No public description

jscott1989 · pfmaggi · commit ac368b230187 · 2024-03-11T10:15:01.000+01:00
PiperOrigin-RevId: 605570443
diff --git a/README.md b/README.md
@@ -23,11 +23,8 @@ You can find various kinds of provisioning methods [here](https://developers.goo
 3. Modify (if needed) and scan [this QR code] (http://down-box.appspot.com/qr/nQB0tw7b).
 4. Follow onscreen instructions
 
-#### ADB command (Device Owner) ####
-
-```shell
+#### adb command (Device Owner) ####
 adb shell dpm set-device-owner com.afwsamples.testdpc/.DeviceAdminReceiver
-```
 
 #### Work profile ####
 The easiest way is to launch the "Set Up TestDPC" app in launcher and follow the onscreen instructions.
diff --git a/src/main/AndroidManifest.xml b/src/main/AndroidManifest.xml
@@ -40,6 +40,8 @@
     <uses-permission android:name="android.permission.QUERY_ALL_PACKAGES"/>
     <uses-permission android:name="com.google.android.setupwizard.SETUP_COMPAT_SERVICE" />
     <uses-permission android:name="android.permission.POST_NOTIFICATIONS"/>
+    <uses-permission android:name="android.permission.MANAGE_DEVICE_POLICY_CERTIFICATES"/>
+    <uses-permission android:name="android.permission.MANAGE_DEVICE_POLICY_SYSTEM_UPDATE_INFO"/>
 
     <uses-feature android:name="android.hardware.wifi" android:required="false" />
     <uses-feature android:name="android.hardware.touchscreen" android:required="false"/>
@@ -153,6 +155,15 @@
             </intent-filter>
         </activity>
 
+        <activity android:name="android.app.Activity" android:exported="true" android:permission="android.permission.LAUNCH_DEVICE_MANAGER_SETUP">
+            <intent-filter>
+                <action android:name="android.app.action.ROLE_HOLDER_PROVISION_MANAGED_DEVICE_FROM_TRUSTED_SOURCE" />
+                <action android:name="android.app.action.ROLE_HOLDER_PROVISION_MANAGED_PROFILE" />
+                <action android:name="android.app.action.ROLE_HOLDER_PROVISION_FINALIZATION" />
+                <category android:name="android.intent.category.DEFAULT" />
+            </intent-filter>
+        </activity>
+
         <receiver
                 android:name=".DeviceAdminReceiver"
                 android:exported="true"
diff --git a/src/main/java/com/afwsamples/testdpc/common/preference/DpcPreferenceHelper.java b/src/main/java/com/afwsamples/testdpc/common/preference/DpcPreferenceHelper.java
@@ -18,6 +18,7 @@
 
 import android.app.admin.DevicePolicyManager;
 import android.content.Context;
+import android.content.pm.PackageManager;
 import android.content.res.TypedArray;
 import android.os.Build.VERSION_CODES;
 import android.text.TextUtils;
@@ -96,6 +97,7 @@ public class DpcPreferenceHelper {
   private @AdminKind int mAdminConstraint;
   private @UserKind int mUserConstraint;
   private String mDelegationConstraint;
+  private String mPermissionConstraint;
 
   public DpcPreferenceHelper(Context context, Preference preference, AttributeSet attrs) {
     mContext = context;
@@ -117,6 +119,7 @@ public DpcPreferenceHelper(Context context, Preference preference, AttributeSet
     // noinspection ResourceType
     mUserConstraint = a.getInt(R.styleable.DpcPreference_user, USER_DEFAULT);
     mDelegationConstraint = a.getString(R.styleable.DpcPreference_delegation);
+    mPermissionConstraint = a.getString(R.styleable.DpcPreference_permission);
     a.recycle();
   }
 
@@ -294,7 +297,7 @@ private int getCurrentUser() {
   }
 
   private boolean isSufficientlyPrivileged(@AdminKind int admin, List<String> delegations) {
-    return isEnabledForAdmin(admin) || hasDelegation(delegations);
+    return isEnabledForAdmin(admin) || hasDelegation(delegations) || hasPermission();
   }
 
   private boolean isEnabledForAdmin(@AdminKind int admin) {
@@ -305,6 +308,11 @@ private boolean hasDelegation(List<String> delegations) {
     return delegations.contains(mDelegationConstraint);
   }
 
+  private boolean hasPermission() {
+    return mPermissionConstraint != null
+        && mContext.checkSelfPermission(mPermissionConstraint) == PackageManager.PERMISSION_GRANTED;
+  }
+
   private boolean isEnabledForUser(@UserKind int user) {
     return (mUserConstraint & user) == user;
   }
diff --git a/src/main/java/com/afwsamples/testdpc/policy/PolicyManagementFragment.java b/src/main/java/com/afwsamples/testdpc/policy/PolicyManagementFragment.java
@@ -38,6 +38,7 @@
 import android.app.admin.PackagePolicy;
 import android.app.admin.SystemUpdateInfo;
 import android.app.admin.WifiSsidPolicy;
+import android.app.role.RoleManager;
 import android.content.ComponentName;
 import android.content.ContentResolver;
 import android.content.Context;
@@ -463,6 +464,11 @@ public class PolicyManagementFragment extends BaseSearchablePolicyPreferenceFrag
 
   private static final SparseIntArray PASSWORD_COMPLEXITY = new SparseIntArray(4);
 
+  // Copied over from RoleManager.ROLE_DEVICE_POLICY_MANAGEMENT, which can't be referenced directly
+  // since it's a @SystemAPI.
+  private static final String ROLE_DEVICE_POLICY_MANAGEMENT =
+      "android.app.role.DEVICE_POLICY_MANAGEMENT";
+
   static {
     if (Util.SDK_INT >= VERSION_CODES.Q) {
       final int[] complexityIds =
@@ -560,7 +566,7 @@ public class PolicyManagementFragment extends BaseSearchablePolicyPreferenceFrag
   @Override
   public void onCreate(Bundle savedInstanceState) {
     Context context = getActivity();
-    if (isDelegatedApp() || isCredentialManagerApp()) {
+    if (isDelegatedApp() || isCredentialManagerApp() || isDeviceManagementRoleHolder()) {
       mAdminComponentName = null;
     } else {
       mAdminComponentName = DeviceAdminReceiver.getComponentName(context);
@@ -999,6 +1005,14 @@ private boolean isCredentialManagerApp() {
     return !dpm.isDeviceOwnerApp(packageName) && !dpm.isProfileOwnerApp(packageName);
   }
 
+  private boolean isDeviceManagementRoleHolder() {
+    if (Util.SDK_INT < VERSION_CODES.S) {
+      return false;
+    }
+    RoleManager rm = getActivity().getSystemService(RoleManager.class);
+    return rm.isRoleHeld(ROLE_DEVICE_POLICY_MANAGEMENT);
+  }
+
   @Override
   public boolean isAvailable(Context context) {
     return true;
@@ -2580,6 +2594,8 @@ private void loadAppStatus() {
       appStatusStringId = R.string.this_is_a_device_owner;
     } else if (isDelegatedApp()) {
       appStatusStringId = R.string.this_is_a_delegated_app;
+    } else if (isDeviceManagementRoleHolder()) {
+      appStatusStringId = R.string.this_is_a_role_holder;
     } else {
       appStatusStringId = R.string.this_is_not_an_admin;
     }
@@ -2616,7 +2632,8 @@ private void loadEnrollmentSpecificId() {
 
     String esid = mDevicePolicyManager.getEnrollmentSpecificId();
 
-    enrollmentSpecificIdPreference.setSummary(esid);
+    enrollmentSpecificIdPreference.setSummary(
+        TextUtils.isEmpty(esid) ? getString(R.string.enrollment_specific_id_empty) : esid);
   }
 
   @TargetApi(VERSION_CODES.P)
diff --git a/src/main/res/values/attrs.xml b/src/main/res/values/attrs.xml
@@ -53,6 +53,9 @@
         <!-- Constrain a preference to a delegated scope. -->
         <attr name="delegation" format="string" />
 
+        <!-- Constrain a preference to a permission. -->
+        <attr name="permission" format="string" />
+
         <!-- Constrain a preference to certain users. -->
         <attr name="user">
             <flag name="primaryUser" value="0x1" />
diff --git a/src/main/res/values/strings.xml b/src/main/res/values/strings.xml
@@ -122,6 +122,7 @@
     <string name="this_is_a_profile_owner">This app is a profile owner.</string>
     <string name="this_is_an_org_owned_profile_owner">This app is a profile owner of an organization-owned device.</string>
     <string name="this_is_a_delegated_app">This app has delegated permissions.</string>
+    <string name="this_is_a_role_holder">This app is the Device Management Role Holder.</string>
     <string name="this_is_not_an_admin">This app is not an admin.</string>
 
     <!-- Strings for provisioning disclaimers-->
@@ -1249,6 +1250,7 @@
     <string name="set_organization_id">Set Organization Identifier</string>
     <string name="organization_id_empty">Organization Identifier must not be empty.</string>
     <string name="enrollment_specific_id">Enrollment-specific ID</string>
+    <string name="enrollment_specific_id_empty">Not Available</string>
 
     <!-- Messsage used in a toast to inform that operations that could be unsafe to execute might be safe now (or vice versa) -->
     <string name="safety_operations_change_message">Operations that affect <xliff:g id="reason">%1$s</xliff:g> are now <xliff:g id="state">%2$s</xliff:g></string>
diff --git a/src/main/res/xml/device_policy_header.xml b/src/main/res/xml/device_policy_header.xml
@@ -34,6 +34,7 @@
         android:title="@string/enrollment_specific_id"
         testdpc:admin="deviceOwner|profileOwner"
         testdpc:delegation="delegation-cert-install"
+        testdpc:permission="android.permission.MANAGE_DEVICE_POLICY_CERTIFICATES"
         testdpc:minSdkVersion="S" />
 
     <PreferenceCategory android:title="@string/accessibility_title">
@@ -615,6 +616,7 @@
         <com.afwsamples.testdpc.common.preference.DpcPreference
             android:key="system_update_pending"
             android:title="@string/system_update_pending"
+            testdpc:permission="android.permission.MANAGE_DEVICE_POLICY_SYSTEM_UPDATE_INFO"
             testdpc:minSdkVersion="O" />
         <com.afwsamples.testdpc.common.preference.DpcPreference
             android:key="managed_system_updates"
