Android 2.2 introduces support for enterprise applications by offering the Android Device Administration API. The Device Administration API provides device administration features at the system level. These APIs allow you to create security-aware applications that are useful in enterprise settings, in which IT professionals require rich control over employee devices. For example, the built-in Android Email application has leveraged the new APIs to improve Exchange support. Through the Email application, Exchange administrators can enforce password policies — including alphanumeric passwords or numeric PINs — across devices. Administrators can also remotely wipe (that is, restore factory defaults on) lost or stolen handsets. Exchange users can sync their email and calendar data.
This document is intended for developers who want to develop enterprise solutions for Android-powered devices. It discusses the various features provided by the Device Administration API to provide stronger security for employee devices that are powered by Android.
Note For information on building a Work Policy Controller for Android for Work deployments, see Building a Work Policy Controller.
Here are examples of the types of applications that might use the Device Administration API:
You use the Device Administration API to write device admin applications that users install on their devices. The device admin application enforces the desired policies. Here's how it works:
If users do not enable the device admin app, it remains on the device, but in an inactive state. Users will not be subject to its policies, and they will conversely not get any of the application's benefits—for example, they may not be able to sync data.
If a user fails to comply with the policies (for example, if a user sets a password that violates the guidelines), it is up to the application to decide how to handle this. However, typically this will result in the user not being able to sync data.
If a device attempts to connect to a server that requires policies not supported in the Device Administration API, the connection will not be allowed. The Device Administration API does not currently allow partial provisioning. In other words, if a device (for example, a legacy device) does not support all of the stated policies, there is no way to allow the device to connect.
If a device contains multiple enabled admin applications, the strictest policy is enforced. There is no way to target a particular admin application.
To uninstall an existing device admin application, users need to first unregister the application as an administrator.
In an enterprise setting, it's often the case that employee devices must adhere to a strict set of policies that govern the use of the device. The Device Administration API supports the policies listed in Table 1. Note that the Device Administration API currently only supports passwords for screen lock:
Table 1. Policies supported by the Device Administration API.
| Policy | Description |
|---|---|
| Password enabled | Requires that devices ask for PIN or passwords. |
| Minimum password length | Set the required number of characters for the password. For example, you can require PIN or passwords to have at least six characters. |
| Alphanumeric password required | Requires that passwords have a combination of letters and numbers. They may include symbolic characters. |
| Complex password required | Requires that passwords must contain at least a letter, a numerical digit, and a special symbol. Introduced in Android 3.0. |
| Minimum letters required in password | The minimum number of letters required in the password for all admins or a particular one. Introduced in Android 3.0. |
| Minimum lowercase letters required in password | The minimum number of lowercase letters required in the password for all admins or a particular one. Introduced in Android 3.0. |
| Minimum non-letter characters required in password | The minimum number of non-letter characters required in the password for all admins or a particular one. Introduced in Android 3.0. |
| Minimum numerical digits required in password | The minimum number of numerical digits required in the password for all admins or a particular one. Introduced in Android 3.0. |
| Minimum symbols required in password | The minimum number of symbols required in the password for all admins or a particular one. Introduced in Android 3.0. |
| Minimum uppercase letters required in password | The minimum number of uppercase letters required in the password for all admins or a particular one. Introduced in Android 3.0. |
| Password expiration timeout | When the password will expire, expressed as a delta in milliseconds from when a device admin sets the expiration timeout. Introduced in Android 3.0. |
| Password history restriction | This policy prevents users from reusing the last n unique passwords. This policy is typically used in conjunction with {@link android.app.admin.DevicePolicyManager#setPasswordExpirationTimeout(android.content.ComponentName,long) setPasswordExpirationTimeout()}, which forces users to update their passwords after a specified amount of time has elapsed. Introduced in Android 3.0. |
| Maximum failed password attempts | Specifies how many times a user can enter the wrong password before the device wipes its data. The Device Administration API also allows administrators to remotely reset the device to factory defaults. This secures data in case the device is lost or stolen. |
| Maximum inactivity time lock | Sets the length of time since the user last touched the screen or pressed a button before the device locks the screen. When this happens, users need to enter their PIN or passwords again before they can use their devices and access data. The value can be between 1 and 60 minutes. |
| Require storage encryption | Specifies that the storage area should be encrypted, if the device supports it. Introduced in Android 3.0. |
| Disable camera | Specifies that the camera should be disabled. Note that this doesn't have to be a permanent disabling. The camera can be enabled/disabled dynamically based on context, time, and so on. Introduced in Android 4.0. |
In addition to supporting the policies listed in the above table, the Device Administration API lets you do the following:
The examples used in this document are based on the Device Administration API
sample, which is included in the SDK samples (available through the
Android SDK Manager) and located on your system as
<sdk_root>/ApiDemos/app/src/main/java/com/example/android/apis/app/DeviceAdminSample.java.
The sample application offers a demo of device admin features. It presents users with a user interface that lets them enable the device admin application. Once they've enabled the application, they can use the buttons in the user interface to do the following:
Figure 1. Screenshot of the Sample Application
System administrators can use the Device Administration API to write an application that enforces remote/local device security policy enforcement. This section summarizes the steps involved in creating a device administration application.
To use the Device Administration API, the application's manifest must include the following:
Here is an excerpt from the Device Administration sample manifest:
<activity android:name=".app.DeviceAdminSample"
android:label="@string/activity_sample_device_admin">
<intent-filter>
<action android:name="android.intent.action.MAIN" />
<category android:name="android.intent.category.SAMPLE_CODE" />
</intent-filter>
</activity>
<receiver android:name=".app.DeviceAdminSample$DeviceAdminSampleReceiver"
android:label="@string/sample_device_admin"
android:description="@string/sample_device_admin_description"
android:permission="android.permission.BIND_DEVICE_ADMIN">
<meta-data android:name="android.app.device_admin"
android:resource="@xml/device_admin_sample" />
<intent-filter>
<action android:name="android.app.action.DEVICE_ADMIN_ENABLED" />
</intent-filter>
</receiver>
Note that:
ApiDemos/res/values/strings.xml. For more information about resources, see
Application Resources.
android:label="@string/activity_sample_device_admin" refers to the
user-readable label for the activity.android:label="@string/sample_device_admin" refers to the
user-readable label for the permission.android:description="@string/sample_device_admin_description" refers to
the user-readable description of the permission. A descripton is typically longer and more
informative than
a label.android:permission="android.permission.BIND_DEVICE_ADMIN"
is a permission that a {@link android.app.admin.DeviceAdminReceiver} subclass must
have, to ensure that only the system can interact with the receiver (no application can be granted this permission). This
prevents other applications from abusing your device admin app.android.app.action.DEVICE_ADMIN_ENABLED is the primary
action that a {@link android.app.admin.DeviceAdminReceiver} subclass must handle to be
allowed to manage a device. This is set to the receiver when the user enables
the device admin app. Your code typically handles this in
{@link android.app.admin.DeviceAdminReceiver#onEnabled onEnabled()}. To be supported, the receiver must also
require the {@link android.Manifest.permission#BIND_DEVICE_ADMIN} permission so that other applications
cannot abuse it. android:resource="@xml/device_admin_sample"
declares the security policies used in metadata. The metadata provides additional
information specific to the device administrator, as parsed by the {@link
android.app.admin.DeviceAdminInfo} class. Here are the contents of
device_admin_sample.xml:<device-admin xmlns:android="http://schemas.android.com/apk/res/android">
<uses-policies>
<limit-password />
<watch-login />
<reset-password />
<force-lock />
<wipe-data />
<expire-password />
<encrypted-storage />
<disable-camera />
</uses-policies>
</device-admin>
In designing your device administration application, you don't need to include all of the policies, just the ones that are relevant for your app.
For more discussion of the manifest file, see the Android Developers Guide.The Device Administration API includes the following classes:
These classes provide the foundation for a fully functional device administration application. The rest of this section describes how you use the {@link android.app.admin.DeviceAdminReceiver} and {@link android.app.admin.DevicePolicyManager} APIs to write a device admin application.
To create a device admin application, you must subclass {@link android.app.admin.DeviceAdminReceiver}. The {@link android.app.admin.DeviceAdminReceiver} class consists of a series of callbacks that are triggered when particular events occur.
In its {@link android.app.admin.DeviceAdminReceiver} subclass, the sample application simply displays a {@link android.widget.Toast} notification in response to particular events. For example:
public class DeviceAdminSample extends DeviceAdminReceiver {
void showToast(Context context, String msg) {
String status = context.getString(R.string.admin_receiver_status, msg);
Toast.makeText(context, status, Toast.LENGTH_SHORT).show();
}
@Override
public void onEnabled(Context context, Intent intent) {
showToast(context, context.getString(R.string.admin_receiver_status_enabled));
}
@Override
public CharSequence onDisableRequested(Context context, Intent intent) {
return context.getString(R.string.admin_receiver_status_disable_warning);
}
@Override
public void onDisabled(Context context, Intent intent) {
showToast(context, context.getString(R.string.admin_receiver_status_disabled));
}
@Override
public void onPasswordChanged(Context context, Intent intent) {
showToast(context, context.getString(R.string.admin_receiver_status_pw_changed));
}
...
}
One of the major events a device admin application has to handle is the user enabling the application. The user must explicitly enable the application for the policies to be enforced. If the user chooses not to enable the application it will still be present on the device, but its policies will not be enforced, and the user will not get any of the application's benefits.
The process of enabling the application begins when the user performs an action that triggers the {@link android.app.admin.DevicePolicyManager#ACTION_ADD_DEVICE_ADMIN} intent. In the sample application, this happens when the user clicks the Enable Admin checkbox.
When the user clicks the Enable Admin checkbox, the display changes to prompt the user to activate the device admin application, as shown in figure 2.
Figure 2. Sample Application: Activating the Application
Below is the code that gets executed when the user clicks the Enable Admin checkbox. This has the effect of triggering the {@link android.preference.Preference.OnPreferenceChangeListener#onPreferenceChange(android.preference.Preference, java.lang.Object) onPreferenceChange()} callback. This callback is invoked when the value of this {@link android.preference.Preference} has been changed by the user and is about to be set and/or persisted. If the user is enabling the application, the display changes to prompt the user to activate the device admin application, as shown in figure 2. Otherwise, the device admin application is disabled.
@Override
public boolean onPreferenceChange(Preference preference, Object newValue) {
if (super.onPreferenceChange(preference, newValue)) {
return true;
}
boolean value = (Boolean) newValue;
if (preference == mEnableCheckbox) {
if (value != mAdminActive) {
if (value) {
// Launch the activity to have the user enable our admin.
Intent intent = new Intent(DevicePolicyManager.ACTION_ADD_DEVICE_ADMIN);
intent.putExtra(DevicePolicyManager.EXTRA_DEVICE_ADMIN, mDeviceAdminSample);
intent.putExtra(DevicePolicyManager.EXTRA_ADD_EXPLANATION,
mActivity.getString(R.string.add_admin_extra_app_text));
startActivityForResult(intent, REQUEST_CODE_ENABLE_ADMIN);
// return false - don't update checkbox until we're really active
return false;
} else {
mDPM.removeActiveAdmin(mDeviceAdminSample);
enableDeviceCapabilitiesArea(false);
mAdminActive = false;
}
}
} else if (preference == mDisableCameraCheckbox) {
mDPM.setCameraDisabled(mDeviceAdminSample, value);
...
}
return true;
}
The line
intent.putExtra(DevicePolicyManager.EXTRA_DEVICE_ADMIN,
mDeviceAdminSample) states that mDeviceAdminSample (which is
a {@link android.app.admin.DeviceAdminReceiver} component) is the target policy.
This line invokes the user interface shown in figure 2, which guides users through
adding the device administrator to the system (or allows them to reject it).
When the application needs to perform an operation that is contingent on the device admin application being enabled, it confirms that the application is active. To do this it uses the {@link android.app.admin.DevicePolicyManager} method {@link android.app.admin.DevicePolicyManager#isAdminActive(android.content.ComponentName) isAdminActive()}. Notice that the {@link android.app.admin.DevicePolicyManager} method {@link android.app.admin.DevicePolicyManager#isAdminActive(android.content.ComponentName) isAdminActive()} takes a {@link android.app.admin.DeviceAdminReceiver} component as its argument:
DevicePolicyManager mDPM;
...
private boolean isActiveAdmin() {
return mDPM.isAdminActive(mDeviceAdminSample);
}
{@link android.app.admin.DevicePolicyManager} is a public class for managing policies enforced on a device. {@link android.app.admin.DevicePolicyManager} manages policies for one or more {@link android.app.admin.DeviceAdminReceiver} instances.
You get a handle to the {@link android.app.admin.DevicePolicyManager} as follows:
DevicePolicyManager mDPM =
(DevicePolicyManager)getSystemService(Context.DEVICE_POLICY_SERVICE);
This section describes how to use {@link android.app.admin.DevicePolicyManager} to perform administrative tasks:
{@link android.app.admin.DevicePolicyManager} includes APIs for setting and enforcing the device password policy. In the Device Administration API, the password only applies to screen lock. This section describes common password-related tasks.
This code displays a user interface prompting the user to set a password:
Intent intent = new Intent(DevicePolicyManager.ACTION_SET_NEW_PASSWORD); startActivity(intent);
The password quality can be one of the following {@link android.app.admin.DevicePolicyManager} constants:
For example, this is how you would set the password policy to require an alphanumeric password:
DevicePolicyManager mDPM; ComponentName mDeviceAdminSample; ... mDPM.setPasswordQuality(mDeviceAdminSample, DevicePolicyManager.PASSWORD_QUALITY_ALPHANUMERIC);
Beginning with Android 3.0, the {@link android.app.admin.DevicePolicyManager} class includes methods that let you fine-tune the contents of the password. For example, you could set a policy that states that passwords must contain at least n uppercase letters. Here are the methods for fine-tuning a password's contents:
For example, this snippet states that the password must have at least 2 uppercase letters:
DevicePolicyManager mDPM; ComponentName mDeviceAdminSample; int pwMinUppercase = 2; ... mDPM.setPasswordMinimumUpperCase(mDeviceAdminSample, pwMinUppercase);
You can specify that a password must be at least the specified minimum length. For example:
DevicePolicyManager mDPM; ComponentName mDeviceAdminSample; int pwLength; ... mDPM.setPasswordMinimumLength(mDeviceAdminSample, pwLength);
You can set the maximum number of allowed failed password attempts before the device is wiped (that is, reset to factory settings). For example:
DevicePolicyManager mDPM; ComponentName mDeviceAdminSample; int maxFailedPw; ... mDPM.setMaximumFailedPasswordsForWipe(mDeviceAdminSample, maxFailedPw);
Beginning with Android 3.0, you can use the {@link android.app.admin.DevicePolicyManager#setPasswordExpirationTimeout(android.content.ComponentName,long) setPasswordExpirationTimeout()} method to set when a password will expire, expressed as a delta in milliseconds from when a device admin sets the expiration timeout. For example:
DevicePolicyManager mDPM; ComponentName mDeviceAdminSample; long pwExpiration; ... mDPM.setPasswordExpirationTimeout(mDeviceAdminSample, pwExpiration);
Beginning with Android 3.0, you can use the {@link android.app.admin.DevicePolicyManager#setPasswordHistoryLength(android.content.ComponentName,int) setPasswordHistoryLength()} method to limit users' ability to reuse old passwords. This method takes a length parameter, which specifies how many old passwords are stored. When this policy is active, users cannot enter a new password that matches the last n passwords. This prevents users from using the same password over and over. This policy is typically used in conjunction with {@link android.app.admin.DevicePolicyManager#setPasswordExpirationTimeout(android.content.ComponentName,long) setPasswordExpirationTimeout()}, which forces users to update their passwords after a specified amount of time has elapsed.
For example, this snippet prohibits users from reusing any of their last 5 passwords:
DevicePolicyManager mDPM; ComponentName mDeviceAdminSample; int pwHistoryLength = 5; ... mDPM.setPasswordHistoryLength(mDeviceAdminSample, pwHistoryLength);
You can set the maximum period of user inactivity that can occur before the device locks. For example:
DevicePolicyManager mDPM; ComponentName mDeviceAdminSample; ... long timeMs = 1000L*Long.parseLong(mTimeout.getText().toString()); mDPM.setMaximumTimeToLock(mDeviceAdminSample, timeMs);
You can also programmatically tell the device to lock immediately:
DevicePolicyManager mDPM; mDPM.lockNow();
You can use the {@link android.app.admin.DevicePolicyManager} method {@link android.app.admin.DevicePolicyManager#wipeData wipeData()} to reset the device to factory settings. This is useful if the device is lost or stolen. Often the decision to wipe the device is the result of certain conditions being met. For example, you can use {@link android.app.admin.DevicePolicyManager#setMaximumFailedPasswordsForWipe setMaximumFailedPasswordsForWipe()} to state that a device should be wiped after a specific number of failed password attempts.
You wipe data as follows:
DevicePolicyManager mDPM; mDPM.wipeData(0);
The {@link android.app.admin.DevicePolicyManager#wipeData wipeData()} method takes as its parameter a bit mask of additional options. Currently the value must be 0.
Beginning with Android 4.0, you can disable the camera. Note that this doesn't have to be a permanent disabling. The camera can be enabled/disabled dynamically based on context, time, and so on.
You control whether the camera is disabled by using the {@link android.app.admin.DevicePolicyManager#setCameraDisabled(android.content.ComponentName, boolean) setCameraDisabled()} method. For example, this snippet sets the camera to be enabled or disabled based on a checkbox setting:
private CheckBoxPreference mDisableCameraCheckbox; DevicePolicyManager mDPM; ComponentName mDeviceAdminSample; ... mDPM.setCameraDisabled(mDeviceAdminSample, mDisableCameraCheckbox.isChecked());
Beginning with Android 3.0, you can use the {@link android.app.admin.DevicePolicyManager#setStorageEncryption(android.content.ComponentName,boolean) setStorageEncryption()} method to set a policy requiring encryption of the storage area, where supported.
For example:
DevicePolicyManager mDPM; ComponentName mDeviceAdminSample; ... mDPM.setStorageEncryption(mDeviceAdminSample, true);
See the Device Administration API sample for a complete example of how to enable storage encryption.