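/*
 * Copyright (c) 2023-2024 Huawei Device Co., Ltd.
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
 * You may obtain a copy of the License at
 *
 *     http://www.apache.org/licenses/LICENSE-2.0
 *
 * Unless required by applicable law or agreed to in writing, software
 * distributed under the License is distributed on an "AS IS" BASIS,
 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 * See the License for the specific language governing permissions and
 * limitations under the License.
 */

/**
 * @file
 * @kit MDMKit
 */

import type Want from './@ohos.app.ability.Want';
import type image from './@ohos.multimedia.image';

/**
 * This module provides the capability to manage the security of the enterprise devices.
 *
 * Every function that takes an admin parameter declares error 9200001 (caller is not an administrator
 * application) and 9200002 (administrator lacks permission to manage the device); callers should handle
 * both rather than assume the call succeeded.
 *
 * @namespace securityManager
 * @syscap SystemCapability.Customization.EnterpriseDeviceManager
 * @stagemodelonly
 * @since 11
 */
declare namespace securityManager {
  /**
   * The device encryption status.
   *
   * @typedef DeviceEncryptionStatus
   * @syscap SystemCapability.Customization.EnterpriseDeviceManager
   * @systemapi
   * @stagemodelonly
   * @since 11
   */
  export interface DeviceEncryptionStatus {
    /**
     * True indicates that the device is encrypted.
     *
     * @type { boolean }
     * @syscap SystemCapability.Customization.EnterpriseDeviceManager
     * @systemapi
     * @stagemodelonly
     * @since 11
     */
    isEncrypted: boolean;
  }

  /**
   * User certificate data.
   *
   * @typedef CertBlob
   * @syscap SystemCapability.Customization.EnterpriseDeviceManager
   * @stagemodelonly
   * @since 12
   */
  export interface CertBlob {
    /**
     * The certificate content.
     * NOTE(review): the expected encoding of the bytes is not stated in this declaration; confirm before use.
     *
     * @type { Uint8Array }
     * @syscap SystemCapability.Customization.EnterpriseDeviceManager
     * @stagemodelonly
     * @since 12
     */
    inData: Uint8Array;

    /**
     * The certificate alias.
     * NOTE(review): the "cannot be empty or more than 40 characters" limit documented on
     * installUserCertificate presumably applies to this field; confirm.
     *
     * @type { string }
     * @syscap SystemCapability.Customization.EnterpriseDeviceManager
     * @stagemodelonly
     * @since 12
     */
    alias: string;
  }

  /**
   * Gets device security patch tag.
   * This function can be called by a super administrator.
   *
   * @permission ohos.permission.ENTERPRISE_MANAGE_SECURITY
   * @param { Want } admin - admin indicates the enterprise admin extension ability information.
   *                         The admin must have the corresponding permission.
   * @returns { string } the security patch tag of the device.
   * @throws { BusinessError } 9200001 - The application is not an administrator application of the device.
   * @throws { BusinessError } 9200002 - The administrator application does not have permission to manage the device.
   * @throws { BusinessError } 201 - Permission verification failed. The application does not have the permission required to call the API.
   * @throws { BusinessError } 202 - Permission verification failed. A non-system application calls a system API.
   * @throws { BusinessError } 401 - Parameter error. Possible causes: 1. Mandatory parameters are left unspecified;
   *                                 2. Incorrect parameter types; 3. Parameter verification failed.
   * @syscap SystemCapability.Customization.EnterpriseDeviceManager
   * @systemapi
   * @stagemodelonly
   * @since 11
   */
  function getSecurityPatchTag(admin: Want): string;

  /**
   * Gets device encryption status.
   * This function can be called by a super administrator.
   *
   * @permission ohos.permission.ENTERPRISE_MANAGE_SECURITY
   * @param { Want } admin - admin indicates the enterprise admin extension ability information.
   *                         The admin must have the corresponding permission.
   * @returns { DeviceEncryptionStatus } device encryption status.
   * @throws { BusinessError } 9200001 - The application is not an administrator application of the device.
   * @throws { BusinessError } 9200002 - The administrator application does not have permission to manage the device.
   * @throws { BusinessError } 201 - Permission verification failed. The application does not have the permission required to call the API.
   * @throws { BusinessError } 202 - Permission verification failed. A non-system application calls a system API.
   * @throws { BusinessError } 401 - Parameter error. Possible causes: 1. Mandatory parameters are left unspecified;
   *                                 2. Incorrect parameter types; 3. Parameter verification failed.
   * @syscap SystemCapability.Customization.EnterpriseDeviceManager
   * @systemapi
   * @stagemodelonly
   * @since 11
   */
  function getDeviceEncryptionStatus(admin: Want): DeviceEncryptionStatus;

  /**
   * Gets device security policy of the specific type.
   * This function can be called by a super administrator.
   * NOTE(review): the format of the returned string for each item is not described in this declaration;
   * confirm it before parsing the result or basing a compliance decision on it.
   *
   * @permission ohos.permission.ENTERPRISE_MANAGE_SECURITY
   * @param { Want } admin - admin indicates the enterprise admin extension ability information.
   *                         The admin must have the corresponding permission.
   * @param { string } item - item indicates the specified security policy that needs to be obtained, including patch and encryption.
   *                          patch means the device security patch tag, and encryption means the device encryption status.
   * @returns { string } security policy of the specific type.
   * @throws { BusinessError } 9200001 - The application is not an administrator application of the device.
   * @throws { BusinessError } 9200002 - The administrator application does not have permission to manage the device.
   * @throws { BusinessError } 201 - Permission verification failed. The application does not have the permission required to call the API.
   * @throws { BusinessError } 401 - Parameter error. Possible causes: 1. Mandatory parameters are left unspecified;
   *                                 2. Incorrect parameter types; 3. Parameter verification failed.
   * @syscap SystemCapability.Customization.EnterpriseDeviceManager
   * @stagemodelonly
   * @since 12
   */
  function getSecurityStatus(admin: Want, item: string): string;

  /**
   * Install user certificate.
   * This function can be called by a super administrator.
   * NOTE(review): this declaration does not say how an installed user certificate is used in trust
   * decisions. Callers should verify the certificate's origin before installing it and keep the returned
   * URI so the certificate can be audited and later removed with uninstallUserCertificate.
   *
   * @permission ohos.permission.ENTERPRISE_MANAGE_CERTIFICATE
   * @param { Want } admin - admin indicates the enterprise admin extension ability information.
   *                         The admin must have the corresponding permission.
   * @param { CertBlob } certificate - certificate file content and alias. It cannot be empty or more than 40 characters.
   * @returns { Promise<string> } the promise carries the URI of the installed certificate, which is the value
   *                              to pass when uninstalling it.
   * @throws { BusinessError } 9200001 - The application is not an administrator application of the device.
   * @throws { BusinessError } 9200002 - The administrator application does not have permission to manage the device.
   * @throws { BusinessError } 9201001 - Failed to manage the certificate.
   * @throws { BusinessError } 201 - Permission verification failed. The application does not have the permission required to call the API.
   * @throws { BusinessError } 401 - Parameter error. Possible causes: 1. Mandatory parameters are left unspecified;
   *                                 2. Incorrect parameter types; 3. Parameter verification failed.
   * @syscap SystemCapability.Customization.EnterpriseDeviceManager
   * @stagemodelonly
   * @since 12
   */
  function installUserCertificate(admin: Want, certificate: CertBlob): Promise<string>;

  /**
   * Install user certificate under specified account.
   * This function can be called by a super administrator.
   * This overload returns the URI synchronously, whereas the two-argument overload returns a promise.
   * NOTE(review): no 401 parameter error is declared for this overload; confirm how an invalid
   * certificate or accountId is reported. As with the two-argument overload, verify the certificate's
   * origin before installing it and keep the returned URI for audit and removal.
   *
   * @permission ohos.permission.ENTERPRISE_MANAGE_CERTIFICATE
   * @param { Want } admin - admin indicates the enterprise admin extension ability information.
   *                         The admin must have the corresponding permission.
   * @param { CertBlob } certificate - certificate file content and alias. It cannot be empty or more than 40 characters.
   * @param { number } accountId - accountId indicates the local ID of the OS account.
   * @returns { string } the URI of the installed user certificate, which is the value to pass when uninstalling it.
   * @throws { BusinessError } 9200001 - The application is not an administrator application of the device.
   * @throws { BusinessError } 9200002 - The administrator application does not have permission to manage the device.
   * @throws { BusinessError } 9201001 - Failed to manage the certificate.
   * @throws { BusinessError } 201 - Permission verification failed. The application does not have the permission required to call the API.
   * @syscap SystemCapability.Customization.EnterpriseDeviceManager
   * @stagemodelonly
   * @since 18
   */
  function installUserCertificate(admin: Want, certificate: CertBlob, accountId: number): string;

  /**
   * Uninstall user certificate.
   * This function can be called by a super administrator.
   *
   * @permission ohos.permission.ENTERPRISE_MANAGE_CERTIFICATE
   * @param { Want } admin - admin indicates the enterprise admin extension ability information.
   *                         The admin must have the corresponding permission.
   * @param { string } certUri - URI of the certificate. It cannot be empty or more than 64 characters.
   * @returns { Promise<void> } the promise returned by the uninstallUserCertificate.
   * @throws { BusinessError } 9200001 - The application is not an administrator application of the device.
   * @throws { BusinessError } 9200002 - The administrator application does not have permission to manage the device.
   * @throws { BusinessError } 9201001 - Failed to manage the certificate.
   * @throws { BusinessError } 201 - Permission verification failed. The application does not have the permission required to call the API.
   * @throws { BusinessError } 401 - Parameter error. Possible causes: 1. Mandatory parameters are left unspecified;
   *                                 2. Incorrect parameter types; 3. Parameter verification failed.
   * @syscap SystemCapability.Customization.EnterpriseDeviceManager
   * @stagemodelonly
   * @since 12
   */
  function uninstallUserCertificate(admin: Want, certUri: string): Promise<void>;

  /**
   * Get user certificate under specified account.
   * This function can be called by a super administrator.
   * NOTE(review): no 401 parameter error is declared here; confirm how an invalid accountId is reported.
   *
   * @permission ohos.permission.ENTERPRISE_MANAGE_CERTIFICATE
   * @param { Want } admin - admin indicates the enterprise admin extension ability information.
   *                         The admin must have the corresponding permission.
   * @param { number } accountId - accountId indicates the local ID of the OS account.
   * @returns { Array<string> } the URI list of the user certificates.
   * @throws { BusinessError } 9200001 - The application is not an administrator application of the device.
   * @throws { BusinessError } 9200002 - The administrator application does not have permission to manage the device.
   * @throws { BusinessError } 201 - Permission verification failed. The application does not have the permission required to call the API.
   * @syscap SystemCapability.Customization.EnterpriseDeviceManager
   * @stagemodelonly
   * @since 18
   */
  function getUserCertificates(admin: Want, accountId: number): Array<string>;

  /**
   * Sets the password policy of the device.
   *
   * @permission ohos.permission.ENTERPRISE_MANAGE_SECURITY
   * @param { Want } admin - admin indicates the enterprise admin extension ability information.
   *                         The admin must have the corresponding permission.
   * @param { PasswordPolicy } policy - password policy to be set.
   * @throws { BusinessError } 9200001 - The application is not an administrator application of the device.
   * @throws { BusinessError } 9200002 - The administrator application does not have permission to manage the device.
   * @throws { BusinessError } 201 - Permission verification failed. The application does not have the permission required to call the API.
   * @throws { BusinessError } 401 - Parameter error. Possible causes: 1. Mandatory parameters are left unspecified;
   *                                 2. Incorrect parameter types; 3. Parameter verification failed.
   * @syscap SystemCapability.Customization.EnterpriseDeviceManager
   * @stagemodelonly
   * @since 12
   */
  function setPasswordPolicy(admin: Want, policy: PasswordPolicy): void;

  /**
   * Gets the password policy of the device.
   *
   * @permission ohos.permission.ENTERPRISE_MANAGE_SECURITY
   * @param { Want } admin - admin indicates the enterprise admin extension ability information.
   *                         The admin must have the corresponding permission.
   * @returns { PasswordPolicy } the password policy of the device.
   * @throws { BusinessError } 9200001 - The application is not an administrator application of the device.
   * @throws { BusinessError } 9200002 - The administrator application does not have permission to manage the device.
   * @throws { BusinessError } 201 - Permission verification failed. The application does not have the permission required to call the API.
   * @throws { BusinessError } 401 - Parameter error. Possible causes: 1. Mandatory parameters are left unspecified;
   *                                 2. Incorrect parameter types; 3. Parameter verification failed.
   * @syscap SystemCapability.Customization.EnterpriseDeviceManager
   * @stagemodelonly
   * @since 12
   */
  function getPasswordPolicy(admin: Want): PasswordPolicy;

  /**
   * Gets the password policy of the device.
   * This overload takes no admin and declares no permission tag; the only declared restriction is
   * that it is a system API (error 202 for a non-system caller).
   *
   * @returns { PasswordPolicy } the password policy of the device.
   * @throws { BusinessError } 202 - Permission verification failed. A non-system application calls a system API.
   * @syscap SystemCapability.Customization.EnterpriseDeviceManager
   * @systemapi
   * @stagemodelonly
   * @since 12
   */
  function getPasswordPolicy(): PasswordPolicy;

  /**
   * Sets the application's clipboard policy of the device.
   *
   * @permission ohos.permission.ENTERPRISE_MANAGE_SECURITY
   * @param { Want } admin - admin indicates the administrator ability information.
   * @param { number } tokenId - tokenId indicates the token id of the application.
   * @param { ClipboardPolicy } policy - clipboard policy to be set.
   * @throws { BusinessError } 9200001 - The application is not an administrator application of the device.
   * @throws { BusinessError } 9200002 - The administrator application does not have permission to manage the device.
   * @throws { BusinessError } 201 - Permission verification failed. The application does not have the permission required to call the API.
   * @throws { BusinessError } 401 - Parameter error. Possible causes: 1. Mandatory parameters are left unspecified;
   *                                 2. Incorrect parameter types; 3. Parameter verification failed.
   * @syscap SystemCapability.Customization.EnterpriseDeviceManager
   * @stagemodelonly
   * @since 12
   */
  function setAppClipboardPolicy(admin: Want, tokenId: number, policy: ClipboardPolicy): void;

  /**
   * Gets the application's clipboard policy of the device.
   * NOTE(review): the schema of the returned JSON string is not described in this declaration;
   * parse it defensively and confirm the schema before relying on specific keys.
   *
   * @permission ohos.permission.ENTERPRISE_MANAGE_SECURITY
   * @param { Want } admin - admin indicates the administrator ability information.
   * @param { number } [tokenId] - tokenId indicates the token id of the application.
   * @returns { string } the json string of clipboard policy for each application of the device.
   * @throws { BusinessError } 9200001 - The application is not an administrator application of the device.
   * @throws { BusinessError } 9200002 - The administrator application does not have permission to manage the device.
   * @throws { BusinessError } 201 - Permission verification failed. The application does not have the permission required to call the API.
   * @throws { BusinessError } 401 - Parameter error. Possible causes: 1. Mandatory parameters are left unspecified;
   *                                 2. Incorrect parameter types; 3. Parameter verification failed.
   * @syscap SystemCapability.Customization.EnterpriseDeviceManager
   * @stagemodelonly
   * @since 12
   */
  function getAppClipboardPolicy(admin: Want, tokenId?: number): string;

  /**
   * Sets the application's clipboard policy of the device by bundle and account.
   * NOTE(review): no 401 parameter error is declared for this overload; confirm how an invalid
   * bundleName, accountId or policy is reported.
   *
   * @permission ohos.permission.ENTERPRISE_MANAGE_SECURITY
   * @param { Want } admin - admin indicates the administrator ability information.
   * @param { string } bundleName - bundleName indicates the name of bundle.
   * @param { number } accountId - accountId indicates the ID of OS account.
   * @param { ClipboardPolicy } policy - clipboard policy to be set.
   * @throws { BusinessError } 9200001 - The application is not an administrator application of the device.
   * @throws { BusinessError } 9200002 - The administrator application does not have permission to manage the device.
   * @throws { BusinessError } 201 - Permission verification failed. The application does not have the permission required to call the API.
   * @syscap SystemCapability.Customization.EnterpriseDeviceManager
   * @stagemodelonly
   * @since 18
   */
  function setAppClipboardPolicy(admin: Want, bundleName: string, accountId: number, policy: ClipboardPolicy): void;

  /**
   * Gets the application's clipboard policy of the device by bundle and account.
   * NOTE(review): the schema of the returned JSON string is not described in this declaration, and no
   * 401 parameter error is declared; confirm both before relying on the result.
   *
   * @permission ohos.permission.ENTERPRISE_MANAGE_SECURITY
   * @param { Want } admin - admin indicates the administrator ability information.
   * @param { string } bundleName - bundleName indicates the name of bundle.
   * @param { number } accountId - accountId indicates the ID of OS account.
   * @returns { string } the json string of the clipboard policy for application of the device.
   * @throws { BusinessError } 9200001 - The application is not an administrator application of the device.
   * @throws { BusinessError } 9200002 - The administrator application does not have permission to manage the device.
   * @throws { BusinessError } 201 - Permission verification failed. The application does not have the permission required to call the API.
   * @syscap SystemCapability.Customization.EnterpriseDeviceManager
   * @stagemodelonly
   * @since 18
   */
  function getAppClipboardPolicy(admin: Want, bundleName: string, accountId: number): string;

  /**
   * Sets the watermark image displayed during the application running.
   * NOTE(review): when source is a string, this declaration does not say which URL schemes or
   * locations are accepted; confirm before passing a value that did not originate from the
   * administrator application itself.
   *
   * @permission ohos.permission.ENTERPRISE_MANAGE_SECURITY
   * @param { Want } admin - admin indicates the administrator ability information.
   * @param { string } bundleName - the bundle name of the application on which the watermark is set.
   * @param { string | image.PixelMap } source - watermark's pixelMap or its url.
   * @param { number } accountId - indicates the accountID.
   * @throws { BusinessError } 9200001 - The application is not an administrator application of the device.
   * @throws { BusinessError } 9200002 - The administrator application does not have permission to manage the device.
   * @throws { BusinessError } 201 - Permission verification failed. The application does not have the permission required to call the API.
   * @throws { BusinessError } 401 - Parameter error. Possible causes: 1. Mandatory parameters are left unspecified;
   *                                 2. Incorrect parameter types; 3. Parameter verification failed.
   * @syscap SystemCapability.Customization.EnterpriseDeviceManager
   * @stagemodelonly
   * @since 14
   */
  function setWatermarkImage(admin: Want, bundleName: string, source: string | image.PixelMap, accountId: number): void;

  /**
   * Cancels the watermark image displayed during the application running.
   *
   * @permission ohos.permission.ENTERPRISE_MANAGE_SECURITY
   * @param { Want } admin - admin indicates the administrator ability information.
   * @param { string } bundleName - the bundle name of the application whose watermark is cancelled.
   * @param { number } accountId - indicates the accountID.
   * @throws { BusinessError } 9200001 - The application is not an administrator application of the device.
   * @throws { BusinessError } 9200002 - The administrator application does not have permission to manage the device.
   * @throws { BusinessError } 201 - Permission verification failed. The application does not have the permission required to call the API.
   * @throws { BusinessError } 401 - Parameter error. Possible causes: 1. Mandatory parameters are left unspecified;
   *                                 2. Incorrect parameter types; 3. Parameter verification failed.
   * @syscap SystemCapability.Customization.EnterpriseDeviceManager
   * @stagemodelonly
   * @since 14
   */
  function cancelWatermarkImage(admin: Want, bundleName: string, accountId: number): void;

  /**
   * Password policy.
   * All fields are optional; this declaration does not state what applies when a field is omitted.
   *
   * @typedef PasswordPolicy
   * @syscap SystemCapability.Customization.EnterpriseDeviceManager
   * @stagemodelonly
   * @since 12
   */
  export interface PasswordPolicy {
    /**
     * The regex of complexity.
     * NOTE(review): the regex dialect and whether the pattern must match the whole password are not
     * stated here; confirm, and test the pattern against sample passwords before deploying it.
     *
     * @type { ?string }
     * @syscap SystemCapability.Customization.EnterpriseDeviceManager
     * @stagemodelonly
     * @since 12
     */
    complexityRegex?: string;

    /**
     * Period of validity.
     * NOTE(review): the unit of this number is not stated in this declaration; confirm before setting it.
     *
     * @type { ?number }
     * @syscap SystemCapability.Customization.EnterpriseDeviceManager
     * @stagemodelonly
     * @since 12
     */
    validityPeriod?: number;

    /**
     * Other supplementary description.
     *
     * @type { ?string }
     * @syscap SystemCapability.Customization.EnterpriseDeviceManager
     * @stagemodelonly
     * @since 12
     */
    additionalDescription?: string;
  }

  /**
   * Clipboard policy.
   *
   * @enum { number } ClipboardPolicy
   * @syscap SystemCapability.Customization.EnterpriseDeviceManager
   * @stagemodelonly
   * @since 12
   */
  export enum ClipboardPolicy {
    /**
     * Policy default.
     * NOTE(review): what the default permits is not stated in this declaration; do not assume it is
     * the most restrictive setting.
     *
     * @syscap SystemCapability.Customization.EnterpriseDeviceManager
     * @stagemodelonly
     * @since 12
     */
    DEFAULT = 0,

    /**
     * Policy indicates that the clipboard can be used within the same application.
     *
     * @syscap SystemCapability.Customization.EnterpriseDeviceManager
     * @stagemodelonly
     * @since 12
     */
    IN_APP = 1,

    /**
     * Policy indicates that the clipboard can be used on the same device.
     *
     * @syscap SystemCapability.Customization.EnterpriseDeviceManager
     * @stagemodelonly
     * @since 12
     */
    LOCAL_DEVICE = 2,

    /**
     * Policy indicates that the clipboard can be used across devices.
     *
     * @syscap SystemCapability.Customization.EnterpriseDeviceManager
     * @stagemodelonly
     * @since 12
     */
    CROSS_DEVICE = 3,
  }
}

export default securityManager;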