Opt-out for always-on VPN
Always-on VPN is a feature introduced in N. Since then, all VPN apps
targeting N+ are assumed to support the feature, and the user or the DPC
can turn on / off always-on for any such VPN app. However, a few VPN
apps are not designed to support the always-on feature. Enabling
always-on for these apps will result in undefined behavior and confusing
"Always-on VPN disconnected" notification.
This feature provides a new manifest meta-data field through which a VPN
app can opt out of the always-on feature explicitly. This will stop the
always-on feature from being enabled for the app, both by the user and
by the DPC, and will clear its existing always-on state.
A @hide API is provided to check whether an app supports always-on VPN.
Documentation is updated to reflect the behavior change.
Bug: 36650087
Test: runtest --path java/com/android/server/connectivity/VpnTest.java
Test: cts-tradefed run cts --module CtsDevicePolicyManagerTestCases --test 'com.android.cts.devicepolicy.MixedDeviceOwnerTest#testAlwaysOnVpnUnsupportedPackage'
Test: cts-tradefed run cts --module CtsDevicePolicyManagerTestCases --test 'com.android.cts.devicepolicy.MixedDeviceOwnerTest#testAlwaysOnVpnUnsupportedPackageReplaced'
Test: cts-tradefed run cts --module CtsDevicePolicyManagerTestCases --test 'com.android.cts.devicepolicy.MixedProfileOwnerTest#testAlwaysOnVpnUnsupportedPackage'
Test: cts-tradefed run cts --module CtsDevicePolicyManagerTestCases --test 'com.android.cts.devicepolicy.MixedProfileOwnerTest#testAlwaysOnVpnUnsupportedPackageReplaced'
Test: cts-tradefed run cts --module CtsDevicePolicyManagerTestCases --test 'com.android.cts.devicepolicy.MixedManagedProfileOwnerTest#testAlwaysOnVpnUnsupportedPackage'
Test: cts-tradefed run cts --module CtsDevicePolicyManagerTestCases --test 'com.android.cts.devicepolicy.MixedManagedProfileOwnerTest#testAlwaysOnVpnUnsupportedPackageReplaced'
Change-Id: I477897a29175e3994d4ecf8ec546e26043c90f13
diff --git a/core/java/android/app/admin/DevicePolicyManager.java b/core/java/android/app/admin/DevicePolicyManager.java
index c4d22a3..d8da8c5 100644
--- a/core/java/android/app/admin/DevicePolicyManager.java
+++ b/core/java/android/app/admin/DevicePolicyManager.java
@@ -3929,26 +3929,18 @@
/**
* Called by a device or profile owner to configure an always-on VPN connection through a
- * specific application for the current user.
- *
- * @deprecated this version only exists for compability with previous developer preview builds.
- * TODO: delete once there are no longer any live references.
- * @hide
- */
- @Deprecated
- public void setAlwaysOnVpnPackage(@NonNull ComponentName admin, @Nullable String vpnPackage)
- throws NameNotFoundException, UnsupportedOperationException {
- setAlwaysOnVpnPackage(admin, vpnPackage, /* lockdownEnabled */ true);
- }
-
- /**
- * Called by a device or profile owner to configure an always-on VPN connection through a
* specific application for the current user. This connection is automatically granted and
* persisted after a reboot.
* <p>
- * The designated package should declare a {@link android.net.VpnService} in its manifest
- * guarded by {@link android.Manifest.permission#BIND_VPN_SERVICE}, otherwise the call will
- * fail.
+ * To support the always-on feature, an app must
+ * <ul>
+ * <li>declare a {@link android.net.VpnService} in its manifest, guarded by
+ * {@link android.Manifest.permission#BIND_VPN_SERVICE};</li>
+ * <li>target {@link android.os.Build.VERSION_CODES#N API 24} or above; and</li>
+ * <li><i>not</i> explicitly opt out of the feature through
+ * {@link android.net.VpnService#METADATA_SUPPORTS_ALWAYS_ON}.</li>
+ * </ul>
+ * The call will fail if called with the package name of an unsupported VPN app.
*
* @param vpnPackage The package name for an installed VPN app on the device, or {@code null} to
* remove an existing always-on VPN configuration.