## 3.9\. Device Administration

Android includes features that allow security-aware applications to perform
device administration functions at the system level, such as enforcing password
policies or performing remote wipe, through the
[Android Device Administration API](http://developer.android.com/guide/topics/admin/device-admin.html).

If device implementations implement the full range of
[device administration](http://developer.android.com/guide/topics/admin/device-admin.html)
policies defined in the Android SDK documentation, they:

* [C-1-1] MUST declare `android.software.device_admin`.
* [C-1-2] MUST support device owner provisioning as described in
  [section 3.9.1](#3_9_1_device_provisioning) and
  [section 3.9.1.1](#3_9_1_1_device_owner_provisioning).

### 3.9.1 Device Provisioning

#### 3.9.1.1 Device owner provisioning

If device implementations declare `android.software.device_admin`, they:

* [C-1-1] MUST support enrolling a Device Policy Client (DPC) as a
  [Device Owner app](http://developer.android.com/reference/android/app/admin/DevicePolicyManager.html#isDeviceOwnerApp%28java.lang.String%29)
  as described below:
  * When the device implementation has no user data configured yet, it:
    * [C-1-3] MUST report `true` for [`DevicePolicyManager.isProvisioningAllowed(ACTION_PROVISION_MANAGED_DEVICE)`](https://developer.android.com/reference/android/app/admin/DevicePolicyManager.html\#isProvisioningAllowed\(java.lang.String\)).
    * [C-1-4] MUST enroll the DPC application as the Device Owner app in
      response to the intent action [`android.app.action.PROVISION_MANAGED_DEVICE`](http://developer.android.com/reference/android/app/admin/DevicePolicyManager.html#ACTION_PROVISION_MANAGED_DEVICE).
    * [C-1-5] MUST enroll the DPC application as the Device Owner app if the
      device declares Near-Field Communications (NFC) support via the feature
      flag `android.hardware.nfc` and receives an NFC message containing a
      record with MIME type [`MIME_TYPE_PROVISIONING_NFC`](https://developer.android.com/reference/android/app/admin/DevicePolicyManager.html#MIME_TYPE_PROVISIONING_NFC).
  * When the device implementation has user data, it:
    * [C-1-6] MUST report `false` for the [`DevicePolicyManager.isProvisioningAllowed(ACTION_PROVISION_MANAGED_DEVICE)`](https://developer.android.com/reference/android/app/admin/DevicePolicyManager.html\#isProvisioningAllowed\(java.lang.String\)).
    * [C-1-7] MUST NOT enroll any DPC application as the Device Owner App
      any more.
* [C-1-2] MUST require some affirmative action before or during the
  provisioning process to consent to the app being set as Device Owner.
  Consent can be via user action or by some programmatic means but appropriate
  disclosure notice (as referenced in AOSP) MUST be shown before device owner
  provisioning is initiated. Also, the programmatic device owner consent
  mechanism used (by enterprises) for device owner provisioning MUST NOT
  interfere with the Out-Of-Box Experience for non-enterprise use.
* [C-1-3] MUST NOT hard code the consent or prevent the use of other device
  owner apps.
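
One way a DPC or compliance test could check the [C-1-3] / [C-1-6] provisioning gate on a device, as an added example that is not part of this document or of AOSP. The class name `DeviceOwnerProvisioningAudit` and the `deviceHasUserData` parameter are assumptions: the caller must supply whether the device already holds user data.

```java
import android.app.admin.DevicePolicyManager;
import android.content.Context;
import android.content.pm.PackageManager;
import java.util.ArrayList;
import java.util.List;

/** Added example: hypothetical audit helper for the section 3.9.1.1 provisioning gate. */
public final class DeviceOwnerProvisioningAudit {

    private DeviceOwnerProvisioningAudit() {}

    /**
     * @param deviceHasUserData assumption: supplied by the caller (for example,
     *        false right after a factory reset, true once setup has completed).
     * @return one finding per requirement the device appears to violate.
     */
    public static List<String> audit(Context ctx, boolean deviceHasUserData) {
        List<String> findings = new ArrayList<>();
        PackageManager pm = ctx.getPackageManager();

        // The 3.9.1.1 requirements only apply when the feature is declared.
        if (!pm.hasSystemFeature(PackageManager.FEATURE_DEVICE_ADMIN)) {
            return findings;
        }

        DevicePolicyManager dpm = ctx.getSystemService(DevicePolicyManager.class);
        if (dpm == null) {
            findings.add("device_admin declared but DevicePolicyManager is unavailable");
            return findings;
        }

        boolean allowed = dpm.isProvisioningAllowed(
                DevicePolicyManager.ACTION_PROVISION_MANAGED_DEVICE);

        if (!deviceHasUserData && !allowed) {
            findings.add("[C-1-3] no user data, but isProvisioningAllowed returned false");
        }
        if (deviceHasUserData && allowed) {
            // Device Owner enrollment must stay closed once the device holds user data.
            findings.add("[C-1-6] user data present, but isProvisioningAllowed returned true");
        }
        return findings;
    }
}
```

An empty list means no deviation was observed for the state the caller described; it does not cover the consent requirements, which need a UI review.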

If device implementations declare `android.software.device_admin`, but also
include a proprietary Device Owner management solution and provide a mechanism
to promote an application configured in their solution as a "Device Owner
equivalent" to the standard "Device Owner" as recognized by the standard Android
[DevicePolicyManager](http://developer.android.com/reference/android/app/admin/DevicePolicyManager.html)
APIs, they:

* [C-2-1] MUST have a process in place to verify that the specific app
  being promoted belongs to a legitimate enterprise device management
  solution and that it has already been configured in the proprietary solution
  to have rights equivalent to those of a "Device Owner".
* [C-2-2] MUST show the same AOSP Device Owner consent disclosure as the
  flow initiated by [`android.app.action.PROVISION_MANAGED_DEVICE`](http://developer.android.com/reference/android/app/admin/DevicePolicyManager.html#ACTION_PROVISION_MANAGED_DEVICE)
  prior to enrolling the DPC application as "Device Owner".
* MAY have user data on the device prior to enrolling the DPC application
  as "Device Owner".

#### 3.9.1.2 Managed profile provisioning

If device implementations declare `android.software.managed_users`, they:

* [C-1-1] MUST implement the [APIs](http://developer.android.com/reference/android/app/admin/DevicePolicyManager.html#ACTION_PROVISION_MANAGED_PROFILE)
  allowing a Device Policy Controller (DPC) application to become the
  [owner of a new Managed Profile](http://developer.android.com/reference/android/app/admin/DevicePolicyManager.html#isProfileOwnerApp%28java.lang.String%29).

* [C-1-2] The managed profile provisioning process (the flow initiated by
  [android.app.action.PROVISION_MANAGED_PROFILE](http://developer.android.com/reference/android/app/admin/DevicePolicyManager.html#ACTION_PROVISION_MANAGED_PROFILE))
  user experience MUST align with the AOSP implementation.

* [C-1-3] MUST provide the following user affordances within the Settings to
  indicate to the user when a particular system function has been disabled by
  the Device Policy Controller (DPC):
  * A consistent icon or other user affordance (for example the upstream
    AOSP info icon) to represent when a particular setting is restricted by
    a Device Admin.
  * A short explanation message, as provided by the Device Admin via the
    [`setShortSupportMessage`](
    https://developer.android.com/reference/android/app/admin/DevicePolicyManager.html#setShortSupportMessage%28android.content.ComponentName, java.lang.CharSequence%29).
  * The DPC application’s icon.

### 3.9.2 Managed Profile Support

If device implementations declare `android.software.managed_users`, they:

* [C-1-1] MUST support managed profiles via the `android.app.admin.DevicePolicyManager`
  APIs.
* [C-1-2] MUST allow one and only [one managed profile to be created](http://developer.android.com/reference/android/app/admin/DevicePolicyManager.html#ACTION_PROVISION_MANAGED_PROFILE).
* [C-1-3] MUST use an icon badge (similar to the AOSP upstream work badge) to
  represent the managed applications and widgets and other badged UI elements
  like Recents & Notifications.
* [C-1-4] MUST display a notification icon (similar to the AOSP upstream work
  badge) to indicate when the user is within a managed profile application.
* [C-1-5] MUST display a toast indicating that the user is in the managed
  profile if and when the device wakes up (ACTION_USER_PRESENT) and the
  foreground application is within the managed profile.
* [C-1-6] Where a managed profile exists, MUST show a visual affordance in the
  Intent 'Chooser' to allow the user to forward the intent from the managed
  profile to the primary user or vice versa, if enabled by the Device Policy
  Controller.
* [C-1-7] Where a managed profile exists, MUST expose the following user
  affordances for both the primary user and the managed profile:
  * Separate accounting for battery, location, mobile data and storage usage
    for the primary user and managed profile.
  * Independent management of VPN Applications installed within the primary
    user or managed profile.
  * Independent management of applications installed within the primary user
    or managed profile.
  * Independent management of accounts within the primary user or managed
    profile.
* [C-1-8] MUST ensure the preinstalled dialer, contacts and messaging
  applications can search for and look up caller information from the managed
  profile (if one exists) alongside those from the primary profile, if the
  Device Policy Controller permits it.
* [C-1-9] MUST ensure that it satisfies all the security requirements
  applicable for a device with multiple users enabled
  (see [section 9.5](#9_5_multi-user_support)), even though the managed profile
  is not counted as another user in addition to the primary user.

If device implementations declare `android.software.managed_users` and
`android.software.secure_lock_screen`, they:

* [C-2-1] MUST support the ability to specify a separate lock screen meeting
  the following requirements to grant access to apps running in a managed
  profile only.
  * Device implementations MUST honor the
    [`DevicePolicyManager.ACTION_SET_NEW_PASSWORD`](https://developer.android.com/reference/android/app/admin/DevicePolicyManager.html#ACTION_SET_NEW_PASSWORD)
    intent and show an interface to configure a separate lock screen
    credential for the managed profile.
  * The lock screen credentials of the managed profile MUST use the same
    credential storage and management mechanisms as the parent profile,
    as documented on the
    [Android Open Source Project Site](http://source.android.com/security/authentication/index.html).
  * The DPC [password policies](https://developer.android.com/guide/topics/admin/device-admin.html#pwd)
    MUST apply to only the managed profile's lock screen credentials unless
    called upon the `DevicePolicyManager` instance returned by
    [`getParentProfileInstance`](https://developer.android.com/reference/android/app/admin/DevicePolicyManager.html#getParentProfileInstance%28android.content.ComponentName%29).
* When contacts from the managed profile are displayed
  in the preinstalled call log, in-call UI, in-progress and missed-call
  notifications, contacts and messaging apps they SHOULD be badged with the
  same badge used to indicate managed profile applications.

### 3.9.3 Managed User Support

If device implementations declare `android.software.managed_users`, they:

* [C-1-1] MUST provide a user affordance to log out from the current user and
  switch back to the primary user in a multiple-user session when
  [`isLogoutEnabled`](https://developer.android.com/reference/android/app/admin/DevicePolicyManager.html#isLogoutEnabled%28%29)
  returns `true`. The user affordance MUST be accessible from the lockscreen
  without unlocking the device.