| author | 2020-01-20 16:28:50 +0000 | |
|---|---|---|
| committer | 2020-01-21 16:55:09 +0000 | |
| commit | da412f19d09e31fc3d82baf9a24b1c9ec16ac18c (patch) | |
| tree | a452c0ade23908b87790d745093e047ef48f0129 | |
| parent | faa0e9dbca625f6c54c0ad0bc7d9f99ed42ba305 (diff) | |
Clarify lockNow usage from a managed profile
lockNow can be used by the profile owner of a managed profile both to
lock all users and evict the encryption key of the managed profile.
However, the order of calls is important. Document the order in which
lockNow needs to be called on the parent DevicePolicyManager instance so
that the profile owner isn't stopped prior to locking all users.
Bug: 148067606
Test: m docs
Change-Id: I3e29e8cb02b74d41ef4f5d96467937149282cc07
| -rw-r--r-- | core/java/android/app/admin/DevicePolicyManager.java | 13 |
1 files changed, 12 insertions, 1 deletions
diff --git a/core/java/android/app/admin/DevicePolicyManager.java b/core/java/android/app/admin/DevicePolicyManager.java index 54a64ef3f392..df188fa952a4 100644 --- a/core/java/android/app/admin/DevicePolicyManager.java +++ b/core/java/android/app/admin/DevicePolicyManager.java @@ -4203,7 +4203,18 @@ public class DevicePolicyManager { * device by first calling {@link #resetPassword} to set the password and then lock the device. * <p> * This method can be called on the {@link DevicePolicyManager} instance returned by - * {@link #getParentProfileInstance(ComponentName)} in order to lock the parent profile. + * {@link #getParentProfileInstance(ComponentName)} in order to lock the parent profile as + * well as the managed profile. + * <p> + * NOTE: In order to lock the parent profile and evict the encryption key of the managed + * profile, {@link #lockNow()} must be called twice: First, {@link #lockNow()} should be called + * on the {@link DevicePolicyManager} instance returned by + * {@link #getParentProfileInstance(ComponentName)}, then {@link #lockNow(int)} should be + * called on the {@link DevicePolicyManager} instance associated with the managed profile, + * with the {@link #FLAG_EVICT_CREDENTIAL_ENCRYPTION_KEY} flag. + * Calling the method twice in this order ensures that all users are locked and does not + * stop the device admin on the managed profile from issuing a second call to lock its own + * profile. * * @param flags May be 0 or {@link #FLAG_EVICT_CREDENTIAL_ENCRYPTION_KEY}. * @throws SecurityException if the calling application does not own an active administrator |
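Review bot: In the added NOTE, "{@link #lockNow()} must be called twice" does not match the sequence that follows, because the second call is {@link #lockNow(int)} with {@link #FLAG_EVICT_CREDENTIAL_ENCRYPTION_KEY}; say that two calls are required and name each overload once. The paragraph also switches between "must" and "should" for steps whose order the last sentence treats as mandatory, so use "must" for both. The closing sentence explains the ordering only indirectly ("does not stop the device admin on the managed profile from issuing a second call to lock its own profile"); state the failure mode directly, as the commit message does: if the managed-profile call is made first, the profile owner is stopped before it can lock all users. Minor: lowercase "First" after the colon.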