerial()
, in addition to using this method. However, a profile owner on a personal (non organization-owned) device, or the delegated certificate installer on such a device, cannot obtain hardware identifiers anymore and must switch to using this method.
Return | |
---|---|
String |
A stable, enrollment-specific identifier. This value cannot be null . |
Exceptions | |
---|---|
java.lang.SecurityException |
if the caller is not a profile owner, device owner or holding the android.Manifest.permission#MANAGE_DEVICE_POLICY_CERTIFICATES permission |
getFactoryResetProtectionPolicy
open fun getFactoryResetProtectionPolicy(admin: ComponentName?): FactoryResetProtectionPolicy?
Callable by device owner or profile owner of an organization-owned device, to retrieve the current factory reset protection (FRP) policy set previously by setFactoryResetProtectionPolicy
.
This method can also be called by the FRP management agent on device or with the permission android.Manifest.permission#MASTER_CLEAR
, in which case, it can pass null
as the ComponentName.
Parameters | |
---|---|
admin |
ComponentName?: Which DeviceAdminReceiver this request is associated with or null if the caller is not a device admin |
Return | |
---|---|
FactoryResetProtectionPolicy? |
The current FRP policy object or null if no policy is set. |
Exceptions | |
---|---|
java.lang.SecurityException |
if admin is not a device owner, a profile owner of an organization-owned device or the FRP management agent. |
java.lang.UnsupportedOperationException |
if factory reset protection is not supported on the device. |
getGlobalPrivateDnsHost
open fun getGlobalPrivateDnsHost(admin: ComponentName): String?
Returns the system-wide Private DNS host.
Parameters | |
---|---|
admin |
ComponentName: which DeviceAdminReceiver this request is associated with. This value cannot be null . |
Return | |
---|---|
String? |
The hostname used for Private DNS queries, null if none is set. |
Exceptions | |
---|---|
java.lang.SecurityException |
if the caller is not the device owner. |
getGlobalPrivateDnsMode
open fun getGlobalPrivateDnsMode(admin: ComponentName): Int
Returns the system-wide Private DNS mode.
Parameters | |
---|---|
admin |
ComponentName: which DeviceAdminReceiver this request is associated with. This value cannot be null . |
Return | |
---|---|
Int |
one of PRIVATE_DNS_MODE_OFF , PRIVATE_DNS_MODE_OPPORTUNISTIC , PRIVATE_DNS_MODE_PROVIDER_HOSTNAME or PRIVATE_DNS_MODE_UNKNOWN . |
Exceptions | |
---|---|
java.lang.SecurityException |
if the caller is not the device owner. |
getInstalledCaCerts
open fun getInstalledCaCerts(admin: ComponentName?): MutableList<ByteArray!>
Returns all CA certificates that are currently trusted, excluding system CA certificates. If a user has installed any certificates by other means than device policy these will be included too.
Parameters | |
---|---|
admin |
ComponentName?: Which DeviceAdminReceiver this request is associated with, or null if calling from a delegated certificate installer. |
Return | |
---|---|
MutableList<ByteArray!> |
a List of byte[] arrays, each encoding one user CA certificate. This value cannot be null . |
Exceptions | |
---|---|
java.lang.SecurityException |
if admin is not null and not a device or profile owner. |
getKeepUninstalledPackages
open fun getKeepUninstalledPackages(admin: ComponentName?): MutableList<String!>?
Get the list of apps to keep around as APKs even if no user has currently installed it. This function can be called by a device owner or by a delegate given the DELEGATION_KEEP_UNINSTALLED_PACKAGES
scope via setDelegatedScopes
.
Please note that packages returned in this method are not automatically pre-cached.
Parameters | |
---|---|
admin |
ComponentName?: Which DeviceAdminReceiver this request is associated with, or null if the caller is a keep uninstalled packages delegate. |
Return | |
---|---|
MutableList<String!>? |
List of package names to keep cached. This value may be null . |
getKeyPairGrants
open fun getKeyPairGrants(alias: String): MutableMap<Int!, MutableSet<String!>!>
Called by a device or profile owner, or delegated certificate chooser (an app that has been delegated the DELEGATION_CERT_SELECTION
privilege), to query which apps have access to a given KeyChain key. Key are granted on a per-UID basis, so if several apps share the same UID, granting access to one of them automatically grants it to others. This method returns a map containing one entry per grantee UID. Entries have UIDs as keys and sets of corresponding package names as values. In particular, grantee packages that don't share UID with other packages are represented by entries having singleton sets as values.
Parameters | |
---|---|
alias |
String: The alias of the key to grant access to. This value cannot be null . |
Return | |
---|---|
MutableMap<Int!, MutableSet<String!>!> |
apps that have access to a given key, arranged in a map from UID to sets of package names. This value cannot be null . |
Exceptions | |
---|---|
java.lang.SecurityException |
if the caller is not a device owner, a profile owner or delegated certificate chooser. |
java.lang.IllegalArgumentException |
if alias doesn't correspond to an existing key. |
getKeyguardDisabledFeatures
open fun getKeyguardDisabledFeatures(admin: ComponentName?): Int
Determine whether or not features have been disabled in keyguard either by the calling admin, if specified, or all admins that set restrictions on this user and its participating profiles. Restrictions on profiles that have a separate challenge are not taken into account.
This method can be called on the DevicePolicyManager
instance returned by getParentProfileInstance(android.content.ComponentName)
in order to retrieve restrictions on the parent profile.
Parameters | |
---|---|
admin |
ComponentName?: The name of the admin component to check, or null to check whether any admins have disabled features in keyguard. |
Return | |
---|---|
Int |
bitfield of flags. See setKeyguardDisabledFeatures(android.content.ComponentName,int) for a list. |
getLockTaskFeatures
open fun getLockTaskFeatures(admin: ComponentName?): Int
Gets which system features are enabled for LockTask mode.
Starting from Build.VERSION_CODES.UPSIDE_DOWN_CAKE
, the returned policy will be the current resolved policy rather than the policy set by the calling admin.
Parameters | |
---|---|
admin |
ComponentName?: Which DeviceAdminReceiver this request is associated with. Null if the caller is not a device admin. This value may be null . |
Exceptions | |
---|---|
java.lang.SecurityException |
if admin is not the device owner, the profile owner of an affiliated user or profile, or the profile owner when no device owner is set or holder of the permission android.Manifest.permission#MANAGE_DEVICE_POLICY_LOCK_TASK . |
See Also
getLockTaskPackages
open fun getLockTaskPackages(admin: ComponentName?): Array<String!>
Returns the list of packages allowed to start the lock task mode.
Starting from Build.VERSION_CODES.UPSIDE_DOWN_CAKE
, the returned policy will be the current resolved policy rather than the policy set by the calling admin.
Parameters | |
---|---|
admin |
ComponentName?: Which DeviceAdminReceiver this request is associated with. Null if the caller is not a device admin. This value may be null . |
Return | |
---|---|
Array<String!> |
This value cannot be null . |
Exceptions | |
---|---|
java.lang.SecurityException |
if admin is not the device owner, the profile owner of an affiliated user or profile, or the profile owner when no device owner is set or holder of the permission android.Manifest.permission#MANAGE_DEVICE_POLICY_LOCK_TASK . |
See Also
getLongSupportMessage
open fun getLongSupportMessage(admin: ComponentName): CharSequence?
Called by a device admin to get the long support message.
Parameters | |
---|---|
admin |
ComponentName: Which DeviceAdminReceiver this request is associated with. This value cannot be null . |
Return | |
---|---|
CharSequence? |
The message set by setLongSupportMessage(android.content.ComponentName,java.lang.CharSequence) or null if no message has been set. |
Exceptions | |
---|---|
java.lang.SecurityException |
if admin is not an active administrator. |
getManagedProfileCallerIdAccessPolicy
open fun getManagedProfileCallerIdAccessPolicy(): PackagePolicy?
Called by a profile owner of a managed profile to retrieve the caller id policy.
The calling device admin must be a profile owner of a managed profile. If it is not, a SecurityException
will be thrown.
Return | |
---|---|
PackagePolicy? |
the current caller id policy This value may be null . |
Exceptions | |
---|---|
java.lang.SecurityException |
if caller is not a profile owner of a managed profile. |
getManagedProfileContactsAccessPolicy
open fun getManagedProfileContactsAccessPolicy(): PackagePolicy?
Called by a profile owner of a managed profile to determine the current policy applied to managed profile contacts.
The calling device admin must be a profile owner of a managed profile. If it is not, a SecurityException
will be thrown.
Return | |
---|---|
PackagePolicy? |
the current contacts search policy This value may be null . |
Exceptions | |
---|---|
java.lang.SecurityException |
if caller is not a profile owner of a managed profile. |
getManagedProfileMaximumTimeOff
open fun getManagedProfileMaximumTimeOff(admin: ComponentName): Long
Called by a profile owner of an organization-owned managed profile to get maximum time the profile is allowed to be turned off.
Parameters | |
---|---|
admin |
ComponentName: Which DeviceAdminReceiver this request is associated with This value cannot be null . |
Return | |
---|---|
Long |
Maximum time the profile is allowed to be off in milliseconds or 0 if not limited. |
See Also
getManagedSubscriptionsPolicy
open fun getManagedSubscriptionsPolicy(): ManagedSubscriptionsPolicy
Returns the current ManagedSubscriptionsPolicy
. If the policy has not been set, it will return a default policy of Type android.app.admin.ManagedSubscriptionsPolicy#TYPE_ALL_PERSONAL_SUBSCRIPTIONS
.
Return | |
---|---|
ManagedSubscriptionsPolicy |
This value cannot be null . |
getMaximumFailedPasswordsForWipe
open fun getMaximumFailedPasswordsForWipe(admin: ComponentName?): Int
Retrieve the current maximum number of login attempts that are allowed before the device or profile is wiped, for a particular admin or all admins that set restrictions on this user and its participating profiles. Restrictions on profiles that have a separate challenge are not taken into account.
This method can be called on the DevicePolicyManager
instance returned by getParentProfileInstance(android.content.ComponentName)
in order to retrieve the value for the parent profile.
On devices not supporting PackageManager.FEATURE_SECURE_LOCK_SCREEN
feature, the password is always empty and this method returns a default value (0) indicating that the policy is not set.
Requires the PackageManager#FEATURE_SECURE_LOCK_SCREEN
feature which can be detected using PackageManager.hasSystemFeature(String)
.
Parameters | |
---|---|
admin |
ComponentName?: The name of the admin component to check, or null to aggregate all admins. |
getMaximumTimeToLock
open fun getMaximumTimeToLock(admin: ComponentName?): Long
Retrieve the current maximum time to unlock for a particular admin or all admins that set restrictions on this user and its participating profiles. Restrictions on profiles that have a separate challenge are not taken into account.
This method can be called on the DevicePolicyManager
instance returned by getParentProfileInstance(android.content.ComponentName)
in order to retrieve restrictions on the parent profile.
Parameters | |
---|---|
admin |
ComponentName?: The name of the admin component to check, or null to aggregate all admins. |
Return | |
---|---|
Long |
time in milliseconds for the given admin or the minimum value (strictest) of all admins if admin is null. Returns 0 if there are no restrictions. |
getMeteredDataDisabledPackages
open fun getMeteredDataDisabledPackages(admin: ComponentName): MutableList<String!>
Called by a device or profile owner to retrieve the list of packages which are restricted by the admin from using metered data.
Parameters | |
---|---|
admin |
ComponentName: which DeviceAdminReceiver this request is associated with. This value cannot be null . |
Return | |
---|---|
MutableList<String!> |
the list of restricted package names. This value cannot be null . |
Exceptions | |
---|---|
java.lang.SecurityException |
if admin is not a device or profile owner. |
getMinimumRequiredWifiSecurityLevel
open fun getMinimumRequiredWifiSecurityLevel(): Int
Returns the current Wi-Fi minimum security level.
getMtePolicy
open fun getMtePolicy(): Int
Called by a device owner, profile owner of an organization-owned device to get the Memory Tagging Extension (MTE) policy Learn more about MTE
Return | |
---|---|
Int |
the currently set MTE policy Value is android.app.admin.DevicePolicyManager#MTE_ENABLED , android.app.admin.DevicePolicyManager#MTE_DISABLED , or android.app.admin.DevicePolicyManager#MTE_NOT_CONTROLLED_BY_POLICY |
Exceptions | |
---|---|
java.lang.SecurityException |
if caller is not permitted to set Mte policy |
getNearbyAppStreamingPolicy
open fun getNearbyAppStreamingPolicy(): Int
Returns the current runtime nearby app streaming policy set by the device or profile owner.
The caller must be the target user's device owner/profile owner or hold the READ_NEARBY_STREAMING_POLICY
permission.
getNearbyNotificationStreamingPolicy
open fun getNearbyNotificationStreamingPolicy(): Int
Returns the current runtime nearby notification streaming policy set by the device or profile owner.
The caller must be the target user's device owner/profile owner or hold the READ_NEARBY_STREAMING_POLICY
permission.
getOrganizationColor
open fungetOrganizationColor(admin: ComponentName): Int
Deprecated: From android.os.Build.VERSION_CODES#R
, the organization color is never used as the background color of the confirm credentials screen.
Called by a profile owner of a managed profile to retrieve the color used for customization. This color is used as background color of the confirm credentials screen for that user.
Parameters | |
---|---|
admin |
ComponentName: Which DeviceAdminReceiver this request is associated with. This value cannot be null . |
Return | |
---|---|
Int |
The 24bit (0xRRGGBB) representation of the color to be used. |
Exceptions | |
---|---|
java.lang.SecurityException |
if admin is not a profile owner. |
getOrganizationName
open fun getOrganizationName(admin: ComponentName?): CharSequence?
Called by the device owner (since API 26) or profile owner (since API 24) or holders of the permission to retrieve the name of the organization under management.
getOverrideApns
open fun getOverrideApns(admin: ComponentName): MutableList<ApnSetting!>!
Called by device owner or managed profile owner to get all override APNs inserted by device owner or managed profile owner previously using addOverrideApn
.
Parameters | |
---|---|
admin |
ComponentName: which DeviceAdminReceiver this request is associated with This value cannot be null . |
Return | |
---|---|
MutableList<ApnSetting!>! |
A list of override APNs inserted by device owner. |
Exceptions | |
---|---|
java.lang.SecurityException |
if admin is not a device owner. |
getParentProfileInstance
open fun getParentProfileInstance(admin: ComponentName): DevicePolicyManager
Called by the profile owner of a managed profile to obtain a DevicePolicyManager
whose calls act on the parent profile.
The following methods are supported for the parent instance, all other methods will throw a SecurityException when called on the parent instance:
getPasswordQuality
setPasswordQuality
getPasswordMinimumLength
setPasswordMinimumLength
getPasswordMinimumUpperCase
setPasswordMinimumUpperCase
getPasswordMinimumLowerCase
setPasswordMinimumLowerCase
getPasswordMinimumLetters
setPasswordMinimumLetters
getPasswordMinimumNumeric
setPasswordMinimumNumeric
getPasswordMinimumSymbols
setPasswordMinimumSymbols
getPasswordMinimumNonLetter
setPasswordMinimumNonLetter
getPasswordHistoryLength
setPasswordHistoryLength
getPasswordExpirationTimeout
setPasswordExpirationTimeout
getPasswordExpiration
getPasswordMaximumLength
isActivePasswordSufficient
getCurrentFailedPasswordAttempts
getMaximumFailedPasswordsForWipe
setMaximumFailedPasswordsForWipe
getMaximumTimeToLock
setMaximumTimeToLock
- lockNow
getKeyguardDisabledFeatures
setKeyguardDisabledFeatures
getTrustAgentConfiguration
setTrustAgentConfiguration
getRequiredStrongAuthTimeout
setRequiredStrongAuthTimeout
getAccountTypesWithManagementDisabled
setRequiredPasswordComplexity(int)
getRequiredPasswordComplexity()
The following methods are supported for the parent instance but can only be called by the profile owner of a managed profile that was created during the device provisioning flow:
getPasswordComplexity
setCameraDisabled
getCameraDisabled
setAccountManagementDisabled(android.content.ComponentName,java.lang.String,boolean)
setPermittedInputMethods
getPermittedInputMethods
The following methods can be called by the profile owner of a managed profile on an organization-owned device:
- wipeData
Parameters | |
---|---|
admin |
ComponentName: This value cannot be null . |
Return | |
---|---|
DevicePolicyManager |
a new instance of DevicePolicyManager that acts on the parent profile. This value cannot be null . |
Exceptions | |
---|---|
java.lang.SecurityException |
if admin is not a profile owner. |
getPasswordComplexity
open fun getPasswordComplexity(): Int
Returns how complex the current user's screen lock is.
Note that when called from a profile which uses an unified challenge with its parent, the screen lock complexity of the parent will be returned.
Apps need the permission.REQUEST_PASSWORD_COMPLEXITY
permission to call this method. On Android android.os.Build.VERSION_CODES#S
and above, the calling application does not need this permission if it is a device owner or a profile owner.
This method can be called on the DevicePolicyManager
instance returned by getParentProfileInstance(android.content.ComponentName)
in order to retrieve restrictions on the parent profile.
Exceptions | |
---|---|
java.lang.IllegalStateException |
if the user is not unlocked. |
java.lang.SecurityException |
if the calling application does not have the permission permission.REQUEST_PASSWORD_COMPLEXITY , and is not a device owner or a profile owner. |
getPasswordExpiration
open fun getPasswordExpiration(admin: ComponentName?): Long
Get the current password expiration time for a particular admin or all admins that set restrictions on this user and its participating profiles. Restrictions on profiles that have a separate challenge are not taken into account. If admin is null
, then a composite of all expiration times is returned - which will be the minimum of all of them.
This method can be called on the DevicePolicyManager
instance returned by getParentProfileInstance(android.content.ComponentName)
in order to retrieve the password expiration for the parent profile.
On devices not supporting PackageManager.FEATURE_SECURE_LOCK_SCREEN
feature, the password expiration is always disabled and this method always returns 0.
Requires the PackageManager#FEATURE_SECURE_LOCK_SCREEN
feature which can be detected using PackageManager.hasSystemFeature(String)
.
Parameters | |
---|---|
admin |
ComponentName?: The name of the admin component to check, or null to aggregate all admins. |
Return | |
---|---|
Long |
The password expiration time, in milliseconds since epoch. |
getPasswordExpirationTimeout
open fun getPasswordExpirationTimeout(admin: ComponentName?): Long
Get the password expiration timeout for the given admin. The expiration timeout is the recurring expiration timeout provided in the call to setPasswordExpirationTimeout(android.content.ComponentName,long)
for the given admin or the aggregate of all participating policy administrators if admin
is null. Admins that have set restrictions on profiles that have a separate challenge are not taken into account.
This method can be called on the DevicePolicyManager
instance returned by getParentProfileInstance(android.content.ComponentName)
in order to retrieve restrictions on the parent profile.
On devices not supporting PackageManager.FEATURE_SECURE_LOCK_SCREEN
feature, the password expiration is always disabled and this method always returns 0.
Requires the PackageManager#FEATURE_SECURE_LOCK_SCREEN
feature which can be detected using PackageManager.hasSystemFeature(String)
.
Parameters | |
---|---|
admin |
ComponentName?: The name of the admin component to check, or null to aggregate all admins. |
Return | |
---|---|
Long |
The timeout for the given admin or the minimum of all timeouts |
getPasswordHistoryLength
open fun getPasswordHistoryLength(admin: ComponentName?): Int
Retrieve the current password history length for a particular admin or all admins that set restrictions on this user and its participating profiles. Restrictions on profiles that have a separate challenge are not taken into account.
This method can be called on the DevicePolicyManager
instance returned by getParentProfileInstance(android.content.ComponentName)
in order to retrieve restrictions on the parent profile.
On devices not supporting PackageManager.FEATURE_SECURE_LOCK_SCREEN
feature, the password history length is always 0.
Requires the PackageManager#FEATURE_SECURE_LOCK_SCREEN
feature which can be detected using PackageManager.hasSystemFeature(String)
.
Parameters | |
---|---|
admin |
ComponentName?: The name of the admin component to check, or null to aggregate all admins. |
Return | |
---|---|
Int |
The length of the password history |
getPasswordMaximumLength
open fun getPasswordMaximumLength(quality: Int): Int
Return the maximum password length that the device supports for a particular password quality.
On devices not supporting PackageManager.FEATURE_SECURE_LOCK_SCREEN
feature, the password is always empty and this method always returns 0.
Parameters | |
---|---|
quality |
Int: The quality being interrogated. |
Return | |
---|---|
Int |
Returns the maximum length that the user can enter. |
getPasswordMinimumLength
open fungetPasswordMinimumLength(admin: ComponentName?): Int
Deprecated: see setPasswordQuality(android.content.ComponentName,int)
for details.
Retrieve the current minimum password length for a particular admin or all admins that set restrictions on this user and its participating profiles. Restrictions on profiles that have a separate challenge are not taken into account.
On devices not supporting PackageManager.FEATURE_SECURE_LOCK_SCREEN
feature, the password is always treated as empty.
This method can be called on the DevicePolicyManager
instance returned by getParentProfileInstance(android.content.ComponentName)
in order to retrieve restrictions on the parent profile.
Parameters | |
---|---|
admin |
ComponentName?: The name of the admin component to check, or null to aggregate all admins. |
getPasswordMinimumLetters
open fungetPasswordMinimumLetters(admin: ComponentName?): Int
Deprecated: see setPasswordQuality(android.content.ComponentName,int)
for details.
Retrieve the current number of letters required in the password for a particular admin or all admins that set restrictions on this user and its participating profiles. Restrictions on profiles that have a separate challenge are not taken into account. This is the same value as set by setPasswordMinimumLetters(android.content.ComponentName,int)
and only applies when the password quality is PASSWORD_QUALITY_COMPLEX
.
On devices not supporting PackageManager.FEATURE_SECURE_LOCK_SCREEN
feature, the password is always treated as empty.
This method can be called on the DevicePolicyManager
instance returned by getParentProfileInstance(android.content.ComponentName)
in order to retrieve restrictions on the parent profile.
Parameters | |
---|---|
admin |
ComponentName?: The name of the admin component to check, or null to aggregate all admins. |
Return | |
---|---|
Int |
The minimum number of letters required in the password. |
getPasswordMinimumLowerCase
open fungetPasswordMinimumLowerCase(admin: ComponentName?): Int
Deprecated: see setPasswordQuality(android.content.ComponentName,int)
for details.
Retrieve the current number of lower case letters required in the password for a particular admin or all admins that set restrictions on this user and its participating profiles. Restrictions on profiles that have a separate challenge are not taken into account. This is the same value as set by setPasswordMinimumLowerCase(android.content.ComponentName,int)
and only applies when the password quality is PASSWORD_QUALITY_COMPLEX
.
On devices not supporting PackageManager.FEATURE_SECURE_LOCK_SCREEN
feature, the password is always treated as empty.
This method can be called on the DevicePolicyManager
instance returned by getParentProfileInstance(android.content.ComponentName)
in order to retrieve restrictions on the parent profile.
Parameters | |
---|---|
admin |
ComponentName?: The name of the admin component to check, or null to aggregate all admins. |
Return | |
---|---|
Int |
The minimum number of lower case letters required in the password. |
getPasswordMinimumNonLetter
open fungetPasswordMinimumNonLetter(admin: ComponentName?): Int
Deprecated: see setPasswordQuality(android.content.ComponentName,int)
for details.
Retrieve the current number of non-letter characters required in the password for a particular admin or all admins that set restrictions on this user and its participating profiles. Restrictions on profiles that have a separate challenge are not taken into account. This is the same value as set by setPasswordMinimumNonLetter(android.content.ComponentName,int)
and only applies when the password quality is PASSWORD_QUALITY_COMPLEX
.
On devices not supporting PackageManager.FEATURE_SECURE_LOCK_SCREEN
feature, the password is always treated as empty.
This method can be called on the DevicePolicyManager
instance returned by getParentProfileInstance(android.content.ComponentName)
in order to retrieve restrictions on the parent profile.
Parameters | |
---|---|
admin |
ComponentName?: The name of the admin component to check, or null to aggregate all admins. |
Return | |
---|---|
Int |
The minimum number of letters required in the password. |
getPasswordMinimumNumeric
open fungetPasswordMinimumNumeric(admin: ComponentName?): Int
Deprecated: see setPasswordQuality(android.content.ComponentName,int)
for details.
Retrieve the current number of numerical digits required in the password for a particular admin or all admins that set restrictions on this user and its participating profiles. Restrictions on profiles that have a separate challenge are not taken into account. This is the same value as set by setPasswordMinimumNumeric(android.content.ComponentName,int)
and only applies when the password quality is PASSWORD_QUALITY_COMPLEX
.
On devices not supporting PackageManager.FEATURE_SECURE_LOCK_SCREEN
feature, the password is always treated as empty.
This method can be called on the DevicePolicyManager
instance returned by getParentProfileInstance(android.content.ComponentName)
in order to retrieve restrictions on the parent profile.
Parameters | |
---|---|
admin |
ComponentName?: The name of the admin component to check, or null to aggregate all admins. |
Return | |
---|---|
Int |
The minimum number of numerical digits required in the password. |
getPasswordMinimumSymbols
open fungetPasswordMinimumSymbols(admin: ComponentName?): Int
Deprecated: see setPasswordQuality(android.content.ComponentName,int)
for details.
Retrieve the current number of symbols required in the password for a particular admin or all admins that set restrictions on this user and its participating profiles. Restrictions on profiles that have a separate challenge are not taken into account. This is the same value as set by setPasswordMinimumSymbols(android.content.ComponentName,int)
and only applies when the password quality is PASSWORD_QUALITY_COMPLEX
.
On devices not supporting PackageManager.FEATURE_SECURE_LOCK_SCREEN
feature, the password is always treated as empty.
This method can be called on the DevicePolicyManager
instance returned by getParentProfileInstance(android.content.ComponentName)
in order to retrieve restrictions on the parent profile.
Parameters | |
---|---|
admin |
ComponentName?: The name of the admin component to check, or null to aggregate all admins. |
Return | |
---|---|
Int |
The minimum number of symbols required in the password. |
getPasswordMinimumUpperCase
open fungetPasswordMinimumUpperCase(admin: ComponentName?): Int
Deprecated: see setPasswordQuality(android.content.ComponentName,int)
for details.
Retrieve the current number of upper case letters required in the password for a particular admin or all admins that set restrictions on this user and its participating profiles. Restrictions on profiles that have a separate challenge are not taken into account. This is the same value as set by setPasswordMinimumUpperCase(android.content.ComponentName,int)
and only applies when the password quality is PASSWORD_QUALITY_COMPLEX
.
On devices not supporting PackageManager.FEATURE_SECURE_LOCK_SCREEN
feature, the password is always treated as empty.
This method can be called on the DevicePolicyManager
instance returned by getParentProfileInstance(android.content.ComponentName)
in order to retrieve restrictions on the parent profile.
Parameters | |
---|---|
admin |
ComponentName?: The name of the admin component to check, or null to aggregate all admins. |
Return | |
---|---|
Int |
The minimum number of upper case letters required in the password. |
getPasswordQuality
open fungetPasswordQuality(admin: ComponentName?): Int
Deprecated: see setPasswordQuality(android.content.ComponentName,int)
for details.
Retrieve the current minimum password quality for a particular admin or all admins that set restrictions on this user and its participating profiles. Restrictions on profiles that have a separate challenge are not taken into account.
This method can be called on the DevicePolicyManager
instance returned by getParentProfileInstance(android.content.ComponentName)
in order to retrieve restrictions on the parent profile.
Note: on devices not supporting PackageManager.FEATURE_SECURE_LOCK_SCREEN
feature, the password is always treated as empty.
Parameters | |
---|---|
admin |
ComponentName?: The name of the admin component to check, or null to aggregate all admins. |
getPendingSystemUpdate
open fun getPendingSystemUpdate(admin: ComponentName?): SystemUpdateInfo?
Get information about a pending system update. Can be called by device or profile owners, and starting from Android android.os.Build.VERSION_CODES#VANILLA_ICE_CREAM
, holders of the permission android.Manifest.permission#MANAGE_DEVICE_POLICY_QUERY_SYSTEM_UPDATES
.
Parameters | |
---|---|
admin |
ComponentName?: Which profile or device owner this request is associated with. This value may be null . |
Return | |
---|---|
SystemUpdateInfo? |
Information about a pending system update or null if no update pending. |
Exceptions | |
---|---|
java.lang.SecurityException |
if admin is not a device, profile owner or holders of android.Manifest.permission#MANAGE_DEVICE_POLICY_QUERY_SYSTEM_UPDATES . |
getPermissionGrantState
open fun getPermissionGrantState(
admin: ComponentName?,
packageName: String,
permission: String
): Int
Returns the current grant state of a runtime permission for a specific application. This function can be called by a device owner, profile owner, or by a delegate given the DELEGATION_PERMISSION_GRANT
scope via setDelegatedScopes
.
Parameters | |
---|---|
admin |
ComponentName?: Which DeviceAdminReceiver this request is associated with. Null if the caller is not a device admin. This value may be null . |
packageName |
String: The application to check the grant state for. This value cannot be null . |
permission |
String: The permission to check for. This value cannot be null . |
Return | |
---|---|
Int |
the current grant state specified by device policy. If admins have not set a grant has not set a grant state, the return value is PERMISSION_GRANT_STATE_DEFAULT . This does not indicate whether or not the permission is currently granted for the package.
If a grant state was set by the profile or device owner, then the return value will be one of PERMISSION_GRANT_STATE_DENIED or PERMISSION_GRANT_STATE_GRANTED , which indicates if the permission is currently denied or granted. Value is android.app.admin.DevicePolicyManager#PERMISSION_GRANT_STATE_DEFAULT , android.app.admin.DevicePolicyManager#PERMISSION_GRANT_STATE_GRANTED , or android.app.admin.DevicePolicyManager#PERMISSION_GRANT_STATE_DENIED |
Exceptions | |
---|---|
java.lang.SecurityException |
if admin is not a device or profile owner. |
getPermissionPolicy
open fun getPermissionPolicy(admin: ComponentName!): Int
Returns the current runtime permission policy set by the device or profile owner. The default is PERMISSION_POLICY_PROMPT
.
Parameters | |
---|---|
admin |
ComponentName!: Which profile or device owner this request is associated with. |
Return | |
---|---|
Int |
the current policy for future permission requests. |
getPermittedAccessibilityServices
open fun getPermittedAccessibilityServices(admin: ComponentName): MutableList<String!>?
Returns the list of permitted accessibility services set by this device or profile owner.
An empty list means no accessibility services except system services are allowed. null
means all accessibility services are allowed.
Parameters | |
---|---|
admin |
ComponentName: Which DeviceAdminReceiver this request is associated with. This value cannot be null . |
Return | |
---|---|
MutableList<String!>? |
List of accessiblity service package names. |
Exceptions | |
---|---|
java.lang.SecurityException |
if admin is not a device or profile owner. |
getPermittedCrossProfileNotificationListeners
open fun getPermittedCrossProfileNotificationListeners(admin: ComponentName): MutableList<String!>?
Returns the list of packages installed on the primary user that allowed to use a android.service.notification.NotificationListenerService
to receive notifications from this managed profile, as set by the profile owner.
An empty list means no notification listener services except system ones are allowed. A null
return value indicates that all notification listeners are allowed.
Parameters | |
---|---|
admin |
ComponentName: This value cannot be null . |
getPermittedInputMethods
open fun getPermittedInputMethods(admin: ComponentName?): MutableList<String!>?
Returns the list of permitted input methods set by this device or profile owner.
This method can be called on the DevicePolicyManager
instance, returned by getParentProfileInstance(android.content.ComponentName)
, where the caller must be a profile owner of an organization-owned managed profile. If called on the parent instance, then the returned list of permitted input methods are those which are applied on the personal profile.
An empty list means no input methods except system input methods are allowed. Null means all input methods are allowed.
Parameters | |
---|---|
admin |
ComponentName?: Which DeviceAdminReceiver this request is associated with. Null if the caller is not a device admin This value may be null . |
Return | |
---|---|
MutableList<String!>? |
List of input method package names. This value may be null . |
Exceptions | |
---|---|
java.lang.SecurityException |
if admin is not a device, profile owner or if called on the parent profile and the admin is not a profile owner of an organization-owned managed profile. |
getPersonalAppsSuspendedReasons
open fun getPersonalAppsSuspendedReasons(admin: ComponentName): Int
Called by profile owner of an organization-owned managed profile to check whether personal apps are suspended.
Parameters | |
---|---|
admin |
ComponentName: This value cannot be null . |
Return | |
---|---|
Int |
a bitmask of reasons for personal apps suspension or PERSONAL_APPS_NOT_SUSPENDED if apps are not suspended. Value is either 0 or a combination of android.app.admin.DevicePolicyManager#PERSONAL_APPS_NOT_SUSPENDED , android.app.admin.DevicePolicyManager#PERSONAL_APPS_SUSPENDED_EXPLICITLY , and android.app.admin.DevicePolicyManager#PERSONAL_APPS_SUSPENDED_PROFILE_TIMEOUT |
See Also
getPreferentialNetworkServiceConfigs
open fun getPreferentialNetworkServiceConfigs(): MutableList<PreferentialNetworkServiceConfig!>
Get preferential network configuration {@see PreferentialNetworkServiceConfig}
Return | |
---|---|
MutableList<PreferentialNetworkServiceConfig!> |
preferential network configuration. This value cannot be null . |
Exceptions | |
---|---|
java.lang.SecurityException |
if the caller is not the profile owner or device owner. |
getRequiredPasswordComplexity
open fun getRequiredPasswordComplexity(): Int
Gets the password complexity requirement set by setRequiredPasswordComplexity(int)
, for the current user.
The difference between this method and getPasswordComplexity()
is that this method simply returns the value set by setRequiredPasswordComplexity(int)
while getPasswordComplexity()
returns the complexity of the actual password.
This method can be called on the DevicePolicyManager
instance returned by getParentProfileInstance(android.content.ComponentName)
in order to get restrictions on the parent profile.
Exceptions | |
---|---|
java.lang.SecurityException |
if the calling application is not a device owner or a profile owner. |
getRequiredStrongAuthTimeout
open fun getRequiredStrongAuthTimeout(admin: ComponentName?): Long
Determine for how long the user will be able to use secondary, non strong auth for authentication, since last strong method authentication (password, pin or pattern) was used. After the returned timeout the user is required to use strong authentication method.
This method can be called on the DevicePolicyManager
instance returned by getParentProfileInstance(android.content.ComponentName)
in order to retrieve restrictions on the parent profile.
On devices not supporting PackageManager.FEATURE_SECURE_LOCK_SCREEN
feature, 0 is returned to indicate that no timeout is configured.
Requires the PackageManager#FEATURE_SECURE_LOCK_SCREEN
feature which can be detected using PackageManager.hasSystemFeature(String)
.
Parameters | |
---|---|
admin |
ComponentName?: The name of the admin component to check, or null to aggregate across all participating admins. |
Return | |
---|---|
Long |
The timeout in milliseconds or 0 if not configured for the provided admin. |
getResources
open fun getResources(): DevicePolicyResourcesManager
Returns a DevicePolicyResourcesManager
containing the required APIs to set, reset, and get device policy related resources.
Return | |
---|---|
DevicePolicyResourcesManager |
This value cannot be null . |
getScreenCaptureDisabled
open fun getScreenCaptureDisabled(admin: ComponentName?): Boolean
Determine whether or not screen capture has been disabled by the calling admin, if specified, or all admins.
This method can be called on the DevicePolicyManager
instance, returned by getParentProfileInstance(android.content.ComponentName)
, where the caller must be the profile owner of an organization-owned managed profile (the calling admin must be specified).
Parameters | |
---|---|
admin |
ComponentName?: The name of the admin component to check, or null to check whether any admins have disabled screen capture. |
getSecondaryUsers
open fun getSecondaryUsers(admin: ComponentName): MutableList<UserHandle!>!
Called by a device owner to list all secondary users on the device. Managed profiles are not considered as secondary users.
Used for various user management APIs, including switchUser
, removeUser
and stopUser
.
Parameters | |
---|---|
admin |
ComponentName: Which DeviceAdminReceiver this request is associated with. This value cannot be null . |
Return | |
---|---|
MutableList<UserHandle!>! |
list of other UserHandle s on the device. |
Exceptions | |
---|---|
java.lang.SecurityException |
if admin is not a device owner. |
getShortSupportMessage
open fun getShortSupportMessage(admin: ComponentName?): CharSequence!
Called by a device admin or holder of the permission android.Manifest.permission#MANAGE_DEVICE_POLICY_SUPPORT_MESSAGE
to get the short support message.
Parameters | |
---|---|
admin |
ComponentName?: Which DeviceAdminReceiver this request is associated with. Null if the caller is not a device admin. This value may be null . |
Return | |
---|---|
CharSequence! |
The message set by setShortSupportMessage(android.content.ComponentName,java.lang.CharSequence) or null if no message has been set. |
Exceptions | |
---|---|
java.lang.SecurityException |
if admin is not an active administrator and not a holder of the permission android.Manifest.permission#MANAGE_DEVICE_POLICY_SUPPORT_MESSAGE .. |
getStartUserSessionMessage
open fun getStartUserSessionMessage(admin: ComponentName): CharSequence!
Returns the user session start message.
Parameters | |
---|---|
admin |
ComponentName: which DeviceAdminReceiver this request is associated with. This value cannot be null . |
Exceptions | |
---|---|
java.lang.SecurityException |
if admin is not a device owner. |
getStorageEncryption
open fungetStorageEncryption(admin: ComponentName?): Boolean
Deprecated: This method only returns the value set by setStorageEncryption
. It does not actually reflect the storage encryption status. Use getStorageEncryptionStatus
for that. Called by an application that is administering the device to determine the requested setting for secure storage.
Parameters | |
---|---|
admin |
ComponentName?: Which DeviceAdminReceiver this request is associated with. If null, this will return the requested encryption setting as an aggregate of all active administrators. |
Return | |
---|---|
Boolean |
true if the admin(s) are requesting encryption, false if not. |
getStorageEncryptionStatus
open fun getStorageEncryptionStatus(): Int
Called by an application that is administering the device to determine the current encryption status of the device.
Depending on the returned status code, the caller may proceed in different ways. If the result is ENCRYPTION_STATUS_UNSUPPORTED
, the storage system does not support encryption. If the result is ENCRYPTION_STATUS_INACTIVE
, use ACTION_START_ENCRYPTION
to begin the process of encrypting or decrypting the storage. If the result is ENCRYPTION_STATUS_ACTIVE_DEFAULT_KEY
, the storage system has enabled encryption but no password is set so further action may be required. If the result is ENCRYPTION_STATUS_ACTIVATING
, ENCRYPTION_STATUS_ACTIVE
or ENCRYPTION_STATUS_ACTIVE_PER_USER
, no further action is required.
Return | |
---|---|
Int |
current status of encryption. The value will be one of ENCRYPTION_STATUS_UNSUPPORTED , ENCRYPTION_STATUS_INACTIVE , ENCRYPTION_STATUS_ACTIVATING , ENCRYPTION_STATUS_ACTIVE_DEFAULT_KEY , ENCRYPTION_STATUS_ACTIVE , or ENCRYPTION_STATUS_ACTIVE_PER_USER . |
Exceptions | |
---|---|
java.lang.SecurityException |
if called on a parent instance. |
getSubscriptionIds
open fun getSubscriptionIds(): MutableSet<Int!>
Returns the subscription ids of all subscriptions which were downloaded by the calling admin.
This returns only the subscriptions which were downloaded by the calling admin via android.telephony.euicc.EuiccManager#downloadSubscription
. If a subscription is returned by this method then in it subject to management controls and cannot be removed by users.
Callable by device owners and profile owners.
Requires android.Manifest.permission#MANAGE_DEVICE_POLICY_MANAGED_SUBSCRIPTIONS
Return | |
---|---|
MutableSet<Int!> |
ids of all managed subscriptions currently downloaded by an admin on the device. This value cannot be null . |
Exceptions | |
---|---|
java.lang.SecurityException |
if the caller is not authorized to call this method. |
getSystemUpdatePolicy
open fun getSystemUpdatePolicy(): SystemUpdatePolicy?
Retrieve a local system update policy set previously by setSystemUpdatePolicy
.
Return | |
---|---|
SystemUpdatePolicy? |
The current policy object, or null if no policy is set. |
getTransferOwnershipBundle
open fun getTransferOwnershipBundle(): PersistableBundle?
Returns the data passed from the current administrator to the new administrator during an ownership transfer. This is the same bundle
passed in transferOwnership(android.content.ComponentName,android.content.ComponentName,android.os.PersistableBundle)
. The bundle is persisted until the profile owner or device owner is removed.
This is the same bundle
received in the DeviceAdminReceiver.onTransferOwnershipComplete(Context, PersistableBundle)
. Use this method to retrieve it after the transfer as long as the new administrator is the active device or profile owner.
Returns null
if no ownership transfer was started for the calling user.
Exceptions | |
---|---|
java.lang.SecurityException |
if the caller is not a device or profile owner. |
getTrustAgentConfiguration
open fun getTrustAgentConfiguration(
admin: ComponentName?,
agent: ComponentName
): MutableList<PersistableBundle!>?
Gets configuration for the given trust agent based on aggregating all calls to setTrustAgentConfiguration(android.content.ComponentName,android.content.ComponentName,android.os.PersistableBundle)
for all device admins.
This method can be called on the DevicePolicyManager
instance returned by getParentProfileInstance(android.content.ComponentName)
in order to retrieve the configuration set on the parent profile.
On devices not supporting PackageManager.FEATURE_SECURE_LOCK_SCREEN
feature, null is always returned.
Requires the PackageManager#FEATURE_SECURE_LOCK_SCREEN
feature which can be detected using PackageManager.hasSystemFeature(String)
.
Parameters | |
---|---|
admin |
ComponentName?: Which DeviceAdminReceiver this request is associated with. If null, this function returns a list of configurations for all admins that declare KEYGUARD_DISABLE_TRUST_AGENTS . If any admin declares KEYGUARD_DISABLE_TRUST_AGENTS but doesn't call setTrustAgentConfiguration(android.content.ComponentName,android.content.ComponentName,android.os.PersistableBundle) for this {@param agent} or calls it with a null configuration, null is returned. |
agent |
ComponentName: Which component to get enabled features for. This value cannot be null . |
Return | |
---|---|
MutableList<PersistableBundle!>? |
configuration for the given trust agent. |
getUserControlDisabledPackages
open fun getUserControlDisabledPackages(admin: ComponentName?): MutableList<String!>
Returns the list of packages over which user control is disabled by a device or profile owner or holders of the permission android.Manifest.permission#MANAGE_DEVICE_POLICY_APPS_CONTROL
.
Starting from Build.VERSION_CODES.UPSIDE_DOWN_CAKE
, the returned policy will be the current resolved policy rather than the policy set by the calling admin.
Parameters | |
---|---|
admin |
ComponentName?: Which DeviceAdminReceiver this request is associated with. Null if the caller is not a device admin. This value may be null . |
Return | |
---|---|
MutableList<String!> |
This value cannot be null . |
Exceptions | |
---|---|
java.lang.SecurityException |
if admin is not a device or profile owner or holder of the permission android.Manifest.permission#MANAGE_DEVICE_POLICY_APPS_CONTROL . |
getUserRestrictions
open fun getUserRestrictions(admin: ComponentName): Bundle
Called by an admin to get user restrictions set by themselves with addUserRestriction(android.content.ComponentName,java.lang.String)
.
The target user may have more restrictions set by the system or other admin. To get all the user restrictions currently set, use UserManager.getUserRestrictions()
.
The profile owner of an organization-owned managed profile may invoke this method on the DevicePolicyManager
instance it obtained from getParentProfileInstance(android.content.ComponentName)
, for retrieving device-wide restrictions it previously set with addUserRestriction(android.content.ComponentName,java.lang.String)
.
For callers targeting Android android.os.Build.VERSION_CODES#UPSIDE_DOWN_CAKE
or above, this API will return the local restrictions set on the calling user, or on the parent profile if called from the DevicePolicyManager
instance obtained from getParentProfileInstance(android.content.ComponentName)
. To get global restrictions set by admin, call getUserRestrictionsGlobally()
instead.
Note that this is different that the returned restrictions for callers targeting pre Android android.os.Build.VERSION_CODES#UPSIDE_DOWN_CAKE
, were this API returns all local/global restrictions set by the admin on the calling user using addUserRestriction(android.content.ComponentName,java.lang.String)
or the parent user if called on the DevicePolicyManager
instance it obtained from getParentProfileInstance
.
Parameters | |
---|---|
admin |
ComponentName: Which DeviceAdminReceiver this request is associated with. This value cannot be null . |
Return | |
---|---|
Bundle |
a Bundle whose keys are the user restrictions, and the values a boolean indicating whether the restriction is set. This value cannot be null . |
Exceptions | |
---|---|
java.lang.SecurityException |
if admin is not a device or profile owner. |
getUserRestrictionsGlobally
open fun getUserRestrictionsGlobally(): Bundle
Called by a profile or device owner to get global user restrictions set with addUserRestrictionGlobally(java.lang.String)
.
To get all the user restrictions currently set for a certain user, use UserManager.getUserRestrictions()
.
Return | |
---|---|
Bundle |
a Bundle whose keys are the user restrictions, and the values a boolean indicating whether the restriction is set. This value cannot be null . |
Exceptions | |
---|---|
java.lang.SecurityException |
if admin is not a device or profile owner. |
java.lang.IllegalStateException |
if caller is not targeting Android android.os.Build.VERSION_CODES#UPSIDE_DOWN_CAKE or above. |
getWifiMacAddress
open fun getWifiMacAddress(admin: ComponentName?): String?
Called by a device owner or profile owner on organization-owned device to get the MAC address of the Wi-Fi device. NOTE: The MAC address returned here should only be used for inventory management and is not likely to be the MAC address used by the device to connect to Wi-Fi networks: MAC addresses used for scanning and connecting to Wi-Fi networks are randomized by default. To get the randomized MAC address used, call android.net.wifi.WifiConfiguration#getRandomizedMacAddress
.
Parameters | |
---|---|
admin |
ComponentName?: Which admin this request is associated with. Null if the caller is not a device admin This value may be null . |
Return | |
---|---|
String? |
the MAC address of the Wi-Fi device, or null when the information is not available. (For example, Wi-Fi hasn't been enabled, or the device doesn't support Wi-Fi.)
The address will be in the |
Exceptions | |
---|---|
java.lang.SecurityException |
if admin is not permitted to get wifi mac addresses |
getWifiSsidPolicy
open fun getWifiSsidPolicy(): WifiSsidPolicy?
Returns the current Wi-Fi SSID policy. If the policy has not been set, it will return NULL.
Return | |
---|---|
WifiSsidPolicy? |
This value may be null . |
Exceptions | |
---|---|
java.lang.SecurityException |
if the caller is not a device owner or a profile owner on an organization-owned managed profile. |
See Also
grantKeyPairToApp
open fun grantKeyPairToApp(
admin: ComponentName?,
alias: String,
packageName: String
): Boolean
Called by a device or profile owner, or delegated certificate chooser (an app that has been delegated the DELEGATION_CERT_SELECTION
privilege), to grant an application access to an already-installed (or generated) KeyChain key. This is useful (in combination with #installKeyPair or generateKeyPair
) to let an application call android.security.KeyChain#getPrivateKey
without having to call android.security.KeyChain#choosePrivateKeyAlias first. The grantee app will receive the android.security.KeyChain#ACTION_KEY_ACCESS_CHANGED
broadcast when access to a key is granted. Starting from android.os.Build.VERSION_CODES#UPSIDE_DOWN_CAKE
throws an IllegalArgumentException
if alias
doesn't correspond to an existing key.
Parameters | |
---|---|
admin |
ComponentName?: Which DeviceAdminReceiver this request is associated with, or null if calling from a delegated certificate chooser. |
alias |
String: The alias of the key to grant access to. This value cannot be null . |
packageName |
String: The name of the (already installed) package to grant access to. This value cannot be null . |
Return | |
---|---|
Boolean |
true if the grant was set successfully, false otherwise. |
Exceptions | |
---|---|
java.lang.SecurityException |
if the caller is not a device owner, a profile owner or delegated certificate chooser. |
java.lang.IllegalArgumentException |
if packageName or alias are empty, or if packageName is not a name of an installed package. |
See Also
grantKeyPairToWifiAuth
open fun grantKeyPairToWifiAuth(alias: String): Boolean
Called by a device or profile owner, or delegated certificate chooser (an app that has been delegated the DELEGATION_CERT_SELECTION
privilege), to allow using a KeyChain key pair for authentication to Wifi networks. The key can then be used in configurations passed to android.net.wifi.WifiManager#addNetwork
. Starting from android.os.Build.VERSION_CODES#UPSIDE_DOWN_CAKE
throws an IllegalArgumentException
if alias
doesn't correspond to an existing key.
Parameters | |
---|---|
alias |
String: The alias of the key pair. This value cannot be null . |
Return | |
---|---|
Boolean |
true if the operation was set successfully, false otherwise. |
Exceptions | |
---|---|
java.lang.SecurityException |
if the caller is not a device owner, a profile owner or delegated certificate chooser. |
See Also
hasCaCertInstalled
open fun hasCaCertInstalled(
admin: ComponentName?,
certBuffer: ByteArray!
): Boolean
Returns whether this certificate is installed as a trusted CA.
Parameters | |
---|---|
admin |
ComponentName?: Which DeviceAdminReceiver this request is associated with, or null if calling from a delegated certificate installer. |
certBuffer |
ByteArray!: encoded form of the certificate to look up. |
Exceptions | |
---|---|
java.lang.SecurityException |
if admin is not null and not a device or profile owner. |
hasGrantedPolicy
open fun hasGrantedPolicy(
admin: ComponentName,
usesPolicy: Int
): Boolean
Returns true if an administrator has been granted a particular device policy. This can be used to check whether the administrator was activated under an earlier set of policies, but requires additional policies after an upgrade.
Parameters | |
---|---|
admin |
ComponentName: Which DeviceAdminReceiver this request is associated with. Must be an active administrator, or an exception will be thrown. This value cannot be null . |
usesPolicy |
Int: Which uses-policy to check, as defined in DeviceAdminInfo . |
Exceptions | |
---|---|
java.lang.SecurityException |
if admin is not an active administrator. |
hasKeyPair
open fun hasKeyPair(alias: String): Boolean
This API can be called by the following to query whether a certificate and private key are installed under a given alias:
- Device owner
- Profile owner
- Delegated certificate installer
- Credential management app
- An app that holds the
android.Manifest.permission#MANAGE_DEVICE_POLICY_CERTIFICATES
permission
android.security.AppUriAuthenticationPolicy
.
Parameters | |
---|---|
alias |
String: The alias under which the key pair is installed. This value cannot be null . |
Return | |
---|---|
Boolean |
true if a key pair with this alias exists, false otherwise. |
Exceptions | |
---|---|
java.lang.SecurityException |
if the caller is not a device or profile owner, a delegated certificate installer, the credential management app and does not have the android.Manifest.permission#MANAGE_DEVICE_POLICY_CERTIFICATES permission. |
hasLockdownAdminConfiguredNetworks
open fun hasLockdownAdminConfiguredNetworks(admin: ComponentName?): Boolean
Called by a device owner or a profile owner of an organization-owned managed profile to determine whether the user is prevented from modifying networks configured by the admin.
Parameters | |
---|---|
admin |
ComponentName?: admin Which DeviceAdminReceiver this request is associated with. This value may be null . |
Exceptions | |
---|---|
java.lang.SecurityException |
if caller is not a device owner or a profile owner of an organization-owned managed profile. |
installCaCert
open fun installCaCert(
admin: ComponentName?,
certBuffer: ByteArray!
): Boolean
Installs the given certificate as a user CA.
Inserted user CAs aren't automatically trusted by apps in Android 7.0 (API level 24) and higher. App developers can change the default behavior for an app by adding a Security Configuration File to the app manifest file. The caller must be a profile or device owner on that user, or a delegate package given the DELEGATION_CERT_INSTALL
scope via setDelegatedScopes
; otherwise a security exception will be thrown.
Parameters | |
---|---|
admin |
ComponentName?: Which DeviceAdminReceiver this request is associated with, or null if calling from a delegated certificate installer. |
certBuffer |
ByteArray!: encoded form of the certificate to install. |
Return | |
---|---|
Boolean |
false if the certBuffer cannot be parsed or installation is interrupted, true otherwise. |
Exceptions | |
---|---|
java.lang.SecurityException |
if admin is not null and not a device or profile owner. |
installExistingPackage
open fun installExistingPackage(
admin: ComponentName,
packageName: String!
): Boolean
Install an existing package that has been installed in another user, or has been kept after removal via setKeepUninstalledPackages
. This function can be called by a device owner, profile owner or a delegate given the DELEGATION_INSTALL_EXISTING_PACKAGE
scope via setDelegatedScopes
. When called in a secondary user or managed profile, the user/profile must be affiliated with the device. See isAffiliatedUser
.
Parameters | |
---|---|
admin |
ComponentName: Which DeviceAdminReceiver this request is associated with. This value cannot be null . |
packageName |
String!: The package to be installed in the calling profile. |
Return | |
---|---|
Boolean |
true if the app is installed; false otherwise. |
Exceptions | |
---|---|
java.lang.SecurityException |
if admin is not the device owner, or the profile owner of an affiliated user or profile. |
installKeyPair
open fun installKeyPair(
admin: ComponentName?,
privKey: PrivateKey,
cert: Certificate,
alias: String
): Boolean
This API can be called by the following to install a certificate and corresponding private key:
- Device owner
- Profile owner
- Delegated certificate installer
- Credential management app
- An app that holds the
android.Manifest.permission#MANAGE_DEVICE_POLICY_CERTIFICATES
permission
From Android android.os.Build.VERSION_CODES#S
, the credential management app can call this API. However, this API sets the key pair as user selectable by default, which is not permitted when called by the credential management app. Instead, installKeyPair(android.content.ComponentName,java.security.PrivateKey,java.security.cert.Certificate[],java.lang.String,int)
should be called with INSTALLKEY_SET_USER_SELECTABLE
not set as a flag.
Access to the installed credentials will not be granted to the caller of this API without direct user approval. This is for security - should a certificate installer become compromised, certificates it had already installed will be protected.
If the installer must have access to the credentials, call installKeyPair(android.content.ComponentName,java.security.PrivateKey,java.security.cert.Certificate[],java.lang.String,boolean)
instead.
Note: If the provided alias
is of an existing alias, all former grants that apps have been given to access the key and certificates associated with this alias will be revoked.
Parameters | |
---|---|
admin |
ComponentName?: Which DeviceAdminReceiver this request is associated with, or null if the caller is not a device admin. |
privKey |
PrivateKey: The private key to install. This value cannot be null . |
cert |
Certificate: The certificate to install. This value cannot be null . |
alias |
String: The private key alias under which to install the certificate. If a certificate with that alias already exists, it will be overwritten. This value cannot be null . |
Return | |
---|---|
Boolean |
true if the keys were installed, false otherwise. |
Exceptions | |
---|---|
java.lang.SecurityException |
if admin is not null and not a device or profile owner, or admin is null and the calling application does not have the android.Manifest.permission#MANAGE_DEVICE_POLICY_CERTIFICATES permission. |
installKeyPair
open fun installKeyPair(
admin: ComponentName?,
privKey: PrivateKey,
certs: Array<Certificate!>,
alias: String,
requestAccess: Boolean
): Boolean
This API can be called by the following to install a certificate chain and corresponding private key for the leaf certificate:
- Device owner
- Profile owner
- Delegated certificate installer
- Credential management app
- An app that holds the
android.Manifest.permission#MANAGE_DEVICE_POLICY_CERTIFICATES
permission
From Android android.os.Build.VERSION_CODES#S
, the credential management app can call this API. However, this API sets the key pair as user selectable by default, which is not permitted when called by the credential management app. Instead, installKeyPair(android.content.ComponentName,java.security.PrivateKey,java.security.cert.Certificate[],java.lang.String,int)
should be called with INSTALLKEY_SET_USER_SELECTABLE
not set as a flag. Note, there can only be a credential management app on an unmanaged device.
The caller of this API may grant itself access to the certificate and private key immediately, without user approval. It is a best practice not to request this unless strictly necessary since it opens up additional security vulnerabilities.
Note: If the provided alias
is of an existing alias, all former grants that apps have been given to access the key and certificates associated with this alias will be revoked.
Parameters | |
---|---|
admin |
ComponentName?: Which DeviceAdminReceiver this request is associated with, or null if the caller is not a device admin. |
privKey |
PrivateKey: The private key to install. This value cannot be null . |
certs |
Array<Certificate!>: The certificate chain to install. The chain should start with the leaf certificate and include the chain of trust in order. This will be returned by android.security.KeyChain#getCertificateChain . This value cannot be null . |
alias |
String: The private key alias under which to install the certificate. If a certificate with that alias already exists, it will be overwritten. This value cannot be null . |
requestAccess |
Boolean: true to request that the calling app be granted access to the credentials immediately. Otherwise, access to the credentials will be gated by user approval. |
Return | |
---|---|
Boolean |
true if the keys were installed, false otherwise. |
Exceptions | |
---|---|
java.lang.SecurityException |
if admin is not null and not a device or profile owner, or admin is null and the calling application does not have the android.Manifest.permission#MANAGE_DEVICE_POLICY_CERTIFICATES permission. |
installKeyPair
open fun installKeyPair(
admin: ComponentName?,
privKey: PrivateKey,
certs: Array<Certificate!>,
alias: String,
flags: Int
): Boolean
This API can be called by the following to install a certificate chain and corresponding private key for the leaf certificate:
- Device owner
- Profile owner
- Delegated certificate installer
- Credential management app
- An app that holds the
android.Manifest.permission#MANAGE_DEVICE_POLICY_CERTIFICATES
permission
From Android android.os.Build.VERSION_CODES#S
, the credential management app can call this API. If called by the credential management app:
- The componentName must be
null
r - The alias must exist in the credential management app's
android.security.AppUriAuthenticationPolicy
- The key pair must not be user selectable
The caller of this API may grant itself access to the certificate and private key immediately, without user approval. It is a best practice not to request this unless strictly necessary since it opens up additional security vulnerabilities.
Include INSTALLKEY_SET_USER_SELECTABLE
in the flags
argument to allow the user to select the key from a dialog.
Note: If the provided alias
is of an existing alias, all former grants that apps have been given to access the key and certificates associated with this alias will be revoked.
Parameters | |
---|---|
admin |
ComponentName?: Which DeviceAdminReceiver this request is associated with, or null if the caller is not a device admin. |
privKey |
PrivateKey: The private key to install. This value cannot be null . |
certs |
Array<Certificate!>: The certificate chain to install. The chain should start with the leaf certificate and include the chain of trust in order. This will be returned by android.security.KeyChain#getCertificateChain . This value cannot be null . |
alias |
String: The private key alias under which to install the certificate. If a certificate with that alias already exists, it will be overwritten. This value cannot be null . |
flags |
Int: Flags to request that the calling app be granted access to the credentials and set the key to be user-selectable. See INSTALLKEY_SET_USER_SELECTABLE and INSTALLKEY_REQUEST_CREDENTIALS_ACCESS . |
Return | |
---|---|
Boolean |
true if the keys were installed, false otherwise. |
Exceptions | |
---|---|
java.lang.SecurityException |
if admin is not null and not a device or profile owner, or admin is null but the calling application is not a delegated certificate installer, credential management app and does not have the android.Manifest.permission#MANAGE_DEVICE_POLICY_CERTIFICATES permission. |
installSystemUpdate
open fun installSystemUpdate(
admin: ComponentName?,
updateFilePath: Uri,
executor: Executor,
callback: DevicePolicyManager.InstallSystemUpdateCallback
): Unit
Called by device owner or profile owner of an organization-owned managed profile to install a system update from the given file. The device will be rebooted in order to finish installing the update. Note that if the device is rebooted, this doesn't necessarily mean that the update has been applied successfully. The caller should additionally check the system version with android.os.Build#FINGERPRINT
or . If an error occurs during processing the OTA before the reboot, the caller will be notified by InstallSystemUpdateCallback
. If device does not have sufficient battery level, the installation will fail with error android.app.admin.DevicePolicyManager.InstallSystemUpdateCallback#UPDATE_ERROR_BATTERY_LOW
.
Parameters | |
---|---|
admin |
ComponentName?: The DeviceAdminReceiver that this request is associated with. Null if the caller is not a device admin This value may be null . |
updateFilePath |
Uri: A Uri of the file that contains the update. The file should be readable by the calling app. This value cannot be null . |
executor |
Executor: The executor through which the callback should be invoked. This value cannot be null . Callback and listener events are dispatched through this Executor , providing an easy way to control which thread is used. To dispatch events through the main thread of your application, you can use Context.getMainExecutor() . Otherwise, provide an Executor that dispatches to an appropriate thread. |
callback |
DevicePolicyManager.InstallSystemUpdateCallback: A callback object that will inform the caller when installing an update fails. This value cannot be null . |
isActivePasswordSufficient
open fun isActivePasswordSufficient(): Boolean
Determines whether the calling user's current password meets policy requirements (e.g. quality, minimum length). The user must be unlocked to perform this check.
Policy requirements which affect this check can be set by admins of the user, but also by the admin of a managed profile associated with the calling user (when the managed profile doesn't have a separate work challenge). When a managed profile has a separate work challenge, its policy requirements only affect the managed profile.
Depending on the user, this method checks the policy requirement against one of the following passwords:
- For the primary user or secondary users: the personal keyguard password.
- For managed profiles: a work challenge if set, otherwise the parent user's personal keyguard password.
Note that this method considers all policy requirements targeting the password in question. For example a profile owner might set a requirement on the parent profile i.e. personal keyguard but not on the profile itself. When the device has a weak personal keyguard password and no separate work challenge, calling this method will return
false
despite the profile owner not setting a policy on the profile itself. This is because the profile's current password is the personal keyguard password, and it does not meet all policy requirements.Device admins must request
DeviceAdminInfo.USES_POLICY_LIMIT_PASSWORD
before calling this method. Note, this policy type is deprecated for device admins in Android 9.0 (API level 28) or higher.This method can be called on the
DevicePolicyManager
instance returned bygetParentProfileInstance(android.content.ComponentName)
in order to determine if the password set on the parent profile is sufficient.On devices not supporting
PackageManager.FEATURE_SECURE_LOCK_SCREEN
feature, the password is always treated as empty - i.e. this method will always return false on such devices, provided any password requirements were set.
Return | |
---|---|
Boolean |
true if the password meets the policy requirements, false otherwise |
Exceptions | |
---|---|
java.lang.SecurityException |
if the calling application isn't an active admin that uses DeviceAdminInfo.USES_POLICY_LIMIT_PASSWORD |
java.lang.IllegalStateException |
if the user isn't unlocked |
isActivePasswordSufficientForDeviceRequirement
open fun isActivePasswordSufficientForDeviceRequirement(): Boolean
Called by profile owner of a managed profile to determine whether the current device password meets policy requirements set explicitly device-wide.
This API is similar to isActivePasswordSufficient()
, with two notable differences:
- this API always targets the device password. As a result it should always be called on the
getParentProfileInstance(android.content.ComponentName)
instance. - password policy requirement set on the managed profile is not taken into consideration by this API, even if the device currently does not have a separate work challenge set.
This API is designed to facilite progressive password enrollment flows when the DPC imposes both device and profile password policies. DPC applies profile password policy by calling setPasswordQuality(android.content.ComponentName,int)
or setRequiredPasswordComplexity
on the regular DevicePolicyManager
instance, while it applies device-wide policy by calling setRequiredPasswordComplexity
on the getParentProfileInstance(android.content.ComponentName)
instance. The DPC can utilize this check to guide the user to set a device password first taking into consideration the device-wide policy only, and then prompt the user to either upgrade it to be fully compliant, or enroll a separate work challenge to satisfy the profile password policy only.
The device user must be unlocked (@link UserManager.isUserUnlocked(UserHandle)
) to perform this check.
Return | |
---|---|
Boolean |
true if the device password meets explicit requirement set on it, false otherwise. |
Exceptions | |
---|---|
java.lang.SecurityException |
if the calling application is not a profile owner of a managed profile, or if this API is not called on the parent DevicePolicyManager instance. |
java.lang.IllegalStateException |
if the user isn't unlocked |
isAdminActive
open fun isAdminActive(admin: ComponentName): Boolean
Return true if the given administrator component is currently active (enabled) in the system.
Parameters | |
---|---|
admin |
ComponentName: The administrator component to check for. This value cannot be null . |
Return | |
---|---|
Boolean |
true if admin is currently enabled in the system, false otherwise |
isAffiliatedUser
open fun isAffiliatedUser(): Boolean
Returns whether this user is affiliated with the device.
By definition, the user that the device owner runs on is always affiliated with the device. Any other user is considered affiliated with the device if the set specified by its profile owner via setAffiliationIds
intersects with the device owner's.
See Also
isAlwaysOnVpnLockdownEnabled
open fun isAlwaysOnVpnLockdownEnabled(admin: ComponentName): Boolean
Called by device or profile owner to query whether current always-on VPN is configured in lockdown mode. Returns false
when no always-on configuration is set.
Parameters | |
---|---|
admin |
ComponentName: Which DeviceAdminReceiver this request is associated with. This value cannot be null . |
Exceptions | |
---|---|
java.lang.SecurityException |
if admin is not a device or a profile owner. |
isApplicationHidden
open fun isApplicationHidden(
admin: ComponentName?,
packageName: String!
): Boolean
Determine if a package is hidden. This function can be called by a device owner, profile owner, or by a delegate given the DELEGATION_PACKAGE_ACCESS
scope via setDelegatedScopes
.
This method can be called on the DevicePolicyManager
instance, returned by getParentProfileInstance(android.content.ComponentName)
, where the caller must be the profile owner of an organization-owned managed profile and the package must be a system package. If called on the parent instance, this will determine whether the package is hidden or unhidden in the personal profile.
Starting from Build.VERSION_CODES.UPSIDE_DOWN_CAKE
, the returned policy will be the current resolved policy rather than the policy set by the calling admin.
Parameters | |
---|---|
admin |
ComponentName?: Which DeviceAdminReceiver this request is associated with, or null if the caller is not a device admin. |
packageName |
String!: The name of the package to retrieve the hidden status of. |
Return | |
---|---|
Boolean |
boolean true if the package is hidden, false otherwise. |
Exceptions | |
---|---|
java.lang.SecurityException |
if admin is not a device or profile owner or if called on the parent profile and the admin is not a profile owner of an organization-owned managed profile. |
java.lang.IllegalArgumentException |
if called on the parent profile and the package provided is not a system package. |
isBackupServiceEnabled
open fun isBackupServiceEnabled(admin: ComponentName): Boolean
Return whether the backup service is enabled by the device owner or profile owner for the current user, as previously set by setBackupServiceEnabled(android.content.ComponentName,boolean)
.
Whether the backup functionality is actually enabled or not depends on settings from both the current user and the device owner, please see setBackupServiceEnabled(android.content.ComponentName,boolean)
for details.
Backup service manages all backup and restore mechanisms on the device.
Parameters | |
---|---|
admin |
ComponentName: This value cannot be null . |
Return | |
---|---|
Boolean |
true if backup service is enabled, false otherwise. |
See Also
isCallerApplicationRestrictionsManagingPackage
open funisCallerApplicationRestrictionsManagingPackage(): Boolean
Deprecated: From android.os.Build.VERSION_CODES#O
. Use getDelegatedScopes
instead.
Called by any application to find out whether it has been granted permission via setApplicationRestrictionsManagingPackage
to manage application restrictions for the calling user.
This is done by comparing the calling Linux uid with the uid of the package specified by that method.
isCommonCriteriaModeEnabled
open fun isCommonCriteriaModeEnabled(admin: ComponentName?): Boolean
Returns whether Common Criteria mode is currently enabled. Device owner and profile owner of an organization-owned managed profile can query its own Common Criteria mode setting by calling this method with its admin ComponentName
. Any caller can obtain the aggregated device-wide Common Criteria mode state by passing null
as the admin
argument.
Parameters | |
---|---|
admin |
ComponentName?: Which DeviceAdminReceiver this request is associated with. Null if the caller is not a device admin. This value may be null . |
Return | |
---|---|
Boolean |
true if Common Criteria mode is enabled, false otherwise. |
isComplianceAcknowledgementRequired
open fun isComplianceAcknowledgementRequired(): Boolean
Called by a profile owner of an organization-owned managed profile to query whether it needs to acknowledge device compliance to allow the user to turn the profile off if needed according to the maximum profile time off policy. Normally when acknowledgement is needed the DPC gets a DeviceAdminReceiver.onComplianceAcknowledgementRequired(Context, Intent)
callback. But if the callback was not delivered or handled for some reason, this method can be used to verify if acknowledgement is needed.
Exceptions | |
---|---|
java.lang.IllegalStateException |
if the user isn't unlocked |
isDeviceFinanced
open fun isDeviceFinanced(): Boolean
Returns true
if this device is marked as a financed device.
A financed device can be entered into lock task mode (see setLockTaskPackages
) by the holder of the role android.app.role.RoleManager#ROLE_FINANCED_DEVICE_KIOSK
. If this occurs, Device Owners and Profile Owners that have set lock task packages or features, or that attempt to set lock task packages or features, will receive a callback indicating that it could not be set. See PolicyUpdateReceiver.onPolicyChanged
and PolicyUpdateReceiver.onPolicySetResult
.
To be informed of changes to this status you can subscribe to the broadcast ACTION_DEVICE_FINANCING_STATE_CHANGED
.
Exceptions | |
---|---|
java.lang.SecurityException |
if the caller is not a device owner, profile owner of an organization-owned managed profile, profile owner on the primary user or holder of one of the following roles: android.app.role.RoleManager.ROLE_DEVICE_POLICY_MANAGEMENT , android.app.role.RoleManager.ROLE_SYSTEM_SUPERVISION . |
isDeviceIdAttestationSupported
open fun isDeviceIdAttestationSupported(): Boolean
Returns true
if the device supports attestation of device identifiers in addition to key attestation. See generateKeyPair(android.content.ComponentName,java.lang.String,android.security.keystore.KeyGenParameterSpec,int)
Return | |
---|---|
Boolean |
true if Device ID attestation is supported. |
isDeviceOwnerApp
open fun isDeviceOwnerApp(packageName: String!): Boolean
Used to determine if a particular package has been registered as a Device Owner app. A device owner app is a special device admin that cannot be deactivated by the user, once activated as a device admin. It also cannot be uninstalled. To check whether a particular package is currently registered as the device owner app, pass in the package name from Context.getPackageName()
to this method.
Parameters | |
---|---|
packageName |
String!: the package name of the app, to compare with the registered device owner app, if any. |
Return | |
---|---|
Boolean |
whether or not the package is registered as the device owner app. |
isEphemeralUser
open fun isEphemeralUser(admin: ComponentName): Boolean
Checks if the profile owner is running in an ephemeral user.
Parameters | |
---|---|
admin |
ComponentName: Which DeviceAdminReceiver this request is associated with. This value cannot be null . |
Return | |
---|---|
Boolean |
whether the profile owner is running in an ephemeral user. |
isKeyPairGrantedToWifiAuth
open fun isKeyPairGrantedToWifiAuth(alias: String): Boolean
Called by a device or profile owner, or delegated certificate chooser (an app that has been delegated the DELEGATION_CERT_SELECTION
privilege), to query whether a KeyChain key pair can be used for authentication to Wifi networks.
Parameters | |
---|---|
alias |
String: The alias of the key pair. This value cannot be null . |
Return | |
---|---|
Boolean |
true if the key pair can be used, false otherwise. |
Exceptions | |
---|---|
java.lang.SecurityException |
if the caller is not a device owner, a profile owner or delegated certificate chooser. |
See Also
isLockTaskPermitted
open fun isLockTaskPermitted(pkg: String!): Boolean
This function lets the caller know whether the given component is allowed to start the lock task mode.
Parameters | |
---|---|
pkg |
String!: The package to check |
isLogoutEnabled
open fun isLogoutEnabled(): Boolean
Returns whether logout is enabled by a device owner.
Return | |
---|---|
Boolean |
true if logout is enabled by device owner, false otherwise. |
isManagedProfile
open fun isManagedProfile(admin: ComponentName): Boolean
Return if this user is a managed profile of another user. An admin can become the profile owner of a managed profile with ACTION_PROVISION_MANAGED_PROFILE
and of a managed user with createAndManageUser
Parameters | |
---|---|
admin |
ComponentName: Which profile owner this request is associated with. This value cannot be null . |
Return | |
---|---|
Boolean |
if this user is a managed profile of another user. |
isMasterVolumeMuted
open fun isMasterVolumeMuted(admin: ComponentName): Boolean
Called by profile or device owners to check whether the global volume mute is on or off.
Parameters | |
---|---|
admin |
ComponentName: Which DeviceAdminReceiver this request is associated with. This value cannot be null . |
Return | |
---|---|
Boolean |
true if global volume is muted, false if it's not. |
Exceptions | |
---|---|
java.lang.SecurityException |
if admin is not a device or profile owner. |
isMtePolicyEnforced
open static fun isMtePolicyEnforced(): Boolean
Get the current MTE state of the device. Learn more about MTE
Return | |
---|---|
Boolean |
whether MTE is currently enabled on the device. |
isNetworkLoggingEnabled
open fun isNetworkLoggingEnabled(admin: ComponentName?): Boolean
Return whether network logging is enabled by a device owner or profile owner of a managed profile.
Parameters | |
---|---|
admin |
ComponentName?: Which DeviceAdminReceiver this request is associated with. Can only be null if the caller is a delegated app with DELEGATION_NETWORK_LOGGING or has MANAGE_USERS permission. |
Return | |
---|---|
Boolean |
true if network logging is enabled by device owner or profile owner, false otherwise. |
Exceptions | |
---|---|
java.lang.SecurityException |
if admin is not a device owner or profile owner and caller has no MANAGE_USERS permission |
isOrganizationOwnedDeviceWithManagedProfile
open fun isOrganizationOwnedDeviceWithManagedProfile(): Boolean
Apps can use this method to find out if the device was provisioned as organization-owend device with a managed profile. This, together with checking whether the device has a device owner (by calling isDeviceOwnerApp
), could be used to learn whether the device is owned by an organization or an individual: If this method returns true OR isDeviceOwnerApp
returns true (for any package), then the device is owned by an organization. Otherwise, it's owned by an individual.
Return | |
---|---|
Boolean |
true if the device was provisioned as organization-owned device, false otherwise. |
isOverrideApnEnabled
open fun isOverrideApnEnabled(admin: ComponentName): Boolean
Called by device owner to check if override APNs are currently enabled.
Parameters | |
---|---|
admin |
ComponentName: which DeviceAdminReceiver this request is associated with This value cannot be null . |
Return | |
---|---|
Boolean |
true if override APNs are currently enabled, false otherwise. |
Exceptions | |
---|---|
java.lang.SecurityException |
if admin is not a device owner. |
isPackageSuspended
open fun isPackageSuspended(
admin: ComponentName?,
packageName: String!
): Boolean
Determine if a package is suspended. This function can be called by a device owner, profile owner, or by a delegate given the DELEGATION_PACKAGE_ACCESS
scope via setDelegatedScopes
or by holders of the permission android.Manifest.permission#MANAGE_DEVICE_POLICY_PACKAGE_STATE
.
Parameters | |
---|---|
admin |
ComponentName?: Which DeviceAdminReceiver this request is associated with. Null if the caller is not a device admin. This value may be null . |
packageName |
String!: The name of the package to retrieve the suspended status of. |
Return | |
---|---|
Boolean |
true if the package is suspended or false if the package is not suspended, could not be found or an error occurred. |
Exceptions | |
---|---|
java.lang.SecurityException |
if admin is not a device or profile owner or has not been granted the permission android.Manifest.permission#MANAGE_DEVICE_POLICY_PACKAGE_STATE . |
android.content.pm.PackageManager.NameNotFoundException |
if the package could not be found. |
isPreferentialNetworkServiceEnabled
open fun isPreferentialNetworkServiceEnabled(): Boolean
Indicates whether preferential network service is enabled.
Before Android version android.os.Build.VERSION_CODES#TIRAMISU
: This method can be called by the profile owner of a managed profile.
Starting from Android version android.os.Build.VERSION_CODES#TIRAMISU
: This method can be called by the profile owner of a managed profile or device owner.
Return | |
---|---|
Boolean |
whether preferential network service is enabled. |
Exceptions | |
---|---|
java.lang.SecurityException |
if the caller is not the profile owner or device owner. |
isProfileOwnerApp
open fun isProfileOwnerApp(packageName: String!): Boolean
Used to determine if a particular package is registered as the profile owner for the user. A profile owner is a special device admin that has additional privileges within the profile.
Parameters | |
---|---|
packageName |
String!: The package name of the app to compare with the registered profile owner. |
Return | |
---|---|
Boolean |
Whether or not the package is registered as the profile owner. |
isProvisioningAllowed
open fun isProvisioningAllowed(action: String): Boolean
Returns whether it is possible for the caller to initiate provisioning of a managed profile or device, setting itself as the device or profile owner.
Parameters | |
---|---|
action |
String: One of ACTION_PROVISION_MANAGED_DEVICE , ACTION_PROVISION_MANAGED_PROFILE . This value cannot be null . |
Return | |
---|---|
Boolean |
whether provisioning a managed profile or device is possible. |
Exceptions | |
---|---|
java.lang.IllegalArgumentException |
if the supplied action is not valid. |
isResetPasswordTokenActive
open fun isResetPasswordTokenActive(admin: ComponentName?): Boolean
Called by a profile, device owner or a holder of the permission android.Manifest.permission#MANAGE_DEVICE_POLICY_RESET_PASSWORD
to check if the current reset password token is active.
On devices not supporting PackageManager.FEATURE_SECURE_LOCK_SCREEN
feature, false is always returned.
Requires the PackageManager#FEATURE_SECURE_LOCK_SCREEN
feature which can be detected using PackageManager.hasSystemFeature(String)
.
Parameters | |
---|---|
admin |
ComponentName?: Which DeviceAdminReceiver this request is associated with. Null if the caller is not a device admin. This value may be null . |
Return | |
---|---|
Boolean |
true if the token is active, false otherwise. |
Exceptions | |
---|---|
java.lang.SecurityException |
if admin is not a device or profile owner and not a holder of the permission android.Manifest.permission#MANAGE_DEVICE_POLICY_RESET_PASSWORD |
java.lang.IllegalStateException |
if no token has been set. |
isSafeOperation
open fun isSafeOperation(reason: Int): Boolean
Checks if it's safe to run operations that can be affected by the given reason
.
Note: notice that the operation safety state might change between the time this method returns and the operation's method is called, so calls to the latter could still throw a UnsafeStateException
even when this method returns true
.
Parameters | |
---|---|
reason |
Int: currently, only supported reason is OPERATION_SAFETY_REASON_DRIVING_DISTRACTION . Value is android.app.admin.DevicePolicyManager.OPERATION_SAFETY_REASON_NONE, or android.app.admin.DevicePolicyManager#OPERATION_SAFETY_REASON_DRIVING_DISTRACTION |
Return | |
---|---|
Boolean |
whether it's safe to run operations that can be affected by the given reason . |
isSecurityLoggingEnabled
open fun isSecurityLoggingEnabled(admin: ComponentName?): Boolean
Return whether security logging is enabled or not by the admin.
Can only be called by the device owner or a profile owner of an organization-owned managed profile, otherwise a SecurityException
will be thrown.
Parameters | |
---|---|
admin |
ComponentName?: Which device admin this request is associated with. Null if the caller is not a device admin This value may be null . |
Return | |
---|---|
Boolean |
true if security logging is enabled, false otherwise. |
Exceptions | |
---|---|
java.lang.SecurityException |
if the caller is not allowed to control security logging. |
isStatusBarDisabled
open fun isStatusBarDisabled(): Boolean
Returns whether the status bar is disabled/enabled, see setStatusBarDisabled
.
Callable by device owner or profile owner of secondary users that is affiliated with the device owner.
This policy has no effect in LockTask mode. The behavior of the status bar in LockTask mode can be configured with setLockTaskFeatures(android.content.ComponentName,int)
.
This policy also does not have any effect while on the lock screen, where the status bar will not be disabled.
Exceptions | |
---|---|
java.lang.SecurityException |
if the caller is not the device owner, or a profile owner of secondary user that is affiliated with the device. |
See Also
isUninstallBlocked
open fun isUninstallBlocked(
admin: ComponentName?,
packageName: String!
): Boolean
Check whether the user has been blocked by device policy from uninstalling a package. Requires the caller to be the profile owner if checking a specific admin's policy.
Note: Starting from android.os.Build.VERSION_CODES#LOLLIPOP_MR1
, the behavior of this API is changed such that passing null
as the admin
parameter will return if any admin has blocked the uninstallation. Before L MR1, passing null
will cause a NullPointerException to be raised.
Note: If your app targets Android 11 (API level 30) or higher, this method returns a filtered result. Learn more about how to manage package visibility.
Starting from Build.VERSION_CODES.UPSIDE_DOWN_CAKE
, the returned policy will be the current resolved policy rather than the policy set by the calling admin.
Parameters | |
---|---|
admin |
ComponentName?: The name of the admin component whose blocking policy will be checked, or null to check whether any admin has blocked the uninstallation. Starting from android.os.Build.VERSION_CODES#UPSIDE_DOWN_CAKE admin will be ignored and assumed null . |
packageName |
String!: package to check. |
Return | |
---|---|
Boolean |
true if uninstallation is blocked and the given package is visible to you, false otherwise if uninstallation isn't blocked or the given package isn't visible to you. |
Exceptions | |
---|---|
java.lang.SecurityException |
if admin is not a device or profile owner. |
isUniqueDeviceAttestationSupported
open fun isUniqueDeviceAttestationSupported(): Boolean
Returns true
if the StrongBox Keymaster implementation on the device was provisioned with an individual attestation certificate and can sign attestation records using it (as attestation using an individual attestation certificate is a feature only Keymaster implementations with StrongBox security level can implement). For use prior to calling generateKeyPair(android.content.ComponentName,java.lang.String,android.security.keystore.KeyGenParameterSpec,int)
.
Return | |
---|---|
Boolean |
true if individual attestation is supported. |
isUsbDataSignalingEnabled
open fun isUsbDataSignalingEnabled(): Boolean
Returns whether USB data signaling is currently enabled.
When called by a device owner or profile owner of an organization-owned managed profile, this API returns whether USB data signaling is currently enabled by that admin. When called by any other app, returns whether USB data signaling is currently enabled on the device.
Return | |
---|---|
Boolean |
true if USB data signaling is enabled, false otherwise. |
isUsingUnifiedPassword
open fun isUsingUnifiedPassword(admin: ComponentName): Boolean
When called by a profile owner of a managed profile returns true if the profile uses unified challenge with its parent user. Note: This method is not concerned with password quality and will return false if the profile has empty password as a separate challenge.
Parameters | |
---|---|
admin |
ComponentName: Which DeviceAdminReceiver this request is associated with. This value cannot be null . |
Exceptions | |
---|---|
java.lang.SecurityException |
if admin is not a profile owner of a managed profile. |
listForegroundAffiliatedUsers
open fun listForegroundAffiliatedUsers(): MutableList<UserHandle!>
Gets the list of affiliated
users running on foreground.
Return | |
---|---|
MutableList<UserHandle!> |
list of affiliated users running on foreground. This value cannot be null . |
Exceptions | |
---|---|
java.lang.SecurityException |
if the calling application is not a device owner |
lockNow
open fun lockNow(): Unit
Make the device lock immediately, as if the lock screen timeout has expired at the point of this call.
This method secures the device in response to an urgent situation, such as a lost or stolen device. After this method is called, the device must be unlocked using strong authentication (PIN, pattern, or password). This API is intended for use only by device admins.
From version android.os.Build.VERSION_CODES#R
onwards, the caller must either have the LOCK_DEVICE permission or the device must have the device admin feature; if neither is true, then the method will return without completing any action. Before version android.os.Build.VERSION_CODES#R
, the device needed the device admin feature, regardless of the caller's permissions.
The calling device admin must have requested DeviceAdminInfo.USES_POLICY_FORCE_LOCK
to be able to call this method; if it has not, a security exception will be thrown.
If there's no lock type set, this method forces the device to go to sleep but doesn't lock the device. Device admins who find the device in this state can lock an otherwise-insecure device by first calling resetPassword
to set the password and then lock the device.
This method can be called on the DevicePolicyManager
instance returned by getParentProfileInstance(android.content.ComponentName)
in order to lock the parent profile.
NOTE: on automotive builds
, this method doesn't turn off the screen as it would be a driving safety distraction.
Equivalent to calling lockNow(int)
with no flags.
Exceptions | |
---|---|
java.lang.SecurityException |
if the calling application does not own an active administrator that uses DeviceAdminInfo.USES_POLICY_FORCE_LOCK |
lockNow
open fun lockNow(flags: Int): Unit
Make the device lock immediately, as if the lock screen timeout has expired at the point of this call.
This method secures the device in response to an urgent situation, such as a lost or stolen device. After this method is called, the device must be unlocked using strong authentication (PIN, pattern, or password). This API is intended for use only by device admins.
From version android.os.Build.VERSION_CODES#R
onwards, the caller must either have the LOCK_DEVICE permission or the device must have the device admin feature; if neither is true, then the method will return without completing any action. Before version android.os.Build.VERSION_CODES#R
, the device needed the device admin feature, regardless of the caller's permissions.
A calling device admin must have requested DeviceAdminInfo.USES_POLICY_FORCE_LOCK
to be able to call this method; if it has not, a security exception will be thrown.
If there's no lock type set, this method forces the device to go to sleep but doesn't lock the device. Device admins who find the device in this state can lock an otherwise-insecure device by first calling resetPassword
to set the password and then lock the device.
This method can be called on the DevicePolicyManager
instance returned by getParentProfileInstance(android.content.ComponentName)
in order to lock the parent profile as well as the managed profile.
NOTE: In order to lock the parent profile and evict the encryption key of the managed profile, lockNow()
must be called twice: First, lockNow()
should be called on the DevicePolicyManager
instance returned by getParentProfileInstance(android.content.ComponentName)
, then lockNow(int)
should be called on the DevicePolicyManager
instance associated with the managed profile, with the FLAG_EVICT_CREDENTIAL_ENCRYPTION_KEY
flag. Calling the method twice in this order ensures that all users are locked and does not stop the device admin on the managed profile from issuing a second call to lock its own profile.
NOTE: on automotive builds
, this method doesn't turn off the screen as it would be a driving safety distraction.
Parameters | |
---|---|
flags |
Int: May be 0 or FLAG_EVICT_CREDENTIAL_ENCRYPTION_KEY . Value is either 0 or android.app.admin.DevicePolicyManager#FLAG_EVICT_CREDENTIAL_ENCRYPTION_KEY |
Exceptions | |
---|---|
java.lang.SecurityException |
if the calling application does not own an active administrator that uses DeviceAdminInfo.USES_POLICY_FORCE_LOCK and the does not hold the LOCK_DEVICE permission, or the FLAG_EVICT_CREDENTIAL_ENCRYPTION_KEY flag is passed by an application that is not a profile owner of a managed profile. |
java.lang.IllegalArgumentException |
if the FLAG_EVICT_CREDENTIAL_ENCRYPTION_KEY flag is passed when locking the parent profile. |
java.lang.UnsupportedOperationException |
if the FLAG_EVICT_CREDENTIAL_ENCRYPTION_KEY flag is passed when getStorageEncryptionStatus does not return ENCRYPTION_STATUS_ACTIVE_PER_USER . |
logoutUser
open fun logoutUser(admin: ComponentName): Int
Called by a profile owner of secondary user that is affiliated with the device to stop the calling user and switch back to primary user (when the user was switchUser(android.content.ComponentName,android.os.UserHandle)
switched to) or stop the user (when it was started in background
.
Notice that on devices running with headless system user mode
, there is no primary user, so it switches back to the user that was in the foreground before the first call to switchUser(android.content.ComponentName,android.os.UserHandle)
(or fails with UserManager.USER_OPERATION_ERROR_UNKNOWN
if that method was not called prior to this call).
Parameters | |
---|---|
admin |
ComponentName: Which DeviceAdminReceiver this request is associated with. This value cannot be null . |
Return | |
---|---|
Int |
one of the following result codes: UserManager.USER_OPERATION_ERROR_UNKNOWN , UserManager.USER_OPERATION_SUCCESS , UserManager.USER_OPERATION_ERROR_MANAGED_PROFILE , UserManager.USER_OPERATION_ERROR_CURRENT_USER Value is android.os.UserManager#USER_OPERATION_SUCCESS , android.os.UserManager#USER_OPERATION_ERROR_UNKNOWN , android.os.UserManager#USER_OPERATION_ERROR_MANAGED_PROFILE , android.os.UserManager#USER_OPERATION_ERROR_MAX_RUNNING_USERS , android.os.UserManager#USER_OPERATION_ERROR_CURRENT_USER , android.os.UserManager#USER_OPERATION_ERROR_LOW_STORAGE , android.os.UserManager#USER_OPERATION_ERROR_MAX_USERS , android.os.UserManager.USER_OPERATION_ERROR_USER_ACCOUNT_ALREADY_EXISTS, android.os.UserManager.USER_OPERATION_ERROR_DISABLED_USER, android.os.UserManager.USER_OPERATION_ERROR_PRIVATE_PROFILE, or android.os.UserManager.USER_OPERATION_ERROR_USER_RESTRICTED |
Exceptions | |
---|---|
java.lang.SecurityException |
if admin is not a profile owner affiliated with the device. |
See Also
reboot
open fun reboot(admin: ComponentName): Unit
Called by device owner to reboot the device. If there is an ongoing call on the device, throws an IllegalStateException
.
Parameters | |
---|---|
admin |
ComponentName: Which device owner the request is associated with. This value cannot be null . |
Exceptions | |
---|---|
java.lang.IllegalStateException |
if device has an ongoing call. |
java.lang.SecurityException |
if admin is not a device owner. |
removeActiveAdmin
open fun removeActiveAdmin(admin: ComponentName): Unit
Remove a current administration component. This can only be called by the application that owns the administration component; if you try to remove someone else's component, a security exception will be thrown.
Note that the operation is not synchronous and the admin might still be active (as indicated by getActiveAdmins()
) by the time this method returns.
Parameters | |
---|---|
admin |
ComponentName: The administration compononent to remove. This value cannot be null . |
Exceptions | |
---|---|
java.lang.SecurityException |
if the caller is not in the owner application of admin . |
removeCrossProfileWidgetProvider
open fun removeCrossProfileWidgetProvider(
admin: ComponentName?,
packageName: String!
): Boolean
Called by the profile owner of a managed profile or a holder of the permission android.Manifest.permission#MANAGE_DEVICE_POLICY_PROFILE_INTERACTION
to disable widget providers from a given package to be available in the parent profile. For this method to take effect the package should have been added via addCrossProfileWidgetProvider(android.content.ComponentName,java.lang.String)
.
Note: By default no widget provider package is allowlisted.
Parameters | |
---|---|
admin |
ComponentName?: Which DeviceAdminReceiver this request is associated with. Null if the caller is not a device admin. This value may be null . |
packageName |
String!: The package from which widget providers are no longer allowlisted. |
Return | |
---|---|
Boolean |
Whether the package was removed. |
Exceptions | |
---|---|
java.lang.SecurityException |
if admin is not a profile owner and not a holder of the permission android.Manifest.permission#MANAGE_DEVICE_POLICY_PROFILE_INTERACTION . |
removeKeyPair
open fun removeKeyPair(
admin: ComponentName?,
alias: String
): Boolean
This API can be called by the following to remove a certificate and private key pair installed under a given alias:
- Device owner
- Profile owner
- Delegated certificate installer
- Credential management app
From Android android.os.Build.VERSION_CODES#S
, the credential management app can call this API. If called by the credential management app, the componentName must be null
. Note, there can only be a credential management app on an unmanaged device.
Parameters | |
---|---|
admin |
ComponentName?: Which DeviceAdminReceiver this request is associated with, or null if the caller is not a device admin. |
alias |
String: The private key alias under which the certificate is installed. This value cannot be null . |
Return | |
---|---|
Boolean |
true if the private key alias no longer exists, false otherwise. |
Exceptions | |
---|---|
java.lang.SecurityException |
if admin is not null and not a device or profile owner, or admin is null but the calling application is not a delegated certificate installer or credential management app. |
removeOverrideApn
open fun removeOverrideApn(
admin: ComponentName,
apnId: Int
): Boolean
Called by device owner or managed profile owner to remove an override APN.
This method may returns false
if there is no override APN with the given apnId
.
Before Android version android.os.Build.VERSION_CODES#TIRAMISU
: Only device owners can remove APNs.
Starting from Android version android.os.Build.VERSION_CODES#TIRAMISU
: Both device owners and managed profile owners can remove enterprise APNs (ApnSetting.TYPE_ENTERPRISE
), while only device owners can remove other type of APNs.
Parameters | |
---|---|
admin |
ComponentName: which DeviceAdminReceiver this request is associated with This value cannot be null . |
apnId |
Int: the id of the override APN to remove |
Return | |
---|---|
Boolean |
true if the required override APN is successfully removed, false otherwise. |
Exceptions | |
---|---|
java.lang.SecurityException |
If request is for enterprise APN admin is either device owner or profile owner and in all other types of APN if admin is not a device owner. |
removeUser
open fun removeUser(
admin: ComponentName,
userHandle: UserHandle
): Boolean
Called by a device owner to remove a user/profile and all associated data. The primary user can not be removed.
Parameters | |
---|---|
admin |
ComponentName: Which DeviceAdminReceiver this request is associated with. This value cannot be null . |
userHandle |
UserHandle: the user to remove. This value cannot be null . |
Return | |
---|---|
Boolean |
true if the user was removed, false otherwise. |
Exceptions | |
---|---|
java.lang.SecurityException |
if admin is not a device owner. |
requestBugreport
open fun requestBugreport(admin: ComponentName): Boolean
Called by a device owner to request a bugreport.
If the device contains secondary users or profiles, they must be affiliated with the device. Otherwise a SecurityException
will be thrown. See isAffiliatedUser
.
Parameters | |
---|---|
admin |
ComponentName: Which DeviceAdminReceiver this request is associated with. This value cannot be null . |
Return | |
---|---|
Boolean |
true if the bugreport collection started successfully, or false if it wasn't triggered because a previous bugreport operation is still active (either the bugreport is still running or waiting for the user to share or decline) |
Exceptions | |
---|---|
java.lang.SecurityException |
if admin is not a device owner, or there is at least one profile or secondary user that is not affiliated with the device. |
See Also
resetPassword
open funresetPassword(
password: String!,
flags: Int
): Boolean
Deprecated: Please use resetPasswordWithToken
instead.
Force a new password for device unlock (the password needed to access the entire device) or the work profile challenge on the current user. This takes effect immediately.
Before android.os.Build.VERSION_CODES#N
, this API is available to device admin, profile owner and device owner. Starting from android.os.Build.VERSION_CODES#N
, legacy device admin (who is not also profile owner or device owner) can only call this API to set a new password if there is currently no password set. Profile owner and device owner can continue to force change an existing password as long as the target user is unlocked, although device owner will not be able to call this API at all if there is also a managed profile on the device.
Between android.os.Build.VERSION_CODES#O
, android.os.Build.VERSION_CODES#P
and android.os.Build.VERSION_CODES#Q
, profile owner and devices owner targeting SDK level android.os.Build.VERSION_CODES#O
or above who attempt to call this API will receive SecurityException
; they are encouraged to migrate to the new resetPasswordWithToken
API instead. Profile owner and device owner targeting older SDK levels are not affected: they continue to experience the existing behaviour described in the previous paragraph.
Starting from android.os.Build.VERSION_CODES#R
, this API is no longer supported in most cases. Device owner and profile owner calling this API will receive SecurityException
if they target SDK level android.os.Build.VERSION_CODES#O
or above, or they will receive a silent failure (API returning false
) if they target lower SDK level. For legacy device admins, this API throws SecurityException
if they target SDK level android.os.Build.VERSION_CODES#N
or above, and returns false
otherwise. Only privileged apps holding RESET_PASSWORD permission which are part of the system factory image can still call this API to set a new password if there is currently no password set. In this case, if the device already has a password, this API will throw SecurityException
.
The given password must be sufficient for the current password quality and length constraints as returned by getPasswordQuality(android.content.ComponentName)
and getPasswordMinimumLength(android.content.ComponentName)
; if it does not meet these constraints, then it will be rejected and false returned. Note that the password may be a stronger quality (containing alphanumeric characters when the requested quality is only numeric), in which case the currently active quality will be increased to match.
On devices not supporting PackageManager.FEATURE_SECURE_LOCK_SCREEN
feature, this methods does nothing.
The calling device admin must have requested DeviceAdminInfo.USES_POLICY_RESET_PASSWORD
to be able to call this method; if it has not, a security exception will be thrown.
Requires the PackageManager#FEATURE_SECURE_LOCK_SCREEN
feature which can be detected using PackageManager.hasSystemFeature(String)
.
Parameters | |
---|---|
password |
String!: The new password for the user. Null or empty clears the password. |
flags |
Int: May be 0 or combination of RESET_PASSWORD_REQUIRE_ENTRY and RESET_PASSWORD_DO_NOT_ASK_CREDENTIALS_ON_BOOT . |
Return | |
---|---|
Boolean |
Returns true if the password was applied, or false if it is not acceptable for the current constraints. |
Exceptions | |
---|---|
java.lang.SecurityException |
if the calling application does not own an active administrator that uses DeviceAdminInfo.USES_POLICY_RESET_PASSWORD |
java.lang.IllegalStateException |
if the calling user is locked or has a managed profile. |
resetPasswordWithToken
open fun resetPasswordWithToken(
admin: ComponentName?,
password: String!,
token: ByteArray!,
flags: Int
): Boolean
Called by device or profile owner to force set a new device unlock password or a managed profile challenge on current user. This takes effect immediately.
Unlike resetPassword
, this API can change the password even before the user or device is unlocked or decrypted. The supplied token must have been previously provisioned via setResetPasswordToken
, and in active state isResetPasswordTokenActive
.
The given password must be sufficient for the current password quality and length constraints as returned by getPasswordQuality(android.content.ComponentName)
and getPasswordMinimumLength(android.content.ComponentName)
; if it does not meet these constraints, then it will be rejected and false returned. Note that the password may be a stronger quality, for example, a password containing alphanumeric characters when the requested quality is only numeric.
Calling with a null
or empty password will clear any existing PIN, pattern or password if the current password constraints allow it.
On devices not supporting PackageManager.FEATURE_SECURE_LOCK_SCREEN
feature, calling this methods has no effect - the password is always empty - and false is returned.
Requires the PackageManager#FEATURE_SECURE_LOCK_SCREEN
feature which can be detected using PackageManager.hasSystemFeature(String)
.
Parameters | |
---|---|
admin |
ComponentName?: Which DeviceAdminReceiver this request is associated with. Null if the caller is not a device admin. This value may be null . |
password |
String!: The new password for the user. null or empty clears the password. |
token |
ByteArray!: the password reset token previously provisioned by setResetPasswordToken . |
flags |
Int: May be 0 or combination of RESET_PASSWORD_REQUIRE_ENTRY and RESET_PASSWORD_DO_NOT_ASK_CREDENTIALS_ON_BOOT . |
Return | |
---|---|
Boolean |
Returns true if the password was applied, or false if it is not acceptable for the current constraints. |
Exceptions | |
---|---|
java.lang.SecurityException |
if admin is not a device or profile owner. |
java.lang.IllegalStateException |
if the provided token is not valid. |
retrieveNetworkLogs
open fun retrieveNetworkLogs(
admin: ComponentName?,
batchToken: Long
): MutableList<NetworkEvent!>?
Called by device owner, profile owner of a managed profile or delegated app with DELEGATION_NETWORK_LOGGING
to retrieve the most recent batch of network logging events.
When network logging is enabled by a profile owner, the network logs will only include work profile network activity, not activity on the personal profile. A device owner or profile owner has to provide a batchToken provided as part of DeviceAdminReceiver.onNetworkLogsAvailable
callback. If the token doesn't match the token of the most recent available batch of logs, null
will be returned.
NetworkEvent
can be one of DnsEvent
or ConnectEvent
.
The list of network events is sorted chronologically, and contains at most 1200 events.
Access to the logs is rate limited and this method will only return a new batch of logs after the device device owner has been notified via DeviceAdminReceiver.onNetworkLogsAvailable
.
If the caller is not a profile owner and a secondary user or profile is created, calling this method will throw a SecurityException
until all users become affiliated again. It will also no longer be possible to retrieve the network logs batch with the most recent batchToken provided by DeviceAdminReceiver.onNetworkLogsAvailable
. See DevicePolicyManager.setAffiliationIds
.
Parameters | |
---|---|
admin |
ComponentName?: Which DeviceAdminReceiver this request is associated with, or null if called by a delegated app. |
batchToken |
Long: A token of the batch to retrieve |
Return | |
---|---|
MutableList<NetworkEvent!>? |
A new batch of network logs which is a list of NetworkEvent . Returns null if the batch represented by batchToken is no longer available or if logging is disabled. |
Exceptions | |
---|---|
java.lang.SecurityException |
if admin is not a device owner, profile owner or if the admin is not a profile owner and there is at least one profile or secondary user that is not affiliated with the device. |
retrievePreRebootSecurityLogs
open fun retrievePreRebootSecurityLogs(admin: ComponentName?): MutableList<SecurityLog.SecurityEvent!>?
Called by device owner or profile owner of an organization-owned managed profile to retrieve device logs from before the device's last reboot.
This API is not supported on all devices. Calling this API on unsupported devices will result in null
being returned. The device logs are retrieved from a RAM region which is not guaranteed to be corruption-free during power cycles, as a result be cautious about data corruption when parsing.
When called by a device owner, if there is any other user or profile on the device, it must be affiliated with the device. Otherwise a SecurityException
will be thrown. See isAffiliatedUser
.
Parameters | |
---|---|
admin |
ComponentName?: Which device admin this request is associated with, or null if called by a delegated app. |
Return | |
---|---|
MutableList<SecurityLog.SecurityEvent!>? |
Device logs from before the latest reboot of the system, or null if this API is not supported on the device. |
Exceptions | |
---|---|
java.lang.SecurityException |
if the caller is not allowed to access security logging, or there is at least one profile or secondary user that is not affiliated with the device. |
See Also
retrieveSecurityLogs
open fun retrieveSecurityLogs(admin: ComponentName?): MutableList<SecurityLog.SecurityEvent!>?
Called by device owner or profile owner of an organization-owned managed profile to retrieve all new security logging entries since the last call to this API after device boots.
Access to the logs is rate limited and it will only return new logs after the admin has been notified via DeviceAdminReceiver.onSecurityLogsAvailable
.
When called by a device owner, if there is any other user or profile on the device, it must be affiliated with the device. Otherwise a SecurityException
will be thrown. See isAffiliatedUser
.
Parameters | |
---|---|
admin |
ComponentName?: Which device admin this request is associated with, or null if called by a delegated app. |
Return | |
---|---|
MutableList<SecurityLog.SecurityEvent!>? |
the new batch of security logs which is a list of SecurityEvent , or null if rate limitation is exceeded or if logging is currently disabled. |
Exceptions | |
---|---|
java.lang.SecurityException |
if the caller is not allowed to access security logging, or there is at least one profile or secondary user that is not affiliated with the device. |
revokeKeyPairFromApp
open fun revokeKeyPairFromApp(
admin: ComponentName?,
alias: String,
packageName: String
): Boolean
Called by a device or profile owner, or delegated certificate chooser (an app that has been delegated the DELEGATION_CERT_SELECTION
privilege), to revoke an application's grant to a KeyChain key pair. Calls by the application to android.security.KeyChain#getPrivateKey
will fail after the grant is revoked. The grantee app will receive the android.security.KeyChain#ACTION_KEY_ACCESS_CHANGED
broadcast when access to a key is revoked. Starting from android.os.Build.VERSION_CODES#UPSIDE_DOWN_CAKE
throws an IllegalArgumentException
if alias
doesn't correspond to an existing key.
Parameters | |
---|---|
admin |
ComponentName?: Which DeviceAdminReceiver this request is associated with, or null if calling from a delegated certificate chooser. |
alias |
String: The alias of the key to revoke access from. This value cannot be null . |
packageName |
String: The name of the (already installed) package to revoke access from. This value cannot be null . |
Return | |
---|---|
Boolean |
true if the grant was revoked successfully, false otherwise. |
Exceptions | |
---|---|
java.lang.SecurityException |
if the caller is not a device owner, a profile owner or delegated certificate chooser. |
java.lang.IllegalArgumentException |
if packageName or alias are empty, or if packageName is not a name of an installed package. |
See Also
revokeKeyPairFromWifiAuth
open fun revokeKeyPairFromWifiAuth(alias: String): Boolean
Called by a device or profile owner, or delegated certificate chooser (an app that has been delegated the DELEGATION_CERT_SELECTION
privilege), to deny using a KeyChain key pair for authentication to Wifi networks. Configured networks using this key won't be able to authenticate. Starting from android.os.Build.VERSION_CODES#UPSIDE_DOWN_CAKE
throws an IllegalArgumentException
if alias
doesn't correspond to an existing key.
Parameters | |
---|---|
alias |
String: The alias of the key pair. This value cannot be null . |
Return | |
---|---|
Boolean |
true if the operation was set successfully, false otherwise. |
Exceptions | |
---|---|
java.lang.SecurityException |
if the caller is not a device owner, a profile owner or delegated certificate chooser. |
See Also
setAccountManagementDisabled
open fun setAccountManagementDisabled(
admin: ComponentName?,
accountType: String!,
disabled: Boolean
): Unit
Called by a device owner or profile owner to disable account management for a specific type of account.
The calling device admin must be a device owner or profile owner. If it is not, a security exception will be thrown.
When account management is disabled for an account type, adding or removing an account of that type will not be possible.
From android.os.Build.VERSION_CODES#N
the profile or device owner can still use android.accounts.AccountManager
APIs to add or remove accounts when account management for a specific type is disabled.
This method may be called on the DevicePolicyManager
instance returned from getParentProfileInstance(android.content.ComponentName)
by the profile owner on an organization-owned device, to restrict accounts that may not be managed on the primary profile.
Starting from Build.VERSION_CODES.UPSIDE_DOWN_CAKE
, after the account management disabled policy has been set, PolicyUpdateReceiver.onPolicySetResult(Context, String,
will notify the admin on whether the policy was successfully set or not. This callback will contain:
- The policy identifier
DevicePolicyIdentifiers.ACCOUNT_MANAGEMENT_DISABLED_POLICY
- The additional policy params bundle, which contains
PolicyUpdateReceiver.EXTRA_ACCOUNT_TYPE
the account type the policy applies to - The
TargetUser
that this policy relates to - The
PolicyUpdateResult
, which will bePolicyUpdateResult.RESULT_POLICY_SET
if the policy was successfully set or the reason the policy failed to be set (e.g.PolicyUpdateResult.RESULT_FAILURE_CONFLICTING_ADMIN_POLICY
)
PolicyUpdateReceiver.onPolicyChanged(Context, String, Bundle, TargetUser,
will notify the admin of this change. This callback will contain the same parameters as PolicyUpdateReceiver#onPolicySetResult and the PolicyUpdateResult
will contain the reason why the policy changed.
Parameters | |
---|---|
admin |
ComponentName?: Which DeviceAdminReceiver this request is associated with. Null if the caller is not a device admin. This value may be null . |
accountType |
String!: For which account management is disabled or enabled. |
disabled |
Boolean: The boolean indicating that account management will be disabled (true) or enabled (false). |
Exceptions | |
---|---|
java.lang.SecurityException |
if admin is not a device or profile owner. |
setAffiliationIds
open fun setAffiliationIds(
admin: ComponentName,
ids: MutableSet<String!>
): Unit
Indicates the entity that controls the device. Two users are affiliated if the set of ids set by the device owner and the admin of the secondary user.
A user that is affiliated with the device owner user is considered to be affiliated with the device.
Note: Features that depend on user affiliation (such as security logging or #bindDeviceAdminServiceAsUser) won't be available when a secondary user is created, until it becomes affiliated. Therefore it is recommended that the appropriate affiliation ids are set by its owner as soon as possible after the user is created.
Note: This method used to be available for affiliating device owner and profile owner. However, since Android 11, this combination is not possible. This method is now only useful for affiliating the primary user with managed secondary users.
Parameters | |
---|---|
admin |
ComponentName: Which device owner, or owner of secondary user, this request is associated with. This value cannot be null . |
ids |
MutableSet<String!>: A set of opaque non-empty affiliation ids. This value cannot be null . |
Exceptions | |
---|---|
java.lang.IllegalArgumentException |
if ids is null or contains an empty string. |
See Also
setAlwaysOnVpnPackage
open fun setAlwaysOnVpnPackage(
admin: ComponentName,
vpnPackage: String?,
lockdownEnabled: Boolean
): Unit
Called by a device or profile owner to configure an always-on VPN connection through a specific application for the current user. This connection is automatically granted and persisted after a reboot.
To support the always-on feature, an app must
- declare a
android.net.VpnService
in its manifest, guarded byandroid.Manifest.permission#BIND_VPN_SERVICE
; - target
API 24
or above; and - not explicitly opt out of the feature through
android.net.VpnService#SERVICE_META_DATA_SUPPORTS_ALWAYS_ON
.
Enabling lockdown via lockdownEnabled
argument carries the risk that any failure of the VPN provider could break networking for all apps. This method clears any lockdown allowlist set by setAlwaysOnVpnPackage(android.content.ComponentName,java.lang.String,boolean,java.util.Set)
.
Starting from API 31
calling this method with vpnPackage
set to null
only removes the existing configuration if it was previously created by this admin. To remove VPN configuration created by the user use UserManager.DISALLOW_CONFIG_VPN
.
Parameters | |
---|---|
vpnPackage |
String?: The package name for an installed VPN app on the device, or null to remove an existing always-on VPN configuration. |
lockdownEnabled |
Boolean: true to disallow networking when the VPN is not connected or false otherwise. This has no effect when clearing. |
admin |
ComponentName: This value cannot be null . |
Exceptions | |
---|---|
java.lang.SecurityException |
if admin is not a device or a profile owner. |
android.content.pm.PackageManager.NameNotFoundException |
if vpnPackage is not installed. |
java.lang.UnsupportedOperationException |
if vpnPackage exists but does not support being set as always-on, or if always-on VPN is not available. |
setAlwaysOnVpnPackage
open fun setAlwaysOnVpnPackage(
admin: ComponentName,
vpnPackage: String?,
lockdownEnabled: Boolean,
lockdownAllowlist: MutableSet<String!>?
): Unit
A version of setAlwaysOnVpnPackage(android.content.ComponentName,java.lang.String,boolean)
that allows the admin to specify a set of apps that should be able to access the network directly when VPN is not connected. When VPN connects these apps switch over to VPN if allowed to use that VPN. System apps can always bypass VPN.
Note that the system doesn't update the allowlist when packages are installed or uninstalled, the admin app must call this method to keep the list up to date.
When lockdownEnabled
is false lockdownAllowlist
is ignored . When lockdownEnabled
is true
and lockdownAllowlist
is null
or empty, only system apps can bypass VPN.
Setting always-on VPN package to null
or using setAlwaysOnVpnPackage(android.content.ComponentName,java.lang.String,boolean)
clears lockdown allowlist.
Parameters | |
---|---|
vpnPackage |
String?: package name for an installed VPN app on the device, or null to remove an existing always-on VPN configuration |
lockdownEnabled |
Boolean: true to disallow networking when the VPN is not connected or false otherwise. This has no effect when clearing. |
lockdownAllowlist |
MutableSet<String!>?: Packages that will be able to access the network directly when VPN is in lockdown mode but not connected. Has no effect when clearing. This value may be null . |
admin |
ComponentName: This value cannot be null . |
Exceptions | |
---|---|
java.lang.SecurityException |
if admin is not a device or a profile owner. |
android.content.pm.PackageManager.NameNotFoundException |
if vpnPackage or one of lockdownAllowlist is not installed. |
java.lang.UnsupportedOperationException |
if vpnPackage exists but does not support being set as always-on, or if always-on VPN is not available. |
setApplicationHidden
open fun setApplicationHidden(
admin: ComponentName?,
packageName: String!,
: Boolean
): Boolean
Hide or unhide packages. When a package is hidden it is unavailable for use, but the data and actual package file remain. This function can be called by a device owner, profile owner, or by a delegate given the DELEGATION_PACKAGE_ACCESS
scope via setDelegatedScopes
.
This method can be called on the DevicePolicyManager
instance, returned by getParentProfileInstance(android.content.ComponentName)
, where the caller must be the profile owner of an organization-owned managed profile and the package must be a system package. If called on the parent instance, then the package is hidden or unhidden in the personal profile.
Starting from Build.VERSION_CODES.UPSIDE_DOWN_CAKE
, after the application hidden policy has been set, PolicyUpdateReceiver.onPolicySetResult(Context, String,
will notify the admin on whether the policy was successfully set or not. This callback will contain:
- The policy identifier
DevicePolicyIdentifiers.APPLICATION_HIDDEN_POLICY
- The additional policy params bundle, which contains
PolicyUpdateReceiver.EXTRA_PACKAGE_NAME
the package name the policy applies to - The
TargetUser
that this policy relates to - The
PolicyUpdateResult
, which will bePolicyUpdateResult.RESULT_POLICY_SET
if the policy was successfully set or the reason the policy failed to be set (e.g.PolicyUpdateResult.RESULT_FAILURE_CONFLICTING_ADMIN_POLICY
)
PolicyUpdateReceiver.onPolicyChanged(Context, String, Bundle, TargetUser,
will notify the admin of this change. This callback will contain the same parameters as PolicyUpdateReceiver#onPolicySetResult and the PolicyUpdateResult
will contain the reason why the policy changed.
Parameters | |
---|---|
admin |
ComponentName?: Which DeviceAdminReceiver this request is associated with, or null if the caller is not a device admin. |
packageName |
String!: The name of the package to hide or unhide. |
hidden |
Boolean: true if the package should be hidden, false if it should be unhidden. |
Return | |
---|---|
Boolean |
boolean Whether the hidden setting of the package was successfully updated. |
Exceptions | |
---|---|
java.lang.SecurityException |
if admin is not a device or profile owner or if called on the parent profile and the admin is not a profile owner of an organization-owned managed profile. |
java.lang.IllegalArgumentException |
if called on the parent profile and the package provided is not a system package. |
setApplicationRestrictions
open fun setApplicationRestrictions(
admin: ComponentName?,
packageName: String!,
settings: Bundle!
): Unit
Sets the application restrictions for a given target application running in the calling user.
The caller must be a profile or device owner on that user, or the package allowed to manage application restrictions via setDelegatedScopes
with the DELEGATION_APP_RESTRICTIONS
scope; otherwise a security exception will be thrown.
The provided Bundle
consists of key-value pairs, where the types of values may be:
boolean
int
String
orString[]
- From
android.os.Build.VERSION_CODES#M
,Bundle
orBundle[]
If the restrictions are not available yet, but may be applied in the near future, the caller can notify the target application of that by adding UserManager.KEY_RESTRICTIONS_PENDING
to the settings parameter.
The application restrictions are only made visible to the target application via UserManager.getApplicationRestrictions(String)
, in addition to the profile or device owner, and the application restrictions managing package via getApplicationRestrictions
.
Starting from Android Version android.os.Build.VERSION_CODES#UPSIDE_DOWN_CAKE
, multiple admins can set app restrictions for the same application, the target application can get the list of app restrictions set by each admin via android.content.RestrictionsManager#getApplicationRestrictionsPerAdmin
.
Starting from Android Version android.os.Build.VERSION_CODES#VANILLA_ICE_CREAM
, the device policy management role holder can also set app restrictions on any applications in the calling user, as well as the parent user of an organization-owned managed profile via the DevicePolicyManager
instance returned by getParentProfileInstance(android.content.ComponentName)
. App restrictions set by the device policy management role holder are not returned by UserManager.getApplicationRestrictions(String)
. The target application should use android.content.RestrictionsManager#getApplicationRestrictionsPerAdmin
to retrieve them, alongside any app restrictions the profile or device owner might have set.
NOTE: The method performs disk I/O and shouldn't be called on the main thread
This method may take several seconds to complete, so it should only be called from a worker thread.
Parameters | |
---|---|
admin |
ComponentName?: Which DeviceAdminReceiver this request is associated with, or null if called by the application restrictions managing package. |
packageName |
String!: The name of the package to update restricted settings for. |
settings |
Bundle!: A Bundle to be parsed by the receiving application, conveying a new set of active restrictions. |
Exceptions | |
---|---|
java.lang.SecurityException |
if admin is not a device or profile owner. |
setApplicationRestrictionsManagingPackage
open funsetApplicationRestrictionsManagingPackage(
admin: ComponentName,
packageName: String?
): Unit
Deprecated: From android.os.Build.VERSION_CODES#O
. Use setDelegatedScopes
with the DELEGATION_APP_RESTRICTIONS
scope instead.
Called by a profile owner or device owner to grant permission to a package to manage application restrictions for the calling user via setApplicationRestrictions
and getApplicationRestrictions
.
This permission is persistent until it is later cleared by calling this method with a null
value or uninstalling the managing package.
The supplied application restriction managing package must be installed when calling this API, otherwise an NameNotFoundException
will be thrown.
Parameters | |
---|---|
admin |
ComponentName: Which DeviceAdminReceiver this request is associated with. This value cannot be null . |
packageName |
String?: The package name which will be given access to application restrictions APIs. If null is given the current package will be cleared. |
Exceptions | |
---|---|
java.lang.SecurityException |
if admin is not a device or profile owner. |
android.content.pm.PackageManager.NameNotFoundException |
if packageName is not found |
setAutoTimeEnabled
open fun setAutoTimeEnabled(
admin: ComponentName?,
enabled: Boolean
): Unit
Called by a device owner, a profile owner for the primary user or a profile owner of an organization-owned managed profile to turn auto time on and off.
Callers are recommended to use UserManager.DISALLOW_CONFIG_DATE_TIME
to prevent the user from changing this setting, that way no user will be able set the date and time zone.
Parameters | |
---|---|
admin |
ComponentName?: Which DeviceAdminReceiver this request is associated with. Null if the caller is not a device admin. This value may be null . |
enabled |
Boolean: Whether time should be obtained automatically from the network or not. |
Exceptions | |
---|---|
java.lang.SecurityException |
if caller is not a device owner, a profile owner for the primary user, or a profile owner of an organization-owned managed profile. |
setAutoTimeRequired
open funsetAutoTimeRequired(
admin: ComponentName,
required: Boolean
): Unit
Deprecated: From android.os.Build.VERSION_CODES#R
. Use setAutoTimeEnabled
to turn auto time on or off and use UserManager.DISALLOW_CONFIG_DATE_TIME
to prevent the user from changing this setting.
Called by a device owner, or alternatively a profile owner from Android 8.0 (API level 26) or higher, to set whether auto time is required. If auto time is required, no user will be able set the date and time and network date and time will be used.
Note: If auto time is required the user can still manually set the time zone. Staring from Android 11, if auto time is required, the user cannot manually set the time zone.
The calling device admin must be a device owner, or alternatively a profile owner from Android 8.0 (API level 26) or higher. If it is not, a security exception will be thrown.
Staring from Android 11, this API switches to use UserManager.DISALLOW_CONFIG_DATE_TIME
to enforce the auto time settings. Calling this API to enforce auto time will result in UserManager.DISALLOW_CONFIG_DATE_TIME
being set, while calling this API to lift the requirement will result in UserManager.DISALLOW_CONFIG_DATE_TIME
being cleared. From Android 11, this API can also no longer be called on a managed profile.
Parameters | |
---|---|
admin |
ComponentName: Which DeviceAdminReceiver this request is associated with. This value cannot be null . |
required |
Boolean: Whether auto time is set required or not. |
Exceptions | |
---|---|
java.lang.SecurityException |
if admin is not a device owner, not a profile owner or if this API is called on a managed profile. |
setAutoTimeZoneEnabled
open fun setAutoTimeZoneEnabled(
admin: ComponentName?,
enabled: Boolean
): Unit
Called by a device owner, a profile owner for the primary user or a profile owner of an organization-owned managed profile to turn auto time zone on and off.
Callers are recommended to use UserManager.DISALLOW_CONFIG_DATE_TIME
to prevent the user from changing this setting, that way no user will be able set the date and time zone.
Parameters | |
---|---|
admin |
ComponentName?: Which DeviceAdminReceiver this request is associated with or Null if the caller is not a device admin. This value may be null . |
enabled |
Boolean: Whether time zone should be obtained automatically from the network or not. |
Exceptions | |
---|---|
java.lang.SecurityException |
if caller is not a device owner, a profile owner for the primary user, or a profile owner of an organization-owned managed profile. |
setBackupServiceEnabled
open fun setBackupServiceEnabled(
admin: ComponentName,
enabled: Boolean
): Unit
Allows the device owner or profile owner to enable or disable the backup service.
Each user has its own backup service which manages the backup and restore mechanisms in that user. Disabling the backup service will prevent data from being backed up or restored.
Device owner calls this API to control backup services across all users on the device. Profile owner can use this API to enable or disable the profile's backup service. However, for a managed profile its backup functionality is only enabled if both the device owner and the profile owner have enabled the backup service.
By default, backup service is disabled on a device with device owner, and within a managed profile.
Parameters | |
---|---|
admin |
ComponentName: Which DeviceAdminReceiver this request is associated with. This value cannot be null . |
enabled |
Boolean: true to enable the backup service, false to disable it. |
Exceptions | |
---|---|
java.lang.SecurityException |
if admin is not a device owner or a profile owner. |
setBluetoothContactSharingDisabled
open fun setBluetoothContactSharingDisabled(
admin: ComponentName,
disabled: Boolean
): Unit
Called by a profile owner of a managed profile to set whether bluetooth devices can access enterprise contacts.
The calling device admin must be a profile owner. If it is not, a security exception will be thrown.
This API works on managed profile only.
Parameters | |
---|---|
admin |
ComponentName: Which DeviceAdminReceiver this request is associated with. This value cannot be null . |
disabled |
Boolean: If true, bluetooth devices cannot access enterprise contacts. |
Exceptions | |
---|---|
java.lang.SecurityException |
if admin is not a profile owner. |
setCameraDisabled
open fun setCameraDisabled(
admin: ComponentName?,
disabled: Boolean
): Unit
Called by an application that is administering the device to disable all cameras on the device, for this user. After setting this, no applications running as this user will be able to access any cameras on the device.
This method can be called on the DevicePolicyManager
instance, returned by getParentProfileInstance(android.content.ComponentName)
, where the caller must be the profile owner of an organization-owned managed profile.
If the caller is device owner, then the restriction will be applied to all users. If called on the parent instance, then the restriction will be applied on the personal profile.
The calling device admin must have requested DeviceAdminInfo.USES_POLICY_DISABLE_CAMERA
to be able to call this method; if it has not, a security exception will be thrown.
Note, this policy type is deprecated for legacy device admins since android.os.Build.VERSION_CODES#Q
. On Android android.os.Build.VERSION_CODES#Q
devices, legacy device admins targeting SDK version android.os.Build.VERSION_CODES#P
or below can still call this API to disable camera, while legacy device admins targeting SDK version android.os.Build.VERSION_CODES#Q
will receive a SecurityException. Starting from Android android.os.Build.VERSION_CODES#R
, requests to disable camera from legacy device admins targeting SDK version android.os.Build.VERSION_CODES#P
or below will be silently ignored.
Starting from Build.VERSION_CODES.UPSIDE_DOWN_CAKE
, after the camera disabled policy has been set, PolicyUpdateReceiver.onPolicySetResult(Context, String,
will notify the admin on whether the policy was successfully set or not. This callback will contain:
- The policy identifier: userRestriction_no_camera
- The
TargetUser
that this policy relates to - The
PolicyUpdateResult
, which will bePolicyUpdateResult.RESULT_POLICY_SET
if the policy was successfully set or the reason the policy failed to be set (e.g.PolicyUpdateResult.RESULT_FAILURE_CONFLICTING_ADMIN_POLICY
)
PolicyUpdateReceiver.onPolicyChanged(Context, String, Bundle, TargetUser,
will notify the admin of this change. This callback will contain the same parameters as PolicyUpdateReceiver#onPolicySetResult and the PolicyUpdateResult
will contain the reason why the policy changed.
Parameters | |
---|---|
admin |
ComponentName?: Which DeviceAdminReceiver this request is associated with or null if the caller is not a device admin |
disabled |
Boolean: Whether or not the camera should be disabled. |
Exceptions | |
---|---|
java.lang.SecurityException |
if admin is not an active administrator or does not use DeviceAdminInfo.USES_POLICY_DISABLE_CAMERA . |
setCertInstallerPackage
open funsetCertInstallerPackage(
admin: ComponentName,
installerPackage: String?
): Unit
Deprecated: From android.os.Build.VERSION_CODES#O
. Use setDelegatedScopes
with the DELEGATION_CERT_INSTALL
scope instead.
Called by a profile owner or device owner to grant access to privileged certificate manipulation APIs to a third-party certificate installer app. Granted APIs include getInstalledCaCerts
, hasCaCertInstalled
, installCaCert
, uninstallCaCert
, uninstallAllUserCaCerts
and #installKeyPair.
Delegated certificate installer is a per-user state. The delegated access is persistent until it is later cleared by calling this method with a null value or uninstallling the certificate installer.
Note:Starting from android.os.Build.VERSION_CODES#N
, if the caller application's target SDK version is android.os.Build.VERSION_CODES#N
or newer, the supplied certificate installer package must be installed when calling this API, otherwise an IllegalArgumentException
will be thrown.
Parameters | |
---|---|
admin |
ComponentName: Which DeviceAdminReceiver this request is associated with. This value cannot be null . |
installerPackage |
String?: The package name of the certificate installer which will be given access. If null is given the current package will be cleared. |
Exceptions | |
---|---|
java.lang.SecurityException |
if admin is not a device or a profile owner. |
setCommonCriteriaModeEnabled
open fun setCommonCriteriaModeEnabled(
admin: ComponentName?,
enabled: Boolean
): Unit
Called by device owner or profile owner of an organization-owned managed profile to toggle Common Criteria mode for the device. When the device is in Common Criteria mode, certain device functionalities are tuned to meet the higher security level required by Common Criteria certification. For example:
- Bluetooth long term key material is additionally integrity-protected with AES-GCM.
- WiFi configuration store is additionally integrity-protected with AES-GCM.
Note: if Common Critera mode is turned off after being enabled previously, all existing WiFi configurations will be lost.
Parameters | |
---|---|
admin |
ComponentName?: Which DeviceAdminReceiver this request is associated with. Null if the caller is not a device admin. This value may be null . |
enabled |
Boolean: whether Common Criteria mode should be enabled or not. |
setConfiguredNetworksLockdownState
open fun setConfiguredNetworksLockdownState(
admin: ComponentName?,
lockdown: Boolean
): Unit
Called by a device owner or a profile owner of an organization-owned managed profile to control whether the user can change networks configured by the admin. When this lockdown is enabled, the user can still configure and connect to other Wi-Fi networks, or use other Wi-Fi capabilities such as tethering.
WiFi network configuration lockdown is controlled by a global settings android.provider.Settings.Global#WIFI_DEVICE_OWNER_CONFIGS_LOCKDOWN
and calling this API effectively modifies the global settings. Previously device owners can also control this directly via setGlobalSetting
but they are recommended to switch to this API.
Parameters | |
---|---|
admin |
ComponentName?: admin Which DeviceAdminReceiver this request is associated with. Null if the caller is not a device admin. This value may be null . |
lockdown |
Boolean: Whether the admin configured networks should be unmodifiable by the user. |
Exceptions | |
---|---|
java.lang.SecurityException |
if caller is not a device owner or a profile owner of an organization-owned managed profile. |
setContentProtectionPolicy
open fun setContentProtectionPolicy(
admin: ComponentName?,
policy: Int
): Unit
Sets the content protection policy which controls scanning for deceptive apps.
This function can only be called by the device owner, a profile owner of an affiliated user or profile, or the profile owner when no device owner is set or holders of the permission android.Manifest.permission#MANAGE_DEVICE_POLICY_CONTENT_PROTECTION
. See isAffiliatedUser
. Any policy set via this method will be cleared if the user becomes unaffiliated.
After the content protection policy has been set, PolicyUpdateReceiver.onPolicySetResult(Context, String, Bundle, TargetUser,
will notify the admin on whether the policy was successfully set or not. This callback will contain:
- The policy identifier
DevicePolicyIdentifiers.CONTENT_PROTECTION_POLICY
- The
TargetUser
that this policy relates to - The
PolicyUpdateResult
, which will bePolicyUpdateResult.RESULT_POLICY_SET
if the policy was successfully set or the reason the policy failed to be set (e.g.PolicyUpdateResult.RESULT_FAILURE_CONFLICTING_ADMIN_POLICY
)
PolicyUpdateReceiver.onPolicyChanged(Context, String, Bundle, TargetUser,
will notify the admin of this change. This callback will contain the same parameters as PolicyUpdateReceiver#onPolicySetResult and the PolicyUpdateResult
will contain the reason why the policy changed.
Parameters | |
---|---|
admin |
ComponentName?: Which DeviceAdminReceiver this request is associated with. Null if the caller is not a device admin. This value may be null . |
policy |
Int: The content protection policy to set. One of CONTENT_PROTECTION_NOT_CONTROLLED_BY_POLICY , CONTENT_PROTECTION_DISABLED or CONTENT_PROTECTION_ENABLED . Value is android.app.admin.DevicePolicyManager#CONTENT_PROTECTION_NOT_CONTROLLED_BY_POLICY , android.app.admin.DevicePolicyManager#CONTENT_PROTECTION_DISABLED , or android.app.admin.DevicePolicyManager#CONTENT_PROTECTION_ENABLED |
Exceptions | |
---|---|
java.lang.SecurityException |
if admin is not the device owner, the profile owner of an affiliated user or profile, or the profile owner when no device owner is set or holder of the permission android.Manifest.permission#MANAGE_DEVICE_POLICY_CONTENT_PROTECTION . |
See Also
setCredentialManagerPolicy
open fun setCredentialManagerPolicy(policy: PackagePolicy?): Unit
Called by a device owner or profile owner of a managed profile to set the credential manager policy.
Affects APIs exposed by android.credentials.CredentialManager
.
A PackagePolicy.PACKAGE_POLICY_ALLOWLIST
policy type will limit the credential providers that the user can use to the list of packages in the policy.
A PackagePolicy.PACKAGE_POLICY_ALLOWLIST_AND_SYSTEM
policy type allows access from the OEM default credential providers and the allowlist of credential providers.
A PackagePolicy.PACKAGE_POLICY_BLOCKLIST
policy type will block the credential providers listed in the policy from being used by the user.
Parameters | |
---|---|
policy |
PackagePolicy?: the policy to set, setting this value to null will allow all packages |
Exceptions | |
---|---|
java.lang.SecurityException |
if caller is not a device owner or profile owner of a managed profile |
setCrossProfileCalendarPackages
open funsetCrossProfileCalendarPackages(
admin: ComponentName,
packageNames: MutableSet<String!>?
): Unit
Deprecated: Use setCrossProfilePackages(android.content.ComponentName,java.util.Set)
.
Allows a set of packages to access cross-profile calendar APIs.
Called by a profile owner of a managed profile.
Calling with a null
value for the set disables the restriction so that all packages are allowed to access cross-profile calendar APIs. Calling with an empty set disallows all packages from accessing cross-profile calendar APIs. If this method isn't called, no package is allowed to access cross-profile calendar APIs by default.
Parameters | |
---|---|
admin |
ComponentName: which DeviceAdminReceiver this request is associated with This value cannot be null . |
packageNames |
MutableSet<String!>?: set of packages to be allowlisted This value may be null . |
Exceptions | |
---|---|
java.lang.SecurityException |
if admin is not a profile owner |
setCrossProfileCallerIdDisabled
open funsetCrossProfileCallerIdDisabled(
admin: ComponentName,
disabled: Boolean
): Unit
Deprecated: starting with android.os.Build.VERSION_CODES#UPSIDE_DOWN_CAKE
, use setManagedProfileCallerIdAccessPolicy(android.app.admin.PackagePolicy)
instead
Called by a profile owner of a managed profile to set whether caller-Id information from the managed profile will be shown in the parent profile, for incoming calls.
The calling device admin must be a profile owner. If it is not, a security exception will be thrown.
Starting with android.os.Build.VERSION_CODES#UPSIDE_DOWN_CAKE
, calling this function is similar to calling setManagedProfileCallerIdAccessPolicy(android.app.admin.PackagePolicy)
with a PackagePolicy.PACKAGE_POLICY_BLOCKLIST
policy type when disabled
is false or a PackagePolicy.PACKAGE_POLICY_ALLOWLIST
policy type when disabled
is true.
Parameters | |
---|---|
admin |
ComponentName: Which DeviceAdminReceiver this request is associated with. This value cannot be null . |
disabled |
Boolean: If true caller-Id information in the managed profile is not displayed. |
Exceptions | |
---|---|
java.lang.SecurityException |
if admin is not a profile owner. |
setCrossProfileContactsSearchDisabled
open funsetCrossProfileContactsSearchDisabled(
admin: ComponentName,
disabled: Boolean
): Unit
Deprecated: From android.os.Build.VERSION_CODES#UPSIDE_DOWN_CAKE
use setManagedProfileContactsAccessPolicy(android.app.admin.PackagePolicy)
Called by a profile owner of a managed profile to set whether contacts search from the managed profile will be shown in the parent profile, for incoming calls.
The calling device admin must be a profile owner. If it is not, a security exception will be thrown. Starting with android.os.Build.VERSION_CODES#UPSIDE_DOWN_CAKE
, calling this function is similar to calling setManagedProfileContactsAccessPolicy(android.app.admin.PackagePolicy)
with a PackagePolicy.PACKAGE_POLICY_BLOCKLIST
policy type when disabled
is false or a PackagePolicy.PACKAGE_POLICY_ALLOWLIST
policy type when disabled
is true.
Parameters | |
---|---|
admin |
ComponentName: Which DeviceAdminReceiver this request is associated with. This value cannot be null . |
disabled |
Boolean: If true contacts search in the managed profile is not displayed. |
Exceptions | |
---|---|
java.lang.SecurityException |
if admin is not a profile owner. |
setCrossProfilePackages
open fun setCrossProfilePackages(
admin: ComponentName,
packageNames: MutableSet<String!>
): Unit
Sets the set of admin-allowlisted package names that are allowed to request user consent for cross-profile communication.
Assumes that the caller is a profile owner and is the given admin
.
Previous calls are overridden by each subsequent call to this method.
Note that other apps may be able to request user consent for cross-profile communication if they have been explicitly allowlisted by the OEM.
When previously-set cross-profile packages are missing from packageNames
, the app-op for INTERACT_ACROSS_PROFILES
will be reset for those packages. This will not occur for packages that are allowlisted by the OEM.
Parameters | |
---|---|
admin |
ComponentName: the DeviceAdminReceiver this request is associated with This value cannot be null . |
packageNames |
MutableSet<String!>: the new cross-profile package names This value cannot be null . |
setDefaultDialerApplication
open fun setDefaultDialerApplication(packageName: String): Unit
Must be called by a device owner or a profile owner of an organization-owned managed profile to set the default dialer application for the calling user.
When the profile owner of an organization-owned managed profile calls this method, it sets the default dialer application in the work profile. This is only meaningful when work profile telephony is enabled by setManagedSubscriptionsPolicy
.
If the device does not support telephony (PackageManager.FEATURE_TELEPHONY
), calling this method will do nothing.
Parameters | |
---|---|
packageName |
String: The name of the package to set as the default dialer application. This value cannot be null . |
Exceptions | |
---|---|
java.lang.SecurityException |
if admin is not a device or profile owner or a profile owner of an organization-owned managed profile. |
java.lang.IllegalArgumentException |
if the package cannot be set as the default dialer, for example if the package is not installed or does not expose the expected activities or services that a dialer app is required to have. |
setDefaultSmsApplication
open fun setDefaultSmsApplication(
admin: ComponentName?,
packageName: String
): Unit
Must be called by a device owner or a profile owner of an organization-owned managed profile to set the default SMS application.
This method can be called on the DevicePolicyManager
instance, returned by getParentProfileInstance(android.content.ComponentName)
, where the caller must be the profile owner of an organization-owned managed profile and the package must be a pre-installed system package. If called on the parent instance, then the default SMS application is set on the personal profile.
Starting from Android android.os.Build.VERSION_CODES#UPSIDE_DOWN_CAKE
, the profile owner of an organization-owned managed profile can also call this method directly (not on the parent profile instance) to set the default SMS application in the work profile. This is only meaningful when work profile telephony is enabled by setManagedSubscriptionsPolicy
.
Parameters | |
---|---|
admin |
ComponentName?: Which DeviceAdminReceiver this request is associated with. Null if the caller is not a device admin. This value may be null . |
packageName |
String: The name of the package to set as the default SMS application. This value cannot be null . |
Exceptions | |
---|---|
java.lang.SecurityException |
if admin is not a device or profile owner or if called on the parent profile and the admin is not a profile owner of an organization-owned managed profile. |
java.lang.IllegalArgumentException |
if called on the parent profile and the package provided is not a pre-installed system package. |
java.lang.IllegalStateException |
while trying to set default sms app on the profile and ManagedSubscriptionsPolicy.TYPE_ALL_MANAGED_SUBSCRIPTIONS policy is not set. |
setDelegatedScopes
open fun setDelegatedScopes(
admin: ComponentName,
delegatePackage: String,
scopes: MutableList<String!>
): Unit
Called by a profile owner or device owner to grant access to privileged APIs to another app. Granted APIs are determined by scopes
, which is a list of the DELEGATION_*
constants.
A broadcast with the ACTION_APPLICATION_DELEGATION_SCOPES_CHANGED
action will be sent to the delegatePackage
with its new scopes in an ArrayList<String>
extra under the EXTRA_DELEGATION_SCOPES
key. The broadcast is sent with the Intent.FLAG_RECEIVER_REGISTERED_ONLY
flag.
Delegated scopes are a per-user state. The delegated access is persistent until it is later cleared by calling this method with an empty scopes
list or uninstalling the delegatePackage
.
Parameters | |
---|---|
admin |
ComponentName: Which DeviceAdminReceiver this request is associated with. This value cannot be null . |
delegatePackage |
String: The package name of the app which will be given access. This value cannot be null . |
scopes |
MutableList<String!>: The groups of privileged APIs whose access should be granted to delegatedPackage . This value cannot be null . |
Exceptions | |
---|---|
java.lang.SecurityException |
if admin is not a device or a profile owner. |
setDeviceOwnerLockScreenInfo
open fun setDeviceOwnerLockScreenInfo(
admin: ComponentName,
info: CharSequence!
): Unit
Sets the device owner information to be shown on the lock screen.
Device owner information set using this method overrides any owner information manually set by the user and prevents the user from further changing it.
If the device owner information is null
or empty then the device owner info is cleared and the user owner info is shown on the lock screen if it is set.
If the device owner information contains only whitespaces then the message on the lock screen will be blank and the user will not be allowed to change it.
If the device owner information needs to be localized, it is the responsibility of the DeviceAdminReceiver
to listen to the Intent.ACTION_LOCALE_CHANGED
broadcast and set a new version of this string accordingly.
May be called by the device owner or the profile owner of an organization-owned device.
Parameters | |
---|---|
admin |
ComponentName: The name of the admin component to check. This value cannot be null . |
info |
CharSequence!: Device owner information which will be displayed instead of the user owner info. |
Exceptions | |
---|---|
java.lang.SecurityException |
if admin is not a device owner. |
setEndUserSessionMessage
open fun setEndUserSessionMessage(
admin: ComponentName,
endUserSessionMessage: CharSequence?
): Unit
Called by a device owner to specify the user session end message. This may be displayed during a user switch.
The message should be limited to a short statement or it may be truncated.
If the message needs to be localized, it is the responsibility of the DeviceAdminReceiver
to listen to the Intent.ACTION_LOCALE_CHANGED
broadcast and set a new version of this message accordingly.
Parameters | |
---|---|
admin |
ComponentName: which DeviceAdminReceiver this request is associated with. This value cannot be null . |
endUserSessionMessage |
CharSequence?: message for ending user session, or null to use system default message. |
Exceptions | |
---|---|
java.lang.SecurityException |
if admin is not a device owner. |
setFactoryResetProtectionPolicy
open fun setFactoryResetProtectionPolicy(
admin: ComponentName?,
policy: FactoryResetProtectionPolicy?
): Unit
Callable by device owner or profile owner of an organization-owned device, to set a factory reset protection (FRP) policy. When a new policy is set, the system notifies the FRP management agent of a policy change by broadcasting ACTION_RESET_PROTECTION_POLICY_CHANGED
.
Parameters | |
---|---|
admin |
ComponentName?: Which DeviceAdminReceiver this request is associated with. Null if the caller is not a device admin This value may be null . |
policy |
FactoryResetProtectionPolicy?: the new FRP policy, or null to clear the current policy. |
Exceptions | |
---|---|
java.lang.SecurityException |
if admin is not a device owner or a profile owner of an organization-owned device. |
java.lang.UnsupportedOperationException |
if factory reset protection is not supported on the device. |
setGlobalPrivateDnsModeOpportunistic
open fun setGlobalPrivateDnsModeOpportunistic(admin: ComponentName): Int
Sets the global Private DNS mode to opportunistic. May only be called by the device owner.
In this mode, the DNS subsystem will attempt a TLS handshake to the network-supplied resolver prior to attempting name resolution in cleartext.
Note: The device owner won't be able to set the global private DNS mode if there are unaffiliated secondary users or profiles on the device. It's recommended that affiliation ids are set for new users as soon as possible after provisioning via setAffiliationIds
.
Parameters | |
---|---|
admin |
ComponentName: which DeviceAdminReceiver this request is associated with. This value cannot be null . |
Return | |
---|---|
Int |
PRIVATE_DNS_SET_NO_ERROR if the mode was set successfully, or PRIVATE_DNS_SET_ERROR_FAILURE_SETTING if it could not be set. Value is android.app.admin.DevicePolicyManager#PRIVATE_DNS_SET_NO_ERROR , android.app.admin.DevicePolicyManager#PRIVATE_DNS_SET_ERROR_HOST_NOT_SERVING , or android.app.admin.DevicePolicyManager#PRIVATE_DNS_SET_ERROR_FAILURE_SETTING |
Exceptions | |
---|---|
java.lang.SecurityException |
if the caller is not the device owner. |
setGlobalPrivateDnsModeSpecifiedHost
open fun setGlobalPrivateDnsModeSpecifiedHost(
admin: ComponentName,
privateDnsHost: String
): Int
Sets the global Private DNS host to be used. May only be called by the device owner.
Note that the method is blocking as it will perform a connectivity check to the resolver, to ensure it is valid. Because of that, the method should not be called on any thread that relates to user interaction, such as the UI thread.
In case a VPN is used in conjunction with Private DNS resolver, the Private DNS resolver must be reachable both from within and outside the VPN. Otherwise, the device may lose the ability to resolve hostnames as system traffic to the resolver may not go through the VPN.
Note: The device owner won't be able to set the global private DNS mode if there are unaffiliated secondary users or profiles on the device. It's recommended that affiliation ids are set for new users as soon as possible after provisioning via setAffiliationIds
.
This method may take several seconds to complete, so it should only be called from a worker thread.
Parameters | |
---|---|
admin |
ComponentName: which DeviceAdminReceiver this request is associated with. This value cannot be null . |
privateDnsHost |
String: The hostname of a server that implements DNS over TLS (RFC7858). This value cannot be null . |
Return | |
---|---|
Int |
PRIVATE_DNS_SET_NO_ERROR if the mode was set successfully, PRIVATE_DNS_SET_ERROR_FAILURE_SETTING if it could not be set or PRIVATE_DNS_SET_ERROR_HOST_NOT_SERVING if the specified host does not implement RFC7858. Value is android.app.admin.DevicePolicyManager#PRIVATE_DNS_SET_NO_ERROR , android.app.admin.DevicePolicyManager#PRIVATE_DNS_SET_ERROR_HOST_NOT_SERVING , or android.app.admin.DevicePolicyManager#PRIVATE_DNS_SET_ERROR_FAILURE_SETTING |
Exceptions | |
---|---|
java.lang.IllegalArgumentException |
if the privateDnsHost is not a valid hostname. |
java.lang.SecurityException |
if the caller is not the device owner. |
setGlobalSetting
open fun setGlobalSetting(
admin: ComponentName,
setting: String!,
value: String!
): Unit
This method is mostly deprecated. Most of the settings that still have an effect have dedicated setter methods or user restrictions. See individual settings for details.
Called by device owner to update android.provider.Settings.Global
settings. Validation that the value of the setting is in the correct form for the setting type should be performed by the caller.
The settings that can be updated with this method are:
android.provider.Settings.Global#ADB_ENABLED
: useUserManager.DISALLOW_DEBUGGING_FEATURES
instead to restrict users from enabling debugging features and this setting to turn adb on.android.provider.Settings.Global#USB_MASS_STORAGE_ENABLED
android.provider.Settings.Global#STAY_ON_WHILE_PLUGGED_IN
This setting is only available fromandroid.os.Build.VERSION_CODES#M
onwards and can only be set ifsetMaximumTimeToLock
is not used to set a timeout.android.provider.Settings.Global#WIFI_DEVICE_OWNER_CONFIGS_LOCKDOWN
This setting is only available from
android.os.Build.VERSION_CODES#M
onwards. The following settings used to be supported, but can be controlled in other ways:
android.provider.Settings.Global#AUTO_TIME
: UsesetAutoTimeEnabled
andUserManager.DISALLOW_CONFIG_DATE_TIME
instead.android.provider.Settings.Global#AUTO_TIME_ZONE
: UsesetAutoTimeZoneEnabled
andUserManager.DISALLOW_CONFIG_DATE_TIME
instead.android.provider.Settings.Global#DATA_ROAMING
: UseUserManager.DISALLOW_DATA_ROAMING
instead.
Changing the following settings has no effect as of android.os.Build.VERSION_CODES#M
:
android.provider.Settings.Global#BLUETOOTH_ON
. Useandroid.bluetooth.BluetoothAdapter#enable()
andandroid.bluetooth.BluetoothAdapter#disable()
instead.android.provider.Settings.Global#DEVELOPMENT_SETTINGS_ENABLED
android.provider.Settings.Global#MODE_RINGER
. Useandroid.media.AudioManager#setRingerMode(int)
instead.android.provider.Settings.Global#NETWORK_PREFERENCE
android.provider.Settings.Global#WIFI_ON
. Useandroid.net.wifi.WifiManager#setWifiEnabled(boolean)
instead.android.provider.Settings.Global#WIFI_SLEEP_POLICY
. No longer has effect.
Parameters | |
---|---|
admin |
ComponentName: Which DeviceAdminReceiver this request is associated with. This value cannot be null . |
setting |
String!: The name of the setting to update. |
value |
String!: The value to update the setting to. |
Exceptions | |
---|---|
java.lang.SecurityException |
if admin is not a device owner. |
setKeepUninstalledPackages
open fun setKeepUninstalledPackages(
admin: ComponentName?,
packageNames: MutableList<String!>
): Unit
Set a list of apps to keep around as APKs even if no user has currently installed it. This function can be called by a device owner or by a delegate given the DELEGATION_KEEP_UNINSTALLED_PACKAGES
scope via setDelegatedScopes
.
Please note that setting this policy does not imply that specified apps will be automatically pre-cached.
Parameters | |
---|---|
admin |
ComponentName?: Which DeviceAdminReceiver this request is associated with, or null if the caller is a keep uninstalled packages delegate. |
packageNames |
MutableList<String!>: List of package names to keep cached. This value cannot be null . |
Exceptions | |
---|---|
java.lang.SecurityException |
if admin is not a device owner. |
setKeyPairCertificate
open fun setKeyPairCertificate(
admin: ComponentName?,
alias: String,
certs: MutableList<Certificate!>,
isUserSelectable: Boolean
): Boolean
This API can be called by the following to associate certificates with a key pair that was generated using generateKeyPair
, and set whether the key is available for the user to choose in the certificate selection prompt:
- Device owner
- Profile owner
- Delegated certificate installer
- Credential management app
From Android android.os.Build.VERSION_CODES#S
, the credential management app can call this API. If called by the credential management app, the componentName must be null
. Note, there can only be a credential management app on an unmanaged device.
Parameters | |
---|---|
admin |
ComponentName?: Which DeviceAdminReceiver this request is associated with, or null if the caller is not a device admin. |
alias |
String: The private key alias under which to install the certificate. The alias should denote an existing private key. If a certificate with that alias already exists, it will be overwritten. This value cannot be null . |
certs |
MutableList<Certificate!>: The certificate chain to install. The chain should start with the leaf certificate and include the chain of trust in order. This will be returned by android.security.KeyChain#getCertificateChain . This value cannot be null . |
isUserSelectable |
Boolean: true to indicate that a user can select this key via the certificate selection prompt, false to indicate that this key can only be granted access by implementing android.app.admin.DeviceAdminReceiver#onChoosePrivateKeyAlias . |
Return | |
---|---|
Boolean |
true if the provided alias exists and the certificates has been successfully associated with it, false otherwise. |
Exceptions | |
---|---|
java.lang.SecurityException |
if admin is not null and not a device or profile owner, or admin is null but the calling application is not a delegated certificate installer or credential management app. |
setKeyguardDisabled
open fun setKeyguardDisabled(
admin: ComponentName,
disabled: Boolean
): Boolean
Called by a device owner or profile owner of secondary users that is affiliated with the device to disable the keyguard altogether.
Setting the keyguard to disabled has the same effect as choosing "None" as the screen lock type. However, this call has no effect if a password, pin or pattern is currently set. If a password, pin or pattern is set after the keyguard was disabled, the keyguard stops being disabled.
As of android.os.Build.VERSION_CODES#P
, this call also dismisses the keyguard if it is currently shown.
Parameters | |
---|---|
admin |
ComponentName: Which DeviceAdminReceiver this request is associated with. This value cannot be null . |
disabled |
Boolean: true disables the keyguard, false reenables it. |
Return | |
---|---|
Boolean |
false if attempting to disable the keyguard while a lock password was in place. true otherwise. |
Exceptions | |
---|---|
java.lang.SecurityException |
if admin is not the device owner, or a profile owner of secondary user that is affiliated with the device. |
See Also
setKeyguardDisabledFeatures
open fun setKeyguardDisabledFeatures(
admin: ComponentName?,
which: Int
): Unit
Called by an application that is administering the device to disable keyguard customizations, such as widgets. After setting this, keyguard features will be disabled according to the provided feature list.
A calling device admin must have requested DeviceAdminInfo.USES_POLICY_DISABLE_KEYGUARD_FEATURES
to be able to call this method; if it has not, a security exception will be thrown.
Calling this from a managed profile before version android.os.Build.VERSION_CODES#M
will throw a security exception. From version android.os.Build.VERSION_CODES#M
the profile owner of a managed profile can set:
KEYGUARD_DISABLE_TRUST_AGENTS
, which affects the parent user, but only if there is no separate challenge set on the managed profile.KEYGUARD_DISABLE_FINGERPRINT
,KEYGUARD_DISABLE_FACE
orKEYGUARD_DISABLE_IRIS
which affects the managed profile challenge if there is one, or the parent user otherwise.KEYGUARD_DISABLE_UNREDACTED_NOTIFICATIONS
which affects notifications generated by applications in the managed profile.
From version android.os.Build.VERSION_CODES#VANILLA_ICE_CREAM
, the profile owner of a managed profile can also set KEYGUARD_DISABLE_WIDGETS_ALL
which disables keyguard widgets for the managed profile.
From version android.os.Build.VERSION_CODES#R
the profile owner of an organization-owned managed profile can set:
KEYGUARD_DISABLE_SECURE_CAMERA
which affects the parent user when called on the parent profile.KEYGUARD_DISABLE_SECURE_NOTIFICATIONS
which affects the parent user when called on the parent profile.
android.os.Build.VERSION_CODES#VANILLA_ICE_CREAM
the profile owner of an organization-owned managed profile can set:
KEYGUARD_DISABLE_WIDGETS_ALL
which affects the parent user when called on the parent profile.
KEYGUARD_DISABLE_TRUST_AGENTS
, KEYGUARD_DISABLE_FINGERPRINT
, KEYGUARD_DISABLE_FACE
, KEYGUARD_DISABLE_IRIS
, KEYGUARD_DISABLE_SECURE_CAMERA
and KEYGUARD_DISABLE_SECURE_NOTIFICATIONS
can also be set on the DevicePolicyManager
instance returned by getParentProfileInstance(android.content.ComponentName)
in order to set restrictions on the parent profile. KEYGUARD_DISABLE_SECURE_CAMERA
can only be set on the parent profile instance if the calling device admin is the profile owner of an organization-owned managed profile.
Requests to disable other features on a managed profile will be ignored.
The admin can check which features have been disabled by calling getKeyguardDisabledFeatures(android.content.ComponentName)
Parameters | |
---|---|
admin |
ComponentName?: Which DeviceAdminReceiver this request is associated with. Null if the caller is not a device admin This value may be null . |
which |
Int: The disabled features flag which can be either KEYGUARD_DISABLE_FEATURES_NONE (default), KEYGUARD_DISABLE_FEATURES_ALL , or a combination of KEYGUARD_DISABLE_WIDGETS_ALL , KEYGUARD_DISABLE_SECURE_CAMERA , KEYGUARD_DISABLE_SECURE_NOTIFICATIONS , KEYGUARD_DISABLE_TRUST_AGENTS , KEYGUARD_DISABLE_UNREDACTED_NOTIFICATIONS , KEYGUARD_DISABLE_FINGERPRINT , KEYGUARD_DISABLE_FACE , KEYGUARD_DISABLE_IRIS , KEYGUARD_DISABLE_SHORTCUTS_ALL . |
Exceptions | |
---|---|
java.lang.SecurityException |
if admin is not an active administrator or does not use DeviceAdminInfo.USES_POLICY_DISABLE_KEYGUARD_FEATURES |
setLocationEnabled
open fun setLocationEnabled(
admin: ComponentName,
locationEnabled: Boolean
): Unit
Called by device owners to set the user's global location setting.
Parameters | |
---|---|
admin |
ComponentName: Which DeviceAdminReceiver this request is associated with This value cannot be null . |
locationEnabled |
Boolean: whether location should be enabled or disabled. Note: on automotive builds , calls to disable will be ignored. |
Exceptions | |
---|---|
java.lang.SecurityException |
if admin is not a device owner. |
setLockTaskFeatures
open fun setLockTaskFeatures(
admin: ComponentName?,
flags: Int
): Unit
Sets which system features are enabled when the device runs in lock task mode. This method doesn't affect the features when lock task mode is inactive. Any system features not included in flags
are implicitly disabled when calling this method. By default, only LOCK_TASK_FEATURE_GLOBAL_ACTIONS
is enabled; all the other features are disabled. To disable the global actions dialog, call this method omitting LOCK_TASK_FEATURE_GLOBAL_ACTIONS
.
This method can only be called by the device owner, a profile owner of an affiliated user or profile, or the profile owner when no device owner is set or holders of the permission android.Manifest.permission#MANAGE_DEVICE_POLICY_LOCK_TASK
. See isAffiliatedUser
. Any features set using this method are cleared if the user becomes unaffiliated.
Starting from Build.VERSION_CODES.UPSIDE_DOWN_CAKE
, after the lock task features policy has been set, PolicyUpdateReceiver.onPolicySetResult(Context, String, Bundle,
will notify the admin on whether the policy was successfully set or not. This callback will contain:
- The policy identifier
DevicePolicyIdentifiers.LOCK_TASK_POLICY
- The
TargetUser
that this policy relates to - The
PolicyUpdateResult
, which will bePolicyUpdateResult.RESULT_POLICY_SET
if the policy was successfully set or the reason the policy failed to be set (e.g.PolicyUpdateResult.RESULT_FAILURE_CONFLICTING_ADMIN_POLICY
)
PolicyUpdateReceiver.onPolicyChanged(Context, String, Bundle, TargetUser,
will notify the admin of this change. This callback will contain the same parameters as PolicyUpdateReceiver#onPolicySetResult and the PolicyUpdateResult
will contain the reason why the policy changed.
Starting from Build.VERSION_CODES.UPSIDE_DOWN_CAKE
, lock task features and lock task packages are bundled as one policy. A failure to apply one will result in a failure to apply the other.
Parameters | |
---|---|
admin |
ComponentName?: Which DeviceAdminReceiver this request is associated with. Null if the caller is not a device admin. This value may be null . |
flags |
Int: The system features enabled during lock task mode. Value is either 0 or a combination of android.app.admin.DevicePolicyManager#LOCK_TASK_FEATURE_NONE , android.app.admin.DevicePolicyManager#LOCK_TASK_FEATURE_SYSTEM_INFO , android.app.admin.DevicePolicyManager#LOCK_TASK_FEATURE_NOTIFICATIONS , android.app.admin.DevicePolicyManager#LOCK_TASK_FEATURE_HOME , android.app.admin.DevicePolicyManager#LOCK_TASK_FEATURE_OVERVIEW , android.app.admin.DevicePolicyManager#LOCK_TASK_FEATURE_GLOBAL_ACTIONS , android.app.admin.DevicePolicyManager#LOCK_TASK_FEATURE_KEYGUARD , and android.app.admin.DevicePolicyManager#LOCK_TASK_FEATURE_BLOCK_ACTIVITY_START_IN_TASK |
Exceptions | |
---|---|
java.lang.SecurityException |
if admin is not the device owner, the profile owner of an affiliated user or profile, or the profile owner when no device owner is set or holder of the permission android.Manifest.permission#MANAGE_DEVICE_POLICY_LOCK_TASK . |
See Also
setLockTaskPackages
open fun setLockTaskPackages(
admin: ComponentName?,
packages: Array<String!>
): Unit
Sets which packages may enter lock task mode.
Any packages that share uid with an allowed package will also be allowed to activate lock task. From android.os.Build.VERSION_CODES#M
removing packages from the lock task package list results in locked tasks belonging to those packages to be finished.
This function can only be called by the device owner, a profile owner of an affiliated user or profile, or the profile owner when no device owner is set or holders of the permission android.Manifest.permission#MANAGE_DEVICE_POLICY_LOCK_TASK
. See isAffiliatedUser
. Any package set via this method will be cleared if the user becomes unaffiliated.
Starting from Build.VERSION_CODES.UPSIDE_DOWN_CAKE
, after the lock task policy has been set, PolicyUpdateReceiver.onPolicySetResult(Context, String, Bundle, TargetUser,
will notify the admin on whether the policy was successfully set or not. This callback will contain:
- The policy identifier
DevicePolicyIdentifiers.LOCK_TASK_POLICY
- The
TargetUser
that this policy relates to - The
PolicyUpdateResult
, which will bePolicyUpdateResult.RESULT_POLICY_SET
if the policy was successfully set or the reason the policy failed to be set (e.g.PolicyUpdateResult.RESULT_FAILURE_CONFLICTING_ADMIN_POLICY
)
PolicyUpdateReceiver.onPolicyChanged(Context, String, Bundle, TargetUser,
will notify the admin of this change. This callback will contain the same parameters as PolicyUpdateReceiver#onPolicySetResult and the PolicyUpdateResult
will contain the reason why the policy changed.
Starting from Build.VERSION_CODES.UPSIDE_DOWN_CAKE
, lock task features and lock task packages are bundled as one policy. A failure to apply one will result in a failure to apply the other.
Parameters | |
---|---|
packages |
Array<String!>: The list of packages allowed to enter lock task mode This value cannot be null . |
admin |
ComponentName?: Which DeviceAdminReceiver this request is associated with. Null if the caller is not a device admin. This value may be null . |
Exceptions | |
---|---|
java.lang.SecurityException |
if admin is not the device owner, the profile owner of an affiliated user or profile, or the profile owner when no device owner is set or holder of the permission android.Manifest.permission#MANAGE_DEVICE_POLICY_LOCK_TASK . |
setLogoutEnabled
open fun setLogoutEnabled(
admin: ComponentName,
enabled: Boolean
): Unit
Called by a device owner to specify whether logout is enabled for all secondary users. The system may show a logout button that stops the user and switches back to the primary user.
Parameters | |
---|---|
admin |
ComponentName: Which DeviceAdminReceiver this request is associated with. This value cannot be null . |
enabled |
Boolean: whether logout should be enabled or not. |
Exceptions | |
---|---|
java.lang.SecurityException |
if admin is not a device owner. |
setLongSupportMessage
open fun setLongSupportMessage(
admin: ComponentName,
message: CharSequence?
): Unit
Called by a device admin to set the long support message. This will be displayed to the user in the device administrators settings screen. If the message is longer than 20000 characters it may be truncated.
If the long support message needs to be localized, it is the responsibility of the DeviceAdminReceiver
to listen to the Intent.ACTION_LOCALE_CHANGED
broadcast and set a new version of this string accordingly.
Parameters | |
---|---|
admin |
ComponentName: Which DeviceAdminReceiver this request is associated with. This value cannot be null . |
message |
CharSequence?: Long message to be displayed to the user in settings or null to clear the existing message. |
Exceptions | |
---|---|
java.lang.SecurityException |
if admin is not an active administrator. |
See Also
setManagedProfileCallerIdAccessPolicy
open fun setManagedProfileCallerIdAccessPolicy(policy: PackagePolicy?): Unit
Called by a profile owner of a managed profile to set the packages that are allowed to lookup contacts in the managed profile based on caller id information.
For example, the policy determines if a dialer app in the parent profile resolving an incoming call can search the caller id data, such as phone number, of managed contacts and return managed contacts that match.
The calling device admin must be a profile owner of a managed profile. If it is not, a SecurityException
will be thrown.
A PackagePolicy.PACKAGE_POLICY_ALLOWLIST_AND_SYSTEM
policy type allows access from the OEM default packages for the Sms, Dialer and Contact roles, in addition to the packages specified in PackagePolicy.getPackageNames()
Parameters | |
---|---|
policy |
PackagePolicy?: the policy to set, setting this value to null will allow all packages |
Exceptions | |
---|---|
java.lang.SecurityException |
if caller is not a profile owner of a managed profile |
setManagedProfileContactsAccessPolicy
open fun setManagedProfileContactsAccessPolicy(policy: PackagePolicy?): Unit
Called by a profile owner of a managed profile to set the packages that are allowed access to the managed profile contacts from the parent user.
For example, the system will enforce the provided policy and determine if contacts in the managed profile are shown when queried by an application in the parent user.
The calling device admin must be a profile owner of a managed profile. If it is not, a SecurityException
will be thrown.
A PackagePolicy.PACKAGE_POLICY_ALLOWLIST_AND_SYSTEM
policy type allows access from the OEM default packages for the Sms, Dialer and Contact roles, in addition to the packages specified in PackagePolicy.getPackageNames()
Parameters | |
---|---|
policy |
PackagePolicy?: the policy to set, setting this value to null will allow all packages |
Exceptions | |
---|---|
java.lang.SecurityException |
if caller is not a profile owner of a managed profile |
setManagedProfileMaximumTimeOff
open fun setManagedProfileMaximumTimeOff(
admin: ComponentName,
timeoutMillis: Long
): Unit
Called by a profile owner of an organization-owned managed profile to set maximum time the profile is allowed to be turned off. If the profile is turned off for longer, personal apps are suspended on the device.
When personal apps are suspended, an ongoing notification about that is shown to the user. When the user taps the notification, system invokes ACTION_CHECK_POLICY_COMPLIANCE
in the profile owner package. Profile owner implementation that uses personal apps suspension must handle this intent.
Parameters | |
---|---|
admin |
ComponentName: Which DeviceAdminReceiver this request is associated with This value cannot be null . |
timeoutMillis |
Long: Maximum time the profile is allowed to be off in milliseconds or 0 if not limited. The minimum non-zero value corresponds to 72 hours. If an admin sets a smaller non-zero vaulue, 72 hours will be set instead. |
Exceptions | |
---|---|
java.lang.IllegalStateException |
if the profile owner doesn't have an activity that handles ACTION_CHECK_POLICY_COMPLIANCE |
See Also
setManagedSubscriptionsPolicy
open fun setManagedSubscriptionsPolicy(policy: ManagedSubscriptionsPolicy?): Unit
Called by a profile owner of an organization-owned device to specify ManagedSubscriptionsPolicy
Managed subscriptions policy controls how SIMs would be associated with the managed profile. For example a policy of type ManagedSubscriptionsPolicy.TYPE_ALL_MANAGED_SUBSCRIPTIONS
assigns all SIM-based subscriptions to the managed profile. In this case OEM default dialer and messages app are automatically installed in the managed profile and all incoming and outgoing calls and text messages are handled by them.
This API can only be called during device setup.
Parameters | |
---|---|
policy |
ManagedSubscriptionsPolicy?: ManagedSubscriptionsPolicy policy, passing null for this resets the policy to be the default. |
Exceptions | |
---|---|
java.lang.SecurityException |
if the caller is not a profile owner on an organization-owned managed profile. |
java.lang.IllegalStateException |
if called after the device setup has been completed. |
java.lang.UnsupportedOperationException |
if managed subscriptions policy is not explicitly enabled by the device policy management role holder during device setup. |
setMasterVolumeMuted
open fun setMasterVolumeMuted(
admin: ComponentName,
on: Boolean
): Unit
Called by profile or device owners to set the global volume mute on or off. This has no effect when set on a managed profile.
Parameters | |
---|---|
admin |
ComponentName: Which DeviceAdminReceiver this request is associated with. This value cannot be null . |
on |
Boolean: true to mute global volume, false to turn mute off. |
Exceptions | |
---|---|
java.lang.SecurityException |
if admin is not a device or profile owner. |
setMaximumFailedPasswordsForWipe
open fun setMaximumFailedPasswordsForWipe(
admin: ComponentName?,
num: Int
): Unit
Setting this to a value greater than zero enables a policy that will perform a device or profile wipe after too many incorrect device-unlock passwords have been entered. This policy combines watching for failed passwords and wiping the device, and requires that calling Device Admins request both DeviceAdminInfo.USES_POLICY_WATCH_LOGIN
and DeviceAdminInfo.USES_POLICY_WIPE_DATA
}.
When this policy is set on the system or the main user, the device will be factory reset after too many incorrect password attempts. When set on any other user, only the corresponding user or profile will be wiped.
To implement any other policy (e.g. wiping data for a particular application only, erasing or revoking credentials, or reporting the failure to a server), you should implement DeviceAdminReceiver.onPasswordFailed(Context, android.content.Intent)
instead. Do not use this API, because if the maximum count is reached, the device or profile will be wiped immediately, and your callback will not be invoked.
This method can be called on the DevicePolicyManager
instance returned by getParentProfileInstance(android.content.ComponentName)
in order to set a value on the parent profile. This allows a profile wipe after too many incorrect device-unlock password have been entered on the parent profile even if each profile has a separate challenge.
On devices not supporting PackageManager.FEATURE_SECURE_LOCK_SCREEN
feature, the password is always empty and this method has no effect - i.e. the policy is not set.
Requires the PackageManager#FEATURE_SECURE_LOCK_SCREEN
feature which can be detected using PackageManager.hasSystemFeature(String)
.
Parameters | |
---|---|
admin |
ComponentName?: Which DeviceAdminReceiver this request is associated with. Null if the caller is not a device admin. This value may be null . |
num |
Int: The number of failed password attempts at which point the device or profile will be wiped. |
Exceptions | |
---|---|
java.lang.SecurityException |
if admin is not null, and admin is not an active administrator or does not use both DeviceAdminInfo.USES_POLICY_WATCH_LOGIN and DeviceAdminInfo.USES_POLICY_WIPE_DATA , or if admin is null and the caller does not have permission to wipe the device. |
setMaximumTimeToLock
open fun setMaximumTimeToLock(
admin: ComponentName?,
timeMs: Long
): Unit
Called by an application that is administering the device to set the maximum time for user activity until the device will lock. This limits the length that the user can set. It takes effect immediately.
A calling device admin must have requested DeviceAdminInfo.USES_POLICY_FORCE_LOCK
to be able to call this method; if it has not, a security exception will be thrown.
This method can be called on the DevicePolicyManager
instance returned by getParentProfileInstance(android.content.ComponentName)
in order to set restrictions on the parent profile.
Parameters | |
---|---|
admin |
ComponentName?: Which DeviceAdminReceiver this request is associated with. Null if the caller is not a device admin This value may be null . |
timeMs |
Long: The new desired maximum time to lock in milliseconds. A value of 0 means there is no restriction. |
Exceptions | |
---|---|
java.lang.SecurityException |
if admin is not an active administrator or it does not use DeviceAdminInfo.USES_POLICY_FORCE_LOCK |
setMeteredDataDisabledPackages
open fun setMeteredDataDisabledPackages(
admin: ComponentName,
packageNames: MutableList<String!>
): MutableList<String!>
Called by a device or profile owner to restrict packages from using metered data.
Parameters | |
---|---|
admin |
ComponentName: which DeviceAdminReceiver this request is associated with. This value cannot be null . |
packageNames |
MutableList<String!>: the list of package names to be restricted. This value cannot be null . |
Return | |
---|---|
MutableList<String!> |
a list of package names which could not be restricted. This value cannot be null . |
Exceptions | |
---|---|
java.lang.SecurityException |
if admin is not a device or profile owner. |
setMinimumRequiredWifiSecurityLevel
open fun setMinimumRequiredWifiSecurityLevel(level: Int): Unit
Called by device owner or profile owner of an organization-owned managed profile to specify the minimum security level required for Wi-Fi networks. The device may not connect to networks that do not meet the minimum security level. If the current network does not meet the minimum security level set, it will be disconnected. The following shows the Wi-Fi security levels from the lowest to the highest security level: WIFI_SECURITY_OPEN
WIFI_SECURITY_PERSONAL
WIFI_SECURITY_ENTERPRISE_EAP
WIFI_SECURITY_ENTERPRISE_192
Exceptions | |
---|---|
java.lang.SecurityException |
if the caller is not permitted to set this policy |
setMtePolicy
open fun setMtePolicy(policy: Int): Unit
Called by a device owner, profile owner of an organization-owned device, to set the Memory Tagging Extension (MTE) policy. MTE is a CPU extension that allows to protect against certain classes of security problems at a small runtime performance cost overhead.
The MTE policy can only be set to MTE_DISABLED
if called by a device owner. Otherwise a SecurityException
will be thrown.
The device needs to be rebooted to apply changes to the MTE policy.
Parameters | |
---|---|
policy |
Int: the MTE policy to be set Value is android.app.admin.DevicePolicyManager#MTE_ENABLED , android.app.admin.DevicePolicyManager#MTE_DISABLED , or android.app.admin.DevicePolicyManager#MTE_NOT_CONTROLLED_BY_POLICY |
Exceptions | |
---|---|
java.lang.SecurityException |
if caller is not permitted to set Mte policy |
java.lang.UnsupportedOperationException |
if the device does not support MTE |
setNearbyAppStreamingPolicy
open fun setNearbyAppStreamingPolicy(policy: Int): Unit
Called by a device/profile owner to set nearby app streaming policy. App streaming is when the device starts an app on a virtual display and sends a video stream of the app to nearby devices.
Parameters | |
---|---|
policy |
Int: One of the NearbyStreamingPolicy constants. Value is android.app.admin.DevicePolicyManager#NEARBY_STREAMING_NOT_CONTROLLED_BY_POLICY , android.app.admin.DevicePolicyManager#NEARBY_STREAMING_DISABLED , android.app.admin.DevicePolicyManager#NEARBY_STREAMING_ENABLED , or android.app.admin.DevicePolicyManager#NEARBY_STREAMING_SAME_MANAGED_ACCOUNT_ONLY |
Exceptions | |
---|---|
java.lang.SecurityException |
if caller is not a device or profile owner. |
setNearbyNotificationStreamingPolicy
open fun setNearbyNotificationStreamingPolicy(policy: Int): Unit
Called by a device/profile owner to set nearby notification streaming policy. Notification streaming is sending notification data from pre-installed apps to nearby devices.
Parameters | |
---|---|
policy |
Int: One of the NearbyStreamingPolicy constants. Value is android.app.admin.DevicePolicyManager#NEARBY_STREAMING_NOT_CONTROLLED_BY_POLICY , android.app.admin.DevicePolicyManager#NEARBY_STREAMING_DISABLED , android.app.admin.DevicePolicyManager#NEARBY_STREAMING_ENABLED , or android.app.admin.DevicePolicyManager#NEARBY_STREAMING_SAME_MANAGED_ACCOUNT_ONLY |
Exceptions | |
---|---|
java.lang.SecurityException |
if caller is not a device or profile owner |
setNetworkLoggingEnabled
open fun setNetworkLoggingEnabled(
admin: ComponentName?,
enabled: Boolean
): Unit
Called by a device owner, profile owner of a managed profile or delegated app with DELEGATION_NETWORK_LOGGING
to control the network logging feature.
Supported for a device owner from Android 8 and a delegated app granted by a device owner from Android 10. Supported for a profile owner of a managed profile and a delegated app granted by a profile owner from Android 12. When network logging is enabled by a profile owner, the network logs will only include work profile network activity, not activity on the personal profile.
Network logs contain DNS lookup and connect() library call events. The following library functions are recorded while network logging is active:
getaddrinfo()
gethostbyname()
connect()
Network logging is a low-overhead tool for forensics but it is not guaranteed to use full system call logging; event reporting is enabled by default for all processes but not strongly enforced. Events from applications using alternative implementations of libc, making direct kernel calls, or deliberately obfuscating traffic may not be recorded.
Some common network events may not be reported. For example:
- Applications may hardcode IP addresses to reduce the number of DNS lookups, or use an alternative system for name resolution, and so avoid calling
getaddrinfo()
orgethostbyname
. - Applications may use datagram sockets for performance reasons, for example for a game client. Calling
connect()
is unnecessary for this kind of socket, so it will not trigger a network event.
It is possible to directly intercept layer 3 traffic leaving the device using an always-on VPN service. See setAlwaysOnVpnPackage(android.content.ComponentName,java.lang.String,boolean)
and android.net.VpnService
for details.
Note: The device owner won't be able to retrieve network logs if there are unaffiliated secondary users or profiles on the device, regardless of whether the feature is enabled. Logs will be discarded if the internal buffer fills up while waiting for all users to become affiliated. Therefore it's recommended that affiliation ids are set for new users as soon as possible after provisioning via setAffiliationIds
.
Parameters | |
---|---|
admin |
ComponentName?: Which DeviceAdminReceiver this request is associated with, or null if called by a delegated app. |
enabled |
Boolean: whether network logging should be enabled or not. |
Exceptions | |
---|---|
java.lang.SecurityException |
if admin is not a device owner or profile owner. |
See Also
setOrganizationColor
open funsetOrganizationColor(
admin: ComponentName,
color: Int
): Unit
Deprecated: From android.os.Build.VERSION_CODES#R
, the organization color is never used as the background color of the confirm credentials screen.
Called by a profile owner of a managed profile to set the color used for customization. This color is used as background color of the confirm credentials screen for that user. The default color is teal (#00796B).
The confirm credentials screen can be created using android.app.KeyguardManager#createConfirmDeviceCredentialIntent
.
Starting from Android R, the organization color will no longer be used as the background color of the confirm credentials screen.
Parameters | |
---|---|
admin |
ComponentName: Which DeviceAdminReceiver this request is associated with. This value cannot be null . |
color |
Int: The 24bit (0xRRGGBB) representation of the color to be used. |
Exceptions | |
---|---|
java.lang.SecurityException |
if admin is not a profile owner. |
setOrganizationId
open fun setOrganizationId(enterpriseId: String): Unit
Sets the Enterprise ID for the work profile or managed device. This is a requirement for generating an enrollment-specific ID for the device, see getEnrollmentSpecificId()
. It is recommended that the Enterprise ID is at least 6 characters long, and no more than 64 characters.
Parameters | |
---|---|
enterpriseId |
String: An identifier of the organization this work profile or device is enrolled into. This value cannot be null . |
setOrganizationName
open fun setOrganizationName(
admin: ComponentName?,
title: CharSequence?
): Unit
Called by the device owner (since API 26) or profile owner (since API 24) to set the name of the organization under management.
If the organization name needs to be localized, it is the responsibility of the caller to listen to the Intent.ACTION_LOCALE_CHANGED
broadcast and set a new version of this string accordingly.
Parameters | |
---|---|
admin |
ComponentName?: Which DeviceAdminReceiver this request is associated with. Null if the caller is not a device admin. This value may be null . |
title |
CharSequence?: The organization name or null to clear a previously set name. |
Exceptions | |
---|---|
java.lang.SecurityException |
if admin is not a device or profile owner. |
setOverrideApnsEnabled
open fun setOverrideApnsEnabled(
admin: ComponentName,
enabled: Boolean
): Unit
Called by device owner to set if override APNs should be enabled.
Override APNs are separated from other APNs on the device, and can only be inserted or modified by the device owner. When enabled, only override APNs are in use, any other APNs are ignored.
Note: Enterprise APNs added by managed profile owners do not need to be enabled by this API. They are part of the preferential network service config and is controlled by setPreferentialNetworkServiceConfigs
.
Parameters | |
---|---|
admin |
ComponentName: which DeviceAdminReceiver this request is associated with This value cannot be null . |
enabled |
Boolean: true if override APNs should be enabled, false otherwise |
Exceptions | |
---|---|
java.lang.SecurityException |
if admin is not a device owner. |
setPackagesSuspended
open fun setPackagesSuspended(
admin: ComponentName?,
packageNames: Array<String!>,
suspended: Boolean
): Array<String!>
Called by device or profile owners to suspend packages for this user. This function can be called by a device owner, profile owner, or by a delegate given the DELEGATION_PACKAGE_ACCESS
scope via setDelegatedScopes
.
A suspended package will not be able to start activities. Its notifications will be hidden, it will not show up in recents, will not be able to show toasts or dialogs or ring the device.
The package must already be installed. If the package is uninstalled while suspended the package will no longer be suspended. The admin can block this by using setUninstallBlocked
.
Some apps cannot be suspended, such as device admins, the active launcher, the required package installer, the required package uninstaller, the required package verifier, the default dialer, and the permission controller.
Parameters | |
---|---|
admin |
ComponentName?: Which DeviceAdminReceiver this request is associated with. Null if the caller is not a device admin. This value may be null . |
packageNames |
Array<String!>: The package names to suspend or unsuspend. This value cannot be null . |
suspended |
Boolean: If set to true than the packages will be suspended, if set to false the packages will be unsuspended. |
Return | |
---|---|
Array<String!> |
an array of package names for which the suspended status is not set as requested in this method. This value cannot be null . |
Exceptions | |
---|---|
java.lang.SecurityException |
if admin is not a device or profile owner. |
setPasswordExpirationTimeout
open fun setPasswordExpirationTimeout(
admin: ComponentName?,
timeout: Long
): Unit
Called by a device admin to set the password expiration timeout. Calling this method will restart the countdown for password expiration for the given admin, as will changing the device password (for all admins).
The provided timeout is the time delta in ms and will be added to the current time. For example, to have the password expire 5 days from now, timeout would be 5 * 86400 * 1000 = 432000000 ms for timeout.
To disable password expiration, a value of 0 may be used for timeout.
On devices not supporting PackageManager.FEATURE_SECURE_LOCK_SCREEN
feature, the password expiration is always disabled.
A calling device admin must have requested DeviceAdminInfo.USES_POLICY_EXPIRE_PASSWORD
to be able to call this method; if it has not, a security exception will be thrown.
Note that setting the password will automatically reset the expiration time for all active admins. Active admins do not need to explicitly call this method in that case.
This method can be called on the DevicePolicyManager
instance returned by getParentProfileInstance(android.content.ComponentName)
in order to set restrictions on the parent profile.
Requires the PackageManager#FEATURE_SECURE_LOCK_SCREEN
feature which can be detected using PackageManager.hasSystemFeature(String)
.
Parameters | |
---|---|
admin |
ComponentName?: Which DeviceAdminReceiver this request is associated with. Null if the caller is not a device admin This value may be null . |
timeout |
Long: The limit (in ms) that a password can remain in effect. A value of 0 means there is no restriction (unlimited). |
Exceptions | |
---|---|
java.lang.SecurityException |
if admin is not an active administrator or admin does not use DeviceAdminInfo.USES_POLICY_EXPIRE_PASSWORD |
setPasswordHistoryLength
open fun setPasswordHistoryLength(
admin: ComponentName,
length: Int
): Unit
Called by an application that is administering the device to set the length of the password history. After setting this, the user will not be able to enter a new password that is the same as any password in the history. Note that the current password will remain until the user has set a new one, so the change does not take place immediately. To prompt the user for a new password, use ACTION_SET_NEW_PASSWORD
or ACTION_SET_NEW_PARENT_PROFILE_PASSWORD
after setting this value.
On devices not supporting PackageManager.FEATURE_SECURE_LOCK_SCREEN
feature, the password history length is always 0.
The calling device admin must have requested DeviceAdminInfo.USES_POLICY_LIMIT_PASSWORD
to be able to call this method; if it has not, a security exception will be thrown.
This method can be called on the DevicePolicyManager
instance returned by getParentProfileInstance(android.content.ComponentName)
in order to set restrictions on the parent profile.
Requires the PackageManager#FEATURE_SECURE_LOCK_SCREEN
feature which can be detected using PackageManager.hasSystemFeature(String)
.
Parameters | |
---|---|
admin |
ComponentName: Which DeviceAdminReceiver this request is associated with. This value cannot be null . |
length |
Int: The new desired length of password history. A value of 0 means there is no restriction. |
Exceptions | |
---|---|
java.lang.SecurityException |
if admin is not an active administrator or admin does not use DeviceAdminInfo.USES_POLICY_LIMIT_PASSWORD |
setPasswordMinimumLength
open funsetPasswordMinimumLength(
admin: ComponentName,
length: Int
): Unit
Deprecated: see setPasswordQuality(android.content.ComponentName,int)
for details.
Called by an application that is administering the device to set the minimum allowed password length. After setting this, the user will not be able to enter a new password that is not at least as restrictive as what has been set. Note that the current password will remain until the user has set a new one, so the change does not take place immediately. To prompt the user for a new password, use ACTION_SET_NEW_PASSWORD
or ACTION_SET_NEW_PARENT_PROFILE_PASSWORD
after setting this value. This constraint is only imposed if the administrator has also requested either PASSWORD_QUALITY_NUMERIC
, PASSWORD_QUALITY_NUMERIC_COMPLEX
, PASSWORD_QUALITY_ALPHABETIC
, PASSWORD_QUALITY_ALPHANUMERIC
, or PASSWORD_QUALITY_COMPLEX
with setPasswordQuality
. If an app targeting SDK level android.os.Build.VERSION_CODES#R
and above enforces this constraint without settings password quality to one of these values first, this method will throw IllegalStateException
.
On devices not supporting PackageManager.FEATURE_SECURE_LOCK_SCREEN
feature, the password is always treated as empty.
The calling device admin must have requested DeviceAdminInfo.USES_POLICY_LIMIT_PASSWORD
to be able to call this method; if it has not, a security exception will be thrown.
Apps targeting android.os.Build.VERSION_CODES#R
and below can call this method on the DevicePolicyManager
instance returned by getParentProfileInstance(android.content.ComponentName)
in order to set restrictions on the parent profile.
Note: this method is ignored on {PackageManager#FEATURE_AUTOMOTIVE automotive builds}.
Parameters | |
---|---|
admin |
ComponentName: Which DeviceAdminReceiver this request is associated with. This value cannot be null . |
length |
Int: The new desired minimum password length. A value of 0 means there is no restriction. |
Exceptions | |
---|---|
java.lang.SecurityException |
if admin is not an active administrator or admin does not use DeviceAdminInfo.USES_POLICY_LIMIT_PASSWORD |
java.lang.IllegalStateException |
if the calling app is targeting SDK level android.os.Build.VERSION_CODES#R and above and didn't set a sufficient password quality requirement prior to calling this method. |
setPasswordMinimumLetters
open funsetPasswordMinimumLetters(
admin: ComponentName,
length: Int
): Unit
Deprecated: see setPasswordQuality(android.content.ComponentName,int)
for details.
Called by an application that is administering the device to set the minimum number of letters required in the password. After setting this, the user will not be able to enter a new password that is not at least as restrictive as what has been set. Note that the current password will remain until the user has set a new one, so the change does not take place immediately. To prompt the user for a new password, use ACTION_SET_NEW_PASSWORD
or ACTION_SET_NEW_PARENT_PROFILE_PASSWORD
after setting this value. This constraint is only imposed if the administrator has also requested PASSWORD_QUALITY_COMPLEX
with setPasswordQuality
. If an app targeting SDK level android.os.Build.VERSION_CODES#R
and above enforces this constraint without settings password quality to PASSWORD_QUALITY_COMPLEX
first, this method will throw IllegalStateException
. The default value is 1.
On devices not supporting PackageManager.FEATURE_SECURE_LOCK_SCREEN
feature, the password is always treated as empty.
The calling device admin must have requested DeviceAdminInfo.USES_POLICY_LIMIT_PASSWORD
to be able to call this method; if it has not, a security exception will be thrown.
Apps targeting android.os.Build.VERSION_CODES#R
and below can call this method on the DevicePolicyManager
instance returned by getParentProfileInstance(android.content.ComponentName)
in order to set restrictions on the parent profile.
Note: this method is ignored on {PackageManager#FEATURE_AUTOMOTIVE automotive builds}.
Parameters | |
---|---|
admin |
ComponentName: Which DeviceAdminReceiver this request is associated with. This value cannot be null . |
length |
Int: The new desired minimum number of letters required in the password. A value of 0 means there is no restriction. |
Exceptions | |
---|---|
java.lang.SecurityException |
if admin is not an active administrator or admin does not use DeviceAdminInfo.USES_POLICY_LIMIT_PASSWORD |
java.lang.IllegalStateException |
if the calling app is targeting SDK level android.os.Build.VERSION_CODES#R and above and didn't set a sufficient password quality requirement prior to calling this method. |
setPasswordMinimumLowerCase
open funsetPasswordMinimumLowerCase(
admin: ComponentName,
length: Int
): Unit
Deprecated: see setPasswordQuality(android.content.ComponentName,int)
for details.
Called by an application that is administering the device to set the minimum number of lower case letters required in the password. After setting this, the user will not be able to enter a new password that is not at least as restrictive as what has been set. Note that the current password will remain until the user has set a new one, so the change does not take place immediately. To prompt the user for a new password, use ACTION_SET_NEW_PASSWORD
or ACTION_SET_NEW_PARENT_PROFILE_PASSWORD
after setting this value. This constraint is only imposed if the administrator has also requested PASSWORD_QUALITY_COMPLEX
with setPasswordQuality
. If an app targeting SDK level android.os.Build.VERSION_CODES#R
and above enforces this constraint without settings password quality to PASSWORD_QUALITY_COMPLEX
first, this method will throw IllegalStateException
. The default value is 0.
On devices not supporting PackageManager.FEATURE_SECURE_LOCK_SCREEN
feature, the password is always treated as empty.
The calling device admin must have requested DeviceAdminInfo.USES_POLICY_LIMIT_PASSWORD
to be able to call this method; if it has not, a security exception will be thrown.
Apps targeting android.os.Build.VERSION_CODES#R
and below can call this method on the DevicePolicyManager
instance returned by getParentProfileInstance(android.content.ComponentName)
in order to set restrictions on the parent profile.
Note: this method is ignored on {PackageManager#FEATURE_AUTOMOTIVE automotive builds}.
Parameters | |
---|---|
admin |
ComponentName: Which DeviceAdminReceiver this request is associated with. This value cannot be null . |
length |
Int: The new desired minimum number of lower case letters required in the password. A value of 0 means there is no restriction. |
Exceptions | |
---|---|
java.lang.SecurityException |
if admin is not an active administrator or admin does not use DeviceAdminInfo.USES_POLICY_LIMIT_PASSWORD |
java.lang.IllegalStateException |
if the calling app is targeting SDK level android.os.Build.VERSION_CODES#R and above and didn't set a sufficient password quality requirement prior to calling this method. |
setPasswordMinimumNonLetter
open funsetPasswordMinimumNonLetter(
admin: ComponentName,
length: Int
): Unit
Deprecated: see setPasswordQuality(android.content.ComponentName,int)
for details.
Called by an application that is administering the device to set the minimum number of non-letter characters (numerical digits or symbols) required in the password. After setting this, the user will not be able to enter a new password that is not at least as restrictive as what has been set. Note that the current password will remain until the user has set a new one, so the change does not take place immediately. To prompt the user for a new password, use ACTION_SET_NEW_PASSWORD
or ACTION_SET_NEW_PARENT_PROFILE_PASSWORD
after setting this value. This constraint is only imposed if the administrator has also requested PASSWORD_QUALITY_COMPLEX
with setPasswordQuality
. If an app targeting SDK level android.os.Build.VERSION_CODES#R
and above enforces this constraint without settings password quality to PASSWORD_QUALITY_COMPLEX
first, this method will throw IllegalStateException
. The default value is 0.
On devices not supporting PackageManager.FEATURE_SECURE_LOCK_SCREEN
feature, the password is always treated as empty.
The calling device admin must have requested DeviceAdminInfo.USES_POLICY_LIMIT_PASSWORD
to be able to call this method; if it has not, a security exception will be thrown.
Apps targeting android.os.Build.VERSION_CODES#R
and below can call this method on the DevicePolicyManager
instance returned by getParentProfileInstance(android.content.ComponentName)
in order to set restrictions on the parent profile.
Note: this method is ignored on {PackageManager#FEATURE_AUTOMOTIVE automotive builds}.
Parameters | |
---|---|
admin |
ComponentName: Which DeviceAdminReceiver this request is associated with. This value cannot be null . |
length |
Int: The new desired minimum number of letters required in the password. A value of 0 means there is no restriction. |
Exceptions | |
---|---|
java.lang.SecurityException |
if admin is not an active administrator or admin does not use DeviceAdminInfo.USES_POLICY_LIMIT_PASSWORD |
java.lang.IllegalStateException |
if the calling app is targeting SDK level android.os.Build.VERSION_CODES#R and above and didn't set a sufficient password quality requirement prior to calling this method. |
setPasswordMinimumNumeric
open funsetPasswordMinimumNumeric(
admin: ComponentName,
length: Int
): Unit
Deprecated: see setPasswordQuality(android.content.ComponentName,int)
for details.
Called by an application that is administering the device to set the minimum number of numerical digits required in the password. After setting this, the user will not be able to enter a new password that is not at least as restrictive as what has been set. Note that the current password will remain until the user has set a new one, so the change does not take place immediately. To prompt the user for a new password, use ACTION_SET_NEW_PASSWORD
or ACTION_SET_NEW_PARENT_PROFILE_PASSWORD
after setting this value. This constraint is only imposed if the administrator has also requested PASSWORD_QUALITY_COMPLEX
with setPasswordQuality
. If an app targeting SDK level android.os.Build.VERSION_CODES#R
and above enforces this constraint without settings password quality to PASSWORD_QUALITY_COMPLEX
first, this method will throw IllegalStateException
. The default value is 1.
On devices not supporting PackageManager.FEATURE_SECURE_LOCK_SCREEN
feature, the password is always treated as empty.
The calling device admin must have requested DeviceAdminInfo.USES_POLICY_LIMIT_PASSWORD
to be able to call this method; if it has not, a security exception will be thrown.
Apps targeting android.os.Build.VERSION_CODES#R
and below can call this method on the DevicePolicyManager
instance returned by getParentProfileInstance(android.content.ComponentName)
in order to set restrictions on the parent profile.
Note: this method is ignored on {PackageManager#FEATURE_AUTOMOTIVE automotive builds}.
Parameters | |
---|---|
admin |
ComponentName: Which DeviceAdminReceiver this request is associated with. This value cannot be null . |
length |
Int: The new desired minimum number of numerical digits required in the password. A value of 0 means there is no restriction. |
Exceptions | |
---|---|
java.lang.SecurityException |
if admin is not an active administrator or admin does not use DeviceAdminInfo.USES_POLICY_LIMIT_PASSWORD |
java.lang.IllegalStateException |
if the calling app is targeting SDK level android.os.Build.VERSION_CODES#R and above and didn't set a sufficient password quality requirement prior to calling this method. |
setPasswordMinimumSymbols
open funsetPasswordMinimumSymbols(
admin: ComponentName,
length: Int
): Unit
Deprecated: see setPasswordQuality(android.content.ComponentName,int)
for details.
Called by an application that is administering the device to set the minimum number of symbols required in the password. After setting this, the user will not be able to enter a new password that is not at least as restrictive as what has been set. Note that the current password will remain until the user has set a new one, so the change does not take place immediately. To prompt the user for a new password, use ACTION_SET_NEW_PASSWORD
or ACTION_SET_NEW_PARENT_PROFILE_PASSWORD
after setting this value. This constraint is only imposed if the administrator has also requested PASSWORD_QUALITY_COMPLEX
with setPasswordQuality
. If an app targeting SDK level android.os.Build.VERSION_CODES#R
and above enforces this constraint without settings password quality to PASSWORD_QUALITY_COMPLEX
first, this method will throw IllegalStateException
. The default value is 1.
On devices not supporting PackageManager.FEATURE_SECURE_LOCK_SCREEN
feature, the password is always treated as empty.
The calling device admin must have requested DeviceAdminInfo.USES_POLICY_LIMIT_PASSWORD
to be able to call this method; if it has not, a security exception will be thrown.
Apps targeting android.os.Build.VERSION_CODES#R
and below can call this method on the DevicePolicyManager
instance returned by getParentProfileInstance(android.content.ComponentName)
in order to set restrictions on the parent profile.
Note: this method is ignored on {PackageManager#FEATURE_AUTOMOTIVE automotive builds}.
Parameters | |
---|---|
admin |
ComponentName: Which DeviceAdminReceiver this request is associated with. This value cannot be null . |
length |
Int: The new desired minimum number of symbols required in the password. A value of 0 means there is no restriction. |
Exceptions | |
---|---|
java.lang.SecurityException |
if admin is not an active administrator or admin does not use DeviceAdminInfo.USES_POLICY_LIMIT_PASSWORD |
java.lang.IllegalStateException |
if the calling app is targeting SDK level android.os.Build.VERSION_CODES#R and above and didn't set a sufficient password quality requirement prior to calling this method. |
setPasswordMinimumUpperCase
open funsetPasswordMinimumUpperCase(
admin: ComponentName,
length: Int
): Unit
Deprecated: see setPasswordQuality(android.content.ComponentName,int)
for details.
Called by an application that is administering the device to set the minimum number of upper case letters required in the password. After setting this, the user will not be able to enter a new password that is not at least as restrictive as what has been set. Note that the current password will remain until the user has set a new one, so the change does not take place immediately. To prompt the user for a new password, use ACTION_SET_NEW_PASSWORD
or ACTION_SET_NEW_PARENT_PROFILE_PASSWORD
after setting this value. This constraint is only imposed if the administrator has also requested PASSWORD_QUALITY_COMPLEX
with setPasswordQuality
. If an app targeting SDK level android.os.Build.VERSION_CODES#R
and above enforces this constraint without settings password quality to PASSWORD_QUALITY_COMPLEX
first, this method will throw IllegalStateException
. The default value is 0.
On devices not supporting PackageManager.FEATURE_SECURE_LOCK_SCREEN
feature, the password is always treated as empty.
The calling device admin must have requested DeviceAdminInfo.USES_POLICY_LIMIT_PASSWORD
to be able to call this method; if it has not, a security exception will be thrown.
Apps targeting android.os.Build.VERSION_CODES#R
and below can call this method on the DevicePolicyManager
instance returned by getParentProfileInstance(android.content.ComponentName)
in order to set restrictions on the parent profile.
Note: this method is ignored on {PackageManager#FEATURE_AUTOMOTIVE automotive builds}.
Parameters | |
---|---|
admin |
ComponentName: Which DeviceAdminReceiver this request is associated with. This value cannot be null . |
length |
Int: The new desired minimum number of upper case letters required in the password. A value of 0 means there is no restriction. |
Exceptions | |
---|---|
java.lang.SecurityException |
if admin is not an active administrator or admin does not use DeviceAdminInfo.USES_POLICY_LIMIT_PASSWORD |
java.lang.IllegalStateException |
if the calling app is targeting SDK level android.os.Build.VERSION_CODES#R and above and didn't set a sufficient password quality requirement prior to calling this method. |
setPasswordQuality
open funsetPasswordQuality(
admin: ComponentName,
quality: Int
): Unit
Deprecated: Deprecated in Java.
Called by an application that is administering the device to set the password restrictions it is imposing. After setting this, the user will not be able to enter a new password that is not at least as restrictive as what has been set. Note that the current password will remain until the user has set a new one, so the change does not take place immediately. To prompt the user for a new password, use ACTION_SET_NEW_PASSWORD
or ACTION_SET_NEW_PARENT_PROFILE_PASSWORD
after calling this method.
Quality constants are ordered so that higher values are more restrictive; thus the highest requested quality constant (between the policy set here, the user's preference, and any other considerations) is the one that is in effect.
On devices not supporting PackageManager.FEATURE_SECURE_LOCK_SCREEN
feature, the password is always treated as empty.
The calling device admin must have requested DeviceAdminInfo.USES_POLICY_LIMIT_PASSWORD
to be able to call this method; if it has not, a security exception will be thrown.
Apps targeting android.os.Build.VERSION_CODES#R
and below can call this method on the DevicePolicyManager
instance returned by getParentProfileInstance(android.content.ComponentName)
in order to set restrictions on the parent profile. Apps targeting android.os.Build.VERSION_CODES#S
and above, with the exception of a profile owner on an organization-owned device (as can be identified by isOrganizationOwnedDeviceWithManagedProfile
), will get a IllegalArgumentException
when calling this method on the parent DevicePolicyManager
instance.
Note: Specifying password requirements using this method clears the password complexity requirements set using setRequiredPasswordComplexity(int)
. If this method is called on the DevicePolicyManager
instance returned by getParentProfileInstance(android.content.ComponentName)
, then password complexity requirements set on the primary DevicePolicyManager
must be cleared first by calling setRequiredPasswordComplexity
with ) first.
setPermissionGrantState
open fun setPermissionGrantState(
admin: ComponentName?,
packageName: String,
permission: String,
grantState: Int
): Boolean
Sets the grant state of a runtime permission for a specific application. The state can be in which a user can manage it through the UI, denied
, in which the permission is denied and the user cannot manage it through the UI, and granted
in which the permission is granted and the user cannot manage it through the UI. This method can only be called by a profile owner, device owner, or a delegate given the DELEGATION_PERMISSION_GRANT
scope via setDelegatedScopes
default
does not revoke the permission. It retains the previous grant, if any.
Device admins with a targetSdkVersion
< android.os.Build.VERSION_CODES#Q
cannot grant and revoke permissions for applications built with a targetSdkVersion
< android.os.Build.VERSION_CODES#M
.
Admins with a targetSdkVersion
≥ android.os.Build.VERSION_CODES#Q
can grant and revoke permissions of all apps. Similar to the user revoking a permission from a application built with a targetSdkVersion
< android.os.Build.VERSION_CODES#M
the app-op matching the permission is set to android.app.AppOpsManager#MODE_IGNORED
, but the permission stays granted.
NOTE: On devices running android.os.Build.VERSION_CODES#S
and above, control over the following, sensors-related, permissions is restricted:
- Manifest.permission.ACCESS_FINE_LOCATION
- Manifest.permission.ACCESS_BACKGROUND_LOCATION
- Manifest.permission.ACCESS_COARSE_LOCATION
- Manifest.permission.CAMERA
- Manifest.permission.RECORD_AUDIO
- Manifest.permission.RECORD_BACKGROUND_AUDIO
- Manifest.permission.ACTIVITY_RECOGNITION
- Manifest.permission.BODY_SENSORS
A profile owner may not grant these permissions (i.e. call this method with any of the permissions listed above and grantState
of PERMISSION_GRANT_STATE_GRANTED
), but may deny them.
A device owner, by default, may continue granting these permissions. However, for increased user control, the admin may opt out of controlling grants for these permissions by including EXTRA_PROVISIONING_SENSORS_PERMISSION_GRANT_OPT_OUT
in the provisioning parameters. In that case the device owner's control will be limited to denying these permissions.
When sensor-related permissions aren't grantable due to the above cases, calling this method to grant these permissions will silently fail, if device admins are built with targetSdkVersion
< android.os.Build.VERSION_CODES#VANILLA_ICE_CREAM
. If they are built with targetSdkVersion
>= android.os.Build.VERSION_CODES#VANILLA_ICE_CREAM
, this method will throw a SecurityException
.
NOTE: On devices running android.os.Build.VERSION_CODES#S
and above, control over the following permissions are restricted for managed profile owners:
- Manifest.permission.READ_SMS
A managed profile owner may not grant these permissions (i.e. call this method with any of the permissions listed above and grantState
of PERMISSION_GRANT_STATE_GRANTED
), but may deny them.
Attempts by the admin to grant these permissions, when the admin is restricted from doing so, will be silently ignored (no exception will be thrown). Control over the following permissions are restricted for managed profile owners:
- Manifest.permission.READ_SMS
A managed profile owner may not grant these permissions (i.e. call this method with any of the permissions listed above and grantState
of PERMISSION_GRANT_STATE_GRANTED
), but may deny them.
Parameters | |
---|---|
admin |
ComponentName?: Which DeviceAdminReceiver this request is associated with. Null if the caller is not a device admin. This value may be null . |
packageName |
String: The application to grant or revoke a permission to. This value cannot be null . |
permission |
String: The permission to grant or revoke. This value cannot be null . |
grantState |
Int: The permission grant state which is one of PERMISSION_GRANT_STATE_DENIED , PERMISSION_GRANT_STATE_DEFAULT , PERMISSION_GRANT_STATE_GRANTED , Value is android.app.admin.DevicePolicyManager#PERMISSION_GRANT_STATE_DEFAULT , android.app.admin.DevicePolicyManager#PERMISSION_GRANT_STATE_GRANTED , or android.app.admin.DevicePolicyManager#PERMISSION_GRANT_STATE_DENIED |
Return | |
---|---|
Boolean |
whether the permission was successfully granted or revoked. |
Exceptions | |
---|---|
java.lang.SecurityException |
if admin is not a device or profile owner. |
setPermissionPolicy
open fun setPermissionPolicy(
admin: ComponentName,
policy: Int
): Unit
Set the default response for future runtime permission requests by applications. This function can be called by a device owner, profile owner, or by a delegate given the DELEGATION_PERMISSION_GRANT
scope via setDelegatedScopes
. The policy can allow for normal operation which prompts the user to grant a permission, or can allow automatic granting or denying of runtime permission requests by an application. This also applies to new permissions declared by app updates. When a permission is denied or granted this way, the effect is equivalent to setting the permission * grant state via setPermissionGrantState
.
targetSdkVersion
of android.os.Build.VERSION_CODES#M
or later.
NOTE: On devices running android.os.Build.VERSION_CODES#S
and above, an auto-grant policy will not apply to certain sensors-related permissions on some configurations. See setPermissionGrantState(android.content.ComponentName,java.lang.String,java.lang.String,int)
for the list of permissions affected, and the behavior change for managed profiles and fully-managed devices.
Parameters | |
---|---|
admin |
ComponentName: Which profile or device owner this request is associated with. This value cannot be null . |
policy |
Int: One of the policy constants PERMISSION_POLICY_PROMPT , PERMISSION_POLICY_AUTO_GRANT and PERMISSION_POLICY_AUTO_DENY . |
Exceptions | |
---|---|
java.lang.SecurityException |
if admin is not a device or profile owner. |
setPermittedAccessibilityServices
open fun setPermittedAccessibilityServices(
admin: ComponentName,
packageNames: MutableList<String!>!
): Boolean
Called by a profile or device owner to set the permitted android.accessibilityservice.AccessibilityService
. When set by a device owner or profile owner the restriction applies to all profiles of the user the device owner or profile owner is an admin for. By default, the user can use any accessibility service. When zero or more packages have been added, accessibility services that are not in the list and not part of the system can not be enabled by the user.
Calling with a null
value for the list disables the restriction so that all services can be used, calling with an empty list only allows the built-in system services. Any non-system accessibility service that's currently enabled must be included in the list.
System accessibility services are always available to the user and this method can't disable them.
Parameters | |
---|---|
admin |
ComponentName: Which DeviceAdminReceiver this request is associated with. This value cannot be null . |
packageNames |
MutableList<String!>!: List of accessibility service package names. |
Return | |
---|---|
Boolean |
true if the operation succeeded, or false if the list didn't contain every enabled non-system accessibility service. |
Exceptions | |
---|---|
java.lang.SecurityException |
if admin is not a device or profile owner. |
setPermittedCrossProfileNotificationListeners
open fun setPermittedCrossProfileNotificationListeners(
admin: ComponentName,
packageList: MutableList<String!>?
): Boolean
Called by a profile owner of a managed profile to set the packages that are allowed to use a android.service.notification.NotificationListenerService
in the primary user to see notifications from the managed profile. By default all packages are permitted by this policy. When zero or more packages have been added, notification listeners installed on the primary user that are not in the list and are not part of the system won't receive events for managed profile notifications.
Calling with a null
value for the list disables the restriction so that all notification listener services be used. Calling with an empty list disables all but the system's own notification listeners. System notification listener services are always available to the user.
If a device or profile owner want to stop notification listeners in their user from seeing that user's notifications they should prevent that service from running instead (e.g. via setApplicationHidden(android.content.ComponentName,java.lang.String,boolean)
)
Parameters | |
---|---|
admin |
ComponentName: Which DeviceAdminReceiver this request is associated with. This value cannot be null . |
packageList |
MutableList<String!>?: List of package names to allowlist This value may be null . |
Return | |
---|---|
Boolean |
true if setting the restriction succeeded. It will fail if called outside a managed profile |
Exceptions | |
---|---|
java.lang.SecurityException |
if admin is not a profile owner. |
setPermittedInputMethods
open fun setPermittedInputMethods(
admin: ComponentName?,
packageNames: MutableList<String!>!
): Boolean
Called by a profile or device owner or holder of the android.Manifest.permission#MANAGE_DEVICE_POLICY_INPUT_METHODS
permission to set the permitted input methods services for this user. By default, the user can use any input method.
This method can be called on the DevicePolicyManager
instance, returned by getParentProfileInstance(android.content.ComponentName)
, where the caller must be a profile owner of an organization-owned device.
If called on the parent instance:
- The permitted input methods will be applied on the personal profile
- Can only permit all input methods (calling this method with a
null
package list) or only permit system input methods (calling this method with an empty package list). This is to prevent the caller from learning which packages are installed on the personal side
When zero or more packages have been added, input method that are not in the list and not part of the system can not be enabled by the user. This method will fail if it is called for a admin that is not for the foreground user or a profile of the foreground user. Any non-system input method service that's currently enabled must be included in the list.
Calling with a null value for the list disables the restriction so that all input methods can be used, calling with an empty list disables all but the system's own input methods.
System input methods are always available to the user - this method can't modify this.
Parameters | |
---|---|
admin |
ComponentName?: Which DeviceAdminReceiver this request is associated with. Null if the caller is not a device admin This value may be null . |
packageNames |
MutableList<String!>!: List of input method package names. |
Return | |
---|---|
Boolean |
true if the operation succeeded, or false if the list didn't contain every enabled non-system input method service. |
Exceptions | |
---|---|
java.lang.SecurityException |
if admin is not a device or profile owner and does not hold the android.Manifest.permission#MANAGE_DEVICE_POLICY_INPUT_METHODS permission, or if called on the parent profile and the admin is not a profile owner of an organization-owned managed profile. |
java.lang.IllegalArgumentException |
if called on the parent profile, the admin is a profile owner of an organization-owned managed profile and the list of permitted input method package names is not null or empty. |
setPersonalAppsSuspended
open fun setPersonalAppsSuspended(
admin: ComponentName,
suspended: Boolean
): Unit
Called by a profile owner of an organization-owned managed profile to suspend personal apps on the device. When personal apps are suspended the device can only be used for calls.
Parameters | |
---|---|
admin |
ComponentName: Which DeviceAdminReceiver this request is associated with This value cannot be null . |
suspended |
Boolean: Whether personal apps should be suspended. |
Exceptions | |
---|---|
java.lang.IllegalStateException |
if the profile owner doesn't have an activity that handles ACTION_CHECK_POLICY_COMPLIANCE |
setPreferentialNetworkServiceConfigs
open fun setPreferentialNetworkServiceConfigs(preferentialNetworkServiceConfigs: MutableList<PreferentialNetworkServiceConfig!>): Unit
Sets preferential network configurations. {@see PreferentialNetworkServiceConfig} An example of a supported preferential network service is the Enterprise slice on 5G networks. For devices on 4G networks, the profile owner needs to additionally configure enterprise APN to set up data call for the preferential network service. These APNs can be added using addOverrideApn
. By default, preferential network service is disabled on the work profile and fully managed devices, on supported carriers and devices. Admins can explicitly enable it with this API. If admin wants to have multiple enterprise slices, it can be configured by passing list of PreferentialNetworkServiceConfig
objects.
Parameters | |
---|---|
preferentialNetworkServiceConfigs |
MutableList<PreferentialNetworkServiceConfig!>: list of preferential network configurations. This value cannot be null . |
Exceptions | |
---|---|
java.lang.SecurityException |
if the caller is not the profile owner or device owner. |
setPreferentialNetworkServiceEnabled
open fun setPreferentialNetworkServiceEnabled(enabled: Boolean): Unit
Sets whether preferential network service is enabled. For example, an organization can have a deal/agreement with a carrier that all of the work data from its employees’ devices will be sent via a network service dedicated for enterprise use. An example of a supported preferential network service is the Enterprise slice on 5G networks. For devices on 4G networks, the profile owner needs to additionally configure enterprise APN to set up data call for the preferential network service. These APNs can be added using addOverrideApn
. By default, preferential network service is disabled on the work profile and fully managed devices, on supported carriers and devices. Admins can explicitly enable it with this API.
This method enables preferential network service with a default configuration. To fine-tune the configuration, use ) instead.
setProfileEnabled
open fun setProfileEnabled(admin: ComponentName): Unit
Sets the enabled state of the profile. A profile should be enabled only once it is ready to be used. Only the profile owner can call this.
Parameters | |
---|---|
admin |
ComponentName: Which DeviceAdminReceiver this request is associated with. This value cannot be null . |
Exceptions | |
---|---|
java.lang.SecurityException |
if admin is not a profile owner. |
See Also
setProfileName
open fun setProfileName(
admin: ComponentName,
profileName: String!
): Unit
Sets the name of the profile. In the device owner case it sets the name of the user which it is called from. Only a profile owner or device owner can call this. If this is never called by the profile or device owner, the name will be set to default values.
Parameters | |
---|---|
admin |
ComponentName: Which DeviceAdminReceiver this request is associate with. This value cannot be null . |
profileName |
String!: The name of the profile. If the name is longer than 200 characters it will be truncated. |
Exceptions | |
---|---|
java.lang.SecurityException |
if admin is not a device or profile owner. |
See Also
setRecommendedGlobalProxy
open fun setRecommendedGlobalProxy(
admin: ComponentName,
proxyInfo: ProxyInfo?
): Unit
Set a network-independent global HTTP proxy. This is not normally what you want for typical HTTP proxies - they are generally network dependent. However if you're doing something unusual like general internal filtering this may be useful. On a private network where the proxy is not accessible, you may break HTTP using this.
This method requires the caller to be the device owner.
This proxy is only a recommendation and it is possible that some apps will ignore it.
Note: The device owner won't be able to set a global HTTP proxy if there are unaffiliated secondary users or profiles on the device. It's recommended that affiliation ids are set for new users as soon as possible after provisioning via setAffiliationIds
.
Parameters | |
---|---|
admin |
ComponentName: Which DeviceAdminReceiver this request is associated with. This value cannot be null . |
proxyInfo |
ProxyInfo?: The a ProxyInfo object defining the new global HTTP proxy. A null value will clear the global HTTP proxy. |
Exceptions | |
---|---|
java.lang.SecurityException |
if admin is not the device owner. |
See Also
setRequiredPasswordComplexity
open fun setRequiredPasswordComplexity(passwordComplexity: Int): Unit
Sets a minimum password complexity requirement for the user's screen lock. The complexity level is one of the pre-defined levels, and the user is unable to set a password with a lower complexity level.
Note that when called on a profile which uses an unified challenge with its parent, the complexity would apply to the unified challenge.
This method can be called on the DevicePolicyManager
instance returned by getParentProfileInstance(android.content.ComponentName)
in order to set restrictions on the parent profile.
Note: Specifying password requirements using this method clears any password requirements set using the obsolete setPasswordQuality(android.content.ComponentName,int)
and any of its associated methods. Additionally, if there are password requirements set using the obsolete setPasswordQuality(android.content.ComponentName,int)
on the parent DevicePolicyManager
instance, they must be cleared by calling setPasswordQuality(android.content.ComponentName,int)
with PASSWORD_QUALITY_UNSPECIFIED
on that instance prior to setting complexity requirement for the managed profile. Starting from Build.VERSION_CODES.VANILLA_ICE_CREAM
, after the password requirement has been set, PolicyUpdateReceiver.onPolicySetResult(Context, String,
will notify the admin on whether the policy was successfully set or not. This callback will contain:
- The policy identifier
DevicePolicyIdentifiers.PASSWORD_COMPLEXITY_POLICY
- The
TargetUser
that this policy relates to - The
PolicyUpdateResult
, which will bePolicyUpdateResult.RESULT_POLICY_SET
if the policy was successfully set or the reason the policy failed to be set e.g.PolicyUpdateResult.RESULT_FAILURE_CONFLICTING_ADMIN_POLICY
)
PolicyUpdateReceiver.onPolicyChanged(Context, String, Bundle, TargetUser,
will notify the admin of this change. This callback will contain the same parameters as PolicyUpdateReceiver#onPolicySetResult and the PolicyUpdateResult
will contain the reason why the policy changed.
Exceptions | |
---|---|
java.lang.SecurityException |
if the calling application is not a device owner or a profile owner. |
java.lang.IllegalArgumentException |
if the complexity level is not one of the four above. |
java.lang.IllegalStateException |
if the caller is trying to set password complexity while there are password requirements specified using setPasswordQuality(android.content.ComponentName,int) on the parent DevicePolicyManager instance. |
setRequiredStrongAuthTimeout
open fun setRequiredStrongAuthTimeout(
admin: ComponentName?,
timeoutMs: Long
): Unit
Called by a device/profile owner to set the timeout after which unlocking with secondary, non strong auth (e.g. fingerprint, face, trust agents) times out, i.e. the user has to use a strong authentication method like password, pin or pattern.
This timeout is used internally to reset the timer to require strong auth again after specified timeout each time it has been successfully used.
Fingerprint can also be disabled altogether using KEYGUARD_DISABLE_FINGERPRINT
.
Trust agents can also be disabled altogether using KEYGUARD_DISABLE_TRUST_AGENTS
.
A calling device admin can verify the value it has set by calling getRequiredStrongAuthTimeout(android.content.ComponentName)
and passing in its instance.
This method can be called on the DevicePolicyManager
instance returned by getParentProfileInstance(android.content.ComponentName)
in order to set restrictions on the parent profile.
On devices not supporting PackageManager.FEATURE_SECURE_LOCK_SCREEN
feature, calling this methods has no effect - i.e. the timeout is not set.
Requires the PackageManager#FEATURE_SECURE_LOCK_SCREEN
feature which can be detected using PackageManager.hasSystemFeature(String)
.
Parameters | |
---|---|
admin |
ComponentName?: Which DeviceAdminReceiver this request is associated with. Null if the caller is not a device admin This value may be null . |
timeoutMs |
Long: The new timeout in milliseconds, after which the user will have to unlock with strong authentication method. A value of 0 means the admin is not participating in controlling the timeout. The minimum and maximum timeouts are platform-defined and are typically 1 hour and 72 hours, respectively. Though discouraged, the admin may choose to require strong auth at all times using KEYGUARD_DISABLE_FINGERPRINT and/or KEYGUARD_DISABLE_TRUST_AGENTS . |
Exceptions | |
---|---|
java.lang.SecurityException |
if admin is not a device or profile owner. |
setResetPasswordToken
open fun setResetPasswordToken(
admin: ComponentName?,
token: ByteArray!
): Boolean
Called by a profile or device owner to provision a token which can later be used to reset the device lockscreen password (if called by device owner), or managed profile challenge (if called by profile owner), via resetPasswordWithToken
.
If the user currently has a lockscreen password, the provisioned token will not be immediately usable; it only becomes active after the user performs a confirm credential operation, which can be triggered by KeyguardManager.createConfirmDeviceCredentialIntent
. If the user has no lockscreen password, the token is activated immediately. In all cases, the active state of the current token can be checked by isResetPasswordTokenActive
. For security reasons, un-activated tokens are only stored in memory and will be lost once the device reboots. In this case a new token needs to be provisioned again.
Once provisioned and activated, the token will remain effective even if the user changes or clears the lockscreen password.
This token is highly sensitive and should be treated at the same level as user credentials. In particular, NEVER store this token on device in plaintext. Do not store the plaintext token in device-encrypted storage if it will be needed to reset password on file-based encryption devices before user unlocks. Consider carefully how any password token will be stored on your server and who will need access to them. Tokens may be the subject of legal access requests.
On devices not supporting PackageManager.FEATURE_SECURE_LOCK_SCREEN
feature, the reset token is not set and this method returns false.
Requires the PackageManager#FEATURE_SECURE_LOCK_SCREEN
feature which can be detected using PackageManager.hasSystemFeature(String)
.
Parameters | |
---|---|
admin |
ComponentName?: Which DeviceAdminReceiver this request is associated with. Null if the caller is not a device admin. This value may be null . |
token |
ByteArray!: a secure token a least 32-byte long, which must be generated by a cryptographically strong random number generator. |
Return | |
---|---|
Boolean |
true if the operation is successful, false otherwise. |
Exceptions | |
---|---|
java.lang.SecurityException |
if admin is not a device or profile owner. |
java.lang.IllegalArgumentException |
if the supplied token is invalid. |
setRestrictionsProvider
open fun setRestrictionsProvider(
admin: ComponentName,
provider: ComponentName?
): Unit
Designates a specific service component as the provider for making permission requests of a local or remote administrator of the user.
Only a device owner or profile owner can designate the restrictions provider.Parameters | |
---|---|
admin |
ComponentName: Which DeviceAdminReceiver this request is associated with. This value cannot be null . |
provider |
ComponentName?: The component name of the service that implements RestrictionsReceiver . If this param is null, it removes the restrictions provider previously assigned. |
Exceptions | |
---|---|
java.lang.SecurityException |
if admin is not a device or profile owner. |
setScreenCaptureDisabled
open fun setScreenCaptureDisabled(
admin: ComponentName?,
disabled: Boolean
): Unit
Called by a device/profile owner to set whether the screen capture is disabled. Disabling screen capture also prevents the content from being shown on display devices that do not have a secure video output. See android.view.Display#FLAG_SECURE
for more details about secure surfaces and secure displays.
This method can be called on the DevicePolicyManager
instance, returned by getParentProfileInstance(android.content.ComponentName)
, where the calling device admin must be the profile owner of an organization-owned managed profile. If it is not, a security exception will be thrown.
If the caller is device owner or called on the parent instance by a profile owner of an organization-owned managed profile, then the restriction will be applied to all users.
From version android.os.Build.VERSION_CODES#M
disabling screen capture also blocks assist requests for all activities of the relevant user.
Parameters | |
---|---|
admin |
ComponentName?: Which DeviceAdminReceiver this request is associated with. Null if the caller is not a device admin. This value may be null . |
disabled |
Boolean: Whether screen capture is disabled or not. |
Exceptions | |
---|---|
java.lang.SecurityException |
if the caller is not permitted to control screen capture policy. |
setSecureSetting
open fun setSecureSetting(
admin: ComponentName,
setting: String!,
value: String!
): Unit
This method is mostly deprecated. Most of the settings that still have an effect have dedicated setter methods (e.g. setLocationEnabled
) or user restrictions.
Called by profile or device owners to update android.provider.Settings.Secure
settings. Validation that the value of the setting is in the correct form for the setting type should be performed by the caller.
The settings that can be updated by a profile or device owner with this method are:
android.provider.Settings.Secure#DEFAULT_INPUT_METHOD
android.provider.Settings.Secure#SKIP_FIRST_USE_HINTS
A device owner can additionally update the following settings:
android.provider.Settings.Secure#LOCATION_MODE
, but see note below.
android.provider.Settings.Secure#INSTALL_NON_MARKET_APPS
, which is deprecated. Instead, device owners or profile owners should use the restriction UserManager.DISALLOW_INSTALL_UNKNOWN_SOURCES
. If any app targeting android.os.Build.VERSION_CODES#O
or higher calls this method with android.provider.Settings.Secure#INSTALL_NON_MARKET_APPS
, an UnsupportedOperationException
is thrown. Starting from Android Q, the device and profile owner can also call UserManager.DISALLOW_INSTALL_UNKNOWN_SOURCES_GLOBALLY
to restrict unknown sources for all users. Note: Starting from Android R, apps should no longer call this method with the setting android.provider.Settings.Secure#LOCATION_MODE
, which is deprecated. Instead, device owners should call setLocationEnabled(android.content.ComponentName,boolean)
. This will be enforced for all apps targeting Android R or above.
Parameters | |
---|---|
admin |
ComponentName: Which DeviceAdminReceiver this request is associated with. This value cannot be null . |
setting |
String!: The name of the setting to update. |
value |
String!: The value to update the setting to. |
Exceptions | |
---|---|
java.lang.SecurityException |
if admin is not a device or profile owner. |
setSecurityLoggingEnabled
open fun setSecurityLoggingEnabled(
admin: ComponentName?,
enabled: Boolean
): Unit
Called by device owner or a profile owner of an organization-owned managed profile to control the security logging feature.
Security logs contain various information intended for security auditing purposes. When security logging is enabled by any app other than the device owner, certain security logs are not visible (for example personal app launch events) or they will be redacted (for example, details of the physical volume mount events). Please see SecurityEvent
for details.
Note: The device owner won't be able to retrieve security logs if there are unaffiliated secondary users or profiles on the device, regardless of whether the feature is enabled. Logs will be discarded if the internal buffer fills up while waiting for all users to become affiliated. Therefore it's recommended that affiliation ids are set for new users as soon as possible after provisioning via setAffiliationIds
. Non device owners are not subject to this restriction since all privacy-sensitive events happening outside the managed profile would have been redacted already. Starting from Build.VERSION_CODES.VANILLA_ICE_CREAM
, after the security logging policy has been set, PolicyUpdateReceiver.onPolicySetResult(Context, String,
will notify the admin on whether the policy was successfully set or not. This callback will contain:
- The policy identifier
DevicePolicyIdentifiers.SECURITY_LOGGING_POLICY
- The
TargetUser
that this policy relates to - The
PolicyUpdateResult
, which will bePolicyUpdateResult.RESULT_POLICY_SET
if the policy was successfully set or the reason the policy failed to be set e.g.PolicyUpdateResult.RESULT_FAILURE_CONFLICTING_ADMIN_POLICY
)
PolicyUpdateReceiver.onPolicyChanged(Context, String, Bundle, TargetUser,
will notify the admin of this change. This callback will contain the same parameters as PolicyUpdateReceiver#onPolicySetResult and the PolicyUpdateResult
will contain the reason why the policy changed.
Parameters | |
---|---|
admin |
ComponentName?: Which device admin this request is associated with, or null if called by a delegated app. |
enabled |
Boolean: whether security logging should be enabled or not. |
Exceptions | |
---|---|
java.lang.SecurityException |
if the caller is not permitted to control security logging. |
See Also
setShortSupportMessage
open fun setShortSupportMessage(
admin: ComponentName?,
message: CharSequence?
): Unit
Called by a device admin to set the short support message. This will be displayed to the user in settings screens where functionality has been disabled by the admin. The message should be limited to a short statement such as "This setting is disabled by your administrator. Contact someone@example.com for support." If the message is longer than 200 characters it may be truncated.
If the short support message needs to be localized, it is the responsibility of the DeviceAdminReceiver
to listen to the Intent.ACTION_LOCALE_CHANGED
broadcast and set a new version of this string accordingly.
Parameters | |
---|---|
admin |
ComponentName?: Which DeviceAdminReceiver this request is associated with. Null if the caller is not a device admin. This value may be null . |
message |
CharSequence?: Short message to be displayed to the user in settings or null to clear the existing message. |
Exceptions | |
---|---|
java.lang.SecurityException |
if admin is not an active administrator. |
See Also
setStartUserSessionMessage
open fun setStartUserSessionMessage(
admin: ComponentName,
startUserSessionMessage: CharSequence?
): Unit
Called by a device owner to specify the user session start message. This may be displayed during a user switch.
The message should be limited to a short statement or it may be truncated.
If the message needs to be localized, it is the responsibility of the DeviceAdminReceiver
to listen to the Intent.ACTION_LOCALE_CHANGED
broadcast and set a new version of this message accordingly.
Parameters | |
---|---|
admin |
ComponentName: which DeviceAdminReceiver this request is associated with. This value cannot be null . |
startUserSessionMessage |
CharSequence?: message for starting user session, or null to use system default message. |
Exceptions | |
---|---|
java.lang.SecurityException |
if admin is not a device owner. |
setStatusBarDisabled
open fun setStatusBarDisabled(
admin: ComponentName?,
disabled: Boolean
): Boolean
Called by device owner or profile owner of secondary users that is affiliated with the device to disable the status bar. Disabling the status bar blocks notifications and quick settings.
Note: This method has no effect for LockTask mode. The behavior of the status bar in LockTask mode can be configured with setLockTaskFeatures(android.content.ComponentName,int)
. Calls to this method when the device is in LockTask mode will be registered, but will only take effect when the device leaves LockTask mode.
This policy does not have any effect while on the lock screen, where the status bar will not be disabled. Using LockTask instead of this method is recommended.
Parameters | |
---|---|
admin |
ComponentName?: Which DeviceAdminReceiver this request is associated with. Null if the caller is not a device admin. This value may be null . |
disabled |
Boolean: true disables the status bar, false reenables it. |
Return | |
---|---|
Boolean |
false if attempting to disable the status bar failed. true otherwise. |
Exceptions | |
---|---|
java.lang.SecurityException |
if admin is not the device owner, or a profile owner of secondary user that is affiliated with the device. |
See Also
setStorageEncryption
open funsetStorageEncryption(
admin: ComponentName,
encrypt: Boolean
): Int
Deprecated: This method does not actually modify the storage encryption of the device. It has never affected the encryption status of a device. Called by an application that is administering the device to request that the storage system be encrypted. Does nothing if the caller is on a secondary user or a managed profile.
When multiple device administrators attempt to control device encryption, the most secure, supported setting will always be used. If any device administrator requests device encryption, it will be enabled; Conversely, if a device administrator attempts to disable device encryption while another device administrator has enabled it, the call to disable will fail (most commonly returning This policy controls encryption of the secure (application data) storage area. Data written to other storage areas may or may not be encrypted, and this policy does not require or control the encryption of any other storage areas. There is one exception: If Important Note: On some devices, it is possible to encrypt storage without requiring the user to create a device PIN or Password. In this case, the storage is encrypted, but the encryption key may not be fully secured. For maximum security, the administrator should also require (and check for) a pattern, PIN, or password.ENCRYPTION_STATUS_ACTIVE
). android.os.Environment#isExternalStorageEmulated()
is true
, then the directory returned by android.os.Environment#getExternalStorageDirectory()
must be written to disk within the encrypted storage area.
Parameters | |
---|---|
admin |
ComponentName: Which DeviceAdminReceiver this request is associated with. This value cannot be null . |
encrypt |
Boolean: true to request encryption, false to release any previous request |
Return | |
---|---|
Int |
the new total request status (for all active admins), or android.app.admin.DevicePolicyManager#ENCRYPTION_STATUS_UNSUPPORTED if called for a non-system user. Will be one of ENCRYPTION_STATUS_UNSUPPORTED , ENCRYPTION_STATUS_INACTIVE , or ENCRYPTION_STATUS_ACTIVE . This is the value of the requests; use getStorageEncryptionStatus() to query the actual device state. |
Exceptions | |
---|---|
java.lang.SecurityException |
if admin is not an active administrator or does not use DeviceAdminInfo.USES_ENCRYPTED_STORAGE |
setSystemSetting
open fun setSystemSetting(
admin: ComponentName,
setting: String,
value: String!
): Unit
Called by a device or profile owner to update android.provider.Settings.System
settings. Validation that the value of the setting is in the correct form for the setting type should be performed by the caller.
The settings that can be updated by a device owner or profile owner of secondary user with this method are:
android.provider.Settings.System#SCREEN_BRIGHTNESS
android.provider.Settings.System#SCREEN_BRIGHTNESS_MODE
android.provider.Settings.System#SCREEN_OFF_TIMEOUT
Starting from Android android.os.Build.VERSION_CODES#VANILLA_ICE_CREAM
, a profile owner on an organization-owned device can call this method on the parent DevicePolicyManager
instance returned by getParentProfileInstance(android.content.ComponentName)
to set system settings on the parent user.
Parameters | |
---|---|
admin |
ComponentName: Which DeviceAdminReceiver this request is associated with. This value cannot be null . |
setting |
String: The name of the setting to update. This value cannot be null . Value is android.provider.Settings.System#SCREEN_BRIGHTNESS_MODE , android.provider.Settings.System#SCREEN_BRIGHTNESS , or android.provider.Settings.System#SCREEN_OFF_TIMEOUT |
value |
String!: The value to update the setting to. |
Exceptions | |
---|---|
java.lang.SecurityException |
if admin is not a device or profile owner. |
setSystemUpdatePolicy
open fun setSystemUpdatePolicy(
admin: ComponentName,
policy: SystemUpdatePolicy!
): Unit
Called by device owners or profile owners of an organization-owned managed profile to set a local system update policy. When a new policy is set, ACTION_SYSTEM_UPDATE_POLICY_CHANGED
is broadcast.
If the supplied system update policy has freeze periods set but the freeze periods do not meet 90-day maximum length or 60-day minimum separation requirement set out in SystemUpdatePolicy.setFreezePeriods
, SystemUpdatePolicy.ValidationFailedException
will the thrown. Note that the system keeps a record of freeze periods the device experienced previously, and combines them with the new freeze periods to be set when checking the maximum freeze length and minimum freeze separation constraints. As a result, freeze periods that passed validation during SystemUpdatePolicy.setFreezePeriods
might fail the additional checks here due to the freeze period history. If this is causing issues during development, adb shell dpm clear-freeze-period-record
can be used to clear the record.
Parameters | |
---|---|
admin |
ComponentName: Which DeviceAdminReceiver this request is associated with. All components in the package can set system update policies and the most recent policy takes effect. This should be null if the caller is not a device admin. |
policy |
SystemUpdatePolicy!: the new policy, or null to clear the current policy. |
Exceptions | |
---|---|
java.lang.SecurityException |
if admin is not a device owner or a profile owner of an organization-owned managed profile, or the caller is not permitted to set this policy |
java.lang.IllegalArgumentException |
if the policy type or maintenance window is not valid. |
android.app.admin.SystemUpdatePolicy.ValidationFailedException |
if the policy's freeze period does not meet the requirement. |
setTime
open fun setTime(
admin: ComponentName?,
millis: Long
): Boolean
Called by a device owner or a profile owner of an organization-owned managed profile to set the system wall clock time. This only takes effect if called when android.provider.Settings.Global#AUTO_TIME
is 0, otherwise false
will be returned.
Parameters | |
---|---|
admin |
ComponentName?: Which DeviceAdminReceiver this request is associated with. Null if the caller is not a device admin. This value may be null . |
millis |
Long: time in milliseconds since the Epoch |
Return | |
---|---|
Boolean |
true if set time succeeded, false otherwise. |
Exceptions | |
---|---|
java.lang.SecurityException |
if admin is not a device owner or a profile owner of an organization-owned managed profile. |
setTimeZone
open fun setTimeZone(
admin: ComponentName?,
timeZone: String!
): Boolean
Called by a device owner or a profile owner of an organization-owned managed profile to set the system's persistent default time zone. This only takes effect if called when android.provider.Settings.Global#AUTO_TIME_ZONE
is 0, otherwise false
will be returned.
Parameters | |
---|---|
admin |
ComponentName?: Which DeviceAdminReceiver this request is associated with. Null if the caller is not a device admin. This value may be null . |
timeZone |
String!: one of the Olson ids from the list returned by java.util.TimeZone#getAvailableIDs |
Return | |
---|---|
Boolean |
true if set timezone succeeded, false otherwise. |
Exceptions | |
---|---|
java.lang.SecurityException |
if admin is not a device owner or a profile owner of an organization-owned managed profile. |
setTrustAgentConfiguration
open fun setTrustAgentConfiguration(
admin: ComponentName?,
target: ComponentName,
configuration: PersistableBundle!
): Unit
Sets a list of configuration features to enable for a trust agent component. This is meant to be used in conjunction with KEYGUARD_DISABLE_TRUST_AGENTS
, which disables all trust agents but those enabled by this function call. If flag KEYGUARD_DISABLE_TRUST_AGENTS
is not set, then this call has no effect.
For any specific trust agent, whether it is disabled or not depends on the aggregated state of each admin's KEYGUARD_DISABLE_TRUST_AGENTS
setting and its trust agent configuration as set by this function call. In particular: if any admin sets KEYGUARD_DISABLE_TRUST_AGENTS
and does not additionally set any trust agent configuration, the trust agent is disabled completely. Otherwise, the trust agent will receive the list of configurations from all admins who set KEYGUARD_DISABLE_TRUST_AGENTS
and aggregate the configurations to determine its behavior. The exact meaning of aggregation is trust-agent-specific.
A calling device admin must have requested DeviceAdminInfo.USES_POLICY_DISABLE_KEYGUARD_FEATURES
to be able to call this method; if not, a security exception will be thrown.
This method can be called on the DevicePolicyManager
instance returned by getParentProfileInstance(android.content.ComponentName)
in order to set the configuration for the parent profile.
On devices not supporting PackageManager.FEATURE_SECURE_LOCK_SCREEN
feature, calling this method has no effect - no trust agent configuration will be set.
Requires the PackageManager#FEATURE_SECURE_LOCK_SCREEN
feature which can be detected using PackageManager.hasSystemFeature(String)
.
Parameters | |
---|---|
admin |
ComponentName?: Which DeviceAdminReceiver this request is associated with. Null if the caller is not a device admin This value may be null . |
target |
ComponentName: Component name of the agent to be configured. This value cannot be null . |
configuration |
PersistableBundle!: Trust-agent-specific feature configuration bundle. Please consult documentation of the specific trust agent to determine the interpretation of this bundle. |
Exceptions | |
---|---|
java.lang.SecurityException |
if admin is not an active administrator or does not use DeviceAdminInfo.USES_POLICY_DISABLE_KEYGUARD_FEATURES |
setUninstallBlocked
open fun setUninstallBlocked(
admin: ComponentName?,
packageName: String!,
uninstallBlocked: Boolean
): Unit
Change whether a user can uninstall a package. This function can be called by a device owner, profile owner, or by a delegate given the DELEGATION_BLOCK_UNINSTALL
scope via setDelegatedScopes
or holders of the permission android.Manifest.permission#MANAGE_DEVICE_POLICY_APPS_CONTROL
.
Starting from Build.VERSION_CODES.UPSIDE_DOWN_CAKE
, after the set uninstall blocked policy has been set, PolicyUpdateReceiver.onPolicySetResult(Context, String,
will notify the admin on whether the policy was successfully set or not. This callback will contain:
- The policy identifier
DevicePolicyIdentifiers.PACKAGE_UNINSTALL_BLOCKED_POLICY
- The additional policy params bundle, which contains
PolicyUpdateReceiver.EXTRA_PACKAGE_NAME
the package name the policy applies to - The
TargetUser
that this policy relates to - The
PolicyUpdateResult
, which will bePolicyUpdateResult.RESULT_POLICY_SET
if the policy was successfully set or the reason the policy failed to be set (e.g.PolicyUpdateResult.RESULT_FAILURE_CONFLICTING_ADMIN_POLICY
)
PolicyUpdateReceiver.onPolicyChanged(Context, String, Bundle, TargetUser,
will notify the admin of this change. This callback will contain the same parameters as PolicyUpdateReceiver#onPolicySetResult and the PolicyUpdateResult
will contain the reason why the policy changed.
Parameters | |
---|---|
admin |
ComponentName?: Which DeviceAdminReceiver this request is associated with. Null if the caller is not a device admin. This value may be null . |
packageName |
String!: package to change. |
uninstallBlocked |
Boolean: true if the user shouldn't be able to uninstall the package. |
Exceptions | |
---|---|
java.lang.SecurityException |
if admin is not a device or profile owner or holder of the permission android.Manifest.permission#MANAGE_DEVICE_POLICY_APPS_CONTROL . |
setUsbDataSignalingEnabled
open fun setUsbDataSignalingEnabled(enabled: Boolean): Unit
Called by a device owner or profile owner of an organization-owned managed profile to enable or disable USB data signaling for the device. When disabled, USB data connections (except from charging functions) are prohibited.
This API is not supported on all devices, the caller should call canUsbDataSignalingBeDisabled()
to check whether enabling or disabling USB data signaling is supported on the device. Starting from Android 15, after the USB data signaling policy has been set, PolicyUpdateReceiver.onPolicySetResult(Context, String,
will notify the admin on whether the policy was successfully set or not. This callback will contain:
- The
TargetUser
that this policy relates to - The
PolicyUpdateResult
, which will bePolicyUpdateResult.RESULT_POLICY_SET
if the policy was successfully set or the reason the policy failed to be set e.g.PolicyUpdateResult.RESULT_FAILURE_CONFLICTING_ADMIN_POLICY
)
PolicyUpdateReceiver.onPolicyChanged(Context, String, Bundle, TargetUser,
will notify the admin of this change. This callback will contain the same parameters as PolicyUpdateReceiver#onPolicySetResult and the PolicyUpdateResult
will contain the reason why the policy changed.
Parameters | |
---|---|
enabled |
Boolean: whether USB data signaling should be enabled or not. |
Exceptions | |
---|---|
java.lang.SecurityException |
if the caller is not permitted to set this policy |
java.lang.IllegalStateException |
if disabling USB data signaling is not supported or if USB data signaling fails to be enabled/disabled. |
setUserControlDisabledPackages
open fun setUserControlDisabledPackages(
admin: ComponentName?,
packages: MutableList<String!>
): Unit
Called by a device owner or a profile owner or holder of the permission android.Manifest.permission#MANAGE_DEVICE_POLICY_APPS_CONTROL
to disable user control over apps. User will not be able to clear app data or force-stop packages. When called by a device owner, applies to all users on the device. Packages with user control disabled are exempted from App Standby Buckets.
Starting from Build.VERSION_CODES.UPSIDE_DOWN_CAKE
, after the user control disabled packages policy has been set, PolicyUpdateReceiver.onPolicySetResult(Context, String,
will notify the admin on whether the policy was successfully set or not. This callback will contain:
- The policy identifier
DevicePolicyIdentifiers.USER_CONTROL_DISABLED_PACKAGES_POLICY
- The
TargetUser
that this policy relates to - The
PolicyUpdateResult
, which will bePolicyUpdateResult.RESULT_POLICY_SET
if the policy was successfully set or the reason the policy failed to be set (e.g.PolicyUpdateResult.RESULT_FAILURE_CONFLICTING_ADMIN_POLICY
)
PolicyUpdateReceiver.onPolicyChanged(Context, String, Bundle, TargetUser,
will notify the admin of this change. This callback will contain the same parameters as PolicyUpdateReceiver#onPolicySetResult and the PolicyUpdateResult
will contain the reason why the policy changed.
Parameters | |
---|---|
admin |
ComponentName?: Which DeviceAdminReceiver this request is associated with. Null if the caller is not a device admin. This value may be null . |
packages |
MutableList<String!>: The package names for the apps. This value cannot be null . |
Exceptions | |
---|---|
java.lang.SecurityException |
if admin is not a device owner or a profile owner or holder of the permission android.Manifest.permission#MANAGE_DEVICE_POLICY_APPS_CONTROL . |
setUserIcon
open fun setUserIcon(
admin: ComponentName,
icon: Bitmap!
): Unit
Called by profile or device owners to set the user's photo.
Parameters | |
---|---|
admin |
ComponentName: Which DeviceAdminReceiver this request is associated with. This value cannot be null . |
icon |
Bitmap!: the bitmap to set as the photo. |
Exceptions | |
---|---|
java.lang.SecurityException |
if admin is not a device or profile owner. |
setWifiSsidPolicy
open fun setWifiSsidPolicy(policy: WifiSsidPolicy?): Unit
Called by device owner or profile owner of an organization-owned managed profile to specify the Wi-Fi SSID policy (WifiSsidPolicy
). Wi-Fi SSID policy specifies the SSID restriction the network must satisfy in order to be eligible for a connection. Providing a null policy results in the deactivation of the SSID restriction
Parameters | |
---|---|
policy |
WifiSsidPolicy?: Wi-Fi SSID policy This value may be null . |
Exceptions | |
---|---|
java.lang.SecurityException |
if the caller is not permitted to manage wifi policy |
startUserInBackground
open fun startUserInBackground(
admin: ComponentName,
userHandle: UserHandle
): Int
Called by a device owner to start the specified secondary user in background.
Parameters | |
---|---|
admin |
ComponentName: Which DeviceAdminReceiver this request is associated with. This value cannot be null . |
userHandle |
UserHandle: the user to be started in background. This value cannot be null . |
Return | |
---|---|
Int |
one of the following result codes: UserManager.USER_OPERATION_ERROR_UNKNOWN , UserManager.USER_OPERATION_SUCCESS , UserManager.USER_OPERATION_ERROR_MANAGED_PROFILE , UserManager.USER_OPERATION_ERROR_MAX_RUNNING_USERS , Value is android.os.UserManager#USER_OPERATION_SUCCESS , android.os.UserManager#USER_OPERATION_ERROR_UNKNOWN , android.os.UserManager#USER_OPERATION_ERROR_MANAGED_PROFILE , android.os.UserManager#USER_OPERATION_ERROR_MAX_RUNNING_USERS , android.os.UserManager#USER_OPERATION_ERROR_CURRENT_USER , android.os.UserManager#USER_OPERATION_ERROR_LOW_STORAGE , android.os.UserManager#USER_OPERATION_ERROR_MAX_USERS , android.os.UserManager.USER_OPERATION_ERROR_USER_ACCOUNT_ALREADY_EXISTS, android.os.UserManager.USER_OPERATION_ERROR_DISABLED_USER, android.os.UserManager.USER_OPERATION_ERROR_PRIVATE_PROFILE, or android.os.UserManager.USER_OPERATION_ERROR_USER_RESTRICTED |
Exceptions | |
---|---|
java.lang.SecurityException |
if admin is not a device owner. |
See Also
stopUser
open fun stopUser(
admin: ComponentName,
userHandle: UserHandle
): Int
Called by a device owner to stop the specified secondary user.
Parameters | |
---|---|
admin |
ComponentName: Which DeviceAdminReceiver this request is associated with. This value cannot be null . |
userHandle |
UserHandle: the user to be stopped. This value cannot be null . |
Return | |
---|---|
Int |
one of the following result codes: UserManager.USER_OPERATION_ERROR_UNKNOWN , UserManager.USER_OPERATION_SUCCESS , UserManager.USER_OPERATION_ERROR_MANAGED_PROFILE , UserManager.USER_OPERATION_ERROR_CURRENT_USER Value is android.os.UserManager#USER_OPERATION_SUCCESS , android.os.UserManager#USER_OPERATION_ERROR_UNKNOWN , android.os.UserManager#USER_OPERATION_ERROR_MANAGED_PROFILE , android.os.UserManager#USER_OPERATION_ERROR_MAX_RUNNING_USERS , android.os.UserManager#USER_OPERATION_ERROR_CURRENT_USER , android.os.UserManager#USER_OPERATION_ERROR_LOW_STORAGE , android.os.UserManager#USER_OPERATION_ERROR_MAX_USERS , android.os.UserManager.USER_OPERATION_ERROR_USER_ACCOUNT_ALREADY_EXISTS, android.os.UserManager.USER_OPERATION_ERROR_DISABLED_USER, android.os.UserManager.USER_OPERATION_ERROR_PRIVATE_PROFILE, or android.os.UserManager.USER_OPERATION_ERROR_USER_RESTRICTED |
Exceptions | |
---|---|
java.lang.SecurityException |
if admin is not a device owner. |
See Also
switchUser
open fun switchUser(
admin: ComponentName,
userHandle: UserHandle?
): Boolean
Called by a device owner to switch the specified secondary user to the foreground.
Parameters | |
---|---|
admin |
ComponentName: Which DeviceAdminReceiver this request is associated with. This value cannot be null . |
userHandle |
UserHandle?: the user to switch to; null will switch to primary. |
Return | |
---|---|
Boolean |
true if the switch was successful, false otherwise. |
Exceptions | |
---|---|
java.lang.SecurityException |
if admin is not a device owner. |
transferOwnership
open fun transferOwnership(
admin: ComponentName,
target: ComponentName,
bundle: PersistableBundle?
): Unit
Changes the current administrator to another one. All policies from the current administrator are migrated to the new administrator. The whole operation is atomic - the transfer is either complete or not done at all.
Depending on the current administrator (device owner, profile owner), you have the following expected behaviour:
- A device owner can only be transferred to a new device owner
- A profile owner can only be transferred to a new profile owner
Use the bundle
parameter to pass data to the new administrator. The data will be received in the DeviceAdminReceiver.onTransferOwnershipComplete(Context, PersistableBundle)
callback of the new administrator.
The transfer has failed if the original administrator is still the corresponding owner after calling this method.
The incoming target administrator must have the <support-transfer-ownership />
tag inside the <device-admin></device-admin>
tags in the xml file referenced by DeviceAdminReceiver.DEVICE_ADMIN_META_DATA
. Otherwise an IllegalArgumentException
will be thrown.
Parameters | |
---|---|
admin |
ComponentName: which DeviceAdminReceiver this request is associated with. This value cannot be null . |
target |
ComponentName: which DeviceAdminReceiver we want the new administrator to be. This value cannot be null . |
bundle |
PersistableBundle?: data to be sent to the new administrator. This value may be null . |
Exceptions | |
---|---|
java.lang.SecurityException |
if admin is not a device owner nor a profile owner. |
java.lang.IllegalArgumentException |
if admin or target is null , they are components in the same package or target is not an active admin. |
uninstallAllUserCaCerts
open fun uninstallAllUserCaCerts(admin: ComponentName?): Unit
Uninstalls all custom trusted CA certificates from the profile. Certificates installed by means other than device policy will also be removed, except for system CA certificates.
Parameters | |
---|---|
admin |
ComponentName?: Which DeviceAdminReceiver this request is associated with, or null if calling from a delegated certificate installer. |
Exceptions | |
---|---|
java.lang.SecurityException |
if admin is not null and not a device or profile owner. |
uninstallCaCert
open fun uninstallCaCert(
admin: ComponentName?,
certBuffer: ByteArray!
): Unit
Uninstalls the given certificate from trusted user CAs, if present. The caller must be a profile or device owner on that user, or a delegate package given the DELEGATION_CERT_INSTALL
scope via setDelegatedScopes
; otherwise a security exception will be thrown.
Parameters | |
---|---|
admin |
ComponentName?: Which DeviceAdminReceiver this request is associated with, or null if calling from a delegated certificate installer. |
certBuffer |
ByteArray!: encoded form of the certificate to remove. |
Exceptions | |
---|---|
java.lang.SecurityException |
if admin is not null and not a device or profile owner. |
updateOverrideApn
open fun updateOverrideApn(
admin: ComponentName,
apnId: Int,
apnSetting: ApnSetting
): Boolean
Called by device owner or managed profile owner to update an override APN.
This method may returns false
if there is no override APN with the given apnId
.
This method may also returns false
if apnSetting
conflicts with an existing override APN. Update the existing conflicted APN instead.
See addOverrideApn
for the definition of conflict.
Before Android version android.os.Build.VERSION_CODES#TIRAMISU
: Only device owners can update APNs.
Starting from Android version android.os.Build.VERSION_CODES#TIRAMISU
: Both device owners and managed profile owners can update enterprise APNs (ApnSetting.TYPE_ENTERPRISE
), while only device owners can update other type of APNs.
Parameters | |
---|---|
admin |
ComponentName: which DeviceAdminReceiver this request is associated with This value cannot be null . |
apnId |
Int: the id of the override APN to update |
apnSetting |
ApnSetting: the override APN to update This value cannot be null . |
Return | |
---|---|
Boolean |
true if the required override APN is successfully updated, false otherwise. |
Exceptions | |
---|---|
java.lang.SecurityException |
If request is for enterprise APN admin is either device owner or profile owner and in all other types of APN if admin is not a device owner. |
wipeData
open fun wipeData(flags: Int): Unit
See wipeData(int,java.lang.CharSequence)
Parameters | |
---|---|
flags |
Int: Bit mask of additional options: currently supported flags are WIPE_EXTERNAL_STORAGE , WIPE_RESET_PROTECTION_DATA , WIPE_EUICC and WIPE_SILENTLY . |
Exceptions | |
---|---|
java.lang.SecurityException |
if the calling application does not own an active administrator that uses DeviceAdminInfo.USES_POLICY_WIPE_DATA and is not granted the android.Manifest.permission#MASTER_CLEAR or android.Manifest.permission#MANAGE_DEVICE_POLICY_WIPE_DATA permissions. |
java.lang.IllegalStateException |
if called on last full-user or system-user |
wipeData
open fun wipeData(
flags: Int,
reason: CharSequence
): Unit
Ask that all user data be wiped.
If called as a secondary user or managed profile, the user itself and its associated user data will be wiped. In particular, If the caller is a profile owner of an organization-owned managed profile, calling this method will relinquish the device for personal use, removing the managed profile and all policies set by the profile owner.
Calling this method from the primary user will only work if the calling app is targeting SDK level Build.VERSION_CODES.TIRAMISU
or below, in which case it will cause the device to reboot, erasing all device data - including all the secondary users and their data - while booting up. If an app targeting SDK level Build.VERSION_CODES.UPSIDE_DOWN_CAKE
and above is calling this method from the primary user or last full user, IllegalStateException
will be thrown.
wipeDevice
instead.
Parameters | |
---|---|
flags |
Int: Bit mask of additional options: currently supported flags are WIPE_EXTERNAL_STORAGE , WIPE_RESET_PROTECTION_DATA and WIPE_EUICC . |
reason |
CharSequence: a string that contains the reason for wiping data, which can be presented to the user. This value cannot be null . |
Exceptions | |
---|---|
java.lang.SecurityException |
if the calling application does not own an active administrator that uses DeviceAdminInfo.USES_POLICY_WIPE_DATA and is not granted the android.Manifest.permission#MASTER_CLEAR or android.Manifest.permission#MANAGE_DEVICE_POLICY_WIPE_DATA permissions. |
java.lang.IllegalArgumentException |
if the input reason string is null or empty, or if WIPE_SILENTLY is set. |
java.lang.IllegalStateException |
if called on last full-user or system-user |
See Also
wipeDevice
open fun wipeDevice(flags: Int): Unit
Ask that the device be wiped and factory reset.
The calling Device Owner or Organization Owned Profile Owner must have requested DeviceAdminInfo.USES_POLICY_WIPE_DATA
to be able to call this method; if it has not, a security exception will be thrown.
Parameters | |
---|---|
flags |
Int: Bit mask of additional options: currently supported flags are WIPE_EXTERNAL_STORAGE , WIPE_RESET_PROTECTION_DATA , WIPE_EUICC and WIPE_SILENTLY . |
Exceptions | |
---|---|
java.lang.SecurityException |
if the calling application does not own an active administrator that uses DeviceAdminInfo.USES_POLICY_WIPE_DATA and is not granted the android.Manifest.permission#MASTER_CLEAR or both the android.Manifest.permission#MANAGE_DEVICE_POLICY_WIPE_DATA and android.Manifest.permission#MANAGE_DEVICE_POLICY_ACROSS_USERS permissions. |