Fix 2737842: Disable KeguardManager API if device policy is enabled

This change adds notification to find out when the device policy
has changed.  When an admin adds or changes a policy, we get notified
and reset the state of keyguard to be enabled.

It also moves disabling keyguard into the TokenWatcher.acquired()
method to avoid disabling keyguard when a policy doesn't permit it.
This avoids reference counting issues in TokenWatcher and hence relieves
the ordering issue.

There is one remaining caveat. An application that uses KeyguardManager
to disable keyguard will need to disable keyguard again after any
policy change.

Tested:

Install and run app that disables keyguard with no admin. Result: keyguard is enabled/disabled as expected.
Enable admin and set quality = "something" after installing & running app. Result: keyguard is enabled.
Change admin password quality to "unspecified" and re-run app (per caveat). Result: keyguard is disabled.
Change admin password quality to "something" again. Result: keyguard is enabled.
Disable admin : Result: keyguard is enabled until app runs again (per caveat).

Added minor cosmetic changes after review.

Change-Id: I302f2b01446bf031f746b0f3e8b5fd7a6cc0e648