• In addition, the IoT device needs the ability to execute encryption algorithms in a way that remains immune to penetration, all the while maintaining the overall performance of the IoT device. ...


    The demonstrated ability of hackers to penetrate IoT devices says more about the level of security of these devices than the skill of the hackers: in most cases, the affected products lack the most basic security provisions. That said, basic security is simple conceptually, but its implementation requires careful attention at every node in a system to avoid vulnerabilities.

    A pre-built security solution from Microchip Technology allows developers to implement zero-touch device provisioning in IoT applications built around the Amazon Web Services (AWS) IoT service.

    Security requirements 

    A world of IoT connected devices presents a rich prize to hackers intent on controlling, disrupting, or corrupting critical applications in industry, transportation, health, and emergency services, among others. Increasingly, IoT developers are addressing the safety of data in transit by encrypting communications between devices and their hosts. Yet, data encryption represents only a portion of the requirements for end-to-end security.

    A secure IoT application also depends upon secure authentication to ensure that known devices communicate with trusted hosts. The lack of assurance in device or host identity leaves an open door for attackers to take control of the data stream using man-in-the-middle attacks. In these attacks, bad actors represent themselves as trusted end devices in order to insert corrupted data streams into an application. Alternatively, attackers falsely represent themselves as known hosts to take control of IoT devices.

    Although their ability to break encryption lies at the heart of these approaches, the real damage lies in their ability to intrude themselves as authorized entities into trusted networks with all the potential harm that might entail. Consequently, IoT applications lend themselves to more sophisticated service platforms that address security on a broad level.

    Use a secure cloud platform

    Amazon Web Services (AWS) IoT platform provides a comprehensive environment that embeds security as a fundamental capability as it serves the diverse functional requirements of IoT applications. As a specialized front end to diverse AWS services, AWS IoT sits between the IoT device and its application, using a message-based architecture to secure and administer IoT devices (Figure 1).
    亚马逊网络服务(AWS)物联网平台提供了一个全面的环境,将安全性作为基本功能嵌入其中,因为它满足物联网应用的各种功能需求。作为各种AWS服务的专用前端,AWS IoT位于物联网设备及其应用之间,使用基于消息的架构来保护和管理物联网设备(图1)。

    Image of Amazon Web Services IoT platform


    Figure 1: The Amazon Web Services IoT platform connects IoT devices with the broad family of AWS services, leveraging AWS security mechanisms to perform mutual authentication between IoT devices and the AWS platform. (Image source: Amazon Web Services)


    As messages arrive from IoT end devices, developer-defined rules initiate appropriate actions involving other AWS services that work on behalf of the IoT application. In turn, the IoT application software interacts with cloud-based device shadows that maintain the last known state of the corresponding physical IoT devices. This shadowing ensures continued operation of the IoT application, even if the physical devices momentarily go offline. This service model depends upon a sophisticated set of security mechanisms that are designed to identify trusted entities and control their access to available resources.

    At the heart of the AWS security model are identity and access management (IAM) policies. These spell out which devices, users, or services are permitted to access which specific resources within the IoT network, AWS environment, or the application. To a large extent, the success of this security model hinges upon reliable authentication of the entity (user, device, or service) requesting access to a particular resource. If bad actors are able to fool the security system into authenticating them as fully trusted users, the barriers presented by access rights rules effectively dissolve.

    As with general web access, AWS uses public key infrastructure (PKI) keys and standard X.509 certificates. In fact, AWS security services use an authentication model familiar to web users. For secure web links, web browsers rely on underlying mechanisms such as transport layer security (TLS) services that check site certificates to authenticate the host server prior to establishing secure communications. More sensitive web-based applications supplement host authentication with client authentication, using a client certificate in the user's browser to confirm the user's identity.

    Deployments of this kind of mutual authentication remain relatively rare in general web usage because few users are willing or able to take the steps needed to acquire their own client certificates and provision their browsers with those certificates. Yet, mutual authentication is key to reducing the attack surfaces available to bad actors. In fact, the AWS IoT service requires mutual authentication between an IoT device and the AWS cloud. If mutual authentication is difficult in general web usage, it presents significant challenges to IoT developers.
    在一般的Web使用中,这种相互认证的部署仍然相对较少,因为很少有用户愿意或能够采取获取他们自己的客户端证书所需的步骤并为他们的浏览器提供这些证书。然而,相互认证是减少坏人可用的攻击面的关键。实际上,AWS IoT服务需要在物联网设备和AWS云之间进行相互身份验证。如果在一般Web使用中难以进行相互身份验证,则会给物联网开发人员带来重大挑战。

    To implement mutual authentication in IoT devices, developers need to overcome multiple hurdles. Besides dealing with the logistics of key and certificate acquisition, developers need to store those secrets securely with no possibility of unauthorized access. In addition, the IoT device needs the ability to execute encryption algorithms in a way that remains immune to penetration, all the while maintaining the overall performance of the IoT device.

    Developed in collaboration with AWS, pre-configured versions of the "generic" Microchip
    CryptoAuthentication device meets these requirements, providing a simple drop-in solution for designers building devices for AWS IoT.
    与AWS合作开发的"通用"Microchip预配置版本ATECC508A CryptoAuthentication设备满足这些要求,为设计人员构建AWS IoT设备提供了简单的插入式解决方案。

    Dedicated crypto

    Created specifically for secure authentication, the ATECC508A IC combines hardware-based PKI algorithms and secure storage in a design that resists attack through physical, electrical, or software means. The device connects through its I^2^C interface to a design's host CPU. The host CPU then uses a simple command set to perform encryption, update the stored certificate, and access other ATECC508A functions. In fact, the ATECC508A internally generates private keys and stores them securely, eliminating the need for off-chip key management. Because the integrated crypto engine works with secure data within the same chip, the crypto secrets are never exposed on the external bus where they might be intercepted.
    ATECC508A IC专为安全认证而设计,将基于硬件的PKI算法和安全存储结合在一起,通过物理,电气或软件方式抵御攻击。该设备通过其I ^ 2 ^ C接口连接到设计的主机CPU。然后,主机CPU使用简单的命令集来执行加密,更新存储的证书以及访问其他ATECC508A功能。实际上,ATECC508A在内部生成私钥并安全存储它们,无需进行片外密钥管理。由于集成加密引擎与同一芯片内的安全数据一起工作,因此加密秘密永远不会暴露在可能被截获的外部总线上。

    In offloading crypto execution from the host processor, the ATECC508A not only enhances security, but it does so without compromising performance. Designs using the ATECC508A can achieve TLS connections significantly faster than software-only TLS implementations. In benchmark tests, ATECC508A-based systems completed TLS connections more than five times faster on average than software-only implementations using a high performance ARM® Cortex®-M0-based processor^1^.
    在从主处理器卸载加密执行时,ATECC508A不仅增强了安全性,而且在不影响性能的情况下实现了这一点。使用ATECC508A进行设计可以比仅使用软件的TLS实现更快地实现TLS连接。在基准测试中,基于ATECC508A的系统完成TLS连接的速度比使用高性能ARM®Cortex®-M0处理器的纯软件实现平均快5倍^ 1 ^。

    The ATECC508A offers substantial benefits for IoT designers, but in its generic form it remains essentially a blank slate for authentication applications. Although the device internally generates private keys, it requires development organizations to acquire and load trusted X.509 certificates. Certificates build on a hierarchy of trust, where root certificates sign certificates used on hosts and clients. Building this trust hierarchy is fundamental to secure systems and applications. For developers, however, the detailed logistics of certificate generation and registration represents a significant complication. Worse, certificate generation for prototypes or pre-production systems can simply be a waste of time when production units use a separate root certificate or a different chain of certificates. A pre-configured ATECC508A provides a simpler solution for engineers using the AWS IoT platform in pre-production designs.
    ATECC508A为物联网设计人员提供了巨大的好处,但在其通用形式中,它基本上仍然是认证应用的空白板块。虽然设备在内部生成私钥,但它需要开发组织获取和加载受信任的X.509证书。证书构建在信任层次结构上,其中根证书签署主机和客户端上使用的证书。构建此信任层次结构是安全系统和应用程序的基础。然而,对于开发人员而言,证书生成和注册的详细后勤代表了一个重要的复杂因素。更糟糕的是,当生产单元使用单独的根证书或不同的证书链时,原型或预生产系统的证书生成可能只是浪费时间。预先配置的ATECC508A为在预生产设计中使用AWS IoT平台的工程师提供了更简单的解决方案。

    Using the pre-configured ATECC508A devices, designers can implement authentication simply by dropping the device into their designs and connecting it to their host MCU through an I^2^C port. Available in 8-lead UDFN (
    使用预先配置的ATECC508A器件,设计人员只需将器件放入其设计并通过I ^ 2 ^ C端口连接到主机MCU即可实现验证。提供8引脚UDFN(ATECC508A-MAHAW-S) and 8-lead SOIC (
    ) and 8-lead SOIC (ATECC508A-SSHAW-T) versions, the devices are pre-provisioned with the necessary client certificates and pre-configured to work with AWS IoT. Developers can solder the device into their own designs and interact with AWS IoT using application programming interfaces (APIs). These APIs reside within the AWS software development kit (SDK) libraries hosted on their target system.
    )版本,设备预先配置了必要的客户端证书,并预先配置为使用AWS IoT。开发人员可以将设备焊接到他们自己的设计中,并使用应用程序编程接口(API)与AWS IoT进行交互。这些API位于其目标系统上托管的AWS软件开发工具包(SDK)库中。

    Alternatively, they can evaluate the device using the Microchip AWS zero-touch provisioning kit (Figure 2).
    或者,他们可以使用Microchip评估器件AT88CKECC-AWS-XSTK AWS零接触配置套件(图2)。

    Image of Microchip Technology AT88CKECC-AWS-XSTK AWS Zero Touch Provisioning Kit


    Figure 2: The Microchip Technology AT88CKECC-AWS-XSTK AWS Zero Touch Provisioning Kit provides a complete wireless IoT design built around a SAM G MCU board (center), ATECC508A-xxxAW device board (left), ATWINC1500-XSTK RF board (right), and ATOLED1-XPRO display board with buttons and switches to mimic IoT events (bottom). (Image source: Microchip Technology)


    Along with
    Along with ATCRYPTOAUTH-XPRO Crypto eval boards for the ATECC508, the kit provides a complete IoT design prototype, comprising the
    用于ATECC508的加密评估板,该套件提供了完整的物联网设计原型,包括ATSAMG55-XPRO SAM G MCU board,
    SAM G MCU board, ATWINC1500-XSTK RF board, and the
    RF board, and the ATOLED1-XPRO board with display, buttons, and switches used to simulate IoT data events.

    Zero-touch provisioning

    Whether working from a custom prototype or the starter kit, developers can implement AWS mutual authentication with the ATECC508A-xxxAW by simply plugging the device into a design. The advantages of the ATECC508A-xxxAW become evident the first time the device connects with AWS IoT.
    无论是使用自定义原型还是入门套件,开发人员都可以通过简单地将设备插入设计中来实现与ATECC508A-xxxAW的AWS相互认证。当设备首次与AWS IoT连接时,ATECC508A-xxxAW的优势变得明显。

    On initial connection, the ATECC508A-xxxAW device interacts with AWS IoT to automatically complete the AWS just-in-time registration (JITR) process that uniquely identifies each IoT device within AWS IoT. Additionally, IoT developers can extend this concept of zero-touch provisioning beyond designs based on these pre-configured ATECC508A versions.
    在初始连接时,ATECC508A-xxxAW设备与AWS IoT交互以自动完成AWS实时注册(JITR)流程,该流程可唯一标识AWS IoT中的每个IoT设备。此外,物联网开发人员可以将这种零接触配置概念扩展到基于这些预先配置的ATECC508A版本的设计之外。

    Commonly used in IT network environments, zero-touch provisioning (ZTP) allows network equipment deployments to proceed without user intervention. At startup, the network identifies new network equipment and authorizes its connection to the network, just as AWS JITR automatically provisions pre-configured IoT devices. For IoT applications expected to encompass massive numbers of devices, ZTP represents a particularly important concept. Using the Microchip AT88CKECC-AWS-XSTK starter kit, developers can gain a better understanding of the details behind certificate provisioning and ZTP using AWS JITR. In particular, developers can explore the use of custom software using AWS's serverless Lambda service to address unique requirements for the ZTP process.
    零触摸配置(ZTP)通常用于IT网络环境,允许在无需用户干预的情况下继续进行网络设备部署。在启动时,网络识别新的网络设备并授权其与网络的连接,就像AWS JITR自动配置预先配置的IoT设备一样。对于预计包含大量设备的物联网应用,ZTP代表了一个特别重要的概念。使用Microchip AT88CKECC-AWS-XSTK入门套件,开发人员可以使用AWS JITR更好地了解证书配置和ZTP背后的详细信息。特别是,开发人员可以使用AWS的无服务器Lambda服务探索定制软件的使用,以满足ZTP流程的独特需求。

    Along with the IoT design hardware mentioned above, the starter kit comes with the Microchip
    与上面提到的物联网设计硬件一起,入门套件随Microchip一起提供AT88CKECCROOTroot module utility and
    根模块实用程序和AT88CKECCSIGNER signer module utility. The root and signer modules each come with a USB dongle that contains root keys and signing keys, respectively.

    Working with the starter kit, developers connect the AT88CKECC-AWS-XSTK and modules via USB to their PC, which should be running the starter kit software package. The starter kit application walks users through the details of registering certificates on AWS IoT. It uses the root and signer modules mentioned above to represent the roles of the actual root certificates and signing certificates that will eventually be used during manufacturing. For production units, a similar process would occur in the Microchip manufacturing facility where "blank" ATECC508As are configured using certificates that build upon the development organization's own root of trust (Figure 3).
    开发人员使用入门工具包,开发人员将AT88CKECC-AWS-XSTK和模块通过USB连接到PC,PC应运行入门工具包软件包。入门工具包应用程序向用户介绍在AWS IoT上注册证书的详细信息。它使用上面提到的根和签名者模块来表示最终将在制造期间使用的实际根证书和签名证书的角色。对于生产单元,Microchip制造工厂中会出现类似的过程,其中"空白"ATECC508A使用基于开发组织自身信任根的证书进行配置(图3)。

    Diagram of Microchip ATECC508A-xxxAW series


    Figure 3: Although the ATECC508A-xxxAW series comes pre-configured by Microchip for AWS IoT, production of devices for customer designs would use a tool such as the AT88CKECCSIGNER signer module to create custom device certificates that build on the development organization's root of trust. (Image source: Microchip Technology)


    Microchip supports the starter kit with a software package that reduces operations and interactions with AWS IoT to a few simple software calls. For example, the main routine in the sample application calls aws_demo_tasks_init(), which launches a series of separate tasks associated with each hardware component in the starter kit.
    Microchip通过软件包支持入门工具包,该软件包可将操作和与AWS IoT的交互减少到几个简单的软件调用。例如,示例应用程序中的主例程调用aws_demo_tasks_init(),它会启动与入门工具包中的每个硬件组件关联的一系列单独任务。

    Developers can leverage the sample code set to create their own ATECC508-based designs for AWS IoT applications. In fact, the kit builds on the same CryptoAuthLib C-language offered as a standard package for ATECC508 software support. The starter kit simply converts higher-level calls to a series of low-level calls to the CryptoAuthLib library's "at" routines (Listing 1).
    开发人员可以利用示例代码集为AWS IoT应用程序创建自己的基于ATECC508的设计。事实上,该套件基于相同的CryptoAuthLib C语言,作为ATECC508软件支持的标准软件包提供。入门工具包只是将更高级别的调用转换为对CryptoAuthLib库的"at"例程的一系列低级调用(清单1)。


    * \brief Send a command array to ATECC508A over I2C.


    * \param[in] tx_buffer Buffer to be sent

    * \return ATCA_SUCCESS On success


    uint8_t aws_prov_send_command(uint8_t *tx_buffer)


    uint8_t status = ATCA_SUCCESS;

    uint8_t cmd_index;

    uint16_t rx_length;

    uint16_t execution_time = 0;

    uint8_t *cmd_buffer;

    ATCADevice _gDevice = NULL;

    ATCACommand _gCommandObj = NULL;

    ATCAIface _gIface = NULL;

    do {

    if (tx_buffer == NULL)


    /* Collect command information from TX buffer. */

    if (aws_prov_get_commands_info(tx_buffer, &cmd_index, &rx_length) != ATCA_SUCCESS)


    cmd_buffer = (uint8_t *)malloc(tx_buffer[0] + 1);

    memcpy(&cmd_buffer[1], tx_buffer, tx_buffer[0]);

    /* Initialize every objects. */

    _gDevice= atcab_getDevice();

    _gCommandObj = atGetCommands(_gDevice);

    _gIface = atGetIFace(_gDevice);

    /* Get command execution time. */

    execution_time = atGetExecTime(_gCommandObj, cmd_index);

    if ((status = atcab_wakeup()) != ATCA_SUCCESS )


    /* Send command. */

    if ((status = atsend( _gIface, (uint8_t *)cmd_buffer, tx_buffer[0])) != ATCA_SUCCESS)





    } while(0);

    return status;



    Listing 1: The starter kit software package builds on the standard ATECC508 CryptoAuthLib C library, using a series of CryptoAuthLib "at" calls to implement higher order functionality such as sending commands from the MCU to the ATECC508A. (Code source: Microchip Technology)


    For developers working in custom environments, the CryptoAuthLib provides a well-defined architecture that isolates hardware dependencies into a hardware abstraction layer (HAL) (Figure 4). By modifying the HAL routines, developers can build in support for their unique operating environments.

    Diagram of Microchip multilayered CryptoAuthLib architecture


    Figure 4: The multilayered CryptoAuthLib architecture isolates hardware dependencies into a hardware abstraction layer that simplifies porting the library to different operating environments. (Image source: Microchip Technology)



    Mutual authentication provides the most secure approach to communications between devices, users, and services, and has emerged as a requirement in AWS IoT. Yet, implementation of mutual authentication presents significant challenges for IoT device deployments. Its success depends on efficient methods for reliably provisioning IoT devices with the intellectual property underlying secure communications protocols.
    相互身份验证为设备,用户和服务之间的通信提供了最安全的方法,并且已成为AWS IoT中的一项要求。然而,相互认证的实施对物联网设备部署提出了重大挑战。它的成功取决于有效配置具有安全通信协议的知识产权的物联网设备的有效方法。

    Microchip's pre-configured ATECC508 devices remove traditional barriers to implementation of mutual authentication and provide developers with a drop-in solution to IoT applications designed for AWS IoT. Using these devices, developers can implement ZTP that eliminates manual intervention in IoT device deployment, relying instead on automatic recognition and registration of IoT devices.
    Microchip预先配置的ATECC508器件消除了实现相互认证的传统障碍,并为开发人员提供了针对AWS IoT设计的物联网应用的直接解决方案。使用这些设备,开发人员可以实施ZTP,消除物联网设备部署中的人工干预,而不是依赖于物联网设备的自动识别和注册。


    1. wolfSSL Atmel ATECC508A

    Disclaimer: The opinions, beliefs, and viewpoints expressed by the various authors and/or forum participants on this website do not necessarily reflect the opinions, beliefs, and viewpoints of Digi-Key Electronics or official policies of Digi-Key Electronics.
    免责声明:本网站上各作者和/或论坛参与者表达的观点,信念和观点不一定反映Digi-Key Electronics的意见,信念和观点,也不一定反映Digi-Key Electronics的官方政策。








  • 手机升级到iOS 10之后,运行真机出现了Development cannot be enabled while your device is locked. 这里是你对这台电脑设置了不信任; 解决方法是:打开手机设置->通用->还原->还原位置与隐私; 然后会有弹窗提示...

    手机升级到iOS 10之后,运行真机出现了Development cannot be enabled while your device is locked.




  • devicelock 573

    2012-11-27 10:49:48
    devicelock 可以满足XP下锁定USB,光驱等电脑外接端口。操作非常方便,只要你想锁定USB不让别人使用,这款软件决对没有问题。 注:win7下不是特别好用。
  • Device owner调研

    2020-10-24 01:32:14
    什么是Device owner? Device Owner 是在设备上以管理员身份运行的应用程序. 此应用可以使用 DevicePolicyManager类中的编程方法来控制设备上的配置,安全性和其他应用程序。 可以将Device owner视为具有特殊权限...

    一.什么是Device owner?

    Device Owner 是在设备上以管理员身份运行的应用程序.
     此应用可以使用 DevicePolicyManager类中 的编程方法 来控制设备上的配置,安全性和其他应用程序。 可以将Device owner视为具有特殊权限的Device Admin。
    Android提供了三种设备管理方案,Device Administration(设备管理员), Profile Owner(配置文件所有者)和 Device Owner(设备所有者)。这三种权限管理策略的能力大小依次增加 为 DeviceAdmin < ProfileOwner < DeviceOwner。 同样的,要将一个应用设置成为这些管理设备,需要的权限也依次增加。应用需要最大的授权才能成为Device Owner,Device Owner具有设备的最高权限.
    1.DeviceAdmin是Android2.2引入的方案,通过用户授权自己的应用设备管理权限后,可以在代码中修改一些系统设置,主要的功能是围绕锁屏这一块对权限比较“敏感”的区域。Android系统在同一时间可以拥有多个Device Admin程序,并且可以有多个同时处于激活状态。
    由于设备管理员不太适合支持当今的企业要求,因此我们建议客户和合作伙伴从现在开始采用托管设备和工作资料模式来管理其设备。为了支持此过渡并将资源集中于Android当前的管理功能,官方在Android 9.0版本中弃用了用于企业的设备管理员,并在Android 10.0版本中删除了这些功能。Device Administration 在Android9.0(Android Pie)被废弃,Google推荐企业管理使用Profile Owner或Device Owner。
    DeviceAdmin功能有 比如设置锁屏方式、恢复出厂设置、设置密码、强制清除密码,修改密码等操作。
    2.ProfileOwner 译为配置文件所有者,在Android5.0系统推出。ProfileOwner涵盖了所有DeviceAdmin用户的管理能力,并且额外添加了很多管理权限。Android系统只能设置一个Profile Owner程序,并且该程序在设置为ProfileOwner后不能取消,应用不能卸载,唯一可以取消的途径是恢复出厂设置。
    ProfileOwner 具有功能有: 包含DeviceAdmin的功能 截屏截图\设置组织名\应用授权\设置应用是否可以卸载\静音\设置内容提供者\禁用特定用户\隐藏应用\清除应用限制\开启和禁止来电\挂起应用\获取应用所有权限\安装与卸载证书\锁屏密码重置
    3.DeviceOwner 译为设备所有者,在Android5.0系统推出。DeviceOwner涵盖了DeviceAdmin用户的所有管理能力,也涵盖了ProfileOwner的所有管理能力,并且额外拥有在设备上创建和移除二级用户以及配置全局设置的能力。您的设备所有者应用可以使用 DevicePolicyManager 类中的方法对托管设备上的配置、安全性和应用进行精细控制。一台设备在同一时间只能有一名活动的设备所有者。 要部署和激活设备所有者,您必须在设备处于未配置状态.


    二.Device owner的功能

    功能有: 包含Device Admin和Profile Owner的功能, 连带有重启设备/获取wifi/设置状态栏/设置系统更新策略/创建切换删除用户/设置全局HTTP代理/蓝牙获取联系人等.


    Device Admin, Profile Owner 和 Device Owner的功能区别?

    The Android Device Administrator was introduced back in Android 2.2. It included support for the DevicePolicyManager class, along with the DeviceAdminReceiver and DeviceAdminInfo classes. The Device Owner app is a Device Administrator. A Profile Owner app is also a Device Administrator. But, the Device Owner can perform functions that a Profile Owner cannot. You can think of a Device Owner as a Device Administrator with special privileges. Even the semantics of some normal API methods change for a Device Owner. For example, any activity can call startLockTask(), but it only enables full kiosk mode for the Device Owner.
    Android Device Admin 是在Android 2.2中引入的。它包括对DevicePolicyManager类以及DeviceAdminReceiver和DeviceAdminInfo类的支持。Device Owner应用是设备管理员。Profile Owner应用程序也是设备管理员。但是,Device Owner可以执行Profile Owner无法执行的功能。您可以将Device Owner视为具有特殊特权的设备管理员。甚至某些常规API方法的语义对于Device Owner 也会发生变化。例如,任何活动都可以调用startLockTask(),但它仅为设备所有者启用完全信息亭模式。
    A Device Owner and a Profile Owner can perform many of the same functions, and the functionality of both may indeed be provided by a single app (like a Device Policy Controller (DPC) from your EMM provider). Profile Owner functionality is usually utilized on a device that has both work and personal data. The Profile Owner app creates a user profile on the device that separates the work data from personal data. The apps that are installed on the device in the work profile contain the Android for Work “briefcase” badge in order to distinguish those work apps from personal apps. Devices with both personal and work profiles fall into either the BYOD (Bring Your Own Device) or COPE (Corporate Owned, Personally Enabled) device classes.
    A Device Owner can perform some functions that a Profile Owner cannot. It can disable Wi-Fi and Bluetooth, wipe device data, configure kiosk applications (whitelist “lock task” packages), and more. In other words, for corporate-liable devices that have no personal data, you want to configure a Device Owner, rather than a Profile Owner. Some apps, like EMM Agents (DPCs), may be written to function as both Device Owner and Profile Owner. See this Google developer information for more details on Profile and Device Owner.
    设备所有者和配置文件所有者可以执行许多相同的功能,并且两者的功能确实可以由单个应用程序提供(例如,您的EMM提供程序中的设备策略控制器(DPC))。配置文件所有者功能通常在同时具有工作和个人数据的设备上使用。Profile Owner应用程序在设备上创建一个用户配置文件,以将工作数据与个人数据分开。在工作资料中设备上安装的应用程序包含Android for Work“公文包”徽章,以便将这些工作应用程序与个人应用程序区分开。
    设备策略控制器是在Android设备上管理公司策略的应用程序。 它可以实现配置文件所有者,设备所有者或两者。 有时称为设备EMM代理,它是EMM提供程序中的应用程序,对设备实施安全性和使用限制。

    .创建Device Owner




        a. 利用NFC功能在手机初始化的时候发送一个DeviceOwner应用到手机上。
        b. 利用ADB命令。
        adb shell dpm set-device-owner com.xjli.deviceownerdemo/.MyDeviceOwnerReceiver
        c. 在已root设备上进行,先在/data/system/目录下创建一个device_owner.xml文件。
        内容如下 <?xml version="1.0" encoding="utf-8" standalone="yes" ?>
        <device-owner package="your owner app packagename" />


    种设备管理方案 都是调用 DevicePolicyManager 类 从而调用 IDevicePolicyManager .aidl 设备 策略服务的内部 IPC 接口。
    (DevicePolicyManager) activity.getSystemService(Context.DEVICE_POLICY_SERVICE);
    reboot(ComponentName admin);重启设备
    getWifiMacAddress( ComponentName admin);获取wifi Mac地址
    setStatusBarDisabled(ComponentName admin, boolean disabled);禁用或启用状态栏
    setKeyguardDisabled(ComponentName admin, boolean disabled) 将锁屏模式设置为None,当用户设置了密码时无效
    resetPassword(String password, int flags);修改锁屏密码
    setSystemUpdatePolicy(ComponentName admin, SystemUpdatePolicy policy)  设置系统更新策略
    SystemUpdatePolicy getSystemUpdatePolicy(); 获取系统更新策略
    setGlobalSetting(ComponentName admin, String setting, String value) 设置系统设置中Global相关的属性 如:Settings.BLUETOOTH_ON 蓝牙是否启用/禁用
    setCameraDisabled(@NonNull ComponentName admin, boolean disabled) 停用相机 禁止使用所有设备摄像头
    createUser(@NonNull ComponentName admin, String name) 用户管理
    setUninstallBlocked(@NonNull ComponentName admin, String packageName, boolean uninstallBlocked) 禁止卸载应用
    setScreenCaptureDisabled(@NonNull ComponentName admin, boolean disabled); 禁止截图


    五.Device Owner的代码展示

    见DeviceOwnerDemo ,参考DeviceAdmin简单实践  http://floatingmuseum.github.io/2016/07/device-admin-practice

    Android DeviceOwner 应用的能力  https://blog.csdn.net/visionliao/article/details/84767383
    一键设置 DeviceAdmin/ProfileOwner/DeviceOwner 应用  https://blog.csdn.net/visionliao/article/details/84768035
    Android Device Administration 应用的能力 https://blog.csdn.net/visionliao/article/details/84766876
    Android ProfileOwner 应用的能力 https://blog.csdn.net/visionliao/article/details/84767136
    什么是设备策略控制器(DPC)? https://support.google.com/work/android/answer/6192678?hl=en
    Android极速开发之设备管理器(DevicePolicyManager) https://www.jianshu.com/p/8934d47aed3b
    DeviceOwner设备所有者配置   https://www.jianshu.com/p/5b1a552b5040
  • Android device owner简述

    千次阅读 2018-08-29 15:41:50
    一 、设置device owner命令: adb shell dpm set-device-owner 'packagename/ReceiverClass' dpm主要是和DevicePolicyManage进行交互,通过用户授权应用设备管理权限后,可以在代码修改很多系统设置。 激活命令: ...

    一 、设置device owner命令:

    adb shell dpm set-device-owner 'packagename/ReceiverClass'





         * @hide
        public void setActiveAdmin(@NonNull ComponentName policyReceiver, boolean refreshing,
                int userHandle) {
            if (mService != null) {
                try {
                    mService.setActiveAdmin(policyReceiver, refreshing, userHandle);
                } catch (RemoteException e) {
                    Log.w(TAG, "Failed talking with device policy service", e);



         * @param adminReceiver The admin to add
         * @param refreshing true = update an active admin, no error
        public void setActiveAdmin(ComponentName adminReceiver, boolean refreshing, int userHandle) {
            if (!mHasFeature) {
            setActiveAdmin(adminReceiver, refreshing, userHandle, null);    //这里调用的是私有方法setActiveAdmin
     private void setActiveAdmin(ComponentName adminReceiver, boolean refreshing, int userHandle,
                Bundle onEnableData) {
                    android.Manifest.permission.MANAGE_DEVICE_ADMINS, null);    //权限检查,这里检查的是用户是否有android.Manifest.permission.MANAGE_DEVICE_ADMINS权限,这个权限是需要签名权限或者priv-app下的应用才能使用
            enforceFullCrossUsersPermission(userHandle);    //权限检查,这里检查的是不同用户之间的权限
            DevicePolicyData policy = getUserData(userHandle);    //获取当前用户的DevicePolicyData
            DeviceAdminInfo info = findAdmin(adminReceiver, userHandle,
                    /* throwForMissionPermission= */ true);    //获取当前用户的ComponentName获取DeviceAdminInfo
            if (info == null) {
                throw new IllegalArgumentException("Bad admin: " + adminReceiver);
            if (!info.getActivityInfo().applicationInfo.isInternal()) {
                throw new IllegalArgumentException("Only apps in internal storage can be active admin: "
                        + adminReceiver);
            synchronized (this) {
                long ident = mInjector.binderClearCallingIdentity();
                try {
                    final ActiveAdmin existingAdmin
                            = getActiveAdminUncheckedLocked(adminReceiver, userHandle);    //取出系统当前默认的设备管理器
                    if (!refreshing && existingAdmin != null) {
                        throw new IllegalArgumentException("Admin is already added");    //如果refreshing为false,并且不存在默认设备管理器,直接报错~
                    if (policy.mRemovingAdmins.contains(adminReceiver)) {    //如果设置当前用户DevicePolicyData中已经移除过的设备管理器,直接报错
                        throw new IllegalArgumentException(
                                "Trying to set an admin which is being removed");
                    ActiveAdmin newAdmin = new ActiveAdmin(info, /* parent */ false);    //新创建一个设备管理器
                    newAdmin.testOnlyAdmin =
                            (existingAdmin != null) ? existingAdmin.testOnlyAdmin
                                    : isPackageTestOnly(adminReceiver.getPackageName(), userHandle);
                    policy.mAdminMap.put(adminReceiver, newAdmin);    //把componentName和ActiveAdmin放到当前用户的DevicePolicyData的ArrayMap中
                    int replaceIndex = -1;
                    final int N = policy.mAdminList.size();    //获取当前DevicePolicyData中的mAdminList的大小
                    for (int i=0; i < N; i++) {
                        ActiveAdmin oldAdmin = policy.mAdminList.get(i);
                        if (oldAdmin.info.getComponent().equals(adminReceiver)) {    //找到默认设备管理器的位置,并将位置标记
                            replaceIndex = i;
                    if (replaceIndex == -1) {
                        policy.mAdminList.add(newAdmin);    //如果替换位置没有找到,添加新的AdminActive到mAdminList中
                        enableIfNecessary(info.getPackageName(), userHandle);
                    } else {
                        policy.mAdminList.set(replaceIndex, newAdmin);    //如果替换位置已经找到,就将当前的ActiveAdmin插入到该位置,替换为新的默认设备管理器
                    saveSettingsLocked(userHandle);    //保存当前用户的设置
                    sendAdminCommandLocked(newAdmin,     DeviceAdminReceiver.ACTION_DEVICE_ADMIN_ENABLED,
                            onEnableData, null);    //发送通知给新的默认设备管理器
                } finally {




         * @hide
         * Sets the given package as the device owner. The package must already be installed. There
         * must not already be a device owner.
         * Only apps with the MANAGE_PROFILE_AND_DEVICE_OWNERS permission and the shell uid can call
         * this method.
         * Calling this after the setup phase of the primary user has completed is allowed only if
         * the caller is the shell uid, and there are no additional users and no accounts.
         * @param packageName the package name of the application to be registered as the device owner.
         * @param ownerName the human readable name of the institution that owns this device.
         * @return whether the package was successfully registered as the device owner.
         * @throws IllegalArgumentException if the package name is null or invalid
         * @throws IllegalStateException If the preconditions mentioned are not met.
        public boolean setDeviceOwner(String packageName, String ownerName)
                throws IllegalArgumentException, IllegalStateException {
            if (mService != null) {
                try {
                    return mService.setDeviceOwner(packageName, ownerName);
                } catch (RemoteException re) {
                    Log.w(TAG, "Failed to set device owner");
            return false;



        public boolean setDeviceOwner(String packageName, String ownerName) {
            if (!mHasFeature) {
                return false;
            if (packageName == null
                    || !DeviceOwner.isInstalled(packageName, mContext.getPackageManager())) {
                throw new IllegalArgumentException("Invalid package name " + packageName
                        + " for device owner");
            synchronized (this) {
                // Shutting down backup manager service permanently.
                long ident = Binder.clearCallingIdentity();
                try {
                    IBackupManager ibm = IBackupManager.Stub.asInterface(
                    ibm.setBackupServiceActive(UserHandle.USER_OWNER, false);
                } catch (RemoteException e) {
                    throw new IllegalStateException("Failed deactivating backup service.", e);
                } finally {
                if (mDeviceOwner == null) {
                    // Device owner is not set and does not exist, set it.
                    mDeviceOwner = DeviceOwner.createWithDeviceOwner(packageName, ownerName);  //如果现在没有设置默认设备管理器,就新建一个
                } else {
                    // Device owner state already exists, update it.
                    mDeviceOwner.setDeviceOwner(packageName, ownerName);    //如果已经存在,就更新一下
                updateDeviceOwnerLocked();    //更新并锁定新的DeviceOwner
                Intent intent = new Intent(DevicePolicyManager.ACTION_DEVICE_OWNER_CHANGED);
                ident = Binder.clearCallingIdentity();
                try {
                    mContext.sendBroadcastAsUser(intent, UserHandle.OWNER);
                } finally {
                return true;




         * @hide
         * @deprecated Use #ACTION_SET_PROFILE_OWNER
         * Sets the given component as an active admin and registers the package as the profile
         * owner for this user. The package must already be installed and there shouldn't be
         * an existing profile owner registered for this user. Also, this method must be called
         * before the user setup has been completed.
         * <p>
         * This method can only be called by system apps that hold MANAGE_USERS permission and
         * MANAGE_DEVICE_ADMINS permission.
         * @param admin The component to register as an active admin and profile owner.
         * @param ownerName The user-visible name of the entity that is managing this user.
         * @return whether the admin was successfully registered as the profile owner.
         * @throws IllegalArgumentException if packageName is null, the package isn't installed, or
         *         the user has already been set up.
        public boolean setProfileOwner(@NonNull ComponentName admin, @Deprecated String ownerName,
                int userHandle) throws IllegalArgumentException {
            if (admin == null) {
                throw new NullPointerException("admin cannot be null");
            if (mService != null) {
                try {
                    if (ownerName == null) {
                        ownerName = "";
                    return mService.setProfileOwner(admin, ownerName, userHandle);
                } catch (RemoteException re) {
                    Log.w(TAG, "Failed to set profile owner", re);
                    throw new IllegalArgumentException("Couldn't set profile owner.", re);
            return false;

     这里的setProfileOwner 调用的是DevicePolicyManagerService中的setProfileOwner 

    DevicePolicyManagerService中setProfileOwner 实现代码如下:

        public boolean setProfileOwner(ComponentName who, String ownerName, int userHandle) {
            if (!mHasFeature) {
                return false;
            if (who == null
                    || !DeviceOwner.isInstalledForUser(who.getPackageName(), userHandle)) {
                throw new IllegalArgumentException("Component " + who
                        + " not installed for userId:" + userHandle);
            synchronized (this) {
                if (mDeviceOwner == null) {
                    // Device owner state does not exist, create it.
                    mDeviceOwner = DeviceOwner.createWithProfileOwner(who, ownerName,
                } else {
                    // Device owner state already exists, update it.
                    mDeviceOwner.setProfileOwner(who, ownerName, userHandle);
                return true;


    对adb shell中dpm命令进行处理的是Dpm,路径为framework/base/cmds/dpm/src/com/android/commands/dpm/Dpm.java
    android Dpm源码如下:

     * Copyright (C) 2014 The Android Open Source Project
     * Licensed under the Apache License, Version 2.0 (the "License");
     * you may not use this file except in compliance with the License.
     * You may obtain a copy of the License at
     *      http://www.apache.org/licenses/LICENSE-2.0
     * Unless required by applicable law or agreed to in writing, software
     * distributed under the License is distributed on an "AS IS" BASIS,
     * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
     * See the License for the specific language governing permissions and
     * limitations under the License.
    package com.android.commands.dpm;
    import android.app.admin.IDevicePolicyManager;
    import android.content.ComponentName;
    import android.content.Context;
    import android.os.RemoteException;
    import android.os.ServiceManager;
    import android.os.UserHandle;
    import com.android.internal.os.BaseCommand;
    import java.io.PrintStream;
    public final class Dpm extends BaseCommand {
         * Command-line entry point.
         * @param args The command-line arguments
        public static void main(String[] args) {
          (new Dpm()).run(args);
        private static final String COMMAND_SET_ACTIVE_ADMIN = "set-active-admin";
        private static final String COMMAND_SET_DEVICE_OWNER = "set-device-owner";
        private static final String COMMAND_SET_PROFILE_OWNER = "set-profile-owner";
        private IDevicePolicyManager mDevicePolicyManager;
        private int mUserId = UserHandle.USER_OWNER;
        private ComponentName mComponent = null;
        public void onShowUsage(PrintStream out) {
                    "usage: dpm [subcommand] [options]\n" +
                    "usage: dpm set-active-admin [ --user <USER_ID> ] <COMPONENT>\n" +
                    "usage: dpm set-device-owner <COMPONENT>\n" +
                    "usage: dpm set-profile-owner [ --user <USER_ID> ] <COMPONENT>\n" +
                    "\n" +
                    "dpm set-active-admin: Sets the given component as active admin" +
                    " for an existing user.\n" +
                    "\n" +
                    "dpm set-device-owner: Sets the given component as active admin, and its\n" +
                    "  package as device owner.\n" +
                    "\n" +
                    "dpm set-profile-owner: Sets the given component as active admin and profile" +
                    "  owner for an existing user.\n");
        public void onRun() throws Exception {
            mDevicePolicyManager = IDevicePolicyManager.Stub.asInterface(
            if (mDevicePolicyManager == null) {
                showError("Error: Could not access the Device Policy Manager. Is the system running?");
            String command = nextArgRequired();
            switch (command) {
                case COMMAND_SET_ACTIVE_ADMIN:
                case COMMAND_SET_DEVICE_OWNER:
                case COMMAND_SET_PROFILE_OWNER:
                    throw new IllegalArgumentException ("unknown command '" + command + "'");
        private void parseArgs(boolean canHaveUser) {
            String nextArg = nextArgRequired();
            if (canHaveUser && "--user".equals(nextArg)) {
                mUserId = parseInt(nextArgRequired());
                nextArg = nextArgRequired();
            mComponent = parseComponentName(nextArg);
        private void runSetActiveAdmin() throws RemoteException {
            mDevicePolicyManager.setActiveAdmin(mComponent, true /*refreshing*/, mUserId);
            System.out.println("Success: Active admin set to component " + mComponent.toShortString());
        private void runSetDeviceOwner() throws RemoteException {
            ComponentName component = parseComponentName(nextArgRequired());
            mDevicePolicyManager.setActiveAdmin(component, true /*refreshing*/, UserHandle.USER_OWNER);
            String packageName = component.getPackageName();
            try {
                if (!mDevicePolicyManager.setDeviceOwner(packageName, null /*ownerName*/)) {
                    throw new RuntimeException(
                            "Can't set package " + packageName + " as device owner.");
            } catch (Exception e) {
                // Need to remove the admin that we just added.
                mDevicePolicyManager.removeActiveAdmin(component, UserHandle.USER_OWNER);
                throw e;
            System.out.println("Success: Device owner set to package " + packageName);
            System.out.println("Active admin set to component " + component.toShortString());
        private void runSetProfileOwner() throws RemoteException {
            mDevicePolicyManager.setActiveAdmin(mComponent, true /*refreshing*/, mUserId);
            try {
                if (!mDevicePolicyManager.setProfileOwner(mComponent, "" /*ownerName*/, mUserId)) {
                    throw new RuntimeException("Can't set component " + mComponent.toShortString() +
                            " as profile owner for user " + mUserId);
            } catch (Exception e) {
                // Need to remove the admin that we just added.
                mDevicePolicyManager.removeActiveAdmin(mComponent, mUserId);
                throw e;
            System.out.println("Success: Active admin and profile owner set to "
                    + mComponent.toShortString() + " for user " + mUserId);
        private ComponentName parseComponentName(String component) {
            ComponentName cn = ComponentName.unflattenFromString(component);
            if (cn == null) {
                throw new IllegalArgumentException ("Invalid component " + component);
            return cn;
        private int parseInt(String argument) {
            try {
                return Integer.parseInt(argument);
            } catch (NumberFormatException e) {
                throw new IllegalArgumentException ("Invalid integer argument '" + argument + "'", e);

    device_admin 管理的权限:

    <limit-password />    //设置密码规则

    <watch-login />       //监控屏幕解锁尝试次数

    <reset-password />    //更改屏幕解锁密码

    <force-lock />        //设备自动解锁

    <wipe-data />         //清除数据

    <expire-password />   //激活密码

    <encrypted-storage />   //数据加密  

    <disable-camera />    //禁用摄像头








  • Android DeviceOwner 应用的能力

    千次阅读 2018-12-03 15:26:07
    Device Owner 概述 DeviceOwner 译为设备所有者,在Android5.0系统推出。DeviceOwner涵盖了DeviceAdmin用户的所有管理能力,也涵盖了ProfileOwner的所有管理能力,并且在这些基础上额外添加了一些管理权限,如重启...
  • 在Android P的Auto版本中,多用户会根据Global.DEVICE_PROVISIONED的值选择一个导航栏的锁屏画面。 官网解释: https://developer.android.com/reference/android/provider/Settings.Global#DEVICE_PROVISIONED ...
  • Device Admin示例介绍了类DeviceAdminReceiver,DevicePolicyManager和ActivityManager。 类DevicePolicyManager 用于管理Android设备定义的一些策略,主要指密码定义的长度,密码是否要含大写字母,小写字母等...
  • linux设备模型七(device_driver细节)

    千次阅读 2018-08-06 23:04:41
    阅读这篇之前,建议先阅读我的下面这篇博客了解device_driver的数据结构和大概作用。 https://blog.csdn.net/qq_16777851/article/details/81429257 了解我的下面这篇博客可以对device部分了解清晰。同时,下面...
  • windows自动登录锁定Windows 10’s Creators Update adds Dynamic Lock, which tries to automatically lock your PC when you step away. Dynamic Lock uses Bluetooth to check the signal strength of your ...
  • 场景描述:重新安装了VMware 14,导入他人的虚拟服务器时出现VMware Workstation 与 Device/Credential Guard 不兼容的Error。 原因: 出现此问题的原因是Device Guard或Credential Guard与Workstation不兼容。启用...
  • Deviceadmin简单使用

    千次阅读 2016-01-21 16:21:25
    屏幕锁定和恢复出厂设置 1.创建 MyAdmin 的广播接受者 继承 DeviceAdminReceiver      android:resource="@xml/my_admin" />        
  • D3D9学习笔记(三) Device

    万次阅读 2012-11-22 15:29:40
    基本的device类型:hal:硬件渲染(发布)。这也不是直接访问硬件驱动,而是访问在上一层的hal。(在顶点处理过程中,如果硬件处理失败,可尝试混合处理及纯软处理,设定标志D3DCREATE_MIXED_VERTEXPROCESSING)  ...
  • device-type.lock-源码

    2021-06-28 11:52:17
    这是 Z-Wave 锁定设备类型代码的自定义版本。 此代码通过使用 Smartapp 添加了对用户代码的支持。 此设备类型专为 Kwikset Deadbolt 设计,因此可能与其他锁不兼容。 安装 创建新的设备类型 ( ) 能力: 配置 电池 ...
  • When I tried to build and run, Xcode said my device was locked. 当我尝试构建和运行时,Xcode表示我的设备已被锁定。 I looke
  • html5+ Device-设备信息

    千次阅读 2018-10-08 16:54:57
    device-设备信息 Device模块管理设备信息,用于获取手机设备的相关信息,如IMEI、IMSI、型号、厂商等。通过plus.device获取设备信息管理对象。 属性: imei: 设备的国际移动设备身份码 imsi: 设备的国际移动用户...
  • 屏幕锁定后所有应用离线If you lose your Android device, it’s not likely you’ll get it back. However, there are some kind souls out there who will try to return it, but if the device is locked, they ...
  • 远程桌面 锁定Android and Apple have long given people a way to track and disable your gadgets remotely. Microsoft has also joined the club by letting you track and lock your Windows PC using the ...
  • Device is locked. Please unlock the device first 执行adb disable-verity提示:Device is locked. Please unlock the device first 解决方法: (1)进入开发者模式,打开OEM 解锁 (2)adb reboot ...

    千次阅读 2016-03-24 10:13:41
    实现某些功能的时候使用到了USB设备,需要根据USB设备的插拔来更改程序的状态,这个时候就用到了WM_DEVICECHANGE消息。 需要注意的是: 1. WM_DEVICECHANGE消息只能手动添加,类向导中没有 2. 这个消息只有顶层窗口...
  • iOS中项目运行到真机上提示设备被锁定解决方法Development cannot be enabled while your device is locked. 手机升级到iOS10之后,运行真机出现了Development cannot be enabled while your device is locked. ...
  • 查看设备连接问题,提示 device /dev/ttyS2 is locked。 分析 ttyS2就是我们串口使用的端口设备,提示被锁定,可以在/var/lock/目录下查看是否有锁定文件。 /var/lock功能介绍: 许多程序遵循在/var/lock 中产生一...
  • html5 设备管理信息 device

    万次阅读 2016-11-08 19:41:08
    通过plus.device获取设备信息管理对象。 属性: imei: 设备的国际移动设备身份码 imsi: 设备的国际移动用户识别码 model: 设备的型号 vendor: 设备的生产厂商 uuid: 设备的唯一标识 方法: dial: 拨打...
  • 深入浅出kubernetes之device-plugins

    万次阅读 2018-07-30 14:38:09
  • 史上最全linux内核配置--Device drivers

    千次阅读 2020-05-25 13:42:27
    linux内核配置–Device drivers 文章目录linux内核配置--Device driversGeneric Driver Options --->Bus Devices --->< > Connector - unified userspace <-> kernelspace linker Memory ...
  • 锁定屏幕

    2012-10-24 21:52:25
    Intent intent = new Intent(DevicePolicyManager.ACTION_ADD_DEVICE_ADMIN); intent.putExtra(DevicePolicyManager.EXTRA_DEVICE_ADMIN,mDeviceAdminSample); intent.putExtra(DevicePolicyManager.EXTRA_ADD_...
  • android锁定屏幕通知When Google brought notifications to Android’s lock screen, it was a game changer. Instant access to important and relevant data is one of the things that makes smartphones so ...
  • 一、准备工作 配置DeviceAdmin 配置DeviceAdmin可参考 android权限级别探索(二),设备管理器开启和使用及常见api,创建DeviceReceiver继承DeviceAdminReceiver,并在AndroidManifest中注册,完成两步即可。无需将...



1 2 3 4 5 ... 20
收藏数 24,240
精华内容 9,696