Why can't I create a restricted profile when a

2019-07-04 16:40发布

问题:

I recently noticed that when a Device Owner application is set, it's not possible to create a restricted profile.

First case : When my device owner app is not set.
From Settings>Users : I can "Add user or Profile", and then choose between a User or a Restricted Profile.

Second case : When my device owner app is set.
From Settings>Users : I can only "Add user", and then i get the confirmation to create a new user. In this second case, it's not possible to create a restricted profile.

I'd like to know why it's not available in this case and how I could possibly create a restricted profile in this case ?
The second part of my question is : how can I programmatically create a restricted profile - or an equivalent behavior - using the existing DevicePolicyManager API (as far as I can see, there's no public API to create restricted profile) ?

UPDATE: I made a sample app to illustrate this. It's available on Github.

Steps to reproduce :

  • Compile the app
  • Upload the application to your device
  • Set the application as device owner using dpm command line tool: adb shell dpm set-device-owner com.mytest.minimalistdeviceowner/.DeviceAdminRcvr.
  • Check that the creation of profile is not available in Settings>Users
  • Unset the application as device owner by clicking, in the app, on "Unset Device Owner".
  • Check that the creation is now available in Settings>Users

回答1:

Restricted profiles are not available for tablets with a device owner, or phones. It's shown in the Settings app source code available here :

DevicePolicyManager dpm = (DevicePolicyManager) context.getSystemService(
                Context.DEVICE_POLICY_SERVICE);
// No restricted profiles for tablets with a device owner, or phones.
if (dpm.getDeviceOwner() != null || Utils.isVoiceCapable(context)) {
    mCanAddRestrictedProfile = false;
    mAddUser.setTitle(R.string.user_add_user_menu);
}

So that's not a bug, but a functionnality. It's probably disabled to avoid to interfere with your Device Owner App. You should be aware of that and because you have more power with your Device Owner App, means you’ll have to restrict your user by yourself from this Device Owner App.

To do that, you could use all restrictions API provided through DevicePolicyManager.addUserRestriction(), DevicePolicyManager.setGlobalSetting(), DevicePolicyManager.setSecureSetting() to configure settings, and also DevicePolicyManager.setApplicationHidden() to limit applications access for your user.



回答2:

Why can't I create a restricted profile when an owner device app is set?

Probably because the device owner app manages the profiles already. I guess it was easier to do like that without bypassing the device owner app restrictions.

How can I programmatically create a restricted profile?

The method DevicePolicyManager.createAndInitializeUser() can be used to create a managed profile. This profile cannot be managed directly in the settings, but the device owner app can access nearly the same features.

One feature that I cannot find is the ability to share an app from the owner profile to managed one.