Allow user with a profile owner to have escrow tokens

This mainly covers the unicorn case where the primary user has a profile owner set on it. Test: cts-tradefed run cts-dev -m CtsDevicePolicyManagerTestCases -t com.android.cts.devicepolicy.MixedProfileOwnerTest#testResetPasswordWithToken Bug: 35457534 Change-Id: Ieee883cce17c0b54b6e63fe113ada009e16150ad
author: Rubin Xu <rubinxu@google.com> 2017-02-22 20:31:57 +0000
committer: Rubin Xu <rubinxu@google.com> 2017-02-22 20:31:57 +0000
commit: bc7a47c6d30943be512f9f982ae4803ff3cdc52a (patch)
tree: 05d01b309e3791ae9f03c84c3b2d12e938c12b5c
parent: 82c2d94e89c0d786b0734ff98a8395e1a7ce3956 (diff)
1 files changed, 8 insertions, 0 deletions
diff --git a/services/core/java/com/android/server/LockSettingsService.java b/services/core/java/com/android/server/LockSettingsService.java
index f76ddc71bc01..d66cbdd7f842 100644
--- a/services/core/java/com/android/server/LockSettingsService.java
+++ b/services/core/java/com/android/server/LockSettingsService.java
@@ -2198,18 +2198,26 @@ public class LockSettingsService extends ILockSettings.Stub {
         try {
             // Managed profile should have escrow enabled
             if (mUserManager.getUserInfo(userId).isManagedProfile()) {
+                Slog.i(TAG, "Managed profile can have escrow token");
                 return;
             }
             DevicePolicyManager dpm = (DevicePolicyManager)
                     mContext.getSystemService(Context.DEVICE_POLICY_SERVICE);
             // Devices with Device Owner should have escrow enabled on all users.
             if (dpm.getDeviceOwnerComponentOnAnyUser() != null) {
+                Slog.i(TAG, "Corp-owned device can have escrow token");
+                return;
+            }
+            // We could also have a profile owner on the given (non-managed) user for unicorn cases
+            if (dpm.getProfileOwnerAsUser(userId) != null) {
+                Slog.i(TAG, "User with profile owner can have escrow token");
                 return;
             }
             // If the device is yet to be provisioned (still in SUW), there is still
             // a chance that Device Owner will be set on the device later, so postpone
             // disabling escrow token for now.
             if (!dpm.isDeviceProvisioned()) {
+                Slog.i(TAG, "Postpone disabling escrow tokens until device is provisioned");
                 return;
             }
             // Disable escrow token permanently on all other device/user types.
author	Rubin Xu <rubinxu@google.com>	2017-02-22 20:31:57 +0000
committer	Rubin Xu <rubinxu@google.com>	2017-02-22 20:31:57 +0000
commit	bc7a47c6d30943be512f9f982ae4803ff3cdc52a (patch)
tree	05d01b309e3791ae9f03c84c3b2d12e938c12b5c
parent	82c2d94e89c0d786b0734ff98a8395e1a7ce3956 (diff)