Merge "Enforce policy management."
diff --git a/src/com/android/settings/password/ConfirmDeviceCredentialActivity.java b/src/com/android/settings/password/ConfirmDeviceCredentialActivity.java
index 1da2a63..bf8c571 100644
--- a/src/com/android/settings/password/ConfirmDeviceCredentialActivity.java
+++ b/src/com/android/settings/password/ConfirmDeviceCredentialActivity.java
@@ -25,6 +25,7 @@
import android.app.trust.TrustManager;
import android.content.Context;
import android.content.Intent;
+import android.content.pm.PackageManager;
import android.hardware.biometrics.BiometricConstants;
import android.hardware.biometrics.BiometricManager;
import android.hardware.biometrics.BiometricPrompt;
@@ -52,6 +53,12 @@
public class ConfirmDeviceCredentialActivity extends FragmentActivity {
public static final String TAG = ConfirmDeviceCredentialActivity.class.getSimpleName();
+ /**
+ * If the intent is sent from {@link com.android.systemui.keyguard.WorkLockActivity} then
+ * check for device policy management flags.
+ */
+ public static final String EXTRA_FROM_WORK_LOCK_ACTIVITY = "from_work_lock_activity";
+
// The normal flow that apps go through
private static final int CREDENTIAL_NORMAL = 1;
// Unlocks the managed profile when the primary profile is unlocked
@@ -90,6 +97,8 @@
private TrustManager mTrustManager;
private ChooseLockSettingsHelper mChooseLockSettingsHelper;
private Handler mHandler = new Handler(Looper.getMainLooper());
+ private Context mContext;
+ private boolean mFromWorkLockActivity;
private String mTitle;
private String mDetails;
@@ -149,6 +158,8 @@
mLockPatternUtils = new LockPatternUtils(this);
Intent intent = getIntent();
+ mContext = this;
+ mFromWorkLockActivity = intent.getBooleanExtra(EXTRA_FROM_WORK_LOCK_ACTIVITY, false);
mTitle = intent.getStringExtra(KeyguardManager.EXTRA_TITLE);
mDetails = intent.getStringExtra(KeyguardManager.EXTRA_DESCRIPTION);
String alternateButton = intent.getStringExtra(
@@ -190,7 +201,7 @@
} else if (isManagedProfile && isInternalActivity()
&& !lockPatternUtils.isSeparateProfileChallengeEnabled(mUserId)) {
mCredentialMode = CREDENTIAL_MANAGED;
- if (isBiometricAllowed(effectiveUserId, mUserId)) {
+ if (mFromWorkLockActivity && isBiometricAllowed(effectiveUserId, mUserId)) {
showBiometricPrompt(bpBundle);
launchedBiometric = true;
} else {
@@ -256,10 +267,36 @@
|| !mUserManager.isUserUnlocked(mUserId);
}
+ /**
+ * TODO: Pass a list of disabled features to an internal BiometricPrompt API, so we can
+ * potentially show different modalities on multi-auth devices.
+ *
+ * @param effectiveUserId
+ * @return false if their exists one biometric on the device which is not disabled by the
+ * policy manager.
+ */
private boolean isBiometricDisabledByAdmin(int effectiveUserId) {
final int disabledFeatures =
- mDevicePolicyManager.getKeyguardDisabledFeatures(null, effectiveUserId);
- return (disabledFeatures & DevicePolicyManager.KEYGUARD_DISABLE_BIOMETRICS) != 0;
+ mDevicePolicyManager.getKeyguardDisabledFeatures(null, effectiveUserId);
+
+ final PackageManager pm = mContext.getPackageManager();
+ if (pm.hasSystemFeature(PackageManager.FEATURE_FINGERPRINT)
+ && (disabledFeatures & DevicePolicyManager.KEYGUARD_DISABLE_FINGERPRINT) == 0) {
+ Log.d(TAG,"Fingerprint enabled & allowed by device policy manager");
+ return false;
+ }
+ if (pm.hasSystemFeature(PackageManager.FEATURE_IRIS)
+ && (disabledFeatures & DevicePolicyManager.KEYGUARD_DISABLE_IRIS) == 0) {
+ Log.d(TAG,"Iris enabled & allowed by device policy manager");
+ return false;
+ }
+ if (pm.hasSystemFeature(PackageManager.FEATURE_FACE)
+ && (disabledFeatures & DevicePolicyManager.KEYGUARD_DISABLE_FACE) == 0) {
+ Log.d(TAG,"Face enabled & allowed by device policy manager");
+ return false;
+ }
+
+ return true;
}
private boolean isBiometricAllowed(int effectiveUserId, int realUserId) {