DevicePolicyManager
public class DevicePolicyManager extends Object
java.lang.Object
  ↳ android.app.admin.DevicePolicyManager
Manages device policy and restrictions applied to the user of the device or apps running on the device.
This class contains three types of methods:
- Those aimed at managing apps
- Those aimed at the Device Policy Management Role Holder
- Those aimed at apps which wish to respect device policy
The intended caller for each API is indicated in its Javadoc.
Managing Apps
Apps can be made capable of setting device policy ("Managing Apps") either by being set as a Device Administrator, being set as a Device Policy Controller, or by holding the appropriate Permissions.
A Device Administrator is an app which is able to enforce device policies that it has declared in its device admin XML file. An app can prompt the user to give it device administrator privileges using the ACTION_ADD_DEVICE_ADMIN action.
For more information about Device Administration, read the Device Administration developer guide.
Device Administrator apps can also be recognised as Device Policy Controllers. Device Policy Controllers can be one of two types:
- A Device Owner, which only ever exists on the System User or Main User, is the most powerful type of Device Policy Controller and can affect policy across the device.
- A Profile Owner, which can exist on any user, can affect policy on the user it is on, and when it is running on a profile has limited ability to affect policy on its parent.
Additional capabilities can be provided to Device Policy Controllers in the following circumstances:
- A Profile Owner on an organization owned device has access to additional abilities, both affecting policy on the profile's parent and also the profile itself.
- A Profile Owner running on the System User has access to additional capabilities which affect the System User and also the whole device.
- A Profile Owner running on an affiliated user has capabilities similar to that of a Device Owner.
For more information, see Building a Device Policy Controller.
Permissions are generally only given to apps fulfilling particular key roles on the device (such as managing device locks).
Device Policy Management Role Holder
One app on the device fulfills the Device Policy Management Role and is trusted with managing the overall state of Device Policy. This app has access to much more powerful methods than managing apps.
Querying Device Policy
In most cases, regular apps do not need to concern themselves with device policy, and restrictions will be enforced automatically. There are some cases where an app may wish to query device policy to provide a better user experience. Only a small number of policies allow apps to query them directly. These APIs will typically have no special required permissions.
Managed Provisioning
Managed Provisioning is the process of recognising an app as a Device Owner or Profile Owner. It involves presenting education and consent screens to the user to ensure they are aware of the capabilities this grants the Device Policy Controller.
For more information on provisioning, see Building a Device Policy Controller.
A Managed Profile enables data separation, for example to use a device for both personal and corporate purposes. The managed profile and its parent share a launcher.
Affiliation
Using the setAffiliationIds(ComponentName, Set) method, a Device Owner can set a list of affiliation ids for the System User. Any Profile Owner on the same device can also call setAffiliationIds(ComponentName, Set) to set affiliation ids for the user it is on. When there is the same ID present in both lists, the user is said to be "affiliated" and we can refer to the Profile Owner as a "profile owner on an affiliated user" or an "affiliated profile owner".
Becoming affiliated grants the Profile Owner capabilities similar to that of the Device Owner. It also allows use of the bindDeviceAdminServiceAsUser(ComponentName, Intent, ServiceConnection, BindServiceFlags, UserHandle) APIs for direct communication between the Device Owner and affiliated Profile Owners.
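The affiliation flow described above, as an added example that is not part of the original reference: both owners declare the same id, a Profile Owner can confirm the result with isAffiliatedUser(), and the binding side asks the system which users are valid targets before binding. The class name, the id value and the connFor parameter are hypothetical, and the example uses the int-flags overload of bindDeviceAdminServiceAsUser rather than the BindServiceFlags one named in the text.

```java
import android.app.admin.DevicePolicyManager;
import android.content.ComponentName;
import android.content.Context;
import android.content.Intent;
import android.content.ServiceConnection;
import android.os.UserHandle;
import java.util.Collections;
import java.util.function.Function;

/** Hypothetical helper used by a DPC acting as Device Owner or Profile Owner. */
public final class AffiliationHelper {
    // Constructed sample value; both owners must set an identical string.
    private static final String AFFILIATION_ID = "example-affiliation-id";

    private AffiliationHelper() {}

    /** Run by the Device Owner on the System User and by each Profile Owner on its own user. */
    public static void declareAffiliation(Context ctx, ComponentName admin) {
        DevicePolicyManager dpm = ctx.getSystemService(DevicePolicyManager.class);
        // Throws SecurityException when admin is not a device or profile owner.
        dpm.setAffiliationIds(admin, Collections.singleton(AFFILIATION_ID));
    }

    /** True once the calling user is affiliated with the device. */
    public static boolean isAffiliated(Context ctx) {
        return ctx.getSystemService(DevicePolicyManager.class).isAffiliatedUser();
    }

    /**
     * Binds to the admin service in every user the system lists as a valid target.
     * connFor supplies one ServiceConnection per target user.
     * Returns how many binds were accepted.
     */
    public static int bindToAffiliatedOwners(Context ctx, ComponentName admin,
            Intent serviceIntent, Function<UserHandle, ServiceConnection> connFor) {
        DevicePolicyManager dpm = ctx.getSystemService(DevicePolicyManager.class);
        int bound = 0;
        for (UserHandle user : dpm.getBindDeviceAdminTargetUsers(admin)) {
            if (dpm.bindDeviceAdminServiceAsUser(admin, serviceIntent,
                    connFor.apply(user), Context.BIND_AUTO_CREATE, user)) {
                bound++;
            }
        }
        return bound;
    }
}
```

An empty list from getBindDeviceAdminTargetUsers means no user is currently a valid bind target, which is the state to expect before both sides have set a matching id.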
Organization Owned
An organization owned device is one which is not owned by the person making use of the device and is instead owned by an organization such as their employer or education provider. These devices are recognised as being organization owned either by the presence of a device owner or of a profile whose profile owner is marked as organization owned.
Profile owners running on an organization owned device can exercise additional capabilities using the getParentProfileInstance(android.content.ComponentName) API which apply to the parent user. Each API will indicate if it is usable in this way.
Android Automotive
On Android Automotive builds, some methods can throw an exception if an action is unsafe (for example, if the vehicle is moving). Callers running on Android Automotive builds should always check for this exception.
Restricted for SDK Runtime environment in API level 34.
Requires the PackageManager#FEATURE_DEVICE_ADMIN feature which can be detected using PackageManager.hasSystemFeature(String).
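One way to combine the feature check with the Android Automotive guidance above, as an added example that is not part of the original reference: a wrapper that refuses to run without FEATURE_DEVICE_ADMIN and reports an unsafe state to the caller so the policy change can be retried later. The class and enum names are hypothetical, and the example assumes the exception the text refers to is android.app.admin.UnsafeStateException (API level 31).

```java
import android.app.admin.DevicePolicyManager;
import android.app.admin.UnsafeStateException;
import android.content.Context;
import android.content.pm.PackageManager;
import android.util.Log;
import java.util.function.Consumer;

/** Hypothetical wrapper around any DevicePolicyManager call made by a managing app. */
public final class SafePolicyCall {
    public enum Result { APPLIED, NO_DEVICE_ADMIN_FEATURE, DEFERRED_UNSAFE }

    private SafePolicyCall() {}

    public static Result run(Context ctx, Consumer<DevicePolicyManager> action) {
        PackageManager pm = ctx.getPackageManager();
        // The class requires this feature; bail out early on devices without it.
        if (!pm.hasSystemFeature(PackageManager.FEATURE_DEVICE_ADMIN)) {
            return Result.NO_DEVICE_ADMIN_FEATURE;
        }
        DevicePolicyManager dpm = ctx.getSystemService(DevicePolicyManager.class);
        try {
            action.accept(dpm);
            return Result.APPLIED;
        } catch (UnsafeStateException e) {
            // Assumed exception type: the action was rejected as unsafe right now
            // (for example, the vehicle is moving). Nothing was applied.
            Log.w("SafePolicyCall", "Policy action deferred: unsafe state", e);
            return Result.DEFERRED_UNSAFE;
        }
    }
}
```

A caller that receives DEFERRED_UNSAFE should treat the policy as not applied and schedule a retry instead of assuming the device is compliant.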
Summary
Nested classes | | |
---|---|---|
class | DevicePolicyManager.InstallSystemUpdateCallback | Callback used in |
interface | DevicePolicyManager.OnClearApplicationUserDataListener | Callback used in |
Constants | | |
---|---|---|
String | ACTION_ADD_DEVICE_ADMIN | Activity action: ask the user to add a new device administrator to the system. |
String | ACTION_ADMIN_POLICY_COMPLIANCE | Activity action: Starts the administrator to show policy compliance for the provisioning. |
String | ACTION_APPLICATION_DELEGATION_SCOPES_CHANGED | Broadcast Action: Sent after application delegation scopes are changed. |
String | ACTION_CHECK_POLICY_COMPLIANCE | Activity action: launch the DPC to check policy compliance. |
String | ACTION_DEVICE_ADMIN_SERVICE | Service action: Action for a service that device owner and profile owner can optionally own. |
String | ACTION_DEVICE_FINANCING_STATE_CHANGED | Broadcast Action: Broadcast sent to indicate that the device financing state has changed. |
String | ACTION_DEVICE_OWNER_CHANGED | Broadcast action: sent when the device owner is set, changed or cleared. |
String | ACTION_DEVICE_POLICY_RESOURCE_UPDATED | Broadcast action: notify system apps (e.g. settings, SysUI, etc) that the device management resources with IDs |