1# @ohos.enterprise.restrictions (Restrictions) 2 3This **restrictions** module provides APIs for disallowing general features of devices. You can globally disable or enable the features such as Bluetooth, HDC, USB, and Wi-Fi. 4 5> **NOTE** 6> 7> The initial APIs of this module are supported since API version 12. Newly added APIs will be marked with a superscript to indicate their earliest API version. 8> 9> The APIs of this module can be used only in the stage model. 10> 11> The APIs of this module can be called only by a [device administrator application](../../mdm/mdm-kit-guide.md#introduction) that is enabled. 12 13## Modules to Import 14 15```ts 16import { restrictions } from '@kit.MDMKit'; 17``` 18 19## restrictions.setDisallowedPolicy 20 21setDisallowedPolicy(admin: Want, feature: string, disallow: boolean): void 22 23Disallows a feature. 24 25**Required permissions**: ohos.permission.ENTERPRISE_MANAGE_RESTRICTIONS or ohos.permission.PERSONAL_MANAGE_RESTRICTIONS<sup>15+</sup> 26 27**System capability**: SystemCapability.Customization.EnterpriseDeviceManager 28 29**Parameters** 30 31| Name | Type | Mandatory| Description | 32| -------- | ------------------------------------------------------- | ---- | ------------------------------------------------------------ | 33| admin | [Want](../apis-ability-kit/js-apis-app-ability-want.md) | Yes | EnterpriseAdminExtensionAbility. | 34| feature | string | Yes | Feature to set.<br>- **bluetooth**: Bluetooth capability of the device.<br>- **modifyDateTime**: capability of modifying the system time. Currently, this feature is available only for 2-in-1 devices.<br>- **printer**: printing capability. Currently, this feature is available only for 2-in-1 devices.<br>- **hdc**: OpenHarmony Device Connector (hdc).<br>- **microphone**: microphone capability of the device.<br>- **fingerprint**: fingerprint authentication capability of the device. If the fingerprint authentication capability has been disabled for a user using [setDisallowedPolicyForAccount](#restrictionssetdisallowedpolicyforaccount14), a policy conflict will be reported when this API is invoked to enable the fingerprint authentication capability.<br>- **usb**: USB capability of the device. The external USB device cannot be used after this capability is disabled. That is, when the current device is in host mode, other external devices cannot be connected.<br> If you use this API to disable the USB capability of a device in the following scenarios, a policy conflict will be reported:<br> 1. Available USB devices are added using the [addAllowedUsbDevices](js-apis-enterprise-usbManager.md#usbmanageraddallowedusbdevices) API.<br> 2. The access policy of the USB storage device is set to read-only or disabled through the [setUsbStorageDeviceAccessPolicy](js-apis-enterprise-usbManager.md#usbmanagersetusbstoragedeviceaccesspolicy) API.<br> 3. A forbidden USB device type is added using the [addDisallowedUsbDevices](js-apis-enterprise-usbManager.md#usbmanageradddisallowedusbdevices14) API.<br>- **wifi**: Wi-Fi capability of the device.<br>- **tethering**<sup>14+</sup>: network sharing capability. Currently, this feature is available only for 2-in-1 devices.<br>- **inactiveUserFreeze**<sup>14+</sup>: capability of freezing inactive users. Currently, this feature is available only for 2-in-1 devices. When the system switches to the enterprise space user, the personal space users are inactive users.<br>- **camera**<sup>14+</sup>: camera capability of the device.<br>- mtpClient<sup>18+</sup>: MTP client capability. Currently, this feature is available only for 2-in-1 devices. The Media Transfer Protocol (MTP) allows users to access media files linearly on mobile devices.<br>- mtpServer<sup>18+</sup>: MTP server capability. Currently, this feature is available only for mobile phones, tablets, and 2-in-1 devices.<!--RP1--><!--RP1End--> <br> Note: Since API version 15, an application must request the ohos.permission.PERSONAL_MANAGE_RESTRICTIONS permission and call [adminManager.startAdminProvision](./js-apis-enterprise-adminManager.md#adminmanagerstartadminprovision15) to set the features including **bluetooth**, **hdc**, **microphone**, **usb**, **wifi**, **tethering**, and **camera**.| 35| disallow | boolean | Yes | Whether to disallow the feature. The value **true** means to disallow the feature; the value **false** means the opposite. | 36 37**Error codes** 38 39For details about the error codes, see [Enterprise Device Management Error Codes](errorcode-enterpriseDeviceManager.md) and [Universal Error Codes](../errorcode-universal.md). 40 41| ID| Error Message | 42| -------- | ------------------------------------------------------------ | 43| 9200001 | The application is not an administrator application of the device. | 44| 9200002 | The administrator application does not have permission to manage the device. | 45| 201 | Permission verification failed. The application does not have the permission required to call the API. | 46| 401 | Parameter error. Possible causes: 1. Mandatory parameters are left unspecified; 2. Incorrect parameter types; 3. Parameter verification failed. | 47 48**Example** 49 50```ts 51import { Want } from '@kit.AbilityKit'; 52let wantTemp: Want = { 53 bundleName: 'com.example.myapplication', 54 abilityName: 'EntryAbility', 55}; 56 57try { 58 restrictions.setDisallowedPolicy(wantTemp, 'printer', true); 59 console.info('Succeeded in setting printer disabled'); 60} catch (err) { 61 console.error(`Failed to set printer disabled. Code is ${err.code}, message is ${err.message}`); 62} 63``` 64 65## restrictions.getDisallowedPolicy 66 67getDisallowedPolicy(admin: Want, feature: string): boolean 68 69Obtains a disabled feature. 70 71**Required permissions**: ohos.permission.ENTERPRISE_MANAGE_RESTRICTIONS or ohos.permission.PERSONAL_MANAGE_RESTRICTIONS<sup>15+</sup> 72 73**System capability**: SystemCapability.Customization.EnterpriseDeviceManager 74 75**Parameters** 76 77| Name | Type | Mandatory| Description | 78| ------- | ------------------------------------------------------- | ---- | ------------------------------------------------------------ | 79| admin | [Want](../apis-ability-kit/js-apis-app-ability-want.md) | Yes | EnterpriseAdminExtensionAbility. | 80| feature | string | Yes | Feature to set.<br>- **bluetooth**: Bluetooth capability of the device.<br>- **modifyDateTime**: capability of modifying the system time. Currently, this feature is available only for 2-in-1 devices.<br>- **printer**: printing capability. Currently, this feature is available only for 2-in-1 devices.<br>- **hdc**: OpenHarmony Device Connector (hdc).<br>- **microphone**: microphone capability of the device.<br>- **fingerprint**: fingerprint authentication capability of the device.<br>- **usb**: USB capability of the device. External USB devices cannot be used after this capability is disabled. That is, when the current device is in host mode, other external devices cannot be connected.<br>- **wifi**: Wi-Fi capability of the device.<br>- **tethering**<sup>14+</sup>: network sharing capability. Currently, this feature is available only for 2-in-1 devices.<br>- **inactiveUserFreeze**<sup>14+</sup>: capability of freezing inactive users. Currently, this feature is available only for 2-in-1 devices. When the system switches to the enterprise space user, the personal space users are inactive users.<br>- **camera**<sup>14+</sup>: camera capability of the device.<br>- mtpClient<sup>18+</sup>: MTP client capability. Currently, this feature is available only for 2-in-1 devices. The Media Transfer Protocol (MTP) allows users to access media files linearly on mobile devices.<br>- mtpServer<sup>18+</sup>: MTP server capability. Currently, this feature is available only for mobile phones, tablets, and 2-in-1 devices.<!--RP2--><!--RP2End--> <br> Note: Since API version 15, an application must request the ohos.permission.PERSONAL_MANAGE_RESTRICTIONS permission and call [adminManager.startAdminProvision](./js-apis-enterprise-adminManager.md#adminmanagerstartadminprovision15) to set the features including **bluetooth**, **hdc**, **microphone**, **usb**, **wifi**, **tethering**, and **camera**.| 81 82**Return value** 83 84| Type | Description | 85| ------- | ------------------------------------------------------------ | 86| boolean | Returns **true** if the feature is disallowed; returns **false** otherwise.| 87 88**Error codes** 89 90For details about the error codes, see [Enterprise Device Management Error Codes](errorcode-enterpriseDeviceManager.md) and [Universal Error Codes](../errorcode-universal.md). 91 92| ID| Error Message | 93| -------- | ------------------------------------------------------------ | 94| 9200001 | The application is not an administrator application of the device. | 95| 9200002 | The administrator application does not have permission to manage the device. | 96| 201 | Permission verification failed. The application does not have the permission required to call the API. | 97| 401 | Parameter error. Possible causes: 1. Mandatory parameters are left unspecified; 2. Incorrect parameter types; 3. Parameter verification failed. | 98 99**Example** 100 101```ts 102import { Want } from '@kit.AbilityKit'; 103let wantTemp: Want = { 104 bundleName: 'com.example.myapplication', 105 abilityName: 'EntryAbility', 106}; 107 108try { 109 let result: boolean = restrictions.getDisallowedPolicy(wantTemp, 'printer'); 110 console.info(`Succeeded in querying is the printing function disabled : ${result}`); 111} catch (err) { 112 console.error(`Failed to set printer disabled. Code is ${err.code}, message is ${err.message}`); 113} 114``` 115 116## restrictions.setDisallowedPolicyForAccount<sup>14+</sup> 117 118setDisallowedPolicyForAccount(admin: Want, feature: string, disallow: boolean, accountId: number): void 119 120Enables or disables a feature of a specified user. 121 122**Required permissions**: ohos.permission.ENTERPRISE_MANAGE_RESTRICTIONS 123 124**System capability**: SystemCapability.Customization.EnterpriseDeviceManager 125 126**Parameters** 127 128| Name | Type | Mandatory| Description | 129| -------- | ------------------------------------------------------- | ---- | ------------------------------------------------------------ | 130| admin | [Want](../apis-ability-kit/js-apis-app-ability-want.md) | Yes | EnterpriseAdminExtensionAbility. | 131| feature | string | Yes | Feature to set.<br>- **fingerprint**: device fingerprint authentication capability. Currently, this feature is available only for 2-in-1 devices. The rules for using this parameter are as follows:<br>1. The device fingerprint authentication capability is disabled through the [setDisallowedPolicy](#restrictionssetdisallowedpolicy) API. If this parameter is transferred through this API, a policy conflict is reported.<br>2. After this API is used to disable or enable the device fingerprint authentication capability of a specified user, if the [setDisallowedPolicy](#restrictionssetdisallowedpolicy) API is used to disable the device fingerprint authentication capability, the latter will overwrite the former. All users can use the device fingerprint authentication capability enabled by the [setDisallowedPolicy](#restrictionssetdisallowedpolicy) API.| 132| disallow | boolean | Yes | Whether to disallow the feature. The value **true** means to disallow the feature; the value **false** means the opposite. | 133| accountId | number | Yes | User ID, which must be greater than or equal to 0.<br>You can call the [getOsAccountLocalId](../apis-basic-services-kit/js-apis-osAccount.md#getosaccountlocalid9) API to obtain the user ID.| 134 135**Error codes** 136 137For details about the error codes, see [Enterprise Device Management Error Codes](errorcode-enterpriseDeviceManager.md) and [Universal Error Codes](../errorcode-universal.md). 138 139| ID| Error Message | 140| -------- | ------------------------------------------------------------ | 141| 9200001 | The application is not an administrator application of the device. | 142| 9200002 | the administrator application does not have permission to manage the device. | 143| 9200010 | A conflict policy has been configured. | 144| 201 | Permission verification failed. The application does not have the permission required to call the API. | 145| 401 | Parameter error. Possible causes: 1. Mandatory parameters are left unspecified; 2. Incorrect parameter types; 3. Parameter verification failed. | 146 147**Example** 148 149```ts 150import { Want } from '@kit.AbilityKit'; 151let wantTemp: Want = { 152 bundleName: 'com.example.myapplication', 153 abilityName: 'EntryAbility', 154}; 155 156try { 157 restrictions.setDisallowedPolicyForAccount(wantTemp, 'fingerprint', true, 100); 158 console.info('Succeeded in setting fingerprint disabled'); 159} catch (err) { 160 console.error(`Failed to set fingerprint disabled. Code is ${err.code}, message is ${err.message}`); 161} 162``` 163 164## restrictions.getDisallowedPolicyForAccount<sup>14+</sup> 165 166getDisallowedPolicyForAccount(admin: Want, feature: string, accountId: number): boolean 167 168Obtains the status of a feature of a specified user. 169 170**Required permissions**: ohos.permission.ENTERPRISE_MANAGE_RESTRICTIONS 171 172**System capability**: SystemCapability.Customization.EnterpriseDeviceManager 173 174**Parameters** 175 176| Name | Type | Mandatory| Description | 177| ------- | ------------------------------------------------------- | ---- | ------------------------------------------------------------ | 178| admin | [Want](../apis-ability-kit/js-apis-app-ability-want.md) | Yes | EnterpriseAdminExtensionAbility. | 179| feature | string | Yes | Feature to set.<br>- **fingerprint**: device fingerprint authentication capability. Currently, this feature is available only for 2-in-1 devices. When this parameter is used, the following rules apply: After [setDisallowedPolicyForAccount](#restrictionssetdisallowedpolicyforaccount14) is used to disable or enable the device fingerprint authentication capability of a specified user, if the [setDisallowedPolicy](#restrictionssetdisallowedpolicy) API is used to disable the device fingerprint authentication capability, the latter will overwrite the former. And the calling result is **false**.| 180| accountId | number | Yes | User ID, which must be greater than or equal to 0.<br>You can call [getOsAccountLocalId](../apis-basic-services-kit/js-apis-osAccount.md#getosaccountlocalid9) to obtain the user ID.| 181 182**Return value** 183 184| Type | Description | 185| ------- | ------------------------------------------------------------ | 186| boolean | If **true** is returned, the feature is disabled. If **false** is returned, the feature is not disabled.| 187 188**Error codes** 189 190For details about the error codes, see [Enterprise Device Management Error Codes](errorcode-enterpriseDeviceManager.md) and [Universal Error Codes](../errorcode-universal.md). 191 192| ID| Error Message | 193| -------- | ------------------------------------------------------------ | 194| 9200001 | The application is not an administrator application of the device. | 195| 9200002 | the administrator application does not have permission to manage the device. | 196| 201 | Permission verification failed. The application does not have the permission required to call the API. | 197| 401 | Parameter error. Possible causes: 1. Mandatory parameters are left unspecified; 2. Incorrect parameter types; 3. Parameter verification failed. | 198 199**Example** 200 201```ts 202import { Want } from '@kit.AbilityKit'; 203let wantTemp: Want = { 204 bundleName: 'com.example.myapplication', 205 abilityName: 'EntryAbility', 206}; 207 208try { 209 let result: boolean = restrictions.getDisallowedPolicyForAccount(wantTemp, 'fingerprint', 100); 210 console.info(`Succeeded in querying is the fingerprint function disabled : ${result}`); 211} catch (err) { 212 console.error(`Failed to set fingerprint disabled. Code is ${err.code}, message is ${err.message}`); 213} 214``` 215 216## restrictions.addDisallowedListForAccount<sup>14+</sup> 217 218addDisallowedListForAccount(admin: Want, feature: string, list: Array\<string>, accountId: number): void 219 220Add a list of applications that are not allowed to use a feature for a specified user. 221 222**Required permissions**: ohos.permission.ENTERPRISE_MANAGE_RESTRICTIONS 223 224**System capability**: SystemCapability.Customization.EnterpriseDeviceManager 225 226**Parameters** 227 228| Name | Type | Mandatory| Description | 229| -------- | ------------------------------------------------------- | ---- | ------------------------------------------------------------ | 230| admin | [Want](../apis-ability-kit/js-apis-app-ability-want.md) | Yes | EnterpriseAdminExtensionAbility. | 231| feature | string | Yes | Feature to set.<br>- **snapshotSkip**: screen snapshot capability.| 232| list | Array\<string> | Yes | List of content such as the bundle names. | 233| accountId | number | Yes | User ID, which must be greater than or equal to 0.<br>You can call the [getOsAccountLocalId](../apis-basic-services-kit/js-apis-osAccount.md#getosaccountlocalid9) API to obtain the user ID.| 234 235**Error codes** 236 237For details about the error codes, see [Enterprise Device Management Error Codes](errorcode-enterpriseDeviceManager.md) and [Universal Error Codes](../errorcode-universal.md). 238 239| ID| Error Message | 240| -------- | ------------------------------------------------------------ | 241| 9200001 | The application is not an administrator application of the device. | 242| 9200002 | The administrator application does not have permission to manage the device. | | 243| 201 | Permission verification failed. The application does not have the permission required to call the API. | 244| 401 | Parameter error. Possible causes: 1. Mandatory parameters are left unspecified; 2. Incorrect parameter types; 3. Parameter verification failed. | 245 246**Example** 247 248```ts 249import { Want } from '@kit.AbilityKit'; 250let wantTemp: Want = { 251 bundleName: 'com.example.myapplication', 252 abilityName: 'EntryAbility', 253}; 254let valueList:Array<string> = ["com.xx.aa.", "com.xx.bb"]; 255try { 256 restrictions.addDisallowedListForAccount(wantTemp, 'snapshotSkip', valueList, 100); 257 console.info('Succeeded in adding disallowed snapshotSkip feature'); 258} catch (err) { 259 console.error(`Failed to add disallowed snapshotSkip feature. Code is ${err.code}, message is ${err.message}`); 260} 261``` 262 263## restrictions.removeDisallowedListForAccount<sup>14+</sup> 264 265removeDisallowedListForAccount(admin: Want, feature: string, list: Array\<string>, accountId: number): void 266 267Removes a list of applications that are not allowed to use a feature for a specified user. 268 269**Required permissions**: ohos.permission.ENTERPRISE_MANAGE_RESTRICTIONS 270 271**System capability**: SystemCapability.Customization.EnterpriseDeviceManager 272 273**Parameters** 274 275| Name | Type | Mandatory| Description | 276| -------- | ------------------------------------------------------- | ---- | ------------------------------------------------------------ | 277| admin | [Want](../apis-ability-kit/js-apis-app-ability-want.md) | Yes | EnterpriseAdminExtensionAbility. | 278| feature | string | Yes | Feature to set.<br>- **snapshotSkip**: screen snapshot capability.| 279| list | Array\<string> | Yes | List of content such as the bundle names. | 280| accountId | number | Yes | User ID, which must be greater than or equal to 0.<br>You can call the [getOsAccountLocalId](../apis-basic-services-kit/js-apis-osAccount.md#getosaccountlocalid9) API to obtain the user ID.| 281 282**Error codes** 283 284For details about the error codes, see [Enterprise Device Management Error Codes](errorcode-enterpriseDeviceManager.md) and [Universal Error Codes](../errorcode-universal.md). 285 286| ID| Error Message | 287| -------- | ------------------------------------------------------------ | 288| 9200001 | The application is not an administrator application of the device. | 289| 9200002 | The administrator application does not have permission to manage the device. | | 290| 201 | Permission verification failed. The application does not have the permission required to call the API. | 291| 401 | Parameter error. Possible causes: 1. Mandatory parameters are left unspecified; 2. Incorrect parameter types; 3. Parameter verification failed. | 292 293**Example** 294 295```ts 296import { Want } from '@kit.AbilityKit'; 297let wantTemp: Want = { 298 bundleName: 'com.example.myapplication', 299 abilityName: 'EntryAbility', 300}; 301let valueList:Array<string> = ["com.xx.aa.", "com.xx.bb"]; 302try { 303 restrictions.removeDisallowedListForAccount(wantTemp, 'snapshotSkip', valueList, 100); 304 console.info('Succeeded in removing disallowed snapshotSkip feature'); 305} catch (err) { 306 console.error(`Failed to remove disallowed snapshotSkip feature. Code is ${err.code}, message is ${err.message}`); 307} 308``` 309 310## restrictions.getDisallowedListForAccount<sup>14+</sup> 311 312getDisallowedListForAccount(admin: Want, feature: string, accountId: number): Array\<string> 313 314Obtains the list of applications that are not allowed to use a feature for a specified user. 315 316**Required permissions**: ohos.permission.ENTERPRISE_MANAGE_RESTRICTIONS 317 318**System capability**: SystemCapability.Customization.EnterpriseDeviceManager 319 320**Parameters** 321 322| Name | Type | Mandatory| Description | 323| ------- | ------------------------------------------------------- | ---- | ------------------------------------------------------------ | 324| admin | [Want](../apis-ability-kit/js-apis-app-ability-want.md) | Yes | EnterpriseAdminExtensionAbility. | 325| feature | string | Yes | Feature to set.<br>- **snapshotSkip**: screen snapshot capability.| 326| accountId | number | Yes | User ID, which must be greater than or equal to 0.<br>You can call [getOsAccountLocalId](../apis-basic-services-kit/js-apis-osAccount.md#getosaccountlocalid9) to obtain the user ID.| 327 328**Return value** 329 330| Type | Description | 331| ------- | ------------------------------------------------------------ | 332| Array\<string> | List of applications that have been added by the user and for which a certain feature is disabled.| 333 334**Error codes** 335 336For details about the error codes, see [Enterprise Device Management Error Codes](errorcode-enterpriseDeviceManager.md) and [Universal Error Codes](../errorcode-universal.md). 337 338| ID| Error Message | 339| -------- | ------------------------------------------------------------ | 340| 9200001 | The application is not an administrator application of the device. | 341| 9200002 | The administrator application does not have permission to manage the device. | 342| 201 | Permission verification failed. The application does not have the permission required to call the API. | 343| 401 | Parameter error. Possible causes: 1. Mandatory parameters are left unspecified; 2. Incorrect parameter types; 3. Parameter verification failed. | 344 345**Example** 346 347```ts 348import { Want } from '@kit.AbilityKit'; 349let wantTemp: Want = { 350 bundleName: 'com.example.myapplication', 351 abilityName: 'EntryAbility', 352}; 353 354try { 355 let result: Array<string> = restrictions.getDisallowedListForAccount(wantTemp, 'snapshotSkip', 100); 356 console.info('Succeeded in querying disallowed list for account'); 357} catch (err) { 358 console.error(`Failed to query disallowed list for account. Code is ${err.code}, message is ${err.message}`); 359} 360``` 361