harmony 鸿蒙@ohos.enterprise.adminManager (Enterprise Device Management)

2025-06-12
浏览 (5)

@ohos.enterprise.adminManager (Enterprise Device Management)

The adminManager module provides enterprise device management capabilities so that devices have the custom capabilities required in enterprise settings.

NOTE

The initial APIs of this module are supported since API version 12. Newly added APIs will be marked with a superscript to indicate their earliest API version.

The APIs of this module are available only to device administrator applications.

Modules to Import

import { adminManager } from '@kit.MDMKit';

adminManager.disableAdmin

disableAdmin(admin: Want, userId?: number): Promise<void>

Disables an administrator application for the user specified by the device. This API uses a promise to return the result.

Required permissions: ohos.permission.MANAGE_ENTERPRISE_DEVICE_ADMIN

System capability: SystemCapability.Customization.EnterpriseDeviceManager

Model restriction: This API can be used only in the stage model.

Parameters

Name	Type	Mandatory	Description
admin	Want	Yes	EnterpriseAdminExtensionAbility.
userId	number	No	User ID, which must be greater than or equal to 0. - If userId is passed in, this API applies to the specified user. - If userId is not passed in, this API applies to the current user.

Return value

Type	Description
Promise<void>	Promise that returns no value. If the operation fails, an error object will be thrown.

Error codes

For details about the error codes, see Enterprise Device Management Error Codes and Universal Error Codes.

ID	Error Message
9200005	Failed to deactivate the administrator application of the device.
201	Permission verification failed. The application does not have the permission required to call the API.
401	Parameter error. Possible causes: 1. Mandatory parameters are left unspecified; 2. Incorrect parameter types; 3. Parameter verification failed.

Example

import { Want } from '@kit.AbilityKit';
import { BusinessError } from '@kit.BasicServicesKit';
let wantTemp: Want = {
  bundleName: 'com.example.myapplication',
  abilityName: 'EntryAbility',
};

adminManager.disableAdmin(wantTemp, 100).catch((err: BusinessError) => {
  console.error(`Failed to disable admin. Code: ${err.code}, message: ${err.message}`);
});

adminManager.subscribeManagedEventSync

subscribeManagedEventSync(admin: Want, managedEvents: Array<ManagedEvent>): void

Subscribes to system management events.

Required permissions: ohos.permission.ENTERPRISE_SUBSCRIBE_MANAGED_EVENT

System capability: SystemCapability.Customization.EnterpriseDeviceManager

Model restriction: This API can be used only in the stage model.

Parameters

Name	Type	Mandatory	Description
admin	Want	Yes	EnterpriseAdminExtensionAbility.
managedEvents	Array<ManagedEvent>	Yes	Array of events to subscribe to.

Error codes

For details about the error codes, see Enterprise Device Management Error Codes and Universal Error Codes.

ID	Error Message
9200001	The application is not an administrator application of the device.
9200008	The specified system event is invalid.
201	Permission verification failed. The application does not have the permission required to call the API.
401	Parameter error. Possible causes: 1. Mandatory parameters are left unspecified; 2. Incorrect parameter types; 3. Parameter verification failed.

Example

import { Want } from '@kit.AbilityKit';
let wantTemp: Want = {
  bundleName: 'com.example.myapplication',
  abilityName: 'EntryAbility',
};
let events: Array<adminManager.ManagedEvent> = [adminManager.ManagedEvent.MANAGED_EVENT_BUNDLE_ADDED, adminManager.ManagedEvent.MANAGED_EVENT_BUNDLE_REMOVED];

try {
  adminManager.subscribeManagedEventSync(wantTemp, events);
  console.info('Succeeded in subscribing managed event.');
} catch (err) {
  console.error(`Failed to subscribe managed event. Code: ${err.code}, message: ${err.message}`);
}

adminManager.unsubscribeManagedEventSync

unsubscribeManagedEventSync(admin: Want, managedEvents: Array<ManagedEvent>): void

Unsubscribes from system management events.

Required permissions: ohos.permission.ENTERPRISE_SUBSCRIBE_MANAGED_EVENT

System capability: SystemCapability.Customization.EnterpriseDeviceManager

Model restriction: This API can be used only in the stage model.

Parameters

Name	Type	Mandatory	Description
admin	Want	Yes	EnterpriseAdminExtensionAbility.
managedEvents	Array<ManagedEvent>	Yes	Array of events to unsubscribe from.

Error codes

For details about the error codes, see Enterprise Device Management Error Codes and Universal Error Codes.

ID	Error Message
9200001	The application is not an administrator application of the device.
9200008	The specified system event is invalid.
201	Permission verification failed. The application does not have the permission required to call the API.
401	Parameter error. Possible causes: 1. Mandatory parameters are left unspecified; 2. Incorrect parameter types; 3. Parameter verification failed.

Example

import { Want } from '@kit.AbilityKit';
let wantTemp: Want = {
  bundleName: 'com.example.myapplication',
  abilityName: 'EntryAbility',
};
let events: Array<adminManager.ManagedEvent> = [adminManager.ManagedEvent.MANAGED_EVENT_BUNDLE_ADDED, adminManager.ManagedEvent.MANAGED_EVENT_BUNDLE_REMOVED];

try {
  adminManager.unsubscribeManagedEventSync(wantTemp, events);
  console.info('Succeeded in unsubscribing managed event.');
} catch (err) {
  console.error(`Failed to unsubscribe managed event. Code: ${err.code}, message: ${err.message}`);
}

adminManager.setDelegatedPolicies¹⁴⁺

setDelegatedPolicies(admin: Want, bundleName: string, policies: Array<string>): void

Delegates other applications to set device management policies.

Required permission: ohos.permission.ENTERPRISE_MANAGE_DELEGATED_POLICY

System capability: SystemCapability.Customization.EnterpriseDeviceManager

Model restriction: This API can be used only in the stage model.

Parameters

Name	Type	Mandatory	Description
admin	Want	Yes	EnterpriseAdminExtensionAbility.
bundleName	string	Yes	Bundle name of the delegated application. Only enterprise_mdm and enterprise_normal applications are supported. For details about the application distribution types, see Guide.
policies	Array<string>	Yes	Delegation Policy List

Error codes

For details about the error codes, see Enterprise Device Management Error Codes and Universal Error Codes.

ID	Error Message
9200001	The application is not an administrator application of the device.
9200002	The administrator application does not have permission to manage the device.
9200009	Failed to grant the permission to the application.
201	Permission verification failed. The application does not have the permission required to call the API.
401	Parameter error. Possible causes: 1. Mandatory parameters are left unspecified; 2. Incorrect parameter types; 3. Parameter verification failed.

Example

import { Want } from '@kit.AbilityKit';
let admin: Want = {
  bundleName: 'com.example.myapplication',
  abilityName: 'EntryAbility',
};
let policies: Array<string> = ["disabled_hdc"];

try {
  adminManager.setDelegatedPolicies(admin, "com.example.enterprise.xxx", policies);
  console.info('Succeeded in setting delegated policies.');
} catch (err) {
  console.error(`Failed to set delegated policies. Code: ${err.code}, message: ${err.message}`);
}

adminManager.getDelegatedPolicies¹⁴⁺

getDelegatedPolicies(admin: Want, bundleName: string): Array<string>

Queries the list of policies that can be accessed by the delegated application.

Required permission: ohos.permission.ENTERPRISE_MANAGE_DELEGATED_POLICY

System capability: SystemCapability.Customization.EnterpriseDeviceManager

Model restriction: This API can be used only in the stage model.

Parameters

Name	Type	Mandatory	Description
admin	Want	Yes	EnterpriseAdminExtensionAbility.
bundleName	string	Yes	Bundle name of the delegated application. Only enterprise_mdm and enterprise_normal applications are supported. For details about the application distribution types, see Guide.

Return value

Type	Description
Array<string>	Delegation policy list.

Error codes

For details about the error codes, see Enterprise Device Management Error Codes and Universal Error Codes.

ID	Error Message
9200001	The application is not an administrator application of the device.
9200002	The administrator application does not have permission to manage the device.
201	Permission verification failed. The application does not have the permission required to call the API.
401	Parameter error. Possible causes: 1. Mandatory parameters are left unspecified; 2. Incorrect parameter types; 3. Parameter verification failed.

Example

import { Want } from '@kit.AbilityKit';
let admin: Want = {
  bundleName: 'com.example.myapplication',
  abilityName: 'EntryAbility',
};

try {
  let policies: Array<string> = adminManager.getDelegatedPolicies(admin, "com.example.enterprise.xxx");
  console.info(`Succeeded in getting delegated policies.${JSON.stringify(policies)}`);
} catch (err) {
  console.error(`Failed to get delegated policies. Code: ${err.code}, message: ${err.message}`);
}

adminManager.getDelegatedBundleNames¹⁴⁺

getDelegatedBundleNames(admin: Want, policy: string): Array<string>

Queries the delegated applications that can access a delegation policy and output the list of delegated applications.

Required permission: ohos.permission.ENTERPRISE_MANAGE_DELEGATED_POLICY

System capability: SystemCapability.Customization.EnterpriseDeviceManager

Model restriction: This API can be used only in the stage model.

Parameters

Name	Type	Mandatory	Description
admin	Want	Yes	EnterpriseAdminExtensionAbility.
policy	string	Yes	Delegation policy.

Return value

Type	Description
Array<string>	List of delegated applications.

Error codes

For details about the error codes, see Enterprise Device Management Error Codes and Universal Error Codes.

ID	Error Message
9200001	The application is not an administrator application of the device.
9200002	The administrator application does not have permission to manage the device.
201	Permission verification failed. The application does not have the permission required to call the API.
401	Parameter error. Possible causes: 1. Mandatory parameters are left unspecified; 2. Incorrect parameter types; 3. Parameter verification failed.

Example

import { Want } from '@kit.AbilityKit';
let admin: Want = {
  bundleName: 'com.example.myapplication',
  abilityName: 'EntryAbility',
};

try {
  let bundleNames: Array<string> = adminManager.getDelegatedBundleNames(admin, "disabled_hdc");
  console.info(`Succeeded in getting delegated bundles.${JSON.stringify(bundleNames)}`);
} catch (err) {
  console.error(`Failed to get delegated bundles. Code: ${err.code}, message: ${err.message}`);
}

adminManager.startAdminProvision¹⁵⁺

startAdminProvision(admin: Want, type: AdminType, context: common.Context, parameters: Record<string, string>): void

Enables the device administrator application to open a page for the BYOD administrator to perform activation.

Required permission: ohos.permission.START_PROVISIONING_MESSAGE

System capability: SystemCapability.Customization.EnterpriseDeviceManager

Model restriction: This API can be used only in the stage model.

Parameters

Name	Type	Mandatory	Description
admin	Want	Yes	EnterpriseAdminExtensionAbility.
type	AdminType	Yes	Type of the activated device administrator application. Only the ADMIN_TYPE_BYOD type is supported.
context	common.Context	Yes	Context information of the administrator application.
parameters	Record<string, string>	Yes	Custom parameters. The key value must contain activateId.

Error codes

For details about the error codes, see Universal Error Codes.

ID	Error Message
201	Permission verification failed. The application does not have the permission required to call the API.
401	Parameter error. Possible causes: 1. Mandatory parameters are left unspecified; 2. Incorrect parameter types; 3. Parameter verification failed.

Example

import { common, Want } from '@kit.AbilityKit';
import adminManager from '@ohos.enterprise.adminManager';
let wantTemp: Want = {
  bundleName: 'com.example.myapplication',
  abilityName: 'EntryAbility',
};
let context = getContext(this) as common.UIAbilityContext;
let recordParameters: Record<string, string> = {
  "activateId": "activateId testValue",
  "customizedInfo": "customizedInfo testValue"
}
try {
  console.info('context:' + JSON.stringify(context));
  adminManager.startAdminProvision(wantTemp, adminManager.AdminType.ADMIN_TYPE_BYOD, context, recordParameters);
  console.info('startAdminProvision::success');
} catch (error) {
  console.info('startAdminProvision::errorCode: ' + error.code + ' errorMessage: ' + error.message);
}

ManagedEvent

Enumerates the system management events that can be subscribed to.

System capability: SystemCapability.Customization.EnterpriseDeviceManager

Name	Value	Description
MANAGED_EVENT_BUNDLE_ADDED	0	An application is installed.
MANAGED_EVENT_BUNDLE_REMOVED	1	An application is uninstalled.
MANAGED_EVENT_APP_START	2	An application is started.
MANAGED_EVENT_APP_STOP	3	An application is stopped.
MANAGED_EVENT_SYSTEM_UPDATE	4	The system is updated.
MANAGED_EVENT_ACCOUNT_ADDED¹⁸⁺	5	An account is created.
MANAGED_EVENT_ACCOUNT_SWITCHED¹⁸⁺	6	An account is switched.
MANAGED_EVENT_ACCOUNT_REMOVED¹⁸⁺	7	An account is removed.

AdminType¹⁵⁺

Enumerates the types of device administrator applications.

System capability: SystemCapability.Customization.EnterpriseDeviceManager

Name	Value	Description
ADMIN_TYPE_BYOD	0x02	BYOD device administrator application.

Appendix

Delegation Policy List

Policy Name	API	Description
disallow_add_local_account	accountManager.disallowOsAccountAddition accountManager.isOsAccountAdditionDisallowed	Does not accept the accountId parameter, and disallows the device to create a local user. Does not accept the accountId parameter, and checks whether to disallow the device to create a local user.
disallow_add_os_account_by_user	accountManager.disallowOsAccountAddition accountManager.isOsAccountAdditionDisallowed	Accepts the accountId parameter, and disallows the specified user to add accounts. Accepts the accountId parameter, and checks whether to disallow the specified user to add accounts.
disallow_running_bundles	applicationManager.addDisallowedRunningBundlesSync applicationManager.removeDisallowedRunningBundlesSync applicationManager.getDisallowedRunningBundlesSync	Adds applications to the application blocklist. These applications are disallowed to run by the current or specified user. Removes applications from the application blocklist. Obtains the application blocklist of the current user or a specified user.
manage_auto_start_apps	applicationManager.addAutoStartApps applicationManager.removeAutoStartApps applicationManager.getAutoStartApps	Adds the list of auto-start applications upon system startup. Currently, this capability supports only 2-in-1 devices. Removes an app from the auto-startup app list. Currently, this capability supports only 2-in-1 devices. Queries the list of auto-start applications upon system startup. Currently, this capability supports only 2-in-1 devices.
allowed_bluetooth_devices	bluetoothManager.addAllowedBluetoothDevices bluetoothManager.removeAllowedBluetoothDevices bluetoothManager.getAllowedBluetoothDevices	Adds allowed Bluetooth devices. Removes allowed Bluetooth devices. Queries allowed Bluetooth devices.
set_browser_policies	browser.setPolicySync browser.getPoliciesSync	Sets a policy for a browser. Obtains the policy of a specified browser.
allowed_install_bundles	bundleManager.addAllowedInstallBundlesSync bundleManager.removeAllowedInstallBundlesSync bundleManager.getAllowedInstallBundlesSync	Adds the applications that can be installed by the current or specified user. Removes the applications that can be installed. Obtains the applications that can be installed by the current or specified user.
disallowed_install_bundles	bundleManager.addDisallowedInstallBundlesSync bundleManager.removeDisallowedInstallBundlesSync bundleManager.getDisallowedInstallBundlesSync	Adds the applications that cannot be installed by the current or specified user. Removes the applications that cannot be installed. Obtains the applications that cannot be installed by the current or specified user.
disallowed_uninstall_bundles	bundleManager.addDisallowedUninstallBundlesSync bundleManager.removeDisallowedUninstallBundlesSync bundleManager.getDisallowedUninstallBundlesSync	Adds the applications that cannot be uninstalled by the current or specified user. Removes the applications that cannot be uninstalled. Obtains the applications that cannot be uninstalled by the current or specified user.
get_device_info	deviceInfo.getDeviceInfo	Obtains device information.
location_policy	locationManager.setLocationPolicy locationManager.getLocationPolicy	Sets the location service policy. Queries the location service policy.
disabled_network_interface	networkManager.setNetworkInterfaceDisabledSync networkManager.isNetworkInterfaceDisabledSync	Disables a network interface. Queries whether a specified network interface is disabled.
global_proxy	networkManager.setGlobalProxySync networkManager.getGlobalProxySync	Sets the global network proxy. Obtains the global network proxy.
disabled_bluetooth	restrictions.setDisallowedPolicy restrictions.getDisallowedPolicy	The feature parameter is used to enable or disable the Bluetooth capability. Accepts bluetooth as the parameter to query whether the Bluetooth capability is disabled.
disallow_modify_datetime	restrictions.setDisallowedPolicy restrictions.getDisallowedPolicy	Accepts modifyDateTime as the parameter to disable or enable the system time setting capability. Accepts modifyDateTime as the parameter to query whether the system time modification capability is disabled.
disabled_printer	restrictions.setDisallowedPolicy restrictions.getDisallowedPolicy	Accepts printer as the parameter to disable or enable the printing capability. Accepts printer as the parameter to query whether the printing capability is disabled.
disabled_hdc	restrictions.setDisallowedPolicy restrictions.getDisallowedPolicy	Accepts hdc as the parameter to enable or disable HDC. Accepts hdc as the parameter to query whether the HDC capability is disabled.
disable_microphone	restrictions.setDisallowedPolicy restrictions.getDisallowedPolicy	Accepts microphone as the parameter to enable or disable the microphone capability. Accepts microphone as the parameter to query whether the microphone is disabled.
fingerprint_auth	restrictions.setDisallowedPolicy restrictions.getDisallowedPolicy restrictions.setDisallowedPolicyForAccount restrictions.getDisallowedPolicyForAccount	Accepts fingerprint as the parameter to disable or enable fingerprint authentication. Accepts fingerprint as the parameter to query whether fingerprint authentication is disabled. Accepts fingerprint as the parameter to disable or enable fingerprint authentication for a specified user. Accepts fingerprint as the parameter to query whether to disable fingerprint authentication for a specified user.
disable_usb	restrictions.setDisallowedPolicy restrictions.getDisallowedPolicy	Accepts usb as the parameter to enable or disable the USB capability. Accepts usb as the parameter to query whether the USB capability is disabled.
disable_wifi	restrictions.setDisallowedPolicy restrictions.getDisallowedPolicy	Accepts wifi as the parameter to enable or disable the Wi-Fi capability. Accepts wifi as the parameter to query whether the Wi-Fi capability is disabled.
disallowed_tethering	restrictions.setDisallowedPolicy restrictions.getDisallowedPolicy	Accepts tethering as the parameter to enable or disable network sharing. Accepts tethering as the parameter to query whether the network sharing capability is disabled.
inactive_user_freeze	restrictions.setDisallowedPolicy restrictions.getDisallowedPolicy	Accepts inactiveUserFreeze as the parameter to enable or disable the inactive user running capability. Accepts inactiveUserFreeze as the parameter to query whether to disable the inactive user running capability.
snapshot_skip	restrictions.addDisallowedListForAccount restrictions.removeDisallowedListForAccount restrictions.getDisallowedListForAccount	Accepts snapshotSkip as the parameter to add the applications that disable the screen snapshot function. Accepts snapshotSkip as the parameter to remove the applications that disable the screen snapshot function. Accepts snapshotSkip as the parameter to query the applications that disable the screen snapshot function.
password_policy	securityManager.setPasswordPolicy securityManager.getPasswordPolicy	Sets the device password policy. Obtains the device password policy.
clipboard_policy	securityManager.setAppClipboardPolicy securityManager.getAppClipboardPolicy	Sets the device clipboard policy. Obtains the device clipboard policy.
watermark_image_policy	securityManager.setWatermarkImage securityManager.cancelWatermarkImage	Sets the watermark policy. Currently, this feature is available only for 2-in-1 devices. Cancels the watermark policy. Currently, this feature is available only for 2-in-1 devices.
ntp_server	systemManager.setNTPServer systemManager.getNTPServer	Sets the NTP server policy. Obtains the NTP server information.
set_update_policy	systemManager.setOtaUpdatePolicy systemManager.getOtaUpdatePolicy	Sets the update policy. Queries the update policy.
notify_upgrade_packages	systemManager.notifyUpdatePackages systemManager.getUpdateResult	Notifies the system of the update packages. Obtains the system update result.
allowed_usb_devices	usbManager.addAllowedUsbDevices usbManager.removeAllowedUsbDevices usbManager.getAllowedUsbDevices	Adds allowed USB devices. Removes allowed USB devices. Obtains allowed USB devices.
usb_read_only	usbManager.setUsbStorageDeviceAccessPolicy usbManager.getUsbStorageDeviceAccessPolicy	Sets the USB storage device access policy. Obtains the USB storage device access policy.
disallowed_usb_devices	usbManager.addDisallowedUsbDevices usbManager.removeDisallowedUsbDevices usbManager.getDisallowedUsbDevices	Adds disallowed USB device types. Removes disallowed USB device types. Obtains disallowed USB device types.