Block ADB from being able to remove COPE profile
Set DISALLOW_REMOVE_MANAGED_PROFILE on user 0 on HSUM.
A bit hacky but should do the job.
Bug: 345713432
Test: manual
Change-Id: I211444b513d46bfe4e1ea947540607bee404fc5c
diff --git a/services/devicepolicy/java/com/android/server/devicepolicy/DevicePolicyManagerService.java b/services/devicepolicy/java/com/android/server/devicepolicy/DevicePolicyManagerService.java
index bdd0730..e296796 100644
--- a/services/devicepolicy/java/com/android/server/devicepolicy/DevicePolicyManagerService.java
+++ b/services/devicepolicy/java/com/android/server/devicepolicy/DevicePolicyManagerService.java
@@ -4145,6 +4145,10 @@
private void clearOrgOwnedProfileOwnerUserRestrictions(UserHandle parentUserHandle) {
mUserManager.setUserRestriction(
UserManager.DISALLOW_REMOVE_MANAGED_PROFILE, false, parentUserHandle);
+ if (mInjector.userManagerIsHeadlessSystemUserMode()) {
+ mUserManager.setUserRestriction(UserManager.DISALLOW_REMOVE_MANAGED_PROFILE,
+ false, UserHandle.SYSTEM);
+ }
mUserManager.setUserRestriction(
UserManager.DISALLOW_ADD_USER, false, parentUserHandle);
}
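Review bot: The added clear on `UserHandle.SYSTEM` carries no comment, while the matching set in the second hunk does, so a reader of clearOrgOwnedProfileOwnerUserRestrictions cannot tell why user 0 is touched. I would add `// On HSUM the restriction is also set on user 0 (Bug 345713432); clear it there as well.` above the `if`. The clear is also unconditional: it writes `false` for user 0 whether or not this code set the restriction. It is worth confirming that nothing else relies on DISALLOW_REMOVE_MANAGED_PROFILE being set on the system user through this same UserManager call.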
@@ -17890,6 +17894,12 @@
mUserManager.setUserRestriction(UserManager.DISALLOW_REMOVE_MANAGED_PROFILE,
isProfileOwnerOnOrganizationOwnedDevice,
parentUser);
+ if (mInjector.userManagerIsHeadlessSystemUserMode()) {
+ // For HSUM, additionally set this on user 0 to block ADB from removing the profile.
+ mUserManager.setUserRestriction(UserManager.DISALLOW_REMOVE_MANAGED_PROFILE,
+ isProfileOwnerOnOrganizationOwnedDevice,
+ UserHandle.SYSTEM);
+ }
mUserManager.setUserRestriction(UserManager.DISALLOW_ADD_USER,
isProfileOwnerOnOrganizationOwnedDevice,
parentUser);
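Review bot: The restriction set on `UserHandle.SYSTEM` here appears to be removed only by the clear added in the first hunk, so any teardown that skips that path would leave it behind. On HSUM `parentUser` is presumably a secondary user; if it can be removed without clearOrgOwnedProfileOwnerUserRestrictions running, user 0 could be left with DISALLOW_REMOVE_MANAGED_PROFILE set and no owner to lift it. The commit is marked `Test: manual`, but the branch depends only on `mInjector.userManagerIsHeadlessSystemUserMode()`. A unit test that stubs the injector and verifies both `setUserRestriction` calls, on set and on clear, would pin the behaviour this change is meant to guarantee. The enclosing method starts and ends outside the hunk.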