Android includes features that allow security-aware applications to perform device administration functions at the system level, such as enforcing password policies or performing remote wipe, through the Android Device Administration API. Device implementations MUST provide an implementation of the DevicePolicyManager class. Device implementations that support a secure lock screen MUST implement the full range of device administration policies defined in the Android SDK documentation and report the platform feature android.software.device_admin.
If a device implementation declares the android.software.device_admin feature, then it MUST implement the provisioning of the Device Owner app of a Device Policy Client (DPC) application as indicated below:
true for DevicePolicyManager.isProvisioningAllowed(ACTION_PROVISION_MANAGED_DEVICE).
android.app.action.PROVISION_MANAGED_DEVICE.
android.hardware.nfc and receives an NFC message containing a record with MIME type MIME_TYPE_PROVISIONING_NFC.
false for the DevicePolicyManager.isProvisioningAllowed(ACTION_PROVISION_MANAGED_DEVICE).
Device implementations MAY have a preinstalled application performing device administration functions, but this application MUST NOT be set as the Device Owner app without explicit consent or action from the user or the administrator of the device.
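An added example, not part of the original document or of AOSP: a host-side Python parser that inspects a raw NDEF message (for instance, the contents of a tag being audited) and reports any Device Owner provisioning record, identified by the MIME type that MIME_TYPE_PROVISIONING_NFC names above. The constant's string value and the java.util.Properties payload format are taken from the Android SDK documentation rather than from this page; the sample bytes and the package name com.example.dpc are constructed, and chunked records and Properties escape sequences are not handled.

```python
import struct

# Value of DevicePolicyManager.MIME_TYPE_PROVISIONING_NFC in the Android SDK.
MIME_TYPE_PROVISIONING_NFC = b"application/com.android.managedprovisioning"
TNF_MIME_MEDIA = 0x02  # NDEF Type Name Format: RFC 2046 media type

def parse_ndef(message):
    """Yield (tnf, type, payload) for each record of a raw NDEF message."""
    pos = 0
    while pos < len(message):
        try:
            header, type_len = message[pos], message[pos + 1]
            short, has_id = header & 0x10, header & 0x08   # SR and IL flags
            pos += 2
            payload_len = message[pos] if short else struct.unpack_from(">I", message, pos)[0]
            pos += 1 if short else 4
            id_len = message[pos] if has_id else 0
            pos += 1 if has_id else 0
        except (IndexError, struct.error):
            raise ValueError("truncated NDEF record header") from None
        end = pos + type_len + id_len + payload_len
        if end > len(message):
            raise ValueError("truncated NDEF record body")
        yield header & 0x07, message[pos:pos + type_len], message[pos + type_len + id_len:end]
        pos = end
        if header & 0x40:                                  # ME flag: last record
            break

def provisioning_records(message):
    """Return the properties of every Device Owner provisioning record found."""
    found = []
    for tnf, rtype, payload in parse_ndef(message):
        if tnf == TNF_MIME_MEDIA and rtype.lower() == MIME_TYPE_PROVISIONING_NFC:
            # Payload is java.util.Properties text (simplified: no escape handling).
            pairs = (l.strip().partition("=") for l in payload.decode("latin-1").splitlines())
            found.append({k.strip(): v.strip() for k, s, v in pairs
                          if s and not k.startswith(("#", "!"))})
    return found

# Helper used only to build the constructed sample: one short MIME-media record.
def _record(rtype, payload, first, last):
    flags = (0x80 if first else 0) | (0x40 if last else 0) | 0x10 | TNF_MIME_MEDIA
    return bytes([flags, len(rtype), len(payload)]) + rtype + payload

# Constructed sample: a plain text record, then a record naming a hypothetical DPC.
SAMPLE = _record(b"text/plain", b"hello", True, False) + _record(
    MIME_TYPE_PROVISIONING_NFC,
    b"#constructed\nandroid.app.extra.PROVISIONING_DEVICE_ADMIN_PACKAGE_NAME=com.example.dpc\n",
    False, True)
```

Calling `provisioning_records(SAMPLE)` returns one dictionary naming the DPC package the record would enroll; a message with no provisioning record returns an empty list.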
If a device implementation declares the android.software.managed_users feature, it MUST be possible to enroll a Device Policy Controller (DPC) application as the owner of a new Managed Profile.
The user experience of the managed profile provisioning process (the flow initiated by android.app.action.PROVISION_MANAGED_PROFILE) MUST align with the AOSP implementation.
Device implementations MUST provide the following user affordances within the Settings user interface to indicate to the user when a particular system function has been disabled by the Device Policy Controller (DPC):
[setShortSupportMessage](https://developer.android.com/reference/android/app/admin/DevicePolicyManager.html#setShortSupportMessage%28android.content.ComponentName, java.lang.CharSequence%29).
Managed profile capable devices are those devices that:
Managed profile capable devices MUST:
android.software.managed_users.
android.app.admin.DevicePolicyManager APIs.
DevicePolicyManager.ACTION_SET_NEW_PASSWORD intent and show an interface to configure a separate lock screen credential for the managed profile.
DevicePolicyManager instance returned by getParentProfileInstance.