2 files changed, 14 insertions, 20 deletions

diff --git a/core/java/android/app/admin/DevicePolicyManager.java b/core/java/android/app/admin/DevicePolicyManager.java
index 98d356b5a921..f31de4bfc695 100644
--- a/core/java/android/app/admin/DevicePolicyManager.java
+++ b/core/java/android/app/admin/DevicePolicyManager.java
@@ -2184,9 +2184,6 @@ public class DevicePolicyManager {
      * Force a new device unlock password (the password needed to access the entire device, not for
      * individual accounts) on the user. This takes effect immediately.
      * <p>
-     * Calling this from a managed profile that shares the password with the owner profile will
-     * throw a security exception.
-     * <p>
      * <em>Note: This API has been limited as of {@link android.os.Build.VERSION_CODES#N} for
      * device admins that are not device owner and not profile owner.
      * The password can now only be changed if there is currently no password set.  Device owner
@@ -2200,10 +2197,10 @@ public class DevicePolicyManager {
      * case the currently active quality will be increased to match.
      * <p>
      * Calling with a null or empty password will clear any existing PIN, pattern or password if the
-     * current password constraints allow it. <em>Note: This will not
-     * work in {@link android.os.Build.VERSION_CODES#N} and later for device admins that are not
-     * device owner and not profile owner.  Once set, the password cannot be changed to null or
-     * empty, except by device owner or profile owner.</em>
+     * current password constraints allow it. <em>Note: This will not work in
+     * {@link android.os.Build.VERSION_CODES#N} and later for managed profiles, or for device admins
+     * that are not device owner or profile owner.  Once set, the password cannot be changed to null
+     * or empty except by these admins.</em>
      * <p>
      * The calling device admin must have requested
      * {@link DeviceAdminInfo#USES_POLICY_RESET_PASSWORD} to be able to call this method; if it has
diff --git a/services/devicepolicy/java/com/android/server/devicepolicy/DevicePolicyManagerService.java b/services/devicepolicy/java/com/android/server/devicepolicy/DevicePolicyManagerService.java
index c362c9c3ceb2..a6dd6eae6e07 100644
--- a/services/devicepolicy/java/com/android/server/devicepolicy/DevicePolicyManagerService.java
+++ b/services/devicepolicy/java/com/android/server/devicepolicy/DevicePolicyManagerService.java
@@ -3692,32 +3692,26 @@ public class DevicePolicyManagerService extends IDevicePolicyManager.Stub {
         final int callingUid = mInjector.binderGetCallingUid();
         final int userHandle = mInjector.userHandleGetCallingUserId();
 
-        if (getCredentialOwner(userHandle, /* parent */ false) != userHandle) {
-            throw new SecurityException("You can not change password for this profile because"
-                    + " it shares the password with the owner profile");
-        }
-
         String password = passwordOrNull != null ? passwordOrNull : "";
 
+        // Password resetting to empty/null is not allowed for managed profiles.
+        if (TextUtils.isEmpty(password)) {
+            enforceNotManagedProfile(userHandle, "clear the active password");
+        }
+
         int quality;
         synchronized (this) {
-            // If caller has PO (or DO), it can clear the password, so see if that's the case
-            // first.
+            // If caller has PO (or DO) it can change the password, so see if that's the case first.
             ActiveAdmin admin = getActiveAdminWithPolicyForUidLocked(
                     null, DeviceAdminInfo.USES_POLICY_PROFILE_OWNER, callingUid);
             if (admin == null) {
                 // Otherwise, make sure the caller has any active admin with the right policy.
                 admin = getActiveAdminForCallerLocked(null,
                         DeviceAdminInfo.USES_POLICY_RESET_PASSWORD);
-            }
-
-            final ComponentName adminComponent = admin.info.getComponent();
 
-            // As of N, only profile owners and device owners can reset the password.
-            if (!(isProfileOwner(adminComponent, userHandle)
-                    || isDeviceOwner(adminComponent, userHandle))) {
                 final boolean preN = getTargetSdk(admin.info.getPackageName(), userHandle)
                         <= android.os.Build.VERSION_CODES.M;
+
                 // As of N, password resetting to empty/null is not allowed anymore.
                 // TODO Should we allow DO/PO to set an empty password?
                 if (TextUtils.isEmpty(password)) {
@@ -3846,6 +3840,9 @@ public class DevicePolicyManagerService extends IDevicePolicyManager.Stub {
         // back in to the service.
         final long ident = mInjector.binderClearCallingIdentity();
         try {
+            if (isManagedProfile(userHandle)) {
+                mLockPatternUtils.setSeparateProfileChallengeEnabled(userHandle, true);
+            }
             if (!TextUtils.isEmpty(password)) {
                 mLockPatternUtils.saveLockPassword(password, null, quality, userHandle);
             } else {