core/java/android/app/admin/DevicePolicyManager.java +1 −1
@@ -8606,7 +8606,7 @@ public class DevicePolicyManager { * <p> * This method may be called on the {@code DevicePolicyManager} instance returned from * {@link #getParentProfileInstance(ComponentName)}. Note that only a profile owner on * an organization-deviced can affect account types on the parent profile instance. * an organization-owned device can affect account types on the parent profile instance. * * @return a list of account types for which account management has been disabled. *
services/devicepolicy/java/com/android/server/devicepolicy/DevicePolicyManagerService.java +6 −14
@@ -2702,10 +2702,8 @@ public class DevicePolicyManagerService extends BaseIDevicePolicyManager { Slog.i(LOG_TAG, "Clearing the DO..."); final ComponentName doAdminReceiver = doAdmin.info.getComponent(); clearDeviceOwnerLocked(doAdmin, doUserId); // TODO(b/143516163): If we have a power cut here, we might leave active admin. Consider if // it is worth the complexity to make it more robust. Slog.i(LOG_TAG, "Removing admin artifacts..."); // TODO(b/143516163): Clean up application restrictions in UserManager. // TODO(b/149075700): Clean up application restrictions in UserManager. removeAdminArtifacts(doAdminReceiver, doUserId); Slog.i(LOG_TAG, "Migration complete.");
@@ -2747,18 +2745,12 @@ public class DevicePolicyManagerService extends BaseIDevicePolicyManager { // The following policies weren't available to PO, but will be available after migration. parentAdmin.disableCamera = doAdmin.disableCamera; parentAdmin.requireAutoTime = doAdmin.requireAutoTime; // TODO(b/143516163): Uncomment once corresponding APIs are available via parent instance. // parentAdmin.disableScreenCapture = doAdmin.disableScreenCapture; // parentAdmin.accountTypesWithManagementDisabled.addAll( // doAdmin.accountTypesWithManagementDisabled); parentAdmin.disableScreenCapture = doAdmin.disableScreenCapture; parentAdmin.accountTypesWithManagementDisabled.addAll( doAdmin.accountTypesWithManagementDisabled); moveDoUserRestrictionsToCopeParent(doAdmin, parentAdmin); // TODO(b/143516163): migrate network and security logging state, currently they are // turned off when DO is removed. } private void moveDoUserRestrictionsToCopeParent(ActiveAdmin doAdmin, ActiveAdmin parentAdmin) {
@@ -2778,7 +2770,7 @@ public class DevicePolicyManagerService extends BaseIDevicePolicyManager { * a managed profile. */ @GuardedBy("getLockObject()") void applyManagedProfileRestrictionIfDeviceOwnerLocked() { private void applyManagedProfileRestrictionIfDeviceOwnerLocked() { final int doUserId = mOwners.getDeviceOwnerUserId(); if (doUserId == UserHandle.USER_NULL) { logIfVerbose("No DO found, skipping application of restriction.");
@@ -4002,11 +3994,11 @@ public class DevicePolicyManagerService extends BaseIDevicePolicyManager { mOwners.systemReady(); break; case SystemService.PHASE_ACTIVITY_MANAGER_READY: maybeStartSecurityLogMonitorOnActivityManagerReady(); synchronized (getLockObject()) { migrateToProfileOnOrganizationOwnedDeviceIfCompLocked(); applyManagedProfileRestrictionIfDeviceOwnerLocked(); } maybeStartSecurityLogMonitorOnActivityManagerReady(); final int userId = getManagedUserId(UserHandle.USER_SYSTEM); if (userId >= 0) { updatePersonalAppSuspension(userId, false /* running */);
services/tests/servicestests/res/raw/comp_policies_primary.xml +4 −0
@@ -5,5 +5,9 @@ <password-history-length value="33" /> <require_auto_time value="true" /> <user-restrictions no_bluetooth="true" /> <disable-screen-capture value="true" /> <disable-account-management> <account-type value="com.google-primary" /> </disable-account-management> </admin> </policies>
services/tests/servicestests/res/raw/comp_policies_profile_same_package.xml +3 −0
@@ -2,5 +2,8 @@ <policies setup-complete="true" provisioning-state="3"> <admin name="com.android.frameworks.servicestests/com.android.server.devicepolicy.DummyDeviceAdmins$Admin1"> <policies flags="991"/> <disable-account-management> <account-type value="com.google-profile" /> </disable-account-management> </admin> </policies>
services/tests/servicestests/src/com/android/server/devicepolicy/DevicePolicyManagerServiceMigrationTest.java +10 −1
@@ -19,6 +19,7 @@ import static android.os.UserHandle.USER_SYSTEM; import static com.android.server.devicepolicy.DpmTestUtils.writeInputStreamToFile; import static org.junit.Assert.assertArrayEquals; import static org.mockito.Matchers.any; import static org.mockito.Matchers.anyInt; import static org.mockito.Matchers.eq;
@@ -378,6 +379,15 @@ public class DevicePolicyManagerServiceMigrationTest extends DpmTestBase { 33, dpm.getParentProfileInstance(admin1).getPasswordHistoryLength(admin1)); assertEquals("Password history policy was put into non-parent PO instance", 0, dpm.getPasswordHistoryLength(admin1)); assertTrue("Screen capture restriction wasn't migrated to PO parent instance", dpm.getParentProfileInstance(admin1).getScreenCaptureDisabled(admin1)); assertArrayEquals("Accounts with management disabled weren't migrated to PO parent", new String[] {"com.google-primary"}, dpm.getParentProfileInstance(admin1).getAccountTypesWithManagementDisabled()); assertArrayEquals("Accounts with management disabled for profile were lost", new String[] {"com.google-profile"}, dpm.getAccountTypesWithManagementDisabled()); assertTrue("User restriction wasn't migrated to PO parent instance", dpm.getParentProfileInstance(admin1).getUserRestrictions(admin1)
@@ -394,7 +404,6 @@ public class DevicePolicyManagerServiceMigrationTest extends DpmTestBase { dpms.getProfileOwnerAdminLocked(COPE_PROFILE_USER_ID) .getEffectiveRestrictions() .containsKey(UserManager.DISALLOW_CONFIG_DATE_TIME)); // TODO(b/143516163): verify more policies. }); }
core/java/android/app/admin/DevicePolicyManager.java +1 −1
@@ -8606,7 +8606,7 @@ public class DevicePolicyManager { * <p> * This method may be called on the {@code DevicePolicyManager} instance returned from * {@link #getParentProfileInstance(ComponentName)}. Note that only a profile owner on * an organization-deviced can affect account types on the parent profile instance. * an organization-owned device can affect account types on the parent profile instance. * * @return a list of account types for which account management has been disabled. *
services/devicepolicy/java/com/android/server/devicepolicy/DevicePolicyManagerService.java +6 −14
@@ -2702,10 +2702,8 @@ public class DevicePolicyManagerService extends BaseIDevicePolicyManager { Slog.i(LOG_TAG, "Clearing the DO..."); final ComponentName doAdminReceiver = doAdmin.info.getComponent(); clearDeviceOwnerLocked(doAdmin, doUserId); // TODO(b/143516163): If we have a power cut here, we might leave active admin. Consider if // it is worth the complexity to make it more robust. Slog.i(LOG_TAG, "Removing admin artifacts..."); // TODO(b/143516163): Clean up application restrictions in UserManager. // TODO(b/149075700): Clean up application restrictions in UserManager. removeAdminArtifacts(doAdminReceiver, doUserId); Slog.i(LOG_TAG, "Migration complete.");
@@ -2747,18 +2745,12 @@ public class DevicePolicyManagerService extends BaseIDevicePolicyManager { // The following policies weren't available to PO, but will be available after migration. parentAdmin.disableCamera = doAdmin.disableCamera; parentAdmin.requireAutoTime = doAdmin.requireAutoTime; // TODO(b/143516163): Uncomment once corresponding APIs are available via parent instance. // parentAdmin.disableScreenCapture = doAdmin.disableScreenCapture; // parentAdmin.accountTypesWithManagementDisabled.addAll( // doAdmin.accountTypesWithManagementDisabled); parentAdmin.disableScreenCapture = doAdmin.disableScreenCapture; parentAdmin.accountTypesWithManagementDisabled.addAll( doAdmin.accountTypesWithManagementDisabled); moveDoUserRestrictionsToCopeParent(doAdmin, parentAdmin); // TODO(b/143516163): migrate network and security logging state, currently they are // turned off when DO is removed. } private void moveDoUserRestrictionsToCopeParent(ActiveAdmin doAdmin, ActiveAdmin parentAdmin) {
@@ -2778,7 +2770,7 @@ public class DevicePolicyManagerService extends BaseIDevicePolicyManager { * a managed profile. */ @GuardedBy("getLockObject()") void applyManagedProfileRestrictionIfDeviceOwnerLocked() { private void applyManagedProfileRestrictionIfDeviceOwnerLocked() { final int doUserId = mOwners.getDeviceOwnerUserId(); if (doUserId == UserHandle.USER_NULL) { logIfVerbose("No DO found, skipping application of restriction.");
@@ -4002,11 +3994,11 @@ public class DevicePolicyManagerService extends BaseIDevicePolicyManager { mOwners.systemReady(); break; case SystemService.PHASE_ACTIVITY_MANAGER_READY: maybeStartSecurityLogMonitorOnActivityManagerReady(); synchronized (getLockObject()) { migrateToProfileOnOrganizationOwnedDeviceIfCompLocked(); applyManagedProfileRestrictionIfDeviceOwnerLocked(); } maybeStartSecurityLogMonitorOnActivityManagerReady(); final int userId = getManagedUserId(UserHandle.USER_SYSTEM); if (userId >= 0) { updatePersonalAppSuspension(userId, false /* running */);
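Review bot: Security and network logging state still appears to be lost on migration: the `@@ -2747` hunk no longer shows `// TODO(b/143516163): migrate network and security logging state, currently they are turned off when DO is removed.` as a surviving line, yet none of the visible hunks copies that state to the profile owner. In the `PHASE_ACTIVITY_MANAGER_READY` hunk `maybeStartSecurityLogMonitorOnActivityManagerReady()` is printed both before and after the synchronized migration block; if the later position is the new one (the page has lost its +/- markers), the monitor start is evaluated against the post-migration owner state, so a migrated device would presumably come up with audit logging off. Either carry the logging state across in the migration or keep the limitation written down next to the policy copy, for example `// Network and security logging are not migrated; both are turned off when the DO is removed.` together with its tracking bug. The enclosing methods start and end outside the hunks shown.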
services/tests/servicestests/res/raw/comp_policies_primary.xml +4 −0
@@ -5,5 +5,9 @@ <password-history-length value="33" /> <require_auto_time value="true" /> <user-restrictions no_bluetooth="true" /> <disable-screen-capture value="true" /> <disable-account-management> <account-type value="com.google-primary" /> </disable-account-management> </admin> </policies>
services/tests/servicestests/res/raw/comp_policies_profile_same_package.xml +3 −0
@@ -2,5 +2,8 @@ <policies setup-complete="true" provisioning-state="3"> <admin name="com.android.frameworks.servicestests/com.android.server.devicepolicy.DummyDeviceAdmins$Admin1"> <policies flags="991"/> <disable-account-management> <account-type value="com.google-profile" /> </disable-account-management> </admin> </policies>
services/tests/servicestests/src/com/android/server/devicepolicy/DevicePolicyManagerServiceMigrationTest.java +10 −1
@@ -19,6 +19,7 @@ import static android.os.UserHandle.USER_SYSTEM; import static com.android.server.devicepolicy.DpmTestUtils.writeInputStreamToFile; import static org.junit.Assert.assertArrayEquals; import static org.mockito.Matchers.any; import static org.mockito.Matchers.anyInt; import static org.mockito.Matchers.eq;
@@ -378,6 +379,15 @@ public class DevicePolicyManagerServiceMigrationTest extends DpmTestBase { 33, dpm.getParentProfileInstance(admin1).getPasswordHistoryLength(admin1)); assertEquals("Password history policy was put into non-parent PO instance", 0, dpm.getPasswordHistoryLength(admin1)); assertTrue("Screen capture restriction wasn't migrated to PO parent instance", dpm.getParentProfileInstance(admin1).getScreenCaptureDisabled(admin1)); assertArrayEquals("Accounts with management disabled weren't migrated to PO parent", new String[] {"com.google-primary"}, dpm.getParentProfileInstance(admin1).getAccountTypesWithManagementDisabled()); assertArrayEquals("Accounts with management disabled for profile were lost", new String[] {"com.google-profile"}, dpm.getAccountTypesWithManagementDisabled()); assertTrue("User restriction wasn't migrated to PO parent instance", dpm.getParentProfileInstance(admin1).getUserRestrictions(admin1)
@@ -394,7 +404,6 @@ public class DevicePolicyManagerServiceMigrationTest extends DpmTestBase { dpms.getProfileOwnerAdminLocked(COPE_PROFILE_USER_ID) .getEffectiveRestrictions() .containsKey(UserManager.DISALLOW_CONFIG_DATE_TIME)); // TODO(b/143516163): verify more policies. }); }
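Review bot: The screen-capture assertion in the `@@ -378` hunk checks only the parent instance, so a migration that also set the flag on the profile's own admin would still pass. The password-history check just above it pairs the parent assertion with one on `dpm.getPasswordHistoryLength(admin1)`, and the same pairing fits here: `assertFalse("Screen capture restriction was put into non-parent PO instance", dpm.getScreenCaptureDisabled(admin1));` (assuming `assertFalse` is in scope the way `assertTrue` is, and that the profile fixture leaves the flag unset, as its visible lines suggest). Nothing visible asserts the security or network logging state after migration, so with `// TODO(b/143516163): verify more policies.` gone from the `@@ -394` hunk a short comment naming the policies the test leaves unverified would keep that gap visible. The test method starts outside the hunks.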