harmony 鸿蒙@ohos.enterprise.restrictions (Restrictions)

2025-06-12
浏览 (4)

@ohos.enterprise.restrictions (Restrictions)

This restrictions module provides APIs for disallowing general features of devices. You can globally disable or enable the features such as Bluetooth, HDC, USB, and Wi-Fi.

NOTE

The initial APIs of this module are supported since API version 12. Newly added APIs will be marked with a superscript to indicate their earliest API version.

The APIs of this module can be used only in the stage model.

The APIs of this module can be called only by a device administrator application that is enabled.

Modules to Import

import { restrictions } from '@kit.MDMKit';

restrictions.setDisallowedPolicy

setDisallowedPolicy(admin: Want, feature: string, disallow: boolean): void

Disallows a feature.

Required permissions: ohos.permission.ENTERPRISE_MANAGE_RESTRICTIONS or ohos.permission.PERSONAL_MANAGE_RESTRICTIONS¹⁵⁺

System capability: SystemCapability.Customization.EnterpriseDeviceManager

Parameters

Name	Type	Mandatory	Description
admin	Want	Yes	EnterpriseAdminExtensionAbility.
feature	string	Yes	Feature to set. - bluetooth: Bluetooth capability of the device. - modifyDateTime: capability of modifying the system time. Currently, this feature is available only for 2-in-1 devices. - printer: printing capability. Currently, this feature is available only for 2-in-1 devices. - hdc: OpenHarmony Device Connector (hdc). - microphone: microphone capability of the device. - fingerprint: fingerprint authentication capability of the device. If the fingerprint authentication capability has been disabled for a user using setDisallowedPolicyForAccount, a policy conflict will be reported when this API is invoked to enable the fingerprint authentication capability. - usb: USB capability of the device. The external USB device cannot be used after this capability is disabled. That is, when the current device is in host mode, other external devices cannot be connected. If you use this API to disable the USB capability of a device in the following scenarios, a policy conflict will be reported: 1. Available USB devices are added using the addAllowedUsbDevices API. 2. The access policy of the USB storage device is set to read-only or disabled through the setUsbStorageDeviceAccessPolicy API. 3. A forbidden USB device type is added using the addDisallowedUsbDevices API. - wifi: Wi-Fi capability of the device. - tethering¹⁴⁺: network sharing capability. Currently, this feature is available only for 2-in-1 devices. - inactiveUserFreeze¹⁴⁺: capability of freezing inactive users. Currently, this feature is available only for 2-in-1 devices. When the system switches to the enterprise space user, the personal space users are inactive users. - camera¹⁴⁺: camera capability of the device. - mtpClient¹⁸⁺: MTP client capability. Currently, this feature is available only for 2-in-1 devices. The Media Transfer Protocol (MTP) allows users to access media files linearly on mobile devices. - mtpServer¹⁸⁺: MTP server capability. Currently, this feature is available only for mobile phones, tablets, and 2-in-1 devices. Note: Since API version 15, an application must request the ohos.permission.PERSONAL_MANAGE_RESTRICTIONS permission and call adminManager.startAdminProvision to set the features including bluetooth, hdc, microphone, usb, wifi, tethering, and camera.
disallow	boolean	Yes	Whether to disallow the feature. The value true means to disallow the feature; the value false means the opposite.

Error codes

For details about the error codes, see Enterprise Device Management Error Codes and Universal Error Codes.

ID	Error Message
9200001	The application is not an administrator application of the device.
9200002	The administrator application does not have permission to manage the device.
201	Permission verification failed. The application does not have the permission required to call the API.
401	Parameter error. Possible causes: 1. Mandatory parameters are left unspecified; 2. Incorrect parameter types; 3. Parameter verification failed.

Example

import { Want } from '@kit.AbilityKit';
let wantTemp: Want = {
  bundleName: 'com.example.myapplication',
  abilityName: 'EntryAbility',
};

try {
  restrictions.setDisallowedPolicy(wantTemp, 'printer', true);
  console.info('Succeeded in setting printer disabled');
} catch (err) {
  console.error(`Failed to set printer disabled. Code is ${err.code}, message is ${err.message}`);
}

restrictions.getDisallowedPolicy

getDisallowedPolicy(admin: Want, feature: string): boolean

Obtains a disabled feature.

Required permissions: ohos.permission.ENTERPRISE_MANAGE_RESTRICTIONS or ohos.permission.PERSONAL_MANAGE_RESTRICTIONS¹⁵⁺

System capability: SystemCapability.Customization.EnterpriseDeviceManager

Parameters

Name	Type	Mandatory	Description
admin	Want	Yes	EnterpriseAdminExtensionAbility.
feature	string	Yes	Feature to set. - bluetooth: Bluetooth capability of the device. - modifyDateTime: capability of modifying the system time. Currently, this feature is available only for 2-in-1 devices. - printer: printing capability. Currently, this feature is available only for 2-in-1 devices. - hdc: OpenHarmony Device Connector (hdc). - microphone: microphone capability of the device. - fingerprint: fingerprint authentication capability of the device. - usb: USB capability of the device. External USB devices cannot be used after this capability is disabled. That is, when the current device is in host mode, other external devices cannot be connected. - wifi: Wi-Fi capability of the device. - tethering¹⁴⁺: network sharing capability. Currently, this feature is available only for 2-in-1 devices. - inactiveUserFreeze¹⁴⁺: capability of freezing inactive users. Currently, this feature is available only for 2-in-1 devices. When the system switches to the enterprise space user, the personal space users are inactive users. - camera¹⁴⁺: camera capability of the device. - mtpClient¹⁸⁺: MTP client capability. Currently, this feature is available only for 2-in-1 devices. The Media Transfer Protocol (MTP) allows users to access media files linearly on mobile devices. - mtpServer¹⁸⁺: MTP server capability. Currently, this feature is available only for mobile phones, tablets, and 2-in-1 devices. Note: Since API version 15, an application must request the ohos.permission.PERSONAL_MANAGE_RESTRICTIONS permission and call adminManager.startAdminProvision to set the features including bluetooth, hdc, microphone, usb, wifi, tethering, and camera.

Return value

Type	Description
boolean	Returns true if the feature is disallowed; returns false otherwise.

Error codes

For details about the error codes, see Enterprise Device Management Error Codes and Universal Error Codes.

ID	Error Message
9200001	The application is not an administrator application of the device.
9200002	The administrator application does not have permission to manage the device.
201	Permission verification failed. The application does not have the permission required to call the API.
401	Parameter error. Possible causes: 1. Mandatory parameters are left unspecified; 2. Incorrect parameter types; 3. Parameter verification failed.

Example

import { Want } from '@kit.AbilityKit';
let wantTemp: Want = {
  bundleName: 'com.example.myapplication',
  abilityName: 'EntryAbility',
};

try {
  let result: boolean = restrictions.getDisallowedPolicy(wantTemp, 'printer');
  console.info(`Succeeded in querying is the printing function disabled : ${result}`);
} catch (err) {
  console.error(`Failed to set printer disabled. Code is ${err.code}, message is ${err.message}`);
}

restrictions.setDisallowedPolicyForAccount¹⁴⁺

setDisallowedPolicyForAccount(admin: Want, feature: string, disallow: boolean, accountId: number): void

Enables or disables a feature of a specified user.

Required permissions: ohos.permission.ENTERPRISE_MANAGE_RESTRICTIONS

System capability: SystemCapability.Customization.EnterpriseDeviceManager

Parameters

Name	Type	Mandatory	Description
admin	Want	Yes	EnterpriseAdminExtensionAbility.
feature	string	Yes	Feature to set. - fingerprint: device fingerprint authentication capability. Currently, this feature is available only for 2-in-1 devices. The rules for using this parameter are as follows: 1. The device fingerprint authentication capability is disabled through the setDisallowedPolicy API. If this parameter is transferred through this API, a policy conflict is reported. 2. After this API is used to disable or enable the device fingerprint authentication capability of a specified user, if the setDisallowedPolicy API is used to disable the device fingerprint authentication capability, the latter will overwrite the former. All users can use the device fingerprint authentication capability enabled by the setDisallowedPolicy API.
disallow	boolean	Yes	Whether to disallow the feature. The value true means to disallow the feature; the value false means the opposite.
accountId	number	Yes	User ID, which must be greater than or equal to 0. You can call the getOsAccountLocalId API to obtain the user ID.

Error codes

For details about the error codes, see Enterprise Device Management Error Codes and Universal Error Codes.

ID	Error Message
9200001	The application is not an administrator application of the device.
9200002	the administrator application does not have permission to manage the device.
9200010	A conflict policy has been configured.
201	Permission verification failed. The application does not have the permission required to call the API.
401	Parameter error. Possible causes: 1. Mandatory parameters are left unspecified; 2. Incorrect parameter types; 3. Parameter verification failed.

Example

import { Want } from '@kit.AbilityKit';
let wantTemp: Want = {
  bundleName: 'com.example.myapplication',
  abilityName: 'EntryAbility',
};

try {
  restrictions.setDisallowedPolicyForAccount(wantTemp, 'fingerprint', true, 100);
  console.info('Succeeded in setting fingerprint disabled');
} catch (err) {
  console.error(`Failed to set fingerprint disabled. Code is ${err.code}, message is ${err.message}`);
}

restrictions.getDisallowedPolicyForAccount¹⁴⁺

getDisallowedPolicyForAccount(admin: Want, feature: string, accountId: number): boolean

Obtains the status of a feature of a specified user.

Required permissions: ohos.permission.ENTERPRISE_MANAGE_RESTRICTIONS

System capability: SystemCapability.Customization.EnterpriseDeviceManager

Parameters

Name	Type	Mandatory	Description
admin	Want	Yes	EnterpriseAdminExtensionAbility.
feature	string	Yes	Feature to set. - fingerprint: device fingerprint authentication capability. Currently, this feature is available only for 2-in-1 devices. When this parameter is used, the following rules apply: After setDisallowedPolicyForAccount is used to disable or enable the device fingerprint authentication capability of a specified user, if the setDisallowedPolicy API is used to disable the device fingerprint authentication capability, the latter will overwrite the former. And the calling result is false.
accountId	number	Yes	User ID, which must be greater than or equal to 0. You can call getOsAccountLocalId to obtain the user ID.

Return value

Type	Description
boolean	If true is returned, the feature is disabled. If false is returned, the feature is not disabled.

Error codes

For details about the error codes, see Enterprise Device Management Error Codes and Universal Error Codes.

ID	Error Message
9200001	The application is not an administrator application of the device.
9200002	the administrator application does not have permission to manage the device.
201	Permission verification failed. The application does not have the permission required to call the API.
401	Parameter error. Possible causes: 1. Mandatory parameters are left unspecified; 2. Incorrect parameter types; 3. Parameter verification failed.

Example

import { Want } from '@kit.AbilityKit';
let wantTemp: Want = {
  bundleName: 'com.example.myapplication',
  abilityName: 'EntryAbility',
};

try {
  let result: boolean = restrictions.getDisallowedPolicyForAccount(wantTemp, 'fingerprint', 100);
  console.info(`Succeeded in querying is the fingerprint function disabled : ${result}`);
} catch (err) {
  console.error(`Failed to set fingerprint disabled. Code is ${err.code}, message is ${err.message}`);
}

restrictions.addDisallowedListForAccount¹⁴⁺

addDisallowedListForAccount(admin: Want, feature: string, list: Array<string>, accountId: number): void

Add a list of applications that are not allowed to use a feature for a specified user.

Required permissions: ohos.permission.ENTERPRISE_MANAGE_RESTRICTIONS

System capability: SystemCapability.Customization.EnterpriseDeviceManager

Parameters

Name	Type	Mandatory	Description
admin	Want	Yes	EnterpriseAdminExtensionAbility.
feature	string	Yes	Feature to set. - snapshotSkip: screen snapshot capability.
list	Array<string>	Yes	List of content such as the bundle names.
accountId	number	Yes	User ID, which must be greater than or equal to 0. You can call the getOsAccountLocalId API to obtain the user ID.

Error codes

For details about the error codes, see Enterprise Device Management Error Codes and Universal Error Codes.

ID	Error Message
9200001	The application is not an administrator application of the device.
9200002	The administrator application does not have permission to manage the device.
201	Permission verification failed. The application does not have the permission required to call the API.
401	Parameter error. Possible causes: 1. Mandatory parameters are left unspecified; 2. Incorrect parameter types; 3. Parameter verification failed.

Example

import { Want } from '@kit.AbilityKit';
let wantTemp: Want = {
  bundleName: 'com.example.myapplication',
  abilityName: 'EntryAbility',
};
let valueList:Array<string> = ["com.xx.aa.", "com.xx.bb"];
try {
  restrictions.addDisallowedListForAccount(wantTemp, 'snapshotSkip', valueList, 100);
  console.info('Succeeded in adding disallowed snapshotSkip feature');
} catch (err) {
  console.error(`Failed to add disallowed snapshotSkip feature. Code is ${err.code}, message is ${err.message}`);
}

restrictions.removeDisallowedListForAccount¹⁴⁺

removeDisallowedListForAccount(admin: Want, feature: string, list: Array<string>, accountId: number): void

Removes a list of applications that are not allowed to use a feature for a specified user.

Required permissions: ohos.permission.ENTERPRISE_MANAGE_RESTRICTIONS

System capability: SystemCapability.Customization.EnterpriseDeviceManager

Parameters

Name	Type	Mandatory	Description
admin	Want	Yes	EnterpriseAdminExtensionAbility.
feature	string	Yes	Feature to set. - snapshotSkip: screen snapshot capability.
list	Array<string>	Yes	List of content such as the bundle names.
accountId	number	Yes	User ID, which must be greater than or equal to 0. You can call the getOsAccountLocalId API to obtain the user ID.

Error codes

For details about the error codes, see Enterprise Device Management Error Codes and Universal Error Codes.

ID	Error Message
9200001	The application is not an administrator application of the device.
9200002	The administrator application does not have permission to manage the device.
201	Permission verification failed. The application does not have the permission required to call the API.
401	Parameter error. Possible causes: 1. Mandatory parameters are left unspecified; 2. Incorrect parameter types; 3. Parameter verification failed.

Example

import { Want } from '@kit.AbilityKit';
let wantTemp: Want = {
  bundleName: 'com.example.myapplication',
  abilityName: 'EntryAbility',
};
let valueList:Array<string> = ["com.xx.aa.", "com.xx.bb"];
try {
  restrictions.removeDisallowedListForAccount(wantTemp, 'snapshotSkip', valueList, 100);
  console.info('Succeeded in removing disallowed snapshotSkip feature');
} catch (err) {
  console.error(`Failed to remove disallowed snapshotSkip feature. Code is ${err.code}, message is ${err.message}`);
}

restrictions.getDisallowedListForAccount¹⁴⁺

getDisallowedListForAccount(admin: Want, feature: string, accountId: number): Array<string>

Obtains the list of applications that are not allowed to use a feature for a specified user.

Required permissions: ohos.permission.ENTERPRISE_MANAGE_RESTRICTIONS

System capability: SystemCapability.Customization.EnterpriseDeviceManager

Parameters

Name	Type	Mandatory	Description
admin	Want	Yes	EnterpriseAdminExtensionAbility.
feature	string	Yes	Feature to set. - snapshotSkip: screen snapshot capability.
accountId	number	Yes	User ID, which must be greater than or equal to 0. You can call getOsAccountLocalId to obtain the user ID.

Return value

Type	Description
Array<string>	List of applications that have been added by the user and for which a certain feature is disabled.

Error codes

For details about the error codes, see Enterprise Device Management Error Codes and Universal Error Codes.

ID	Error Message
9200001	The application is not an administrator application of the device.
9200002	The administrator application does not have permission to manage the device.
201	Permission verification failed. The application does not have the permission required to call the API.
401	Parameter error. Possible causes: 1. Mandatory parameters are left unspecified; 2. Incorrect parameter types; 3. Parameter verification failed.

Example

import { Want } from '@kit.AbilityKit';
let wantTemp: Want = {
  bundleName: 'com.example.myapplication',
  abilityName: 'EntryAbility',
};

try {
  let result: Array<string> = restrictions.getDisallowedListForAccount(wantTemp, 'snapshotSkip', 100);
  console.info('Succeeded in querying disallowed list for account');
} catch (err) {
  console.error(`Failed to query disallowed list for account. Code is ${err.code}, message is ${err.message}`);
}