Loading services/devicepolicy/java/com/android/server/devicepolicy/DevicePolicyManagerService.java +25 −11 Original line number Diff line number Diff line Loading @@ -2159,6 +2159,11 @@ public class DevicePolicyManagerService extends BaseIDevicePolicyManager { return getDeviceOwnerOfCallerLocked(caller); } @NonNull ActiveAdmin getParentOfAdminIfRequired(ActiveAdmin admin, boolean parent) { Objects.requireNonNull(admin); return parent ? admin.getParentActiveAdmin() : admin; } /** * Finds an active admin for the caller then checks {@code permission} if admin check failed. * Loading Loading @@ -4527,6 +4532,8 @@ public class DevicePolicyManagerService extends BaseIDevicePolicyManager { } Objects.requireNonNull(who, "ComponentName is null"); Preconditions.checkArgument(timeoutMs >= 0, "Timeout must not be a negative number."); final CallerIdentity caller = getCallerIdentity(who); Preconditions.checkCallAuthorization(isDeviceOwner(caller) || isProfileOwner(caller)); // timeoutMs with value 0 means that the admin doesn't participate // timeoutMs is clamped to the interval in case the internal constants change in the future final long minimumStrongAuthTimeout = getMinimumStrongAuthTimeoutMs(); Loading @@ -4537,11 +4544,11 @@ public class DevicePolicyManagerService extends BaseIDevicePolicyManager { timeoutMs = DevicePolicyManager.DEFAULT_STRONG_AUTH_TIMEOUT_MS; } final int userHandle = mInjector.userHandleGetCallingUserId(); final int userHandle = caller.getUserId(); boolean changed = false; synchronized (getLockObject()) { ActiveAdmin ap = getActiveAdminForCallerLocked(who, DeviceAdminInfo.USES_POLICY_PROFILE_OWNER, parent); ActiveAdmin ap = getParentOfAdminIfRequired(getProfileOwnerOrDeviceOwnerLocked(caller), parent); if (ap.strongAuthUnlockTimeout != timeoutMs) { ap.strongAuthUnlockTimeout = timeoutMs; saveSettingsLocked(userHandle); Loading Loading 
@@ -5646,8 +5653,9 @@ public class DevicePolicyManagerService extends BaseIDevicePolicyManager { List<String> lockdownWhitelist) throws SecurityException { enforceProfileOrDeviceOwner(who); final CallerIdentity caller = getCallerIdentity(who); final int userId = mInjector.userHandleGetCallingUserId(); final int userId = caller.getUserId(); mInjector.binderWithCleanCallingIdentity(() -> { if (vpnPackage != null && !isPackageInstalledForUser(vpnPackage, userId)) { Slog.w(LOG_TAG, "Non-existent VPN package specified: " + vpnPackage); Loading Loading @@ -5678,8 +5686,7 @@ public class DevicePolicyManagerService extends BaseIDevicePolicyManager { .write(); }); synchronized (getLockObject()) { ActiveAdmin admin = getActiveAdminForCallerLocked(who, DeviceAdminInfo.USES_POLICY_PROFILE_OWNER); ActiveAdmin admin = getProfileOwnerOrDeviceOwnerLocked(caller); if (!TextUtils.equals(vpnPackage, admin.mAlwaysOnVpnPackage) || lockdown != admin.mAlwaysOnVpnLockdown) { admin.mAlwaysOnVpnPackage = vpnPackage; Loading Loading @@ -9675,10 +9682,11 @@ public class DevicePolicyManagerService extends BaseIDevicePolicyManager { return null; } Objects.requireNonNull(who, "ComponentName is null"); final CallerIdentity caller = getCallerIdentity(who); synchronized (getLockObject()) { final ActiveAdmin activeAdmin = getActiveAdminForCallerLocked(who, DeviceAdminInfo.USES_POLICY_PROFILE_OWNER, parent); final ActiveAdmin activeAdmin = getParentOfAdminIfRequired( getProfileOwnerOrDeviceOwnerLocked(caller), parent); if (parent) { enforceProfileOwnerOfOrganizationOwnedDevice(activeAdmin); } Loading Loading @@ -9929,6 +9937,7 @@ public class DevicePolicyManagerService extends BaseIDevicePolicyManager { return; } Objects.requireNonNull(who, "ComponentName is null"); final CallerIdentity caller = getCallerIdentity(who); synchronized (getLockObject()) { /* * When called on the parent DPM instance (parent == true), affects active admin Loading 
@@ -9936,9 +9945,14 @@ public class DevicePolicyManagerService extends BaseIDevicePolicyManager { * * The ActiveAdmin must be of an org-owned profile owner. * * The parent ActiveAdmin instance should be used for managing the restriction. */ ActiveAdmin ap = getActiveAdminForCallerLocked(who, parent ? DeviceAdminInfo.USES_POLICY_ORGANIZATION_OWNED_PROFILE_OWNER : DeviceAdminInfo.USES_POLICY_PROFILE_OWNER, parent); final ActiveAdmin ap; if (parent) { ap = getParentOfAdminIfRequired(getOrganizationOwnedProfileOwnerLocked(caller), parent); } else { ap = getParentOfAdminIfRequired(getProfileOwnerOrDeviceOwnerLocked(caller), parent); } if (disabled) { ap.accountTypesWithManagementDisabled.add(accountType); } else { Loading Loading
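Review bot: In the `@@ -4537,11 +4544,11 @@` hunk the `parent` flag is no longer tied to any visible caller check: the added `checkCallAuthorization(isDeviceOwner(caller) || isProfileOwner(caller))` admits a device owner, and `getParentOfAdminIfRequired(...)` then returns `admin.getParentActiveAdmin()` for whichever owner passed `parent == true`. The removed `getActiveAdminForCallerLocked(who, ..., parent)` call received the flag, so it may have enforced a restriction that is now dropped; its body is not shown on this page, so this needs confirming. The other parent-aware hunks keep a guard (`enforceProfileOwnerOfOrganizationOwnedDevice(activeAdmin)` in the 9682 hunk, `getOrganizationOwnedProfileOwnerLocked(caller)` in the 9945 hunk), so I would add one here too, e.g. `Preconditions.checkCallAuthorization(!parent || isProfileOwner(caller));`, or add a comment explaining why a parent instance is acceptable for a device owner. The method starts and ends outside the hunk.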
services/devicepolicy/java/com/android/server/devicepolicy/DevicePolicyManagerService.java +25 −11 Original line number Diff line number Diff line Loading @@ -2159,6 +2159,11 @@ public class DevicePolicyManagerService extends BaseIDevicePolicyManager { return getDeviceOwnerOfCallerLocked(caller); } @NonNull ActiveAdmin getParentOfAdminIfRequired(ActiveAdmin admin, boolean parent) { Objects.requireNonNull(admin); return parent ? admin.getParentActiveAdmin() : admin; } /** * Finds an active admin for the caller then checks {@code permission} if admin check failed. * Loading Loading @@ -4527,6 +4532,8 @@ public class DevicePolicyManagerService extends BaseIDevicePolicyManager { } Objects.requireNonNull(who, "ComponentName is null"); Preconditions.checkArgument(timeoutMs >= 0, "Timeout must not be a negative number."); final CallerIdentity caller = getCallerIdentity(who); Preconditions.checkCallAuthorization(isDeviceOwner(caller) || isProfileOwner(caller)); // timeoutMs with value 0 means that the admin doesn't participate // timeoutMs is clamped to the interval in case the internal constants change in the future final long minimumStrongAuthTimeout = getMinimumStrongAuthTimeoutMs(); Loading @@ -4537,11 +4544,11 @@ public class DevicePolicyManagerService extends BaseIDevicePolicyManager { timeoutMs = DevicePolicyManager.DEFAULT_STRONG_AUTH_TIMEOUT_MS; } final int userHandle = mInjector.userHandleGetCallingUserId(); final int userHandle = caller.getUserId(); boolean changed = false; synchronized (getLockObject()) { ActiveAdmin ap = getActiveAdminForCallerLocked(who, DeviceAdminInfo.USES_POLICY_PROFILE_OWNER, parent); ActiveAdmin ap = getParentOfAdminIfRequired(getProfileOwnerOrDeviceOwnerLocked(caller), parent); if (ap.strongAuthUnlockTimeout != timeoutMs) { ap.strongAuthUnlockTimeout = timeoutMs; saveSettingsLocked(userHandle); Loading Loading 
@@ -5646,8 +5653,9 @@ public class DevicePolicyManagerService extends BaseIDevicePolicyManager { List<String> lockdownWhitelist) throws SecurityException { enforceProfileOrDeviceOwner(who); final CallerIdentity caller = getCallerIdentity(who); final int userId = mInjector.userHandleGetCallingUserId(); final int userId = caller.getUserId(); mInjector.binderWithCleanCallingIdentity(() -> { if (vpnPackage != null && !isPackageInstalledForUser(vpnPackage, userId)) { Slog.w(LOG_TAG, "Non-existent VPN package specified: " + vpnPackage); Loading Loading @@ -5678,8 +5686,7 @@ public class DevicePolicyManagerService extends BaseIDevicePolicyManager { .write(); }); synchronized (getLockObject()) { ActiveAdmin admin = getActiveAdminForCallerLocked(who, DeviceAdminInfo.USES_POLICY_PROFILE_OWNER); ActiveAdmin admin = getProfileOwnerOrDeviceOwnerLocked(caller); if (!TextUtils.equals(vpnPackage, admin.mAlwaysOnVpnPackage) || lockdown != admin.mAlwaysOnVpnLockdown) { admin.mAlwaysOnVpnPackage = vpnPackage; Loading Loading @@ -9675,10 +9682,11 @@ public class DevicePolicyManagerService extends BaseIDevicePolicyManager { return null; } Objects.requireNonNull(who, "ComponentName is null"); final CallerIdentity caller = getCallerIdentity(who); synchronized (getLockObject()) { final ActiveAdmin activeAdmin = getActiveAdminForCallerLocked(who, DeviceAdminInfo.USES_POLICY_PROFILE_OWNER, parent); final ActiveAdmin activeAdmin = getParentOfAdminIfRequired( getProfileOwnerOrDeviceOwnerLocked(caller), parent); if (parent) { enforceProfileOwnerOfOrganizationOwnedDevice(activeAdmin); } Loading Loading @@ -9929,6 +9937,7 @@ public class DevicePolicyManagerService extends BaseIDevicePolicyManager { return; } Objects.requireNonNull(who, "ComponentName is null"); final CallerIdentity caller = getCallerIdentity(who); synchronized (getLockObject()) { /* * When called on the parent DPM instance (parent == true), affects active admin Loading 
@@ -9936,9 +9945,14 @@ public class DevicePolicyManagerService extends BaseIDevicePolicyManager { * * The ActiveAdmin must be of an org-owned profile owner. * * The parent ActiveAdmin instance should be used for managing the restriction. */ ActiveAdmin ap = getActiveAdminForCallerLocked(who, parent ? DeviceAdminInfo.USES_POLICY_ORGANIZATION_OWNED_PROFILE_OWNER : DeviceAdminInfo.USES_POLICY_PROFILE_OWNER, parent); final ActiveAdmin ap; if (parent) { ap = getParentOfAdminIfRequired(getOrganizationOwnedProfileOwnerLocked(caller), parent); } else { ap = getParentOfAdminIfRequired(getProfileOwnerOrDeviceOwnerLocked(caller), parent); } if (disabled) { ap.accountTypesWithManagementDisabled.add(accountType); } else { Loading