1## 3.9\. Device Administration 2 3Android includes features that allow security-aware applications to perform 4device administration functions at the system level, such as enforcing password 5policies or performing remote wipe, through the 6[Android Device Administration API](http://developer.android.com/guide/topics/admin/device-admin.html)]. 7 8If device implementations implement the full range of [device administration]( 9http://developer.android.com/guide/topics/admin/device-admin.html) 10policies defined in the Android SDK documentation, they: 11 12* [C-1-1] MUST declare `android.software.device_admin`. 13* [C-1-2] MUST support device owner provisioning as described in 14 [section 3.9.1](#3_9_1_device_provisioning) and 15 [section 3.9.1.1](#3_9_1_1_device_owner_provisioning). 16* [C-1-3] MUST declare the support of manged profiles via the 17 `android.software.managed_users` feature flag, except for when the device is 18 configured so that it would [report]( 19 http://developer.android.com/reference/android/app/ActivityManager.html#isLowRamDevice%28%29) 20 itself as a low RAM device or so that it allocate internal (non-removable) 21 storage as shared storage. 22 23### 3.9.1 Device Provisioning 24 25#### 3.9.1.1 Device owner provisioning 26 27If device implementations declare `android.software.device_admin`, they: 28 29* [C-1-1] MUST support enrolling a Device Policy Client (DPC) as a 30 [Device Owner app]( 31 http://developer.android.com/reference/android/app/admin/DevicePolicyManager.html#isDeviceOwnerApp%28java.lang.String%29) 32 as described below: 33 * When the device implementation has no user data is configured yet, it: 34 * [C-1-3] MUST report `true` for [`DevicePolicyManager.isProvisioningAllowed(ACTION_PROVISION_MANAGED_DEVICE)`](https://developer.android.com/reference/android/app/admin/DevicePolicyManager.html\#isProvisioningAllowed\(java.lang.String\)). 35 * [C-1-4] MUST enroll the DPC application as the Device Owner app in 36 response to the intent action [`android.app.action.PROVISION_MANAGED_DEVICE`](http://developer.android.com/reference/android/app/admin/DevicePolicyManager.html#ACTION_PROVISION_MANAGED_DEVICE). 37 * [C-1-5] MUST enroll the DPC application as the Device Owner app if the 38 device declares Near-Field Communications (NFC) support via the feature 39 flag `android.hardware.nfc` and receives an NFC message containing a 40 record with MIME type [`MIME_TYPE_PROVISIONING_NFC`](https://developer.android.com/reference/android/app/admin/DevicePolicyManager.html#MIME_TYPE_PROVISIONING_NFC). 41 * When the device implementation has user data, it: 42 * [C-1-6] MUST report `false` for the [`DevicePolicyManager.isProvisioningAllowed(ACTION_PROVISION_MANAGED_DEVICE)`](https://developer.android.com/reference/android/app/admin/DevicePolicyManager.html\#isProvisioningAllowed\(java.lang.String\)). 43 * [C-1-7] MUST not enroll any DPC application as the Device Owner App 44 any more. 45* [C-1-2] MUST NOT set an application (including pre-installed app) as the 46 Device Owner app without explicit consent or action from the user or the 47 administrator of the device. 48 49If device implementations declare `android.software.device_admin`, but also 50include a proprietary Device Owner management solution and provide a mechanism 51to promote an application configured in their solution as a "Device Owner 52equivalent" to the standard "Device Owner" as recognized by the standard Android 53[DevicePolicyManager]( 54http://developer.android.com/reference/android/app/admin/DevicePolicyManager.html) 55APIs, they: 56 57* [C-2-1] MUST have a process in place to verify that the specific app 58 being promoted belongs to a legitimate enterprise device management 59 solution and it has been already configured in the proprietary solution 60 to have the rights equivalent as a "Device Owner". 61* [C-2-2] MUST show the same AOSP Device Owner consent disclosure as the 62 flow initiated by [`android.app.action.PROVISION_MANAGED_DEVICE`](http://developer.android.com/reference/android/app/admin/DevicePolicyManager.html#ACTION_PROVISION_MANAGED_DEVICE) 63 prior to enrolling the DPC application as "Device Owner". 64* MAY have user data on the device prior to enrolling the DPC application 65 as "Device Owner". 66 67#### 3.9.1.2 Managed profile provisioning 68 69If device implementations declare `android.software.managed_users`, they: 70 71* [C-1-1] MUST implement the [APIs](http://developer.android.com/reference/android/app/admin/DevicePolicyManager.html#ACTION_PROVISION_MANAGED_PROFILE) 72allowing a Device Policy Controller (DPC) application to become the 73[owner of a new Managed Profile](http://developer.android.com/reference/android/app/admin/DevicePolicyManager.html#isProfileOwnerApp%28java.lang.String%29). 74 75* [C-1-2] The managed profile provisioning process (the flow initiated by 76[android.app.action.PROVISION_MANAGED_PROFILE]( 77http://developer.android.com/reference/android/app/admin/DevicePolicyManager.html#ACTION_PROVISION_MANAGED_PROFILE)) 78users experience MUST align with the AOSP implementation. 79 80* [C-1-3] MUST provide the following user affordances within the Settings to 81 indicate to the user when a particular system function has been disabled by 82 the Device Policy Controller (DPC): 83 * A consistent icon or other user affordance (for example the upstream 84 AOSP info icon) to represent when a particular setting is restricted by 85 a Device Admin. 86 * A short explanation message, as provided by the Device Admin via the 87 [`setShortSupportMessage`]( 88 https://developer.android.com/reference/android/app/admin/DevicePolicyManager.html#setShortSupportMessage%28android.content.ComponentName, java.lang.CharSequence%29). 89 * The DPC application’s icon. 90 91## 3.9.2 Managed Profile Support 92 93If device implementations declare `android.software.managed_users`, they: 94 95* [C-1-1] MUST support managed profiles via the `android.app.admin.DevicePolicyManager` 96 APIs. 97* [C-1-2] MUST allow one and only [one managed profile to be created](http://developer.android.com/reference/android/app/admin/DevicePolicyManager.html#ACTION_PROVISION_MANAGED_PROFILE). 98* [C-1-3] MUST use an icon badge (similar to the AOSP upstream work badge) to 99 represent the managed applications and widgets and other badged UI elements 100 like Recents & Notifications. 101* [C-1-4] MUST display a notification icon (similar to the AOSP upstream work 102 badge) to indicate when user is within a managed profile application. 103* [C-1-5] MUST display a toast indicating that the user is in the managed 104 profile if and when the device wakes up (ACTION_USER_PRESENT) and the 105 foreground application is within the managed profile. 106* [C-1-6] Where a managed profile exists, MUST show a visual affordance in the 107 Intent 'Chooser' to allow the user to forward the intent from the managed 108 profile to the primary user or vice versa, if enabled by the Device Policy 109 Controller. 110* [C-1-7] Where a managed profile exists, MUST expose the following user 111 affordances for both the primary user and the managed profile: 112 * Separate accounting for battery, location, mobile data and storage usage 113 for the primary user and managed profile. 114 * Independent management of VPN Applications installed within the primary 115 user or managed profile. 116 * Independent management of applications installed within the primary user 117 or managed profile. 118 * Independent management of accounts within the primary user or managed 119 profile. 120* [C-1-8] MUST ensure the preinstalled dialer, contacts and messaging 121 applications can search for and look up caller information from the managed 122 profile (if one exists) alongside those from the primary profile, if the 123 Device Policy Controller permits it. 124* [C-1-9] MUST ensure that it satisfies all the security requirements 125 applicable for a device with multiple users enabled 126 (see[section 9.5](#9_5_multi-user_support)), even though the managed profile 127 is not counted as another user in addition to the primary user. 128* [C-1-10] MUST support the ability to specify a separate lock screen meeting 129 the following requirements to grant access to apps running in a managed 130 profile. 131 * Device implementations MUST honor the 132 [`DevicePolicyManager.ACTION_SET_NEW_PASSWORD`](https://developer.android.com/reference/android/app/admin/DevicePolicyManager.html#ACTION_SET_NEW_PASSWORD) 133 intent and show an interface to configure a separate lock screen 134 credential for the managed profile. 135 * The lock screen credentials of the managed profile MUST use the same 136 credential storage and management mechanisms as the parent profile, 137 as documented on the 138 [Android Open Source Project Site](http://source.android.com/security/authentication/index.html) 139 * The DPC [password policies](https://developer.android.com/guide/topics/admin/device-admin.html#pwd) 140 MUST apply to only the managed profile's lock screen credentials unless 141 called upon the `DevicePolicyManager` instance returned by 142 <a href="https://developer.android.com/reference/android/app/admin/DevicePolicyManager.html#getParentProfileInstance%28android.content.ComponentName%29">getParentProfileInstance</a>. 143* When contacts from the managed profile are displayed 144 in the preinstalled call log, in-call UI, in-progress and missed-call 145 notifications, contacts and messaging apps they SHOULD be badged with the 146 same badge used to indicate managed profile applications. 147