/* * Copyright (c) 2023-2024 Huawei Device Co., Ltd. * Licensed under the Apache License, Version 2.0 (the "License"); * you may not use this file except in compliance with the License. * You may obtain a copy of the License at * * http://www.apache.org/licenses/LICENSE-2.0 * * Unless required by applicable law or agreed to in writing, software * distributed under the License is distributed on an "AS IS" BASIS, * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. * See the License for the specific language governing permissions and * limitations under the License. */ /** * @file * @kit MDMKit */ import type Want from './@ohos.app.ability.Want'; import type image from './@ohos.multimedia.image'; /** * This module provides the capability to manage the security of the enterprise devices. * * @namespace securityManager * @syscap SystemCapability.Customization.EnterpriseDeviceManager * @stagemodelonly * @since 11 */ declare namespace securityManager { /** * The device encryption status. * * @typedef DeviceEncryptionStatus * @syscap SystemCapability.Customization.EnterpriseDeviceManager * @systemapi * @stagemodelonly * @since 11 */ export interface DeviceEncryptionStatus { /** * True indicates device is encrypted. * * @type { boolean } * @syscap SystemCapability.Customization.EnterpriseDeviceManager * @systemapi * @stagemodelonly * @since 11 */ isEncrypted: boolean; } /** * User certificate data. * * @typedef CertBlob * @syscap SystemCapability.Customization.EnterpriseDeviceManager * @stagemodelonly * @since 12 */ export interface CertBlob { /** * The certificate content * * @type { Uint8Array } * @syscap SystemCapability.Customization.EnterpriseDeviceManager * @stagemodelonly * @since 12 */ inData: Uint8Array; /** * The certificate alias * * @type { string } * @syscap SystemCapability.Customization.EnterpriseDeviceManager * @stagemodelonly * @since 12 */ alias: string; } /** * Application instance data. * * @typedef ApplicationInstance * @syscap SystemCapability.Customization.EnterpriseDeviceManager * @stagemodelonly * @since 20 */ export interface ApplicationInstance { /** * Globally unique identifier of an application, which is allocated by the cloud. * AppIdentifier does not change along the application lifecycle, including version updates, certificate changes, * public and private key changes, and application transfer. * * @type { string } * @syscap SystemCapability.Customization.EnterpriseDeviceManager * @stagemodelonly * @since 20 */ appIdentifier: string; /** * Indicates the OS account identifier. * * @type { number } * @syscap SystemCapability.Customization.EnterpriseDeviceManager * @stagemodelonly * @since 20 */ accountId: number; /** * Indicates the index of clone app. * * @type { number } * @syscap SystemCapability.Customization.EnterpriseDeviceManager * @stagemodelonly * @since 20 */ appIndex: number; } /** * Gets device security patch tag. * This function can be called by a super administrator. * * @permission ohos.permission.ENTERPRISE_MANAGE_SECURITY * @param { Want } admin - admin indicates the enterprise admin extension ability information. * The admin must have the corresponding permission. * @returns { string } the security patch tag of the device. * @throws { BusinessError } 9200001 - The application is not an administrator application of the device. * @throws { BusinessError } 9200002 - The administrator application does not have permission to manage the device. * @throws { BusinessError } 201 - Permission verification failed. The application does not have the permission required to call the API. * @throws { BusinessError } 202 - Permission verification failed. A non-system application calls a system API. * @throws { BusinessError } 401 - Parameter error. Possible causes: 1. Mandatory parameters are left unspecified; * 2. Incorrect parameter types; 3. Parameter verification failed. * @syscap SystemCapability.Customization.EnterpriseDeviceManager * @systemapi * @stagemodelonly * @since 11 */ function getSecurityPatchTag(admin: Want): string; /** * Gets device encryption status. * This function can be called by a super administrator. * * @permission ohos.permission.ENTERPRISE_MANAGE_SECURITY * @param { Want } admin - admin indicates the enterprise admin extension ability information. * The admin must have the corresponding permission. * @returns { DeviceEncryptionStatus } device encryption status. * @throws { BusinessError } 9200001 - The application is not an administrator application of the device. * @throws { BusinessError } 9200002 - The administrator application does not have permission to manage the device. * @throws { BusinessError } 201 - Permission verification failed. The application does not have the permission required to call the API. * @throws { BusinessError } 202 - Permission verification failed. A non-system application calls a system API. * @throws { BusinessError } 401 - Parameter error. Possible causes: 1. Mandatory parameters are left unspecified; * 2. Incorrect parameter types; 3. Parameter verification failed. * @syscap SystemCapability.Customization.EnterpriseDeviceManager * @systemapi * @stagemodelonly * @since 11 */ function getDeviceEncryptionStatus(admin: Want): DeviceEncryptionStatus; /** * Gets device security policy of the specific type. * This function can be called by a super administrator. * * @permission ohos.permission.ENTERPRISE_MANAGE_SECURITY * @param { Want } admin - admin indicates the enterprise admin extension ability information. * The admin must have the corresponding permission. * @param { string } item - item indicates the specified security policy that needs to be obtained, including patch and encryption. * patch means the device security patch tag, and encryption means the device encryption status. * @returns { string } security policy of the specific type. * @throws { BusinessError } 9200001 - The application is not an administrator application of the device. * @throws { BusinessError } 9200002 - The administrator application does not have permission to manage the device. * @throws { BusinessError } 201 - Permission verification failed. The application does not have the permission required to call the API. * @throws { BusinessError } 401 - Parameter error. Possible causes: 1. Mandatory parameters are left unspecified; * 2. Incorrect parameter types; 3. Parameter verification failed. * @syscap SystemCapability.Customization.EnterpriseDeviceManager * @stagemodelonly * @since 12 */ function getSecurityStatus(admin: Want, item: string): string; /** * Install user certificate. * This function can be called by a super administrator. * * @permission ohos.permission.ENTERPRISE_MANAGE_CERTIFICATE * @param { Want } admin - admin indicates the enterprise admin extension ability information. * The admin must have the corresponding permission. * @param { CertBlob } certificate - certificate file content and alias. It cannot be empty or more than 40 characters. * @returns { Promise } the promise carries the uri of the certificate used to uninstall * @throws { BusinessError } 9200001 - The application is not an administrator application of the device. * @throws { BusinessError } 9200002 - The administrator application does not have permission to manage the device. * @throws { BusinessError } 9201001 - Failed to manage the certificate. * @throws { BusinessError } 201 - Permission verification failed. The application does not have the permission required to call the API. * @throws { BusinessError } 401 - Parameter error. Possible causes: 1. Mandatory parameters are left unspecified; * 2. Incorrect parameter types; 3. Parameter verification failed. * @syscap SystemCapability.Customization.EnterpriseDeviceManager * @stagemodelonly * @since 12 */ function installUserCertificate(admin: Want, certificate: CertBlob): Promise; /** * Install user certificate under specified account. * This function can be called by a super administrator. * * @permission ohos.permission.ENTERPRISE_MANAGE_CERTIFICATE * @param { Want } admin - admin indicates the enterprise admin extension ability information. * The admin must have the corresponding permission. * @param { CertBlob } certificate - certificate file content and alias. It cannot be empty or more than 40 characters. * @param { number } accountId - accountId indicates the local ID of the OS account. * @returns { string } the uri of the user certificate used to uninstall. * @throws { BusinessError } 9200001 - The application is not an administrator application of the device. * @throws { BusinessError } 9200002 - The administrator application does not have permission to manage the device. * @throws { BusinessError } 9201001 - Failed to manage the certificate. * @throws { BusinessError } 201 - Permission verification failed. The application does not have the permission required to call the API. * @syscap SystemCapability.Customization.EnterpriseDeviceManager * @stagemodelonly * @since 18 */ function installUserCertificate(admin: Want, certificate: CertBlob, accountId: number): string; /** * Uninstall user certificate. * This function can be called by a super administrator. * * @permission ohos.permission.ENTERPRISE_MANAGE_CERTIFICATE * @param { Want } admin - admin indicates the enterprise admin extension ability information. * The admin must have the corresponding permission. * @param { string } certUri - uri of the certificate. It cannot be empty or more than 64 characters. * @returns { Promise } the promise returned by the uninstallUserCertificate. * @throws { BusinessError } 9200001 - The application is not an administrator application of the device. * @throws { BusinessError } 9200002 - The administrator application does not have permission to manage the device. * @throws { BusinessError } 9201001 - Failed to manage the certificate. * @throws { BusinessError } 201 - Permission verification failed. The application does not have the permission required to call the API. * @throws { BusinessError } 401 - Parameter error. Possible causes: 1. Mandatory parameters are left unspecified; * 2. Incorrect parameter types; 3. Parameter verification failed. * @syscap SystemCapability.Customization.EnterpriseDeviceManager * @stagemodelonly * @since 12 */ function uninstallUserCertificate(admin: Want, certUri: string): Promise; /** * Get user certificate under specified account. * This function can be called by a super administrator. * * @permission ohos.permission.ENTERPRISE_MANAGE_CERTIFICATE * @param { Want } admin - admin indicates the enterprise admin extension ability information. * The admin must have the corresponding permission. * @param { number } accountId - accountId indicates the local ID of the OS account. * @returns { Array } returned the uri list of user Certificates. * @throws { BusinessError } 9200001 - The application is not an administrator application of the device. * @throws { BusinessError } 9200002 - The administrator application does not have permission to manage the device. * @throws { BusinessError } 201 - Permission verification failed. The application does not have the permission required to call the API. * @syscap SystemCapability.Customization.EnterpriseDeviceManager * @stagemodelonly * @since 18 */ function getUserCertificates(admin: Want, accountId: number): Array; /** * Sets the password policy of the device. * * @permission ohos.permission.ENTERPRISE_MANAGE_SECURITY * @param { Want } admin - admin indicates the enterprise admin extension ability information. * The admin must have the corresponding permission. * @param { PasswordPolicy } policy - password policy to be set. * @throws { BusinessError } 9200001 - The application is not an administrator application of the device. * @throws { BusinessError } 9200002 - The administrator application does not have permission to manage the device. * @throws { BusinessError } 201 - Permission verification failed. The application does not have the permission required to call the API. * @throws { BusinessError } 401 - Parameter error. Possible causes: 1. Mandatory parameters are left unspecified; * 2. Incorrect parameter types; 3. Parameter verification failed. * @syscap SystemCapability.Customization.EnterpriseDeviceManager * @stagemodelonly * @since 12 */ function setPasswordPolicy(admin: Want, policy: PasswordPolicy): void; /** * Gets the password policy of the device. * * @permission ohos.permission.ENTERPRISE_MANAGE_SECURITY * @param { Want } admin - admin indicates the enterprise admin extension ability information. * The admin must have the corresponding permission. * @returns { PasswordPolicy } the password policy of the device. * @throws { BusinessError } 9200001 - The application is not an administrator application of the device. * @throws { BusinessError } 9200002 - The administrator application does not have permission to manage the device. * @throws { BusinessError } 201 - Permission verification failed. The application does not have the permission required to call the API. * @throws { BusinessError } 401 - Parameter error. Possible causes: 1. Mandatory parameters are left unspecified; * 2. Incorrect parameter types; 3. Parameter verification failed. * @syscap SystemCapability.Customization.EnterpriseDeviceManager * @stagemodelonly * @since 12 */ function getPasswordPolicy(admin: Want): PasswordPolicy; /** * Gets the password policy of the device. * * @returns { PasswordPolicy } the password policy of the device. * @throws { BusinessError } 202 - Permission verification failed. A non-system application calls a system API. * @syscap SystemCapability.Customization.EnterpriseDeviceManager * @systemapi * @stagemodelonly * @since 12 */ function getPasswordPolicy(): PasswordPolicy; /** * Sets the application's clipboard policy of the device. * * @permission ohos.permission.ENTERPRISE_MANAGE_SECURITY * @param { Want } admin - admin indicates the administrator ability information. * @param { number } tokenId - tokenId indicates the token id of the application. * @param { ClipboardPolicy } policy - clipboard policy to be set. * @throws { BusinessError } 9200001 - The application is not an administrator application of the device. * @throws { BusinessError } 9200002 - The administrator application does not have permission to manage the device. * @throws { BusinessError } 201 - Permission verification failed. The application does not have the permission required to call the API. * @throws { BusinessError } 401 - Parameter error. Possible causes: 1. Mandatory parameters are left unspecified; * 2. Incorrect parameter types; 3. Parameter verification failed. * @syscap SystemCapability.Customization.EnterpriseDeviceManager * @stagemodelonly * @since 12 */ function setAppClipboardPolicy(admin: Want, tokenId: number, policy: ClipboardPolicy): void; /** * Gets the application's clipboard policy of the device. * * @permission ohos.permission.ENTERPRISE_MANAGE_SECURITY * @param { Want } admin - admin indicates the administrator ability information. * @param { number } [tokenId] - tokenId indicates the token id of the application. * @returns { string } the json string of clipboard policy for each application of the device. * @throws { BusinessError } 9200001 - The application is not an administrator application of the device. * @throws { BusinessError } 9200002 - The administrator application does not have permission to manage the device. * @throws { BusinessError } 201 - Permission verification failed. The application does not have the permission required to call the API. * @throws { BusinessError } 401 - Parameter error. Possible causes: 1. Mandatory parameters are left unspecified; * 2. Incorrect parameter types; 3. Parameter verification failed. * @syscap SystemCapability.Customization.EnterpriseDeviceManager * @stagemodelonly * @since 12 */ function getAppClipboardPolicy(admin: Want, tokenId?: number): string; /** * Sets the application's clipboard policy of the device by bundle and account. * * @permission ohos.permission.ENTERPRISE_MANAGE_SECURITY * @param { Want } admin - admin indicates the administrator ability information. * @param { string } bundleName - bundleName indicates the name of bundle. * @param { number } accountId - accountId indicates the ID of OS account. * @param { ClipboardPolicy } policy - clipboard policy to be set. * @throws { BusinessError } 9200001 - The application is not an administrator application of the device. * @throws { BusinessError } 9200002 - The administrator application does not have permission to manage the device. * @throws { BusinessError } 201 - Permission verification failed. The application does not have the permission required to call the API. * @syscap SystemCapability.Customization.EnterpriseDeviceManager * @stagemodelonly * @since 18 */ function setAppClipboardPolicy(admin: Want, bundleName: string, accountId: number, policy: ClipboardPolicy): void; /** * Gets the application's clipboard policy of the device by bundle and account. * * @permission ohos.permission.ENTERPRISE_MANAGE_SECURITY * @param { Want } admin - admin indicates the administrator ability information. * @param { string } bundleName - bundleName indicates the name of bundle. * @param { number } accountId - accountId indicates the ID of OS account. * @returns { string } the json string of the clipboard policy for application of the device. * @throws { BusinessError } 9200001 - The application is not an administrator application of the device. * @throws { BusinessError } 9200002 - The administrator application does not have permission to manage the device. * @throws { BusinessError } 201 - Permission verification failed. The application does not have the permission required to call the API. * @syscap SystemCapability.Customization.EnterpriseDeviceManager * @stagemodelonly * @since 18 */ function getAppClipboardPolicy(admin: Want, bundleName: string, accountId: number): string; /** * Sets the application's permission managed state of the device. * * @permission ohos.permission.ENTERPRISE_MANAGE_USER_GRANT_PERMISSION * @param { Want } admin - admin indicates the administrator ability information. * @param { ApplicationInstance } applicationInstance - Application instance data. * @param { Array } permissions - permissions indicates the list of permission names that need to manage. * @param { PermissionManagedState } managedState - the managed state of application permission. * @throws { BusinessError } 9200001 - The application is not an administrator application of the device. * @throws { BusinessError } 9200002 - The administrator application does not have permission to manage the device. * @throws { BusinessError } 9200010 - A conflict policy has been configured. * @throws { BusinessError } 9200012 - Parameter verification failed. * @throws { BusinessError } 201 - Permission verification failed. The application does not have the permission required to call the API. * @syscap SystemCapability.Customization.EnterpriseDeviceManager * @stagemodelonly * @since 20 */ function setPermissionManagedState(admin: Want, applicationInstance: ApplicationInstance, permissions: Array, managedState: PermissionManagedState): void; /** * Gets the permission managed state of an application instance. * * @permission ohos.permission.ENTERPRISE_MANAGE_USER_GRANT_PERMISSION * @param { Want } admin - admin indicates the administrator ability information. * @param { ApplicationInstance } applicationInstance - applicationInstance indicates an application instance. * @param { string } permission - permission indicates the permission name which need to get state. * @returns { PermissionManagedState } the managed state of application permission. * @throws { BusinessError } 9200001 - The application is not an administrator application of the device. * @throws { BusinessError } 9200002 - The administrator application does not have permission to manage the device. * @throws { BusinessError } 9200012 - Parameter verification failed. * @throws { BusinessError } 201 - Permission verification failed. The application does not have the permission required to call the API. * @syscap SystemCapability.Customization.EnterpriseDeviceManager * @stagemodelonly * @since 20 */ function getPermissionManagedState(admin: Want, applicationInstance: ApplicationInstance, permission: string): PermissionManagedState; /** * Sets the watermark image displayed during the application running. * * @permission ohos.permission.ENTERPRISE_MANAGE_SECURITY * @param { Want } admin - admin indicates the administrator ability information. * @param { string } bundleName - the bundle name of the application to be set watermark. * @param { string | image.PixelMap } source - watermark's pixelMap or its url. * @param { number } accountId - indicates the accountID. * @throws { BusinessError } 9200001 - The application is not an administrator application of the device. * @throws { BusinessError } 9200002 - The administrator application does not have permission to manage the device. * @throws { BusinessError } 201 - Permission verification failed. The application does not have the permission required to call the API. * @throws { BusinessError } 401 - Parameter error. Possible causes: 1. Mandatory parameters are left unspecified; * 2. Incorrect parameter types; 3. Parameter verification failed. * @syscap SystemCapability.Customization.EnterpriseDeviceManager * @stagemodelonly * @since 14 */ function setWatermarkImage(admin: Want, bundleName: string, source: string | image.PixelMap, accountId: number): void; /** * Cancels the watermark image displayed during the application running. * * @permission ohos.permission.ENTERPRISE_MANAGE_SECURITY * @param { Want } admin - admin indicates the administrator ability information. * @param { string } bundleName - the bundle name of the application to be set watermark. * @param { number } accountId - indicates the accountID. * @throws { BusinessError } 9200001 - The application is not an administrator application of the device. * @throws { BusinessError } 9200002 - The administrator application does not have permission to manage the device. * @throws { BusinessError } 201 - Permission verification failed. The application does not have the permission required to call the API. * @throws { BusinessError } 401 - Parameter error. Possible causes: 1. Mandatory parameters are left unspecified; * 2. Incorrect parameter types; 3. Parameter verification failed. * @syscap SystemCapability.Customization.EnterpriseDeviceManager * @stagemodelonly * @since 14 */ function cancelWatermarkImage(admin: Want, bundleName: string, accountId: number): void; /** * Password policy. * * @typedef PasswordPolicy * @syscap SystemCapability.Customization.EnterpriseDeviceManager * @stagemodelonly * @since 12 */ export interface PasswordPolicy { /** * The regex of complexity * * @type { ?string } * @syscap SystemCapability.Customization.EnterpriseDeviceManager * @stagemodelonly * @since 12 */ complexityRegex?: string; /** * Period of validity * * @type { ?number } * @syscap SystemCapability.Customization.EnterpriseDeviceManager * @stagemodelonly * @since 12 */ validityPeriod?: number; /** * Other supplementary description * * @type { ?string } * @syscap SystemCapability.Customization.EnterpriseDeviceManager * @stagemodelonly * @since 12 */ additionalDescription?: string; } /** * Clipboard policy. * * @enum { number } ClipboardPolicy * @syscap SystemCapability.Customization.EnterpriseDeviceManager * @stagemodelonly * @since 12 */ export enum ClipboardPolicy { /** * Policy default * * @syscap SystemCapability.Customization.EnterpriseDeviceManager * @stagemodelonly * @since 12 */ DEFAULT = 0, /** * Policy indicates that the clipboard can be used on the same application * * @syscap SystemCapability.Customization.EnterpriseDeviceManager * @stagemodelonly * @since 12 */ IN_APP = 1, /** * Policy indicates that the clipboard can be used on the same device * * @syscap SystemCapability.Customization.EnterpriseDeviceManager * @stagemodelonly * @since 12 */ LOCAL_DEVICE = 2, /** * Policy indicates that the clipboard can be used across device * * @syscap SystemCapability.Customization.EnterpriseDeviceManager * @stagemodelonly * @since 12 */ CROSS_DEVICE = 3, } /** * Managed State. * * @enum { number } PermissionManagedState * @syscap SystemCapability.Customization.EnterpriseDeviceManager * @stagemodelonly * @since 20 */ export enum PermissionManagedState { /** * PermissionManagedState default * * @syscap SystemCapability.Customization.EnterpriseDeviceManager * @stagemodelonly * @since 20 */ DEFAULT = 1, /** * PermissionManagedState granted, Users do not need to authorize a second time. * * @syscap SystemCapability.Customization.EnterpriseDeviceManager * @stagemodelonly * @since 20 */ GRANTED = 0, /** * PermissionManagedState DENIED, Users need to authorize a second time. * * @syscap SystemCapability.Customization.EnterpriseDeviceManager * @stagemodelonly * @since 20 */ DENIED = -1 } } export default securityManager;