
Commit a13f8862 authored by TreeHugger Robot's avatar TreeHugger Robot Committed by Automerger Merge Worker

Merge "Add APIs to check whether a device is financed." into udc-dev am: c720bb2f

parents 8810b5fe c720bb2f
+1 −0
@@ -7895,6 +7895,7 @@ package android.app.admin {
    method @Deprecated public boolean isCallerApplicationRestrictionsManagingPackage();
    method public boolean isCommonCriteriaModeEnabled(@Nullable android.content.ComponentName);
    method public boolean isComplianceAcknowledgementRequired();
    method public boolean isDeviceFinanced();
    method public boolean isDeviceIdAttestationSupported();
    method public boolean isDeviceOwnerApp(String);
    method public boolean isEphemeralUser(@NonNull android.content.ComponentName);
+1 −0
@@ -1257,6 +1257,7 @@ package android.app.admin {
    method @Nullable public CharSequence getDeviceOwnerOrganizationName();
    method @Nullable @RequiresPermission(android.Manifest.permission.MANAGE_USERS) public android.os.UserHandle getDeviceOwnerUser();
    method @NonNull @RequiresPermission(android.Manifest.permission.MANAGE_PROFILE_AND_DEVICE_OWNERS) public android.app.admin.DevicePolicyState getDevicePolicyState();
    method @Nullable @RequiresPermission(android.Manifest.permission.MANAGE_PROFILE_AND_DEVICE_OWNERS) public String getFinancedDeviceKioskRoleHolder();
    method @Nullable @RequiresPermission(anyOf={android.Manifest.permission.MANAGE_USERS, android.Manifest.permission.QUERY_ADMIN_POLICY}) public java.util.List<java.lang.String> getPermittedAccessibilityServices(int);
    method @Nullable @RequiresPermission(anyOf={android.Manifest.permission.MANAGE_USERS, android.Manifest.permission.QUERY_ADMIN_POLICY}) public java.util.List<java.lang.String> getPermittedInputMethodsForCurrentUser();
    method @NonNull @RequiresPermission(android.Manifest.permission.MANAGE_PROFILE_AND_DEVICE_OWNERS) public java.util.List<android.os.UserHandle> getPolicyManagedProfiles(@NonNull android.os.UserHandle);
+51 −0
@@ -16901,4 +16901,55 @@ public class DevicePolicyManager {
        }
        return false;
    }
    /**
     * Returns {@code true} if this device is marked as a financed device.
     *
     * <p>A financed device can be entered into lock task mode (see {@link #setLockTaskPackages})
     * by the holder of the role {@link android.app.role.RoleManager#ROLE_FINANCED_DEVICE_KIOSK}.
     * If this occurs, Device Owners and Profile Owners that have set lock task packages or
     * features, or that attempt to set lock task packages or features, will receive a callback
     * indicating that it could not be set. See {@link PolicyUpdateReceiver#onPolicyChanged} and
     * {@link PolicyUpdateReceiver#onPolicySetResult}.
     *
     * <p>To be informed of changes to this status you can subscribe to the broadcast
     * {@link ACTION_DEVICE_FINANCING_STATE_CHANGED}.
     *
     * @throws SecurityException if the caller is not a device owner, profile owner of an
     * organization-owned managed profile, profile owner on the primary user or holder of one of the
     * following roles: {@link android.app.role.RoleManager.ROLE_DEVICE_POLICY_MANAGEMENT},
     * android.app.role.RoleManager.ROLE_SYSTEM_SUPERVISION.
     */
    public boolean isDeviceFinanced() {
        if (mService != null) {
            try {
                return mService.isDeviceFinanced(mContext.getPackageName());
            } catch (RemoteException e) {
                throw e.rethrowFromSystemServer();
            }
        }
        return false;
    }
    /**
     * Returns the package name of the application holding the role:
     * {@link android.app.role.RoleManager#ROLE_FINANCED_DEVICE_KIOSK}.
     *
     * @return the package name of the application holding the role or {@code null} if the role is
     * not held by any applications.
     * @hide
     */
    @SystemApi
    @RequiresPermission(permission.MANAGE_PROFILE_AND_DEVICE_OWNERS)
    @Nullable
    public String getFinancedDeviceKioskRoleHolder() {
        if (mService != null) {
            try {
                return mService.getFinancedDeviceKioskRoleHolder(mContext.getPackageName());
            } catch (RemoteException e) {
                throw e.rethrowFromSystemServer();
            }
        }
        return null;
    }
}
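Review bot: Two `{@link}` targets in the new Javadoc for `isDeviceFinanced()` are malformed and will probably not resolve. `{@link ACTION_DEVICE_FINANCING_STATE_CHANGED}` lacks the member prefix; assuming the constant is declared in this class, it should read `{@link #ACTION_DEVICE_FINANCING_STATE_CHANGED}`. `{@link android.app.role.RoleManager.ROLE_DEVICE_POLICY_MANAGEMENT}` separates the member with `.` and should be `{@link android.app.role.RoleManager#ROLE_DEVICE_POLICY_MANAGEMENT}`. The method also has no `@return` tag and returns `false` when `mService` is null, so callers cannot tell "not financed" from "service unavailable"; a line such as `@return {@code true} if the device is financed; {@code false} otherwise or if the device policy service is unavailable` would document that.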
+3 −0
@@ -605,4 +605,7 @@ interface IDevicePolicyManager {
    void setOverrideKeepProfilesRunning(boolean enabled);

    boolean triggerDevicePolicyEngineMigration(boolean forceMigration);

    boolean isDeviceFinanced(String callerPackageName);
    String getFinancedDeviceKioskRoleHolder(String callerPackageName);
}
+106 −31
@@ -77,6 +77,7 @@ import static android.Manifest.permission.MANAGE_DEVICE_POLICY_WALLPAPER;
import static android.Manifest.permission.MANAGE_DEVICE_POLICY_WIFI;
import static android.Manifest.permission.MANAGE_DEVICE_POLICY_WINDOWS;
import static android.Manifest.permission.MANAGE_DEVICE_POLICY_WIPE_DATA;
import static android.Manifest.permission.MANAGE_PROFILE_AND_DEVICE_OWNERS;
import static android.Manifest.permission.QUERY_ADMIN_POLICY;
import static android.Manifest.permission.REQUEST_PASSWORD_COMPLEXITY;
import static android.Manifest.permission.SET_TIME;
@@ -3967,7 +3968,7 @@ public class DevicePolicyManagerService extends IDevicePolicyManager.Stub {
        }
        Objects.requireNonNull(adminReceiver, "ComponentName is null");
        Preconditions.checkCallAuthorization(isAdb(getCallerIdentity())
                        || hasCallingOrSelfPermission(permission.MANAGE_PROFILE_AND_DEVICE_OWNERS),
                        || hasCallingOrSelfPermission(MANAGE_PROFILE_AND_DEVICE_OWNERS),
                "Caller must be shell or hold MANAGE_PROFILE_AND_DEVICE_OWNERS to call "
                        + "forceRemoveActiveAdmin");
        mInjector.binderWithCleanCallingIdentity(() -> {
@@ -9481,7 +9482,7 @@ public class DevicePolicyManagerService extends IDevicePolicyManager.Stub {
        Preconditions.checkCallAuthorization(
                isDefaultDeviceOwner(caller) || canManageUsers(caller) || isFinancedDeviceOwner(
                        caller) || hasCallingOrSelfPermission(
                        permission.MANAGE_PROFILE_AND_DEVICE_OWNERS));
                        MANAGE_PROFILE_AND_DEVICE_OWNERS));
        return mOwners.hasDeviceOwner();
    }
@@ -9650,7 +9651,7 @@ public class DevicePolicyManagerService extends IDevicePolicyManager.Stub {
        }
        if (!callingUserOnly) {
            Preconditions.checkCallAuthorization(canManageUsers(getCallerIdentity())
                    || hasCallingOrSelfPermission(permission.MANAGE_PROFILE_AND_DEVICE_OWNERS));
                    || hasCallingOrSelfPermission(MANAGE_PROFILE_AND_DEVICE_OWNERS));
        }
        synchronized (getLockObject()) {
            if (!mOwners.hasDeviceOwner()) {
@@ -9700,7 +9701,7 @@ public class DevicePolicyManagerService extends IDevicePolicyManager.Stub {
            return null;
        }
        Preconditions.checkCallAuthorization(canManageUsers(getCallerIdentity())
                || hasCallingOrSelfPermission(permission.MANAGE_PROFILE_AND_DEVICE_OWNERS));
                || hasCallingOrSelfPermission(MANAGE_PROFILE_AND_DEVICE_OWNERS));
        synchronized (getLockObject()) {
            if (!mOwners.hasDeviceOwner()) {
@@ -10104,7 +10105,7 @@ public class DevicePolicyManagerService extends IDevicePolicyManager.Stub {
        }
        final CallerIdentity caller = getCallerIdentity();
        Preconditions.checkCallAuthorization(canManageUsers(caller)
                || hasCallingOrSelfPermission(permission.MANAGE_PROFILE_AND_DEVICE_OWNERS));
                || hasCallingOrSelfPermission(MANAGE_PROFILE_AND_DEVICE_OWNERS));
        if (userHandle != caller.getUserId()) {
            Preconditions.checkCallAuthorization(canManageUsers(caller)
@@ -10122,7 +10123,7 @@ public class DevicePolicyManagerService extends IDevicePolicyManager.Stub {
            return;
        }
        Preconditions.checkCallAuthorization(
                hasCallingOrSelfPermission(permission.MANAGE_PROFILE_AND_DEVICE_OWNERS));
                hasCallingOrSelfPermission(MANAGE_PROFILE_AND_DEVICE_OWNERS));
        final CallerIdentity caller = getCallerIdentity();
        final long id = mInjector.binderClearCallingIdentity();
@@ -10435,7 +10436,7 @@ public class DevicePolicyManagerService extends IDevicePolicyManager.Stub {
            return null;
        }
        Preconditions.checkCallAuthorization(canManageUsers(getCallerIdentity())
                || hasCallingOrSelfPermission(permission.MANAGE_PROFILE_AND_DEVICE_OWNERS));
                || hasCallingOrSelfPermission(MANAGE_PROFILE_AND_DEVICE_OWNERS));
        return getProfileOwnerNameUnchecked(userHandle);
    }
@@ -10642,7 +10643,7 @@ public class DevicePolicyManagerService extends IDevicePolicyManager.Stub {
            return;
        }
        Preconditions.checkCallAuthorization(
                hasCallingOrSelfPermission(permission.MANAGE_PROFILE_AND_DEVICE_OWNERS));
                hasCallingOrSelfPermission(MANAGE_PROFILE_AND_DEVICE_OWNERS));
        if ((mIsWatch || hasUserSetupCompleted(userHandle))) {
            Preconditions.checkState(isSystemUid(caller),
@@ -10666,7 +10667,7 @@ public class DevicePolicyManagerService extends IDevicePolicyManager.Stub {
            boolean hasIncompatibleAccountsOrNonAdb) {
        if (!isAdb(caller)) {
            Preconditions.checkCallAuthorization(
                    hasCallingOrSelfPermission(permission.MANAGE_PROFILE_AND_DEVICE_OWNERS));
                    hasCallingOrSelfPermission(MANAGE_PROFILE_AND_DEVICE_OWNERS));
        }
        final int code = checkDeviceOwnerProvisioningPreConditionLocked(owner,
@@ -15924,7 +15925,7 @@ public class DevicePolicyManagerService extends IDevicePolicyManager.Stub {
    private boolean canWriteCredentialManagerPolicy(CallerIdentity caller) {
        return (isProfileOwner(caller) && isManagedProfile(caller.getUserId()))
                        || isDefaultDeviceOwner(caller)
                        || hasCallingOrSelfPermission(permission.MANAGE_PROFILE_AND_DEVICE_OWNERS);
                        || hasCallingOrSelfPermission(MANAGE_PROFILE_AND_DEVICE_OWNERS);
    }
    @Override
@@ -16427,7 +16428,7 @@ public class DevicePolicyManagerService extends IDevicePolicyManager.Stub {
        Objects.requireNonNull(packageName, "packageName is null");
        final CallerIdentity caller = getCallerIdentity();
        Preconditions.checkCallAuthorization(
                hasCallingOrSelfPermission(permission.MANAGE_PROFILE_AND_DEVICE_OWNERS));
                hasCallingOrSelfPermission(MANAGE_PROFILE_AND_DEVICE_OWNERS));
        long originalId = mInjector.binderClearCallingIdentity();
        try {
@@ -17160,7 +17161,7 @@ public class DevicePolicyManagerService extends IDevicePolicyManager.Stub {
        // Only adb or system apps with the right permission can mark a profile owner on
        // organization-owned device.
        if (!(isAdb(caller) || hasCallingPermission(permission.MARK_DEVICE_ORGANIZATION_OWNED)
                || hasCallingPermission(permission.MANAGE_PROFILE_AND_DEVICE_OWNERS))) {
                || hasCallingPermission(MANAGE_PROFILE_AND_DEVICE_OWNERS))) {
            throw new SecurityException(
                    "Only the system can mark a profile owner of organization-owned device.");
        }
@@ -17761,7 +17762,7 @@ public class DevicePolicyManagerService extends IDevicePolicyManager.Stub {
    @Override
    public void forceUpdateUserSetupComplete(@UserIdInt int userId) {
        Preconditions.checkCallAuthorization(
                hasCallingOrSelfPermission(permission.MANAGE_PROFILE_AND_DEVICE_OWNERS));
                hasCallingOrSelfPermission(MANAGE_PROFILE_AND_DEVICE_OWNERS));
        boolean isUserCompleted = mInjector.settingsSecureGetIntForUser(
                Settings.Secure.USER_SETUP_COMPLETE, 0, userId) != 0;
@@ -18699,7 +18700,7 @@ public class DevicePolicyManagerService extends IDevicePolicyManager.Stub {
    public List<String> getDisallowedSystemApps(ComponentName admin, int userId,
            String provisioningAction) throws RemoteException {
        Preconditions.checkCallAuthorization(
                hasCallingOrSelfPermission(permission.MANAGE_PROFILE_AND_DEVICE_OWNERS));
                hasCallingOrSelfPermission(MANAGE_PROFILE_AND_DEVICE_OWNERS));
        return new ArrayList<>(
                mOverlayPackagesProvider.getNonRequiredApps(admin, userId, provisioningAction));
@@ -19516,7 +19517,7 @@ public class DevicePolicyManagerService extends IDevicePolicyManager.Stub {
            return false;
        }
        Preconditions.checkCallAuthorization(canManageUsers(getCallerIdentity())
                || hasCallingOrSelfPermission(permission.MANAGE_PROFILE_AND_DEVICE_OWNERS));
                || hasCallingOrSelfPermission(MANAGE_PROFILE_AND_DEVICE_OWNERS));
        long id = mInjector.binderClearCallingIdentity();
        try {
@@ -19543,7 +19544,7 @@ public class DevicePolicyManagerService extends IDevicePolicyManager.Stub {
            return false;
        }
        Preconditions.checkCallAuthorization(canManageUsers(getCallerIdentity())
                || hasCallingOrSelfPermission(permission.MANAGE_PROFILE_AND_DEVICE_OWNERS));
                || hasCallingOrSelfPermission(MANAGE_PROFILE_AND_DEVICE_OWNERS));
        return mInjector.binderWithCleanCallingIdentity(() -> isUnattendedManagedKioskUnchecked());
    }
@@ -20523,7 +20524,7 @@ public class DevicePolicyManagerService extends IDevicePolicyManager.Stub {
    @Override
    public void clearOrganizationIdForUser(int userHandle) {
        Preconditions.checkCallAuthorization(
                hasCallingOrSelfPermission(permission.MANAGE_PROFILE_AND_DEVICE_OWNERS));
                hasCallingOrSelfPermission(MANAGE_PROFILE_AND_DEVICE_OWNERS));
        synchronized (getLockObject()) {
            final ActiveAdmin owner = getDeviceOrProfileOwnerAdminLocked(userHandle);
@@ -20545,7 +20546,7 @@ public class DevicePolicyManagerService extends IDevicePolicyManager.Stub {
        final CallerIdentity caller = getCallerIdentity(callerPackage);
        Preconditions.checkCallAuthorization(
                hasCallingOrSelfPermission(permission.MANAGE_PROFILE_AND_DEVICE_OWNERS));
                hasCallingOrSelfPermission(MANAGE_PROFILE_AND_DEVICE_OWNERS));
        provisioningParams.logParams(callerPackage);
@@ -20643,7 +20644,7 @@ public class DevicePolicyManagerService extends IDevicePolicyManager.Stub {
    public void finalizeWorkProfileProvisioning(UserHandle managedProfileUser,
            Account migratedAccount) {
        Preconditions.checkCallAuthorization(
                hasCallingOrSelfPermission(permission.MANAGE_PROFILE_AND_DEVICE_OWNERS));
                hasCallingOrSelfPermission(MANAGE_PROFILE_AND_DEVICE_OWNERS));
        if (!isManagedProfile(managedProfileUser.getIdentifier())) {
            throw new IllegalStateException("Given user is not a managed profile");
@@ -20745,15 +20746,65 @@ public class DevicePolicyManagerService extends IDevicePolicyManager.Stub {
    }
    private boolean isCallerDevicePolicyManagementRoleHolder(CallerIdentity caller) {
        return doesCallerHoldRole(caller, RoleManager.ROLE_DEVICE_POLICY_MANAGEMENT);
    }
    private boolean isCallerSystemSupervisionRoleHolder(CallerIdentity caller) {
        return doesCallerHoldRole(caller, RoleManager.ROLE_SYSTEM_SUPERVISION);
    }
    /**
     * Check if the caller is holding the given role on the calling user.
     *
     * @param caller the caller you wish to check
     * @param role the name of the role to check for.
     * @return {@code true} if the caller holds the role, {@code false} otherwise.
     */
    private boolean doesCallerHoldRole(CallerIdentity caller, String role) {
        int callerUid = caller.getUid();
        String devicePolicyManagementRoleHolderPackageName =
                getRoleHolderPackageName(mContext, RoleManager.ROLE_DEVICE_POLICY_MANAGEMENT);
        String roleHolderPackageName =
                getRoleHolderPackageNameOnUser(role, caller.getUserId());
        int roleHolderUid = mInjector.getPackageManagerInternal().getPackageUid(
                devicePolicyManagementRoleHolderPackageName, 0, caller.getUserId());
                roleHolderPackageName, 0, caller.getUserId());
        return callerUid == roleHolderUid;
    }
    /**
     * Return the package name of the role holder on the given user.
     *
     * <p>If the userId passed in is {@link UserHandle.USER_ALL} then every user will be checked and
     * the package name of the role holder on the first user where there is a role holder is
     * returned.
     *
     * @param role the name of the role to check for.
     * @param userId the userId to check for the role holder on.
     * @return the package name of the role holder
     */
    @Nullable
    private String getRoleHolderPackageNameOnUser(String role, int userId) {
        RoleManager roleManager = mContext.getSystemService(RoleManager.class);
        // Clear calling identity as the RoleManager APIs require privileged permissions.
        return mInjector.binderWithCleanCallingIdentity(() -> {
            List<UserInfo> users;
            // Interpret USER_ALL as meaning "any" user.
            if (userId == UserHandle.USER_ALL) {
                users = mInjector.getUserManagerInternal().getUsers(/*excludeDying=*/ true);
            } else {
                users = List.of(new UserInfo(userId, /*name=*/ null, /*flags=*/ 0));
            }
            for (UserInfo user : users) {
                List<String> roleHolders =
                        roleManager.getRoleHoldersAsUser(role, user.getUserHandle());
                if (!roleHolders.isEmpty()) {
                    return roleHolders.get(0);
                }
            }
            return null;
        });
    }
    private void resetInteractAcrossProfilesAppOps(@UserIdInt int userId) {
        mInjector.getCrossProfileApps(userId).clearInteractAcrossProfilesAppOps();
        pregrantDefaultInteractAcrossProfilesAppOps(userId);
@@ -20980,7 +21031,7 @@ public class DevicePolicyManagerService extends IDevicePolicyManager.Stub {
        final CallerIdentity caller = getCallerIdentity();
        Preconditions.checkCallAuthorization(
                hasCallingOrSelfPermission(permission.MANAGE_PROFILE_AND_DEVICE_OWNERS)
                hasCallingOrSelfPermission(MANAGE_PROFILE_AND_DEVICE_OWNERS)
                        || (hasCallingOrSelfPermission(permission.PROVISION_DEMO_DEVICE)
                        && provisioningParams.isDemoDevice()));
@@ -21168,7 +21219,7 @@ public class DevicePolicyManagerService extends IDevicePolicyManager.Stub {
    @Override
    public void resetDefaultCrossProfileIntentFilters(@UserIdInt int userId) {
        Preconditions.checkCallAuthorization(
                hasCallingOrSelfPermission(permission.MANAGE_PROFILE_AND_DEVICE_OWNERS));
                hasCallingOrSelfPermission(MANAGE_PROFILE_AND_DEVICE_OWNERS));
        mInjector.binderWithCleanCallingIdentity(() -> {
            try {
@@ -21307,7 +21358,7 @@ public class DevicePolicyManagerService extends IDevicePolicyManager.Stub {
    public void setDeviceOwnerType(@NonNull ComponentName admin,
            @DeviceOwnerType int deviceOwnerType) {
        Preconditions.checkCallAuthorization(hasCallingOrSelfPermission(
                permission.MANAGE_PROFILE_AND_DEVICE_OWNERS));
                MANAGE_PROFILE_AND_DEVICE_OWNERS));
        synchronized (getLockObject()) {
            setDeviceOwnerTypeLocked(admin, deviceOwnerType);
@@ -21695,7 +21746,7 @@ public class DevicePolicyManagerService extends IDevicePolicyManager.Stub {
    public boolean isDpcDownloaded() {
        Preconditions.checkCallAuthorization(hasCallingOrSelfPermission(
                android.Manifest.permission.MANAGE_PROFILE_AND_DEVICE_OWNERS));
                MANAGE_PROFILE_AND_DEVICE_OWNERS));
        ContentResolver cr = mContext.getContentResolver();
@@ -21707,7 +21758,7 @@ public class DevicePolicyManagerService extends IDevicePolicyManager.Stub {
    public void setDpcDownloaded(boolean downloaded) {
        Preconditions.checkCallAuthorization(hasCallingOrSelfPermission(
                android.Manifest.permission.MANAGE_PROFILE_AND_DEVICE_OWNERS));
                MANAGE_PROFILE_AND_DEVICE_OWNERS));
        int setTo = downloaded ? 1 : 0;
@@ -22000,7 +22051,7 @@ public class DevicePolicyManagerService extends IDevicePolicyManager.Stub {
    @Override
    public List<UserHandle> getPolicyManagedProfiles(@NonNull UserHandle user) {
        Preconditions.checkCallAuthorization(hasCallingOrSelfPermission(
                android.Manifest.permission.MANAGE_PROFILE_AND_DEVICE_OWNERS));
                MANAGE_PROFILE_AND_DEVICE_OWNERS));
        int userId = user.getIdentifier();
        return mInjector.binderWithCleanCallingIdentity(() -> {
            List<UserInfo> userProfiles = mUserManager.getProfiles(userId);
@@ -22662,7 +22713,7 @@ public class DevicePolicyManagerService extends IDevicePolicyManager.Stub {
    @Override
    public void setOverrideKeepProfilesRunning(boolean enabled) {
        Preconditions.checkCallAuthorization(
                hasCallingOrSelfPermission(permission.MANAGE_PROFILE_AND_DEVICE_OWNERS));
                hasCallingOrSelfPermission(MANAGE_PROFILE_AND_DEVICE_OWNERS));
        mKeepProfilesRunning = enabled;
        Slog.i(LOG_TAG, "Keep profiles running overridden to: " + enabled);
    }
@@ -22929,14 +22980,14 @@ public class DevicePolicyManagerService extends IDevicePolicyManager.Stub {
    @Override
    public DevicePolicyState getDevicePolicyState() {
        Preconditions.checkCallAuthorization(
                hasCallingOrSelfPermission(permission.MANAGE_PROFILE_AND_DEVICE_OWNERS));
                hasCallingOrSelfPermission(MANAGE_PROFILE_AND_DEVICE_OWNERS));
        return mInjector.binderWithCleanCallingIdentity(mDevicePolicyEngine::getDevicePolicyState);
    }
    @Override
    public boolean triggerDevicePolicyEngineMigration(boolean forceMigration) {
        Preconditions.checkCallAuthorization(
                hasCallingOrSelfPermission(permission.MANAGE_PROFILE_AND_DEVICE_OWNERS));
                hasCallingOrSelfPermission(MANAGE_PROFILE_AND_DEVICE_OWNERS));
        return mInjector.binderWithCleanCallingIdentity(() -> {
            boolean canForceMigration = forceMigration && !hasNonTestOnlyActiveAdmins();
            if (!canForceMigration && !shouldMigrateToDevicePolicyEngine()) {
@@ -23295,4 +23346,28 @@ public class DevicePolicyManagerService extends IDevicePolicyManager.Stub {
        // if the policy engine was ever used?
        return !mDevicePolicyEngine.hasActivePolicies();
    }
    @Override
    public boolean isDeviceFinanced(String callerPackageName) {
        CallerIdentity caller = getCallerIdentity(callerPackageName);
        Preconditions.checkCallAuthorization(isDeviceOwner(caller)
                || isProfileOwnerOfOrganizationOwnedDevice(caller)
                || isProfileOwnerOnUser0(caller)
                || isCallerDevicePolicyManagementRoleHolder(caller)
                || isCallerSystemSupervisionRoleHolder(caller));
        return getFinancedDeviceKioskRoleHolderOnAnyUser() != null;
    };
    @Override
    public String getFinancedDeviceKioskRoleHolder(String callerPackageName) {
        CallerIdentity caller = getCallerIdentity(callerPackageName);
        enforcePermission(MANAGE_PROFILE_AND_DEVICE_OWNERS, caller.getPackageName(),
                caller.getUserId());
        return getFinancedDeviceKioskRoleHolderOnAnyUser();
    }
    private String getFinancedDeviceKioskRoleHolderOnAnyUser() {
        return getRoleHolderPackageNameOnUser(
                RoleManager.ROLE_FINANCED_DEVICE_KIOSK, UserHandle.USER_ALL);
    }
}
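Review bot: In `doesCallerHoldRole`, the `@Nullable` result of `getRoleHolderPackageNameOnUser(role, caller.getUserId())` is passed straight into `getPackageUid(roleHolderPackageName, 0, caller.getUserId())`, and that helper returns null whenever no app holds the role. Whether `getPackageUid` tolerates a null package name is not visible on this page, and this comparison now backs the authorization check in `isDeviceFinanced`, so it should fail closed explicitly: add `if (roleHolderPackageName == null) { return false; }` before the UID lookup. The helper also compares only against `roleHolders.get(0)`; if a role can have more than one holder, a legitimate holder that is not first in the list would be rejected, so a comment stating that single-holder assumption would help. In the last hunk, `isDeviceFinanced(String)` closes with a stray `};`, and `getFinancedDeviceKioskRoleHolderOnAnyUser()` can return null but is not annotated `@Nullable`. The `checkCallAuthorization` call in `isDeviceFinanced` also carries no message, so the resulting `SecurityException` will not say which roles or owner types are accepted.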