Merge "Document access to device identifiers on managed devices" into sc-dev

     * Delegation of certificate installation and management. This scope grants access to the

     * {@link #getInstalledCaCerts}, {@link #hasCaCertInstalled}, {@link #installCaCert},

     * {@link #uninstallCaCert}, {@link #uninstallAllUserCaCerts} and {@link #installKeyPair} APIs.

     * This scope also grants the ability to read identifiers that the delegating device owner or

     * profile owner can obtain. See {@link #getEnrollmentSpecificId()}.

     */

    public static final String DELEGATION_CERT_INSTALL = "delegation-cert-install";

     * It is available both in a work profile and on a fully-managed device.

     * The identifier would be consistent even if the work profile is removed and enrolled again

     * (to the same organization), or the device is factory reset and re-enrolled.

     *

     * Can only be called by the Profile Owner or Device Owner, if the

     * {@link #setOrganizationId(String)} was previously called.

     * If {@link #setOrganizationId(String)} was not called, then the returned value will be an

     * empty string.

     *

     * <p>Note about access to device identifiers: a device owner, a profile owner of an

     * organization-owned device or the delegated certificate installer (holding the

     * {@link #DELEGATION_CERT_INSTALL} delegation) on such a device can still obtain hardware

     * identifiers by calling e.g. {@link android.os.Build#getSerial()}, in addition to using

     * this method. However, a profile owner on a personal (non organization-owned) device, or the

     * delegated certificate installer on such a device, cannot obtain hardware identifiers anymore

     * and must switch to using this method.

     *

     * @return A stable, enrollment-specific identifier.

     * @throws SecurityException if the caller is not a profile owner or device owner.

     */

     * <ul>

     *     <li>If the calling app has been granted the READ_PRIVILEGED_PHONE_STATE permission; this

     *     is a privileged permission that can only be granted to apps preloaded on the device.

     *     <li>If the calling app is the device or profile owner and has been granted the

     *     {@link Manifest.permission#READ_PHONE_STATE} permission. The profile owner is an app that

     *     owns a managed profile on the device; for more details see <a

     *     href="https://developer.android.com/work/managed-profiles">Work profiles</a>.

     *     Profile owner access is deprecated and will be removed in a future release.

     *     <li>If the calling app has carrier privileges (see {@link

     *     android.telephony.TelephonyManager#hasCarrierPrivileges}) on any active subscription.

     *     <li>If the calling app is the default SMS role holder (see {@link

     *     android.app.role.RoleManager#isRoleHeld(String)}).

     *     <li>If the calling app is the device owner of a fully-managed device, a profile

     *     owner of an organization-owned device, or their delegates (see {@link

     *     android.app.admin.DevicePolicyManager#getEnrollmentSpecificId()}).

     * </ul>

     *

     * <p>If the calling app does not meet one of these requirements then this method will behave

     * <ul>

     *     <li>If the calling app has been granted the READ_PRIVILEGED_PHONE_STATE permission; this

     *     is a privileged permission that can only be granted to apps preloaded on the device.

     *     <li>If the calling app is the device or profile owner and has been granted the

     *     {@link Manifest.permission#READ_PHONE_STATE} permission. The profile owner is an app that

     *     owns a managed profile on the device; for more details see <a

     *     href="https://developer.android.com/work/managed-profiles">Work profiles</a>.

     *     Profile owner access is deprecated and will be removed in a future release.

     *     <li>If the calling app is the device owner of a fully-managed device, a profile

     *     owner of an organization-owned device, or their delegates (see {@link

     *     android.app.admin.DevicePolicyManager#getEnrollmentSpecificId()}).

     *     <li>If the calling app has carrier privileges (see {@link #hasCarrierPrivileges}) on any

     *     active subscription.

     *     <li>If the calling app is the default SMS role holder (see {@link

     * <ul>

     *     <li>If the calling app has been granted the READ_PRIVILEGED_PHONE_STATE permission; this

     *     is a privileged permission that can only be granted to apps preloaded on the device.

     *     <li>If the calling app is the device or profile owner and has been granted the

     *     {@link Manifest.permission#READ_PHONE_STATE} permission. The profile owner is an app that

     *     owns a managed profile on the device; for more details see <a

     *     href="https://developer.android.com/work/managed-profiles">Work profiles</a>.

     *     Profile owner access is deprecated and will be removed in a future release.

     *     <li>If the calling app is the device owner of a fully-managed device, a profile

     *     owner of an organization-owned device, or their delegates (see {@link

     *     android.app.admin.DevicePolicyManager#getEnrollmentSpecificId()}).

     *     <li>If the calling app has carrier privileges (see {@link #hasCarrierPrivileges}) on any

     *     active subscription.

     *     <li>If the calling app is the default SMS role holder (see {@link

     * <ul>

     *     <li>If the calling app has been granted the READ_PRIVILEGED_PHONE_STATE permission; this

     *     is a privileged permission that can only be granted to apps preloaded on the device.

     *     <li>If the calling app is the device or profile owner and has been granted the

     *     {@link Manifest.permission#READ_PHONE_STATE} permission. The profile owner is an app that

     *     owns a managed profile on the device; for more details see <a

     *     href="https://developer.android.com/work/managed-profiles">Work profiles</a>.

     *     Profile owner access is deprecated and will be removed in a future release.

     *     <li>If the calling app is the device owner of a fully-managed device, a profile

     *     owner of an organization-owned device, or their delegates (see {@link

     *     android.app.admin.DevicePolicyManager#getEnrollmentSpecificId()}).

     *     <li>If the calling app has carrier privileges (see {@link #hasCarrierPrivileges}) on any

     *     active subscription.

     *     <li>If the calling app is the default SMS role holder (see {@link

     * <ul>

     *     <li>If the calling app has been granted the READ_PRIVILEGED_PHONE_STATE permission; this

     *     is a privileged permission that can only be granted to apps preloaded on the device.

     *     <li>If the calling app is the device or profile owner and has been granted the

     *     {@link Manifest.permission#READ_PHONE_STATE} permission. The profile owner is an app that

     *     owns a managed profile on the device; for more details see <a

     *     href="https://developer.android.com/work/managed-profiles">Work profiles</a>.

     *     Profile owner access is deprecated and will be removed in a future release.

     *     <li>If the calling app is the device owner of a fully-managed device, a profile

     *     owner of an organization-owned device, or their delegates (see {@link

     *     android.app.admin.DevicePolicyManager#getEnrollmentSpecificId()}).

     *     <li>If the calling app has carrier privileges (see {@link #hasCarrierPrivileges}) on any

     *     active subscription.

     *     <li>If the calling app is the default SMS role holder (see {@link

     * <ul>

     *     <li>If the calling app has been granted the READ_PRIVILEGED_PHONE_STATE permission; this

     *     is a privileged permission that can only be granted to apps preloaded on the device.

     *     <li>If the calling app is the device or profile owner and has been granted the

     *     {@link Manifest.permission#READ_PHONE_STATE} permission. The profile owner is an app that

     *     owns a managed profile on the device; for more details see <a

     *     href="https://developer.android.com/work/managed-profiles">Work profiles</a>.

     *     Profile owner access is deprecated and will be removed in a future release.

     *     <li>If the calling app is the device owner of a fully-managed device, a profile

     *     owner of an organization-owned device, or their delegates (see {@link

     *     android.app.admin.DevicePolicyManager#getEnrollmentSpecificId()}).

     *     <li>If the calling app has carrier privileges (see {@link #hasCarrierPrivileges}) on any

     *     active subscription.

     *     <li>If the calling app is the default SMS role holder (see {@link

     * <ul>

     *     <li>If the calling app has been granted the READ_PRIVILEGED_PHONE_STATE permission; this

     *     is a privileged permission that can only be granted to apps preloaded on the device.

     *     <li>If the calling app is the device or profile owner and has been granted the

     *     {@link Manifest.permission#READ_PHONE_STATE} permission. The profile owner is an app that

     *     owns a managed profile on the device; for more details see <a

     *     href="https://developer.android.com/work/managed-profiles">Work profiles</a>.

     *     Profile owner access is deprecated and will be removed in a future release.

     *     <li>If the calling app is the device owner of a fully-managed device, a profile

     *     owner of an organization-owned device, or their delegates (see {@link

     *     android.app.admin.DevicePolicyManager#getEnrollmentSpecificId()}).

     *     <li>If the calling app has carrier privileges (see {@link #hasCarrierPrivileges}).

     *     <li>If the calling app is the default SMS role holder (see {@link

     *     RoleManager#isRoleHeld(String)}).

     * <ul>

     *     <li>If the calling app has been granted the READ_PRIVILEGED_PHONE_STATE permission; this

     *     is a privileged permission that can only be granted to apps preloaded on the device.

     *     <li>If the calling app is the device or profile owner and has been granted the

     *     {@link Manifest.permission#READ_PHONE_STATE} permission. The profile owner is an app that

     *     owns a managed profile on the device; for more details see <a

     *     href="https://developer.android.com/work/managed-profiles">Work profiles</a>.

     *     Profile owner access is deprecated and will be removed in a future release.

     *     <li>If the calling app is the device owner of a fully-managed device, a profile

     *     owner of an organization-owned device, or their delegates (see {@link

     *     android.app.admin.DevicePolicyManager#getEnrollmentSpecificId()}).

     *     <li>If the calling app has carrier privileges (see {@link #hasCarrierPrivileges}).

     *     <li>If the calling app is the default SMS role holder (see {@link

     *     RoleManager#isRoleHeld(String)}).

     * <ul>

     *     <li>If the calling app has been granted the READ_PRIVILEGED_PHONE_STATE permission; this

     *     is a privileged permission that can only be granted to apps preloaded on the device.

     *     <li>If the calling app is the device or profile owner and has been granted the

     *     {@link Manifest.permission#READ_PHONE_STATE} permission. The profile owner is an app that

     *     owns a managed profile on the device; for more details see <a

     *     href="https://developer.android.com/work/managed-profiles">Work profiles</a>.

     *     Profile owner access is deprecated and will be removed in a future release.

     *     <li>If the calling app is the device owner of a fully-managed device, a profile

     *     owner of an organization-owned device, or their delegates (see {@link

     *     android.app.admin.DevicePolicyManager#getEnrollmentSpecificId()}).

     *     <li>If the calling app has carrier privileges (see {@link #hasCarrierPrivileges}).

     *     <li>If the calling app is the default SMS role holder (see {@link

     *     RoleManager#isRoleHeld(String)}).

     * <ul>

     *     <li>If the calling app has been granted the READ_PRIVILEGED_PHONE_STATE permission; this

     *     is a privileged permission that can only be granted to apps preloaded on the device.

     *     <li>If the calling app is the device or profile owner and has been granted the

     *     {@link Manifest.permission#READ_PHONE_STATE} permission. The profile owner is an app that

     *     owns a managed profile on the device; for more details see <a

     *     href="https://developer.android.com/work/managed-profiles">Work profiles</a>.

     *     Profile owner access is deprecated and will be removed in a future release.

     *     <li>If the calling app is the device owner of a fully-managed device, a profile

     *     owner of an organization-owned device, or their delegates (see {@link

     *     android.app.admin.DevicePolicyManager#getEnrollmentSpecificId()}).

     *     <li>If the calling app has carrier privileges (see {@link #hasCarrierPrivileges}).

     *     <li>If the calling app is the default SMS role holder (see {@link

     *     RoleManager#isRoleHeld(String)}).

     * <ul>

     *     <li>If the calling app has been granted the READ_PRIVILEGED_PHONE_STATE permission; this

     *     is a privileged permission that can only be granted to apps preloaded on the device.

     *     <li>If the calling app is the device or profile owner and has been granted the

     *     {@link Manifest.permission#READ_PHONE_STATE} permission. The profile owner is an app that

     *     owns a managed profile on the device; for more details see <a

     *     href="https://developer.android.com/work/managed-profiles">Work profiles</a>.

     *     Profile owner access is deprecated and will be removed in a future release.

     *     <li>If the calling app is the device owner of a fully-managed device, a profile

     *     owner of an organization-owned device, or their delegates (see {@link

     *     android.app.admin.DevicePolicyManager#getEnrollmentSpecificId()}).

     *     <li>If the calling app has carrier privileges (see {@link #hasCarrierPrivileges}).

     *     <li>If the calling app is the default SMS role holder (see {@link

     *     RoleManager#isRoleHeld(String)}).