
Commit c24d678c authored by TreeHugger Robot Committed by Android (Google) Code Review

Merge "Update profile owner of org-owned device global restrictions"

parents 7a17eebd 7c3d7e2a
+74 −34
@@ -192,7 +192,11 @@ public class UserManager {
    /**
     * Specifies if a user is disallowed from changing Wi-Fi
     * access points. The default value is <code>false</code>.
     * <p>This restriction has no effect in a managed profile.
     * <p>
     * Device owner and profile owner can set this restriction, although the restriction has no
     * effect in a managed profile. When it is set by the profile owner of an organization-owned
     * managed profile on the parent profile, it will disallow the personal user from changing
     * Wi-Fi access points.
     *
     * <p>Key for user restrictions.
     * <p>Type: Boolean
@@ -242,8 +246,13 @@ public class UserManager {
    /**
     * Specifies if a user is disallowed from turning on location sharing.
     * The default value is <code>false</code>.
     * <p>In a managed profile, location sharing always reflects the primary user's setting, but
     * <p>
     * In a managed profile, location sharing always reflects the primary user's setting, but
     * can be overridden and forced off by setting this restriction to true in the managed profile.
     * <p>
     * Device owner and profile owner can set this restriction. When it is set by the profile
     * owner of an organization-owned managed profile on the parent profile, it will prevent the
     * user from turning on location sharing in the personal profile.
     *
     * <p>Key for user restrictions.
     * <p>Type: Boolean
@@ -349,9 +358,14 @@ public class UserManager {
     * Specifies if a user is disallowed from configuring bluetooth.
     * This does <em>not</em> restrict the user from turning bluetooth on or off.
     * The default value is <code>false</code>.
     * <p>This restriction doesn't prevent the user from using bluetooth. For disallowing usage of
     * <p>
     * This restriction doesn't prevent the user from using bluetooth. For disallowing usage of
     * bluetooth completely on the device, use {@link #DISALLOW_BLUETOOTH}.
     * <p>This restriction has no effect in a managed profile.
     * <p>
     * Device owner and profile owner can set this restriction, although the restriction has no
     * effect in a managed profile. When it is set by the profile owner of an organization-owned
     * managed profile on the parent profile, it will disallow the personal user from configuring
     * bluetooth.
     *
     * <p>Key for user restrictions.
     * <p>Type: Boolean
@@ -364,8 +378,10 @@ public class UserManager {
    /**
     * Specifies if bluetooth is disallowed on the device.
     *
     * <p> This restriction can only be set by the device owner and the profile owner on the
     * primary user and it applies globally - i.e. it disables bluetooth on the entire device.
     * <p> This restriction can only be set by the device owner, the profile owner on the
     * primary user or the profile owner of an organization-owned managed profile on the
     * parent profile and it applies globally - i.e. it disables bluetooth on the entire
     * device.
     * <p>The default value is <code>false</code>.
     * <p>Key for user restrictions.
     * <p>Type: Boolean
@@ -377,8 +393,9 @@ public class UserManager {

    /**
     * Specifies if outgoing bluetooth sharing is disallowed on the device. Device owner and profile
     * owner can set this restriction. When it is set by device owner, all users on this device will
     * be affected.
     * owner can set this restriction. When it is set by device owner or the profile owner of an
     * organization-owned managed profile on the parent profile, all users on this device will be
     * affected.
     *
     * <p>Default is <code>true</code> for managed profiles and false for otherwise. When a device
     * upgrades to {@link android.os.Build.VERSION_CODES#O}, the system sets it for all existing
@@ -394,7 +411,8 @@ public class UserManager {

    /**
     * Specifies if a user is disallowed from transferring files over
     * USB. This can only be set by device owners and profile owners on the primary user.
     * USB. This can only be set by device owners, profile owners on the primary user or
     * profile owners of organization-owned managed profiles on the parent profile.
     * The default value is <code>false</code>.
     *
     * <p>Key for user restrictions.
@@ -453,8 +471,9 @@ public class UserManager {

    /**
     * Specifies if a user is disallowed from enabling or accessing debugging features. When set on
     * the primary user, disables debugging features altogether, including USB debugging. When set
     * on a managed profile or a secondary user, blocks debugging for that user only, including
     * the primary user or by the profile owner of an organization-owned managed profile on the
     * parent profile, disables debugging features altogether, including USB debugging. When set on
     * a managed profile or a secondary user, blocks debugging for that user only, including
     * starting activities, making service calls, accessing content providers, sending broadcasts,
     * installing/uninstalling packages, clearing user data, etc.
     * The default value is <code>false</code>.
@@ -485,18 +504,19 @@ public class UserManager {

    /**
     * Specifies if a user is disallowed from enabling or disabling location providers. As a
     * result, user is disallowed from turning on or off location. Device owner and profile owners
     * can set this restriction and it only applies on the managed user.
     *
     * <p>In a managed profile, location sharing is forced off when it's off on primary user, so
     * user can still turn off location sharing on managed profile when the restriction is set by
     * profile owner on managed profile.
     * result, user is disallowed from turning on or off location.
     *
     * <p>This user restriction is different from {@link #DISALLOW_SHARE_LOCATION},
     * <p>
     * In a managed profile, location sharing is forced off when it is turned off on the primary
     * user or by the profile owner of an organization-owned managed profile on the parent profile.
     * The user can still turn off location sharing on a managed profile when the restriction is
     * set by the profile owner on a managed profile.
     * <p>
     * This user restriction is different from {@link #DISALLOW_SHARE_LOCATION},
     * as the device owner or profile owner can still enable or disable location mode via
     * {@link DevicePolicyManager#setLocationEnabled} when this restriction is on.
     *
     * <p>The default value is <code>false</code>.
     * <p>
     * The default value is <code>false</code>.
     *
     * <p>Key for user restrictions.
     * <p>Type: Boolean
@@ -510,7 +530,8 @@ public class UserManager {
    /**
     * Specifies if date, time and timezone configuring is disallowed.
     *
     * <p>When restriction is set by device owners, it applies globally - i.e., it disables date,
     * <p>When restriction is set by device owners or profile owners of organization-owned
     * managed profiles on the parent profile, it applies globally - i.e., it disables date,
     * time and timezone setting on the entire device and all users will be affected. When it's set
     * by profile owners, it's only applied to the managed user.
     * <p>The default value is <code>false</code>.
@@ -526,8 +547,9 @@ public class UserManager {

    /**
     * Specifies if a user is disallowed from configuring Tethering
     * & portable hotspots. This can only be set by device owners and profile owners on the
     * primary user. The default value is <code>false</code>.
     * & portable hotspots. This can only be set by device owners, profile owners on the
     * primary user or profile owners of organization-owned managed profiles on the parent profile.
     * The default value is <code>false</code>.
     * <p>In Android 9.0 or higher, if tethering is enabled when this restriction is set,
     * tethering will be automatically turned off.
     *
@@ -571,8 +593,8 @@ public class UserManager {

    /**
     * Specifies if a user is disallowed from adding new users. This can only be set by device
     * owners and profile owners on the primary user.
     * The default value is <code>false</code>.
     * owners, profile owners on the primary user or profile owners of organization-owned managed
     * profiles on the parent profile. The default value is <code>false</code>.
     * <p>This restriction has no effect on secondary users and managed profiles since only the
     * primary user can add other users.
     *
@@ -621,7 +643,8 @@ public class UserManager {

    /**
     * Specifies if a user is disallowed from configuring cell
     * broadcasts. This can only be set by device owners and profile owners on the primary user.
     * broadcasts. This can only be set by device owners, profile owners on the primary user or
     * profile owners of organization-owned managed profiles on the parent profile.
     * The default value is <code>false</code>.
     * <p>This restriction has no effect on secondary users and managed profiles since only the
     * primary user can configure cell broadcasts.
@@ -636,7 +659,8 @@ public class UserManager {

    /**
     * Specifies if a user is disallowed from configuring mobile
     * networks. This can only be set by device owners and profile owners on the primary user.
     * networks. This can only be set by device owners, profile owners on the primary user or
     * profile owners of organization-owned managed profiles on the parent profile.
     * The default value is <code>false</code>.
     * <p>This restriction has no effect on secondary users and managed profiles since only the
     * primary user can configure mobile networks.
@@ -739,6 +763,10 @@ public class UserManager {
    /**
     * Specifies that the user is not allowed to send or receive
     * SMS messages. The default value is <code>false</code>.
     * <p>
     * Device owner and profile owner can set this restriction. When it is set by the
     * profile owner of an organization-owned managed profile on the parent profile,
     * it will disable SMS in the personal profile.
     *
     * <p>Key for user restrictions.
     * <p>Type: Boolean
@@ -857,7 +885,8 @@ public class UserManager {

    /**
     * Specifies if the user is not allowed to reboot the device into safe boot mode.
     * This can only be set by device owners and profile owners on the primary user.
     * This can only be set by device owners, profile owners on the primary user or profile
     * owners of organization-owned managed profiles on the parent profile.
     * The default value is <code>false</code>.
     *
     * <p>Key for user restrictions.
@@ -896,6 +925,12 @@ public class UserManager {

    /**
     * Specifies if a user is not allowed to use the camera.
     * <p>
     * Device owner and profile owner can set this restriction. When the restriction is set by
     * the device owner or the profile owner of an organization-owned managed profile on the
     * parent profile, it is applied globally.
     * <p>
     * The default value is <code>false</code>.
     *
     * @see DevicePolicyManager#addUserRestriction(ComponentName, String)
     * @see DevicePolicyManager#clearUserRestriction(ComponentName, String)
@@ -916,7 +951,8 @@ public class UserManager {

    /**
     * Specifies if a user is not allowed to use cellular data when roaming. This can only be set by
     * device owners. The default value is <code>false</code>.
     * device owners or profile owners of organization-owned managed profiles on the parent profile.
     * The default value is <code>false</code>.
     *
     * @see DevicePolicyManager#addUserRestriction(ComponentName, String)
     * @see DevicePolicyManager#clearUserRestriction(ComponentName, String)
@@ -1011,8 +1047,9 @@ public class UserManager {
     * Specifies if the contents of a user's screen is not allowed to be captured for artificial
     * intelligence purposes.
     *
     * <p>Device owner and profile owner can set this restriction. When it is set by device owner,
     * only the target user will be affected.
     * <p>Device owner and profile owner can set this restriction. When it is set by the
     * device owner or the profile owner of an organization-owned managed profile on the parent
     * profile, only the target user will be affected.
     *
     * <p>The default value is <code>false</code>.
     *
@@ -1026,8 +1063,9 @@ public class UserManager {
     * Specifies if the current user is able to receive content suggestions for selections based on
     * the contents of their screen.
     *
     * <p>Device owner and profile owner can set this restriction. When it is set by device owner,
     * only the target user will be affected.
     * <p>Device owner and profile owner can set this restriction. When it is set by the
     * device owner or the profile owner of an organization-owned managed profile on the parent
     * profile, only the target user will be affected.
     *
     * <p>The default value is <code>false</code>.
     *
@@ -1093,7 +1131,9 @@ public class UserManager {
     *
     * <p>The default value is <code>false</code>.
     *
     * <p>This user restriction can only be applied by the Device Owner.
     * <p>This user restriction can only be applied by the device owner or the profile owner
     * of an organization-owned managed profile on the parent profile.
     *
     * <p>Key for user restrictions.
     * <p>Type: Boolean
     * @see DevicePolicyManager#addUserRestriction(ComponentName, String)
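Review bot: The rewritten Javadoc for the location-provider restriction (the hunk at -485/+504, the one that links to DISALLOW_SHARE_LOCATION) no longer says who may set it. The old sentence "Device owner and profile owners can set this restriction and it only applies on the managed user" appears to be dropped without a replacement, while the other restrictions touched in this file state the permitted setters and the scope. Because this commit also adds DISALLOW_CONFIG_LOCATION to the organization-owned global set, I would restore the statement in the form used elsewhere in the file, e.g. `Device owner and profile owner can set this restriction. When it is set by the profile owner of an organization-owned managed profile on the parent profile, it applies to the personal profile.`, with the scope wording checked against what the enforcement code does. The constants these comments document lie outside the hunks, so the constant name is inferred from the comment text.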
+21 −3
@@ -199,13 +199,31 @@ public class UserRestrictionsUtils {
    );

    /**
     * Special user restrictions that are applied globally when set by the profile owner of a
     * managed profile that was created during the device provisioning flow.
     * Special user restrictions that profile owner of an organization-owned managed profile can
     * set on the parent profile instance to apply them globally.
     */
    private static final Set<String> PROFILE_OWNER_ORGANIZATION_OWNED_GLOBAL_RESTRICTIONS =
            Sets.newArraySet(
                    UserManager.DISALLOW_CONFIG_DATE_TIME,
                    UserManager.DISALLOW_CAMERA
                    UserManager.DISALLOW_CAMERA,
                    UserManager.DISALLOW_ADD_USER,
                    UserManager.DISALLOW_BLUETOOTH,
                    UserManager.DISALLOW_BLUETOOTH_SHARING,
                    UserManager.DISALLOW_CONFIG_BLUETOOTH,
                    UserManager.DISALLOW_CONFIG_CELL_BROADCASTS,
                    UserManager.DISALLOW_CONFIG_LOCATION,
                    UserManager.DISALLOW_CONFIG_MOBILE_NETWORKS,
                    UserManager.DISALLOW_CONFIG_PRIVATE_DNS,
                    UserManager.DISALLOW_CONFIG_TETHERING,
                    UserManager.DISALLOW_CONFIG_WIFI,
                    UserManager.DISALLOW_CONTENT_CAPTURE,
                    UserManager.DISALLOW_CONTENT_SUGGESTIONS,
                    UserManager.DISALLOW_DATA_ROAMING,
                    UserManager.DISALLOW_DEBUGGING_FEATURES,
                    UserManager.DISALLOW_SAFE_BOOT,
                    UserManager.DISALLOW_SHARE_LOCATION,
                    UserManager.DISALLOW_SMS,
                    UserManager.DISALLOW_USB_FILE_TRANSFER
    );

    /**
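Review bot: The new Javadoc on PROFILE_OWNER_ORGANIZATION_OWNED_GLOBAL_RESTRICTIONS says the entries are applied "globally", but the UserManager documentation changed in this same commit describes a narrower effect for several of the added entries. The screen-capture and content-suggestion restrictions say "only the target user will be affected", the SMS restriction says it will "disable SMS in the personal profile", and the Wi-Fi one says it will "disallow the personal user". Anyone auditing how far an organization's profile owner reaches into the personal side of the device gets a different answer depending on which comment they read. I would reword the set's comment to describe what membership grants, e.g. `Special user restrictions that the profile owner of an organization-owned managed profile can set on the parent profile instance; they are then enforced outside the managed profile.`, or align the UserManager text if the effect really is device-wide. The current sentence is also missing an article ("that the profile owner of").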
+40 −9
@@ -1968,6 +1968,29 @@ public class DevicePolicyManagerTest extends DpmTestBase {
        // TODO Make sure restrictions are written to the file.
    }

    private static final Set<String> PROFILE_OWNER_ORGANIZATION_OWNED_GLOBAL_RESTRICTIONS =
            Sets.newSet(
                    UserManager.DISALLOW_CONFIG_DATE_TIME,
                    UserManager.DISALLOW_ADD_USER,
                    UserManager.DISALLOW_BLUETOOTH,
                    UserManager.DISALLOW_BLUETOOTH_SHARING,
                    UserManager.DISALLOW_CONFIG_BLUETOOTH,
                    UserManager.DISALLOW_CONFIG_CELL_BROADCASTS,
                    UserManager.DISALLOW_CONFIG_LOCATION,
                    UserManager.DISALLOW_CONFIG_MOBILE_NETWORKS,
                    UserManager.DISALLOW_CONFIG_PRIVATE_DNS,
                    UserManager.DISALLOW_CONFIG_TETHERING,
                    UserManager.DISALLOW_CONFIG_WIFI,
                    UserManager.DISALLOW_CONTENT_CAPTURE,
                    UserManager.DISALLOW_CONTENT_SUGGESTIONS,
                    UserManager.DISALLOW_DATA_ROAMING,
                    UserManager.DISALLOW_DEBUGGING_FEATURES,
                    UserManager.DISALLOW_SAFE_BOOT,
                    UserManager.DISALLOW_SHARE_LOCATION,
                    UserManager.DISALLOW_SMS,
                    UserManager.DISALLOW_USB_FILE_TRANSFER
            );

    public void testSetUserRestriction_asPoOfOrgOwnedDevice() throws Exception {
        final int MANAGED_PROFILE_USER_ID = DpmMockContext.CALLER_USER_HANDLE;
        final int MANAGED_PROFILE_ADMIN_UID =
@@ -1980,15 +2003,9 @@ public class DevicePolicyManagerTest extends DpmTestBase {
        when(getServices().userManager.getProfileParent(MANAGED_PROFILE_USER_ID))
                .thenReturn(new UserInfo(UserHandle.USER_SYSTEM, "user system", 0));

        parentDpm.addUserRestriction(admin1, UserManager.DISALLOW_CONFIG_DATE_TIME);
        verify(getServices().userManagerInternal).setDevicePolicyUserRestrictions(
                eq(MANAGED_PROFILE_USER_ID),
                MockUtils.checkUserRestrictions(UserManager.DISALLOW_CONFIG_DATE_TIME),
                eq(UserManagerInternal.OWNER_TYPE_PROFILE_OWNER_OF_ORGANIZATION_OWNED_DEVICE));
        reset(getServices().userManagerInternal);

        parentDpm.clearUserRestriction(admin1, UserManager.DISALLOW_CONFIG_DATE_TIME);
        reset(getServices().userManagerInternal);
        for (String restriction : PROFILE_OWNER_ORGANIZATION_OWNED_GLOBAL_RESTRICTIONS) {
            addAndRemoveUserRestrictionOnParentDpm(restriction);
        }

        parentDpm.setCameraDisabled(admin1, true);
        verify(getServices().userManagerInternal).setDevicePolicyUserRestrictions(
@@ -2005,6 +2022,20 @@ public class DevicePolicyManagerTest extends DpmTestBase {
        reset(getServices().userManagerInternal);
    }

    private void addAndRemoveUserRestrictionOnParentDpm(String restriction) {
        parentDpm.addUserRestriction(admin1, restriction);
        verify(getServices().userManagerInternal).setDevicePolicyUserRestrictions(
                eq(DpmMockContext.CALLER_USER_HANDLE),
                MockUtils.checkUserRestrictions(restriction),
                eq(UserManagerInternal.OWNER_TYPE_PROFILE_OWNER_OF_ORGANIZATION_OWNED_DEVICE));
        parentDpm.clearUserRestriction(admin1, restriction);
        DpmTestUtils.assertRestrictions(
                DpmTestUtils.newRestrictions(),
                parentDpm.getUserRestrictions(admin1)
        );
        reset(getServices().userManagerInternal);
    }

    public void testNoDefaultEnabledUserRestrictions() throws Exception {
        mContext.callerPermissions.add(permission.MANAGE_DEVICE_ADMINS);
        mContext.callerPermissions.add(permission.MANAGE_USERS);
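Review bot: The test keeps its own hand-copied PROFILE_OWNER_ORGANIZATION_OWNED_GLOBAL_RESTRICTIONS list rather than deriving it from UserRestrictionsUtils, so the two can drift: a restriction added to the production set later would not be exercised here, and the copy already differs by omitting DISALLOW_CAMERA (which is driven separately through setCameraDisabled further down). Since the production set is private, a comment on the test constant such as `// Keep in sync with UserRestrictionsUtils.PROFILE_OWNER_ORGANIZATION_OWNED_GLOBAL_RESTRICTIONS; DISALLOW_CAMERA is covered via setCameraDisabled below.` would make the relationship explicit. The visible hunks also exercise only restrictions that are on the list; a case asserting that a restriction outside the list is not applied with the organization-owned owner type when set on parentDpm would pin the boundary, though one may exist elsewhere in the file. testSetUserRestriction_asPoOfOrgOwnedDevice and testNoDefaultEnabledUserRestrictions both continue outside the hunks shown.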