02.02.2019

Mobile Net Switch v1.9.3 serial key or number

By admin Mobile Net Switch v1.9.3 serial key or number 0 Comments

Mobile Net Switch v1.9.3 serial key or number

Android 11 Compatibility Definition

1. Introduction

This document enumerates the requirements that must be met in order for devices to be compatible with Android 11.

The use of “MUST”, “MUST NOT”, “REQUIRED”, “SHALL”, “SHALL NOT”, “SHOULD”, “SHOULD NOT”, “RECOMMENDED”, “MAY”, and “OPTIONAL” is per the IETF standard defined in RFC2119.

As used in this document, a “device implementer” or “implementer” is a person or organization developing a hardware/software solution running Android 11. A “device implementation” or “implementation" is the hardware/software solution so developed.

To be considered compatible with Android 11, device implementations MUST meet the requirements presented in this Compatibility Definition, including any documents incorporated via reference.

Where this definition or the software tests described in section 10 is silent, ambiguous, or incomplete, it is the responsibility of the device implementer to ensure compatibility with existing implementations.

For this reason, the Android Open Source Project is both the reference and preferred implementation of Android. Device implementers are STRONGLY RECOMMENDED to base their implementations to the greatest extent possible on the “upstream” source code available from the Android Open Source Project. While some components can hypothetically be replaced with alternate implementations, it is STRONGLY RECOMMENDED to not follow this practice, as passing the software tests will become substantially more difficult. It is the implementer’s responsibility to ensure full behavioral compatibility with the standard Android implementation, including and beyond the Compatibility Test Suite. Finally, note that certain component substitutions and modifications are explicitly forbidden by this document.

Many of the resources linked to in this document are derived directly or indirectly from the Android SDK and will be functionally identical to the information in that SDK’s documentation. In any cases where this Compatibility Definition or the Compatibility Test Suite disagrees with the SDK documentation, the SDK documentation is considered authoritative. Any technical details provided in the linked resources throughout this document are considered by inclusion to be part of this Compatibility Definition.

1.1 Document Structure

1.1.1. Requirements by Device Type

Section 2 contains all of the requirements that apply to a specific device type. Each subsection of Section 2 is dedicated to a specific device type.

All the other requirements, that universally apply to any Android device implementations, are listed in the sections after Section 2. These requirements are referenced as "Core Requirements" in this document.

1.1.2. Requirement ID

Requirement ID is assigned for MUST requirements.

The ID is assigned for MUST requirements only.
STRONGLY RECOMMENDED requirements are marked as [SR] but ID is not assigned.
The ID consists of : Device Type ID - Condition ID - Requirement ID (e.g. C-0-1).

Each ID is defined as below:

Device Type ID (see more in 2. Device Types)
- C: Core (Requirements that are applied to any Android device implementations)
- H: Android Handheld device
- T: Android Television device
- A: Android Automotive implementation
- W: Android Watch implementation
- Tab: Android Tablet implementation
Condition ID
- When the requirement is unconditional, this ID is set as 0.
- When the requirement is conditional, 1 is assigned for the 1st condition and the number increments by 1 within the same section and the same device type.
Requirement ID
- This ID starts from 1 and increments by 1 within the same section and the same condition.

1.1.3. Requirement ID in Section 2

The Requirement ID in Section 2 starts with the corresponding section ID that is followed by the Requirement ID described above.

The ID in Section 2 consists of : Section ID / Device Type ID - Condition ID - Requirement ID (e.g. 7.4.3/A-0-1).

2. Device Types

While the Android Open Source Project provides a software stack that can be used for a variety of device types and form factors, there are a few device types that have a relatively better established application distribution ecosystem.

This section describes those device types, and additional requirements and recommendations applicable for each device type.

All Android device implementations that do not fit into any of the described device types MUST still meet all requirements in the other sections of this Compatibility Definition.

2.1 Device Configurations

For the major differences in hardware configuration by device type, see the device-specific requirements that follow in this section.

2.2. Handheld Requirements

An Android Handheld device refers to an Android device implementation that is typically used by holding it in the hand, such as an mp3 player, phone, or tablet.

Android device implementations are classified as a Handheld if they meet all the following criteria:

Have a power source that provides mobility, such as a battery.
Have a physical diagonal screen size in the range of 3.3 inches (or 2.5 inches for devices which launched on an API level earlier than Android 11) to 8 inches.

The additional requirements in the rest of this section are specific to Android Handheld device implementations.

Note: Requirements that do not apply to Android Tablet devices are marked with an *.

2.2.1. Hardware

Handheld device implementations:

[7.1.1.1/H-0-1] MUST have at least one Android-compatible display that meets all requirements described on this document.
[7.1.1.3/H-SR] Are STRONGLY RECOMMENDED to provide users an affordance to change the display size (screen density).

If Handheld device implementations support software screen rotation, they:

[7.1.1.1/H-1-1]* MUST make the logical screen that is made available for third party applications be at least 2 inches on the short edge(s) and 2.7 inches on the long edge(s). Devices which launched on an API level earlier than that of this document are exempted from this requirement.

If Handheld device implementations do not support software screen rotation, they:

[7.1.1.1/H-2-1]* MUST make the logical screen that is made available for third party applications be at least 2.7 inches on the short edge(s). Devices which launched on an API level earlier than that of this document are exempted from this requirement.

If Handheld device implementations claim support for high dynamic range displays through , they:

[7.1.4.5/H-1-1] MUST advertise support for the , , , , and extensions.

Handheld device implementations:

[7.1.4.6/H-0-1] MUST report whether the device supports the GPU profiling capability via a system property .

If Handheld device implementations declare support via a system property , they:

Handheld device implementations:

[7.1.5/H-0-1] MUST include support for legacy application compatibility mode as implemented by the upstream Android open source code. That is, device implementations MUST NOT alter the triggers or thresholds at which compatibility mode is activated, and MUST NOT alter the behavior of the compatibility mode itself.
[7.2.1/H-0-1] MUST include support for third-party Input Method Editor (IME) applications.
[7.2.3/H-0-3] MUST provide the Home function on all the Android-compatible displays that provide the home screen.
[7.2.3/H-0-4] MUST provide the Back function on all the Android-compatible displays and the Recents function on at least one of the Android-compatible displays.
[7.2.3/H-0-2] MUST send both the normal and long press event of the Back function () to the foreground application. These events MUST NOT be consumed by the system and CAN be triggered by outside of the Android device (e.g. external hardware keyboard connected to the Android device).
[7.2.4/H-0-1] MUST support touchscreen input.
[7.2.4/H-SR] Are STRONGLY RECOMMENDED to launch the user-selected assist app, in other words the app that implements VoiceInteractionService, or an activity handling the on long-press of or if the foreground activity does not handle those long-press events.
[7.3.1/H-SR] Are STRONGLY RECOMMENDED to include a 3-axis accelerometer.

If Handheld device implementations include a 3-axis accelerometer, they:

[7.3.1/H-1-1] MUST be able to report events up to a frequency of at least 100 Hz.

If Handheld device implementations include a GPS/GNSS receiver and report the capability to applications through the feature flag, they:

[7.3.3/H-2-1] MUST report GNSS measurements, as soon as they are found, even if a location calculated from GPS/GNSS is not yet reported.
[7.3.3/H-2-2] MUST report GNSS pseudoranges and pseudorange rates, that, in open-sky conditions after determining the location, while stationary or moving with less than 0.2 meter per second squared of acceleration, are sufficient to calculate position within 20 meters, and speed within 0.2 meters per second, at least 95% of the time.

If Handheld device implementations include a 3-axis gyroscope, they:

[7.3.4/H-3-1] MUST be able to report events up to a frequency of at least 100 Hz.
[7.3.4/H-3-2] MUST be capable of measuring orientation changes up to 1000 degrees per second.

Handheld device implementations that can make a voice call and indicate any value other than in :

[7.3.8/H] SHOULD include a proximity sensor.

Handheld device implementations:

[7.3.11/H-SR] Are RECOMMENDED to support pose sensor with 6 degrees of freedom.
[7.4.3/H] SHOULD include support for Bluetooth and Bluetooth LE.

If Handheld device implementations include a metered connection, they:

[7.4.7/H-1-1] MUST provide the data saver mode.

If Handheld device implementations include a logical camera device that lists capabilities using , they:

[7.5.4/H-1-1] MUST have normal field of view (FOV) by default and it MUST be between 50 and 90 degrees.

Handheld device implementations:

[7.6.1/H-0-1] MUST have at least 4 GB of non-volatile storage available for application private data (a.k.a. "/data" partition).
[7.6.1/H-0-2] MUST return “true” for when there is less than 1GB of memory available to the kernel and userspace.

If Handheld device implementations declare support of only a 32-bit ABI:

[7.6.1/H-1-1] The memory available to the kernel and userspace MUST be at least 416MB if the default display uses framebuffer resolutions up to qHD (e.g. FWVGA).
[7.6.1/H-2-1] The memory available to the kernel and userspace MUST be at least 592MB if the default display uses framebuffer resolutions up to HD+ (e.g. HD, WSVGA).
[7.6.1/H-3-1] The memory available to the kernel and userspace MUST be at least 896MB if the default display uses framebuffer resolutions up to FHD (e.g. WSXGA+).
[7.6.1/H-4-1] The memory available to the kernel and userspace MUST be at least 1344MB if the default display uses framebuffer resolutions up to QHD (e.g. QWXGA).

If Handheld device implementations declare support of 32-bit and 64-bit ABIs:

[7.6.1/H-5-1] The memory available to the kernel and userspace MUST be at least 816MB if the default display uses framebuffer resolutions up to qHD (e.g. FWVGA).
[7.6.1/H-6-1] The memory available to the kernel and userspace MUST be at least 944MB if the default display uses framebuffer resolutions up to HD+ (e.g. HD, WSVGA).
[7.6.1/H-7-1] The memory available to the kernel and userspace MUST be at least 1280MB if the default display uses framebuffer resolutions up to FHD (e.g. WSXGA+).
[7.6.1/H-8-1] The memory available to the kernel and userspace MUST be at least 1824MB if the default display uses framebuffer resolutions up to QHD (e.g. QWXGA).

Note that the "memory available to the kernel and userspace" above refers to the memory space provided in addition to any memory already dedicated to hardware components such as radio, video, and so on that are not under the kernel’s control on device implementations.

If Handheld device implementations include less than or equal to 1GB of memory available to the kernel and userspace, they:

[7.6.1/H-9-1] MUST declare the feature flag .
[7.6.1/H-9-2] MUST have at least 1.1 GB of non-volatile storage for application private data (a.k.a. "/data" partition).

If Handheld device implementations include more than 1GB of memory available to the kernel and userspace, they:

[7.6.1/H-10-1] MUST have at least 4GB of non-volatile storage available for application private data (a.k.a. "/data" partition).
SHOULD declare the feature flag .

Handheld device implementations:

[7.6.2/H-0-1] MUST NOT provide an application shared storage smaller than 1 GiB.
[7.7.1/H] SHOULD include a USB port supporting peripheral mode.

If handheld device implementations include a USB port supporting peripheral mode, they:

[7.7.1/H-1-1] MUST implement the Android Open Accessory (AOA) API.

If Handheld device implementations include a USB port supporting host mode, they:

[7.7.2/H-1-1] MUST implement the USB audio class as documented in the Android SDK documentation.

Handheld device implementations:

[7.8.1/H-0-1] MUST include a microphone.
[7.8.2/H-0-1] MUST have an audio output and declare .

If Handheld device implementations are capable of meeting all the performance requirements for supporting VR mode and include support for it, they:

[7.9.1/H-1-1] MUST declare the feature flag.
[7.9.1/H-1-2] MUST include an application implementing that can be enabled by VR applications via .

If Handheld device implementations include one or more USB-C port(s) in host mode and implement (USB audio class), in addition to requirements in section 7.7.2, they:

[7.8.2.2/H-1-1] MUST provide the following software mapping of HID codes:

Function	Mappings	Context	Behavior
A	HID usage page: 0x0C HID usage: 0x0CD Kernel key: Android key:	Media playback	Input: Short press Output: Play or pause
		Media playback	Input: Long press Output: Launch voice command Sends: if the device is locked or its screen is off. Sends otherwise
		Incoming call	Input: Short press Output: Accept call
		Incoming call	Input: Long press Output: Reject call
		Ongoing call	Input: Short press Output: End call
		Ongoing call	Input: Long press Output: Mute or unmute microphone
B	HID usage page: 0x0C HID usage: 0x0E9 Kernel key: Android key:	Media playback, Ongoing call	Input: Short or long press Output: Increases the system or headset volume
C	HID usage page: 0x0C HID usage: 0x0EA Kernel key: Android key:	Media playback, Ongoing call	Input: Short or long press Output: Decreases the system or headset volume
D	HID usage page: 0x0C HID usage: 0x0CF Kernel key: Android key:	All. Can be triggered in any instance.	Input: Short or long press Output: Launch voice command

[7.8.2.2/H-1-2] MUST trigger ACTION_HEADSET_PLUG upon a plug insert, but only after the USB audio interfaces and endpoints have been properly enumerated in order to identify the type of terminal connected.

When the USB audio terminal types 0x0302 is detected, they:

[7.8.2.2/H-2-1] MUST broadcast Intent ACTION_HEADSET_PLUG with "microphone" extra set to 0.

When the USB audio terminal types 0x0402 is detected, they:

[7.8.2.2/H-3-1] MUST broadcast Intent ACTION_HEADSET_PLUG with "microphone" extra set to 1.

When API AudioManager.getDevices() is called while the USB peripheral is connected they:

[7.8.2.2/H-4-1] MUST list a device of type AudioDeviceInfo.TYPE_USB_HEADSET and role isSink() if the USB audio terminal type field is 0x0302.
[7.8.2.2/H-4-2] MUST list a device of type AudioDeviceInfo.TYPE_USB_HEADSET and role isSink() if the USB audio terminal type field is 0x0402.
[7.8.2.2/H-4-3] MUST list a device of type AudioDeviceInfo.TYPE_USB_HEADSET and role isSource() if the USB audio terminal type field is 0x0402.
[7.8.2.2/H-4-4] MUST list a device of type AudioDeviceInfo.TYPE_USB_DEVICE and role isSink() if the USB audio terminal type field is 0x603.
[7.8.2.2/H-4-5] MUST list a device of type AudioDeviceInfo.TYPE_USB_DEVICE and role isSource() if the USB audio terminal type field is 0x604.
[7.8.2.2/H-4-6] MUST list a device of type AudioDeviceInfo.TYPE_USB_DEVICE and role isSink() if the USB audio terminal type field is 0x400.
[7.8.2.2/H-4-7] MUST list a device of type AudioDeviceInfo.TYPE_USB_DEVICE and role isSource() if the USB audio terminal type field is 0x400.
[7.8.2.2/H-SR] Are STRONGLY RECOMMENDED upon connection of a USB-C audio peripheral, to perform enumeration of USB descriptors, identify terminal types and broadcast Intent ACTION_HEADSET_PLUG in less than 1000 milliseconds.

If Handheld device implementations include at least one haptic actuator, they:

[7.10/H-SR]* Are STRONGLY RECOMMENDED NOT to use an eccentric rotating mass (ERM) haptic actuator(vibrator).
[7.10/H]* SHOULD position the placement of the actuator near the location where the device is typically held or touched by hands.
[7.10/H-SR]* Are STRONGLY RECOMMENDED to implement all public constants for clear haptics in android.view.HapticFeedbackConstants namely (CLOCK_TICK, CONTEXT_CLICK, KEYBOARD_PRESS, KEYBOARD_RELEASE, KEYBOARD_TAP, LONG_PRESS, TEXT_HANDLE_MOVE, VIRTUAL_KEY, VIRTUAL_KEY_RELEASE, CONFIRM, REJECT, GESTURE_START and GESTURE_END).
[7.10/H-SR]* Are STRONGLY RECOMMENDED to implement all public constants for clear haptics in android.os.VibrationEffect namely (EFFECT_TICK, EFFECT_CLICK, EFFECT_HEAVY_CLICK and EFFECT_DOUBLE_CLICK) and all public constants for rich haptics in android.os.VibrationEffect.Composition namely (PRIMITIVE_CLICK and PRIMITIVE_TICK).
[7.10/H-SR]* Are STRONGLY RECOMMENDED to use these linked haptic constants mappings.
[7.10/H-SR]* Are STRONGLY RECOMMENDED to follow quality assessment for createOneShot() and createWaveform() API's.
[7.10/H-SR]* Are STRONGLY RECOMMENDED to verify the capabilities for amplitude scalability by running android.os.Vibrator.hasAmplitudeControl().

Linear resonant actuator (LRA) is a single mass spring system which has a dominant resonant frequency where the mass translates in the direction of desired motion.

If Handheld device implementations include at least one linear resonant actuator, they:

[7.10/H]* SHOULD move the haptic actuator in the X-axis of portrait orientation.

If Handheld device implementations have a haptic actuator which is X-axis Linear resonant actuator (LRA), they:

[7.10/H-SR]* Are STRONGLY RECOMMENDED to have the resonant frequency of the X-axis LRA be under 200 Hz.

If handheld device implementations follow haptic constants mapping, they:

2.2.2. Multimedia

Handheld device implementations MUST support the following audio encoding and decoding formats and make them available to third-party applications:

[5.1/H-0-1] AMR-NB
[5.1/H-0-2] AMR-WB
[5.1/H-0-3] MPEG-4 AAC Profile (AAC LC)
[5.1/H-0-4] MPEG-4 HE AAC Profile (AAC+)
[5.1/H-0-5] AAC ELD (enhanced low delay AAC)

Handheld device implementations MUST support the following video encoding formats and make them available to third-party applications:

[5.2/H-0-1] H.264 AVC
[5.2/H-0-2] VP8

Handheld device implementations MUST support the following video decoding formats and make them available to third-party applications:

[5.3/H-0-1] H.264 AVC
[5.3/H-0-2] H.265 HEVC
[5.3/H-0-3] MPEG-4 SP
[5.3/H-0-4] VP8
[5.3/H-0-5] VP9

2.2.3. Software

Handheld device implementations:

[3.2.3.1/H-0-1] MUST have an application that handles the , , , and intents as described in the SDK documents, and provide the user affordance to access the document provider data by using API.
[3.2.3.1/H-0-2]* MUST preload one or more applications or service components with an intent handler, for all the public intent filter patterns defined by the following application intents listed here.
[3.2.3.1/H-SR] Are STRONGLY RECOMMENDED to preload an email application which can handle ACTION_SENDTO or ACTION_SEND or ACTION_SEND_MULTIPLE intents to send an email.
[3.4.1/H-0-1] MUST provide a complete implementation of the API.
[3.4.2/H-0-1] MUST include a standalone Browser application for general user web browsing.
[3.8.1/H-SR] Are STRONGLY RECOMMENDED to implement a default launcher that supports in-app pinning of shortcuts, widgets and widgetFeatures.
[3.8.1/H-SR] Are STRONGLY RECOMMENDED to implement a default launcher that provides quick access to the additional shortcuts provided by third-party apps through the ShortcutManager API.
[3.8.1/H-SR] Are STRONGLY RECOMMENDED to include a default launcher app that shows badges for the app icons.
[3.8.2/H-SR] Are STRONGLY RECOMMENDED to support third-party app widgets.
[3.8.3/H-0-1] MUST allow third-party apps to notify users of notable events through the and API classes.
[3.8.3/H-0-2] MUST support rich notifications.
[3.8.3/H-0-3] MUST support heads-up notifications.
[3.8.3/H-0-4] MUST include a notification shade, providing the user the ability to directly control (e.g. reply, snooze, dismiss, block) the notifications through user affordance such as action buttons or the control panel as implemented in the AOSP.
[3.8.3/H-0-5] MUST display the choices provided through in the notification shade.
[3.8.3/H-SR] Are STRONGLY RECOMMENDED to display the first choice provided through in the notification shade without additional user interaction.
[3.8.3/H-SR] Are STRONGLY RECOMMENDED to display all the choices provided through in the notification shade when the user expands all notifications in the notification shade.
[3.8.3.1/H-SR] Are STRONGLY RECOMMENDED to display actions for which is set as in-line with the replies displayed by .
[3.8.4/H-SR] Are STRONGLY RECOMMENDED to implement an assistant on the device to handle the Assist action.

If Handheld device implementations support Assist action, they:

[3.8.4/H-SR] Are STRONGLY RECOMMENDED to use long press on key as the designated interaction to launch the assist app as described in section 7.2.3. MUST launch the user-selected assist app, in other words the app that implements , or an activity handling the intent.

If Handheld device implementations support and group them into a separate section from alerting and silent non-conversation notifications, they:

[3.8.4/H-1-1]* MUST display conversation notifications ahead of non conversation notifications with the exception of ongoing foreground service notifications and importance:high notifications.

If Android Handheld device implementations support a lock screen, they:

[3.8.10/H-1-1] MUST display the Lock screen Notifications including the Media Notification Template.

If Handheld device implementations support a secure lock screen, they:

[3.9/H-1-1] MUST implement the full range of device administration policies defined in the Android SDK documentation.
[3.9/H-1-2] MUST declare the support of managed profiles via the feature flag, except when the device is configured so that it would report itself as a low RAM device or so that it allocates internal (non-removable) storage as shared storage.

If Handheld device implementations include support for and APIs and allow third-party applications to publish , then they:

[3.8.16/H-1-1] MUST declare the feature flag and set it to .
[3.8.16/H-1-2] MUST provide a user affordance with the ability to add, edit, select, and operate the user’s favorite device controls from the controls registered by the third-party applications through the and the APIs.
[3.8.16/H-1-3] MUST provide access to this user affordance within three interactions from a default Launcher.
[3.8.16/H-1-4] MUST accurately render in this user affordance the name and icon of each third-party app that provides controls via the API as well as any specified fields provided by the APIs.

Conversely, If Handheld device implementations do not implement such controls, they:

Handheld device implementations:

[3.10/H-0-1] MUST support third-party accessibility services.
[3.10/H-SR] Are STRONGLY RECOMMENDED to preload accessibility services on the device comparable with or exceeding functionality of the Switch Access and TalkBack (for languages supported by the preinstalled Text-to-speech engine) accessibility services as provided in the talkback open source project.
[3.11/H-0-1] MUST support installation of third-party TTS engines.
[3.11/H-SR] Are STRONGLY RECOMMENDED to include a TTS engine supporting the languages available on the device.
[3.13/H-SR] Are STRONGLY RECOMMENDED to include a Quick Settings UI component.

If Android handheld device implementations declare or support, they:

[3.16/H-1-1] MUST support the companion device pairing feature.

If the navigation function is provided as an on-screen, gesture-based action:

[7.2.3/H] The gesture recognition zone for the Home function SHOULD be no higher than 32 dp in height from the bottom of the screen.

If Handheld device implementations provide a navigation function as a gesture from anywhere on the left and right edges of the screen:

[7.2.3/H-0-1] The navigation function's gesture area MUST be less than 40 dp in width on each side. The gesture area SHOULD be 24 dp in width by default.

2.2.4. Performance and Power

[8.1/H-0-1] Consistent frame latency. Inconsistent frame latency or a delay to render frames MUST NOT happen more often than 5 frames in a second, and SHOULD be below 1 frames in a second.
[8.1/H-0-2] User interface latency. Device implementations MUST ensure low latency user experience by scrolling a list of 10K list entries as defined by the Android Compatibility Test Suite (CTS) in less than 36 secs.
[8.1/H-0-3] Task switching. When multiple applications have been launched, re-launching an already-running application after it has been launched MUST take less than 1 second.

Handheld device implementations:

[8.2/H-0-1] MUST ensure a sequential write performance of at least 5 MB/s.
[8.2/H-0-2] MUST ensure a random write performance of at least 0.5 MB/s.
[8.2/H-0-3] MUST ensure a sequential read performance of at least 15 MB/s.
[8.2/H-0-4] MUST ensure a random read performance of at least 3.5 MB/s.

If Handheld device implementations include features to improve device power management that are included in AOSP or extend the features that are included in AOSP, they:

[8.3/H-1-1] MUST provide user affordance to enable and disable the battery saver feature.
[8.3/H-1-2] MUST provide user affordance to display all apps that are exempted from App Standby and Doze power-saving modes.

Handheld device implementations:

[8.4/H-0-1] MUST provide a per-component power profile that defines the current consumption value for each hardware component and the approximate battery drain caused by the components over time as documented in the Android Open Source Project site.
[8.4/H-0-2] MUST report all power consumption values in milliampere hours (mAh).
[8.4/H-0-3] MUST report CPU power consumption per each process's UID. The Android Open Source Project meets the requirement through the kernel module implementation.
[8.4/H-0-4] MUST make this power usage available via the shell command to the app developer.
[8.4/H] SHOULD be attributed to the hardware component itself if unable to attribute hardware component power usage to an application.

If Handheld device implementations include a screen or video output, they:

2.2.5. Security Model

Handheld device implementations:

[9.1/H-0-1] MUST allow third-party apps to access the usage statistics via the permission and provide a user-accessible mechanism to grant or revoke access to such apps in response to the intent.

Handheld device implementations (* Not applicable for Tablet):

[9.11/H-0-2]* MUST back up the keystore implementation with an isolated execution environment.
[9.11/H-0-3]* MUST have implementations of RSA, AES, ECDSA, and HMAC cryptographic algorithms and MD5, SHA1, and SHA-2 family hash functions to properly support the Android Keystore system's supported algorithms in an area that is securely isolated from the code running on the kernel and above. Secure isolation MUST block all potential mechanisms by which kernel or userspace code might access the internal state of the isolated environment, including DMA. The upstream Android Open Source Project (AOSP) meets this requirement by using the Trusty implementation, but another ARM TrustZone-based solution or a third-party reviewed secure implementation of a proper hypervisor-based isolation are alternative options.
[9.11/H-0-4]* MUST perform the lock screen authentication in the isolated execution environment and only when successful, allow the authentication-bound keys to be used. Lock screen credentials MUST be stored in a way that allows only the isolated execution environment to perform lock screen authentication. The upstream Android Open Source Project provides the Gatekeeper Hardware Abstraction Layer (HAL) and Trusty, which can be used to satisfy this requirement.
[9.11/H-0-5]* MUST support key attestation where the attestation signing key is protected by secure hardware and signing is performed in secure hardware. The attestation signing keys MUST be shared across large enough number of devices to prevent the keys from being used as device identifiers. One way of meeting this requirement is to share the same attestation key unless at least 100,000 units of a given SKU are produced. If more than 100,000 units of an SKU are produced, a different key MAY be used for each 100,000 units.

Note that if a device implementation is already launched on an earlier Android version, such a device is exempted from the requirement to have a keystore backed by an isolated execution environment and support the key attestation, unless it declares the feature which requires a keystore backed by an isolated execution environment.

When Handheld device implementations support a secure lock screen, they:

[9.11/H-1-1] MUST allow the user to choose the shortest sleep timeout, that is a transition time from the unlocked to the locked state, as 15 seconds or less.
[9.11/H-1-2] MUST provide user affordance to hide notifications and disable all forms of authentication except for the primary authentication described in 9.11.1 Secure Lock Screen. The AOSP meets the requirement as lockdown mode.

2.2.6. Developer Tools and Options Compatibility

Handheld device implementations (* Not applicable for Tablet):

[6.1/H-0-1]* MUST support the shell command .

Handheld device implementations (* Not applicable for Tablet):

Perfetto
- [6.1/H-0-2]* MUST expose a binary to the shell user which cmdline complies with the perfetto documentation.
- [6.1/H-0-3]* The perfetto binary MUST accept as input a protobuf config that complies with the schema defined in the perfetto documentation.
- [6.1/H-0-4]* The perfetto binary MUST write as output a protobuf trace that complies with the schema defined in the perfetto documentation.
- [6.1/H-0-5]* MUST provide, through the perfetto binary, at least the data sources described in the perfetto documentation.
- [6.1/H-0-6]* The perfetto traced daemon MUST be enabled by default (system property ).

2.3. Television Requirements

An Android Television device refers to an Android device implementation that is an entertainment interface for consuming digital media, movies, games, apps, and/or live TV for users sitting about ten feet away (a “lean back” or “10-foot user interface”).

Android device implementations are classified as a Television if they meet all the following criteria:

Have provided a mechanism to remotely control the rendered user interface on the display that might sit ten feet away from the user.
Have an embedded screen display with the diagonal length larger than 24 inches OR include a video output port, such as VGA, HDMI, DisplayPort, or a wireless port for display.

The additional requirements in the rest of this section are specific to Android Television device implementations.

2.3.1. Hardware

Television device implementations:

[7.2.2/T-0-1] MUST support D-pad.
[7.2.3/T-0-1] MUST provide the Home and Back functions.
[7.2.3/T-0-2] MUST send both the normal and long press event of the Back function () to the foreground application.
[7.2.6.1/T-0-1] MUST include support for game controllers and declare the feature flag.
[7.2.7/T] SHOULD provide a remote control from which users can access non-touch navigation and core navigation keys inputs.

If Television device implementations include a 3-axis gyroscope, they:

[7.3.4/T-1-1] MUST be able to report events up to a frequency of at least 100 Hz.
[7.3.4/T-1-2] MUST be capable of measuring orientation changes up to 1000 degrees per second.

Television device implementations:

[7.4.3/T-0-1] MUST support Bluetooth and Bluetooth LE.
[7.6.1/T-0-1] MUST have at least 4 GB of non-volatile storage available for application private data (a.k.a. "/data" partition).

If Television device implementations include a USB port that supports host mode, they:

[7.5.3/T-1-1] MUST include support for an external camera that connects through this USB port but is not necessarily always connected.

If TV device implementations are 32-bit:

[7.6.1/T-1-1] The memory available to the kernel and userspace MUST be at least 896MB if any of the following densities are used:
- 400dpi or higher on small/normal screens
- xhdpi or higher on large screens
- tvdpi or higher on extra large screens

If TV device implementations are 64-bit:

[7.6.1/T-2-1] The memory available to the kernel and userspace MUST be at least 1280MB if any of the following densities are used:
- 400dpi or higher on small/normal screens
- xhdpi or higher on large screens
- tvdpi or higher on extra large screens

Television device implementations:

[7.8.1/T] SHOULD include a microphone.
[7.8.2/T-0-1] MUST have an audio output and declare .

2.3.2. Multimedia

Television device implementations MUST support the following audio encoding and decoding formats and make them available to third-party applications:

[5.1/T-0-1] MPEG-4 AAC Profile (AAC LC)
[5.1/T-0-2] MPEG-4 HE AAC Profile (AAC+)
[5.1/T-0-3] AAC ELD (enhanced low delay AAC)

Television device implementations MUST support the following video encoding formats and make them available to third-party applications:

[5.2/T-0-1] H.264
[5.2/T-0-2] VP8

Television device implementations:

[5.2.2/T-SR] Are STRONGLY RECOMMENDED to support H.264 encoding of 720p and 1080p resolution videos at 30 frames per second.

Television device implementations MUST support the following video decoding formats and make them available to third-party applications:

Television device implementations MUST support MPEG-2 decoding, as detailed in Section 5.3.1, at standard video frame rates and resolutions up to and including:

[5.3.1/T-1-1] HD 1080p at 59.94 frames per second with Main Profile High Level.
[5.3.1/T-1-2] HD 1080i at 59.94 frames per second with Main Profile High Level. They MUST deinterlace interlaced MPEG-2 video to its progressive equivalent (e.g. from 1080i at 59.94 frames per second to 1080p at 29.97 frames per second) and make it available to third-party applications.

Television device implementations MUST support H.264 decoding, as detailed in Section 5.3.4, at standard video frame rates and resolutions up to and including:

[5.3.4/T-1-1] HD 1080p at 60 frames per second with Baseline Profile
[5.3.4/T-1-2] HD 1080p at 60 frames per second with Main Profile
[5.3.4/T-1-3] HD 1080p at 60 frames per second with High Profile Level 4.2

Television device implementations with H.265 hardware decoders MUST support H.265 decoding, as detailed in Section 5.3.5, at standard video frame rates and resolutions up to and including:

[5.3.5/T-1-1] HD 1080p at 60 frames per second with Main Profile Level 4.1

If Television device implementations with H.265 hardware decoders support H.265 decoding and the UHD decoding profile, they:

[5.3.5/T-2-1] MUST support UHD 3480p at 60 frames per second with Main10 Level 5 Main Tier profile

Television device implementations MUST support VP8 decoding, as detailed in Section 5.3.6, at standard video frame rates and resolutions up to and including:

[5.3.6/T-1-1] HD 1080p at 60 frames per second decoding profile

Television device implementations with VP9 hardware decoders MUST support VP9 decoding, as detailed in Section 5.3.7, at standard video frame rates and resolutions up to and including:

[5.3.7/T-1-1] HD 1080p at 60 frames per second with profile 0 (8 bit color depth)

If Television device implementations with VP9 hardware decoders support VP9 decoding and the UHD decoding profile, they:

[5.3.7/T-2-1] MUST support UHD 3480p at 60 frames per second with profile 0 (8 bit color depth).
[5.3.7/T-2-1] Are STRONGLY RECOMMENDED to support UHD 3480p at 60 frames per second with profile 2 (10 bit color depth).

Television device implementations:

[5.5/T-0-1] MUST include support for system Master Volume and digital audio output volume attenuation on supported outputs, except for compressed audio passthrough output (where no audio decoding is done on the device).

If Television device implementations do not have a built in display, but instead support an external display connected via HDMI, they:

[5.8/T-0-1] MUST set the HDMI output mode to select the maximum resolution that can be supported with either a 50Hz or 60Hz refresh rate.
[5.8/T-SR] Are STRONGLY RECOMMENDED to provide a user configurable HDMI refresh rate selector.
[5.8] SHOULD set the HDMI output mode refresh rate to either 50Hz or 60Hz, depending on the video refresh rate for the region the device is sold in.

If Television device implementations do not have a built in display, but instead support an external display connected via HDMI, they:

[5.8/T-1-1] MUST support HDCP 2.2.

If Television device implementations do not support UHD decoding, but instead support an external display connected via HDMI, they:

[5.8/T-2-1] MUST support HDCP 1.4

2.3.3. Software

Television device implementations:

[3/T-0-1] MUST declare the features and .
[3.2.3.1/T-0-1] MUST preload one or more applications or service components with an intent handler, for all the public intent filter patterns defined by the following application intents listed here.
[3.4.1/T-0-1] MUST provide a complete implementation of the API.

If Android Television device implementations support a lock screen,they:

[3.8.10/T-1-1] MUST display the Lock screen Notifications including the Media Notification Template.

Television device implementations:

[3.8.14/T-SR] Are STRONGLY RECOMMENDED to support picture-in-picture (PIP) mode multi-window.
[3.10/T-0-1] MUST support third-party accessibility services.
[3.10/T-SR] Are STRONGLY RECOMMENDED to preload accessibility services on the device comparable with or exceeding functionality of the Switch Access and TalkBack (for languages supported by the preinstalled Text-to-speech engine) accessibility services as provided in the talkback open source project.

If Television device implementations report the feature , they:

[3.11/T-SR] Are STRONGLY RECOMMENDED to include a TTS engine supporting the languages available on the device.
[3.11/T-1-1] MUST support installation of third-party TTS engines.

Television device implementations:

[3.12/T-0-1] MUST support TV Input Framework.

2.3.4. Performance and Power

[8.1/T-0-1] Consistent frame latency. Inconsistent frame latency or a delay to render frames MUST NOT happen more often than 5 frames in a second, and SHOULD be below 1 frames in a second.
[8.2/T-0-1] MUST ensure a sequential write performance of at least 5MB/s.
[8.2/T-0-2] MUST ensure a random write performance of at least 0.5MB/s.
[8.2/T-0-3] MUST ensure a sequential read performance of at least 15MB/s.
[8.2/T-0-4] MUST ensure a random read performance of at least 3.5MB/s.

If Television device implementations include features to improve device power management that are included in AOSP or extend the features that are included in AOSP, they:

[8.3/T-1-1] MUST provide user affordance to enable and disable the battery saver feature.

If Television device implementations do not have a battery they:

If Television device implementations have a battery they:

[8.3/T-1-3] MUST provide user affordance to display all apps that are exempted from App Standby and Doze power-saving modes.

Television device implementations:

[8.4/T-0-1] MUST provide a per-component power profile that defines the current consumption value for each hardware component and the approximate battery drain caused by the components over time as documented in the Android Open Source Project site.
[8.4/T-0-2] MUST report all power consumption values in milliampere hours (mAh).
[8.4/T-0-3] MUST report CPU power consumption per each process's UID. The Android Open Source Project meets the requirement through the kernel module implementation.
[8.4/T] SHOULD be attributed to the hardware component itself if unable to attribute hardware component power usage to an application.
[8.4/T-0-4] MUST make this power usage available via the shell command to the app developer.

2.3.5. Security Model

Television device implementations:

[9.11/T-0-1] MUST back up the keystore implementation with an isolated execution environment.
[9.11/T-0-2] MUST have implementations of RSA, AES, ECDSA and HMAC cryptographic algorithms and MD5, SHA1, and SHA-2 family hash functions to properly support the Android Keystore system's supported algorithms in an area that is securely isolated from the code running on the kernel and above. Secure isolation MUST block all potential mechanisms by which kernel or userspace code might access the internal state of the isolated environment, including DMA. The upstream Android Open Source Project (AOSP) meets this requirement by using the Trusty implementation, but another ARM TrustZone-based solution or a third-party reviewed secure implementation of a proper hypervisor-based isolation are alternative options.
[9.11/T-0-3] MUST perform the lock screen authentication in the isolated execution environment and only when successful, allow the authentication-bound keys to be used. Lock screen credentials MUST be stored in a way that allows only the isolated execution environment to perform lock screen authentication. The upstream Android Open Source Project provides the Gatekeeper Hardware Abstraction Layer (HAL) and Trusty, which can be used to satisfy this requirement.
[9.11/T-0-4] MUST support key attestation where the attestation signing key is protected by secure hardware and signing is performed in secure hardware. The attestation signing keys MUST be shared across large enough number of devices to prevent the keys from being used as device identifiers. One way of meeting this requirement is to share the same attestation key unless at least 100,000 units of a given SKU are produced. If more than 100,000 units of an SKU are produced, a different key MAY be used for each 100,000 units.

If Television device implementations support a secure lock screen, they:

[9.11/T-1-1] MUST allow the user to choose the Sleep timeout for transition from the unlocked to the locked state, with a minimum allowable timeout up to 15 seconds or less.

2.3.6. Developer Tools and Options Compatibility

Television device implementations:

Источник: [https://torrent-igruha.org/3551-portal.html]

, Mobile Net Switch v1.9.3 serial key or number

802.1X Authentication

IEEE 802.1X standard for port-based network access control and protects Ethernet LANs from unauthorized user access. It blocks all traffic to and from a supplicant (client) at the interface until the supplicant's credentials are presented and matched on the authentication server (a RADIUS server). When the supplicant is authenticated, the switch stops blocking access and opens the interface to the supplicant. Read this topic for more information.

802.1X for Switches Overview

How 802.1X Authentication Works

802.1X authentication works by using an authenticator port access entity (the switch) to block ingress traffic from a supplicant (end device) at the port until the supplicant's credentials are presented and match on the authentication server (a RADIUS server). When authenticated, the switch stops blocking traffic and opens the port to the supplicant.

The end device is authenticated in mode, mode, or mode:

single supplicant—Authenticates only the first end device. All other end devices that connect later to the port are allowed full access without any further authentication. They effectively piggyback on the first end device’s authentication.
single-secure supplicant—Allows only one end device to connect to the port. No other end device is allowed to connect until the first device logs out.
multiple supplicant—Allows multiple end devices to connect to the port. Each end device is authenticated individually.

Network access can be further defined by using VLANs and firewall filters, both of which act as filters to separate and match groups of end devices to the areas of the LAN they require. For example, you can configure VLANs to handle different categories of authentication failures depending upon:

Whether or not the end device is 802.1X-enabled.
Whether or not MAC RADIUS authentication is configured on the switch interfaces to which the hosts are connected.
Whether the RADIUS authentication server becomes unavailable or sends a RADIUS access-reject message. See Configuring RADIUS Server Fail Fallback (CLI Procedure).

802.1X Features Overview

The following 802.1X features are supported on Juniper Networks Ethernet Switches:

Guest VLAN—Provides limited access to a LAN, typically only to the Internet, for nonresponsive end devices that are not 802.1X-enabled when MAC RADIUS authentication is not configured on the switch interfaces to which the hosts are connected. Also, a guest VLAN can be used to provide limited access to a LAN for guest users. Typically, the guest VLAN provides access only to the Internet and to other guests’ end devices.
Server-reject VLAN—Provides limited access to a LAN, typically only to the Internet, for responsive end devices that are 802.1X-enabled but that have sent the wrong credentials. If the end device that is authenticated using the server-reject VLAN is an IP phone, voice traffic is not allowed.
Server-fail VLAN—Provides limited access to a LAN, typically only to the Internet, for 802.1X end devices during a RADIUS server timeout.
Dynamic VLAN—Enables an end device, after authentication, to be a member of a VLAN dynamically.
Private VLAN—Enables configuration of 802.1X authentication on interfaces that are members of private VLANs (PVLANs).
Dynamic changes to a user session—Enables the switch administrator to terminate an already authenticated session. This feature is based on support of the RADIUS Disconnect Message defined in RFC 3576.
VoIP VLAN—Supports IP telephones. The implementation of a voice VLAN on an IP telephone is vendor-specific. If the phone is 802.1X-enabled, it is authenticated as any other supplicant is. If the phone is not 802.1X-enabled, but has another 802.1X-compatible device connected to its data port, that device is authenticated, and then VoIP traffic can flow to and from the phone (provided that the interface is configured in single supplicant mode and not in single-secure supplicant mode).
RADIUS accounting—Sends accounting information to the RADIUS accounting server. Accounting information is sent to the server whenever a subscriber logs in or logs out and whenever a subscriber activates or deactivates a subscription.
RADIUS server attributes for 802.1X—The Juniper-Switching-Filter is a vendor-specific attribute (VSA) that can be configured on the RADIUS server to further define a supplicant's access during the 802.1X authentication process. Centrally configuring attributes on the authentication server obviates the need to configure these same attributes in the form of firewall filters on every switch in the LAN to which the supplicant might connect to the LAN. This feature is based on RLI 4583, AAA RADIUS BRAS VSA Support.

The following features are supported to authenticate devices that are not 802.1X-enabled:

Static MAC bypass—Provides a bypass mechanism to authenticate devices that are not 802.1X-enabled (such as printers). Static MAC bypass connects these devices to 802.1X-enabled ports, bypassing 802.1X authentication.
MAC RADIUS authentication—Provides a means to permit hosts that are not 802.1X-enabled to access the LAN. MAC-RADIUS simulates the supplicant functionality of the client device, using the MAC address of the client as username and password.

802.1X Authentication on Trunk Ports

Starting in Junos OS Release 18.3R1, you can configure 802.1X authentication on trunk interfaces, which allows the network access device (NAS) to authenticate an access point (AP) or another connected Layer 2 device. An AP or switch connected to the NAS will support multiple VLANs, so must connect to a trunk port. Enabling 802.1X authentication on the trunk interface protects the NAS from a security breach in which an attacker might disconnect the AP and connect a laptop to get free access to network for all the configured VLANs.

Please note the following caveats when configuring 802.1X authentication on trunk interfaces.

Only single and single-secure supplicant modes are supported on trunk interfaces.
You must configure 802.1X authentication locally on the trunk interface. If you configure 802.1X authentication globally using the set protocol dot1x interface all command, the configuration is not applied to the trunk interface.
Dynamic VLANS are not supported on trunk interfaces.
Guest VLAN and server-reject VLAN are not supported on trunk interfaces.
Server fail fallback for VoIP clients is not supported on trunk interfaces (server-fail-voip).
Authentication on trunk port is not supported using captive portal.
Authentication on trunk port is not supported on aggregated interfaces.
Configuration of 802.1X authentication on interfaces that are members of private VLANs (PVLANs) is not supported on trunk ports.

802.1X Authentication on Layer 3 Interfaces

Starting in Junos OS Release 20.2R1, you can configure 802.1X authentication on layer 3 interfaces. Please note the following caveats when configuring 802.1X authentication on layer 3 interfaces:

Only EAP-capable clients are supported.
Only single supplicant mode is supported.
You must configure 802.1X authentication locally on layer 3 interfaces. If you configure 802.1X authentication globally using the set protocol dot1x interface all command, the configuration is not applied to layer 3 interfaces.
Support for layer 3 interfaces does not include IRB or sub-interfaces.
Guest VLAN, server-reject VLAN, and server-fail VLAN are not supported.
Server fail fallback for VoIP clients is not supported (server-fail-voip).
Only the following attributes are accepted from the authentication server as part of RADIUS access-accept or COA messages for clients authenticated on layer 3 interfaces:
- User-Name
- Session-Timeout
- Calling-Station-ID
- Acct-Session-ID
- NAS-Port-Id
- Port-Bounce

Configuring 802.1X Interface Settings (CLI Procedure)

IEEE 802.1X authentication provides network edge security, protecting Ethernet LANs from unauthorized user access by blocking all traffic to and from a supplicant (client) at the interface until the supplicant's credentials are presented and matched on the (a RADIUS server). When the supplicant is authenticated, the switch stops blocking access and opens the interface to the supplicant.

Before you begin, specify the RADIUS server or servers to be used as the authentication server. See Specifying RADIUS Server Connections on Switches (CLI Procedure).

To configure 802.1X on an interface:

Configure the supplicant mode as single (authenticates the first supplicant), single-secure (authenticates only one supplicant), or multiple (authenticates multiple supplicants):
Enable reauthentication and specify the reauthentication interval:
Configure the interface timeout value for the response from the supplicant:
Configure the timeout for the interface before it resends an authentication request to the RADIUS server:
Configure how long, in seconds, the interface waits before retransmitting the initial EAPOL PDUs to the supplicant:
Configure the maximum number of times an EAPOL request packet is retransmitted to the supplicant before the authentication session times out:
Configure the number of times the switch attempts to authenticate the port after an initial failure. The port remains in a wait state during the quiet period after the authentication attempt.
Set the server-fail to deny so that the server does not fail.

Understanding RADIUS-Initiated Changes to an Authorized User Session

When using an authentication service that is based on a client/server RADIUS model, requests are typically initiated by the client and sent to the RADIUS server. There are instances in which a request might be initiated by the server and sent to the client in order to dynamically modify an authenticated user session already in progress. The client that receives and processes the messages is the switch, which acts as the network access server, or NAS. The server can send the switch a Disconnect message requesting to terminate a session, or a Change of Authorization (CoA) message requesting to modify the session authorization attributes.

The switch listens for unsolicited RADIUS requests on UPD port 3799, and accepts requests only from a trusted source. Authorization to send a Disconnect or CoA request is determined based on the source address and the corresponding shared secret, which must be configured on the switch as well as on the RADIUS server. For more information about configuring the source address and shared secret on the switch, see Example: Connecting a RADIUS Server for 802.1X to an EX Series Switch.

Disconnect Messages

The RADIUS server sends a Disconnect-Request message to the switch in order to terminate a user session and discard all associated session context. The switch responds to a Disconnect-Request packet with a Disconnect-ACK message if the request is successful, that is, all associated session context is discarded and the user session is no longer connected, or with a Disconnect-NAK packet if the request fails, that is, the authenticator is unable to disconnect the session and discard all associated session context.

In Disconnect-Request messages, RADIUS attributes are used to uniquely identify the switch (NAS) and the user session. The combination of NAS identification attributes and session identification attributes included in the message must match at least one session for the request to be successful; otherwise, the switch responds with a Disconnect-NAK message. A Disconnect-Request message can contain only NAS and session identification attributes; if any other attributes are included, the switch responds with a Disconnect-NAK message.

Change of Authorization Messages

Change of Authorization (CoA) messages contain information for dynamically modifying the authorization attributes for a user session to change the authorization level. This occurs as part of a two-step authentication process, in which the endpoint is first authenticated using MAC RADIUS authentication, and is then profiled based on the type of device. The CoA message is used to apply an enforcement policy that is appropriate for the device, typically by changing the data filters or the VLAN.

The switch responds to a CoA message with a CoA-ACK message if the authorization change is successful, or a with CoA-NAK message if the change is unsuccessful. If one or more authorization changes specified in a CoA-Request message cannot be carried out, the switch responds with a CoA-NAK message.

In CoA-Request messages, RADIUS attributes are used to uniquely identify the switch (acting as the NAS) and the user session. The combination of NAS identification attributes and session identification attributes included in the message must match the identification attributes of at least one session for the request to be successful; otherwise, the switch responds with a CoA-NAK message.

CoA-Request packets also include the session authorization attributes that will be modified if the request is accepted. The supported session authorization attributes are listed below. The CoA message can contain any or all of these attributes. If any attribute is not included as part of the CoA-Request message, the NAS assumes that the value for that attribute is to remain unchanged.

Filter-ID
Tunnel-Private-Group-ID
Juniper-Switching-Filter
Juniper-VoIP-VLAN
Session-Timeout

CoA Request Port Bounce

When a CoA message is used to change the VLAN for an authenticated host, end devices such as printers do not have a mechanism to detect the VLAN change, so they do not renew the lease for their DHCP address in the new VLAN. Starting in Junos OS Release 17.3, the port bounce feature can be used to force the end device to initiate DHCP re-negotiation by causing a link flap on the authenticated port.

The command to bounce the port is sent from the RADIUS server using a Juniper Networks vendor-specific attribute (VSA). The port is bounced if the following VSA attribute-value pair is received in the CoA message from the RADIUS server:

Juniper-AV-Pair = “Port-Bounce”

To enable the port bounce feature, you must update the Junos dictionary file () on the RADIUS server with the Juniper-AV-Pair VSA. Locate the dictionary file and add the following text to the file:

For more information about adding the VSA, consult the FreeRADIUS documentation.

You can disable the feature by configuring the ignore-port-bounce statement at the [edit protocols dot1x authenticator interface interface-name] hierachy level.

Error-Cause Codes

When a disconnect or CoA operation is unsuccessful, an Error-Cause attribute (RADIUS attribute 101) can be included in the response message sent by the NAS to the server to provide detail about the cause of the problem. If the detected error does not map to one of the supported Error-Cause attribute values, the router sends the message without an error-cause attribute. See Table 1 for descriptions of error-cause codes that can be included in response messages sent from the NAS.

Filtering 802.1X Supplicants by Using RADIUS Server Attributes

There are two ways to configure the a RADIUS server with port firewall filters (Layer 2 firewall filters):

Include one or more filter terms in the Juniper-Switching-Filter attribute. The Juniper-Switching-Filter attribute is a vendor-specific attribute (VSA) listed under attribute ID number 48 in the Juniper dictionary on the RADIUS server. Use this VSA to configure simple filter conditions for 802.1X authenticated users. Nothing needs to be configured on the switch; all of the configuration is on the RADIUS server.
Configure a local firewall filter on each switch and apply that firewall filter to users authenticated through the RADIUS server. Use this method for more complex filters. The firewall filter must be configured on each switch.

This topic includes the following tasks:

Configuring Firewall Filters on the RADIUS Server
Applying a Locally Configured Firewall Filter from the RADIUS Server

Configuring Firewall Filters on the RADIUS Server

You can configure simple filter conditions by using the Juniper-Switching-Filter attribute in the Juniper dictionary on the RADIUS server. These filters are sent to a switch whenever a new user is authenticated successfully. The filters are created and applied on all EX Series switches that authenticate users through that RADIUS server without the need for you to configure anything on each individual switch.

To configure the Juniper-Switching-Filter attribute, enter one or more filter terms by using the CLI for the RADIUS server. Each filter term consists of match conditions with a corresponding action. Enter the filter terms enclosed within quotation marks (" ") by using the following syntax:

More than one match condition can be included in a filter term. When multiple conditions are specified in a filter term, they must all be fulfilled for the packet to match the filter term. For example, the following filter term requires a packet to match both the destination IP address and the destination MAC address to meet the term criteria:

Multiple filter terms should be separated with commas—for example:

See Juniper-Switching-Filter VSA Match Conditions and Actions for definitions of match conditions and actions.

To configure match conditions on the RADIUS server:

Verify that the Juniper dictionary is loaded on your RADIUS server and includes the filtering attribute Juniper-Switching-Filter (attribute ID 48):
Enter the match conditions and actions. For example:
- To deny authentication based on the 802.1Q tag (here, the 802.1Q tag is 10):
  For each relevant user, add the Juniper-Switching-Filter attribute:
- To deny access based on a destination IP address:
  For each relevant user, add the Juniper-Switching-Filter attribute:
- To set the packet loss priority (PLP) to high based on a destination MAC address and the IP protocol:
  For each relevant user, add the Juniper-Switching-Filter attribute:
Stop and restart the RADIUS process to activate the configuration.

Applying a Locally Configured Firewall Filter from the RADIUS Server

You can apply a port firewall filter (Layer 2 firewall filter) to user policies centrally from the RADIUS server. The RADIUS server can then specify the firewall filters that are to be applied to each user that requests authentication, reducing the need to configure the same firewall filter on multiple switches. Use this method when the firewall filter contains a large number of conditions or you want to use different conditions for the same filter on different switches. The firewall filters must be configured on each switch.

For more information about firewall filters, see Firewall Filters for EX Series Switches Overview.

To apply a port firewall filter centrally from the RADIUS server:

Create the firewall filter on the local switch. See Configuring Firewall Filters (CLI Procedure) for more information on configuring a port firewall filter.
On the RADIUS server, open the file to display the local user profiles of the end devices to which you want to apply the filter:
Apply the filter to each user profile by adding the Filter-ID attribute with the filter name as the attribute value:
For example, the user profile below for supplicant1 includes the Filter-ID attribute with the filter name filter1:
Stop and restart the RADIUS process to activate the configuration.

Example: Connecting a RADIUS Server for 802.1X to an EX Series Switch

802.1X is the IEEE standard for port-based network access control (PNAC). You use 802.1X to control network access. Only users and devices providing credentials that have been verified against a user database are allowed access to the network. You can use a RADIUS server as the user database for 802.1X authentication, as well as for MAC RADIUS authentication.

This example describes how to connect a RADIUS server to an EX Series switch, and configure it for 802.1X:

Requirements

This example uses the following software and hardware components:

Junos OS Release 9.0 or later for EX Series switches
One EX Series switch acting as an authenticator port access entity (PAE). The ports on the authenticator PAE form a control gate that blocks all traffic to and from supplicants until they are authenticated.
One RADIUS authentication server that supports 802.1X. The authentication server acts as the backend database and contains credential information for hosts (supplicants) that have permission to connect to the network.

Before you connect the server to the switch, be sure you have:

Overview and Topology

The EX Series switch acts as an authenticator PAE. It blocks all traffic and acts as a control gate until the supplicant (client) is authenticated by the server. All other users and devices are denied access.

Figure 1 shows one EX4200 switch that is connected to the devices listed in Table 2.

In this example, connect the RADIUS server to access port ge-0/0/10 on the EX4200 switch. The switch acts as the authenticator and forwards credentials from the supplicant to the user database on the RADIUS server. You must configure connectivity between the EX4200 and the RADIUS server by specifying the address of the server and configuring the secret password. This information is configured in an access profile on the switch.

Configuration

CLI Quick Configuration

To quickly connect the RADIUS server to the switch, copy the following commands and paste them into the switch terminal window:

Step-by-Step Procedure

To connect the RADIUS server to the switch:

Define the address of the servers, and configure the secret password. The secret password on the switch must match the secret password on the server:
Configure the authentication order, making radius the first method of authentication:
Configure a list of server IP addresses to be tried in sequential order to authenticate the supplicant:

Results

Display the results of the configuration:

Verification

To confirm that the configuration is working properly, perform these tasks:

Verify That the Switch and RADIUS Server Are Properly Connected

Purpose

Verify that the RADIUS server is connected to the switch on the specified port.

Action

Ping the RADIUS server to verify the connection between the switch and the server:

Meaning

ICMP echo request packets are sent from the switch to the target server at 10.0.0.100 to test whether the server is reachable across the IP network. ICMP echo responses are being returned from the server, verifying that the switch and the server are connected.

Understanding Dynamic Filters Based on RADIUS Attributes

You can use RADIUS server attributes to implement port firewall filters on a RADIUS authentication server. These filters can be dynamically applied to supplicants that request authentication through that server. RADIUS server attributes are clear-text fields encapsulated in Access-Accept messages sent from the authentication server to the switch when a supplicant connected to the switch is successfully authenticated. The switch, acting as the authenticator, uses the information in the RADIUS attributes to apply the related filters to the supplicant. Dynamic filters can be applied to multiple ports on the same switch, or to multiple switches that the use same authentication server, providing centralized access control for the network.

You can define firewall filters directly on the RADIUS server by using the Juniper-Switching-Filter attribute, which is a RADIUS attribute specific to Juniper Networks, also known as a vendor-specific attribute (VSA). VSAs are described in RFC 2138, Remote Authentication Dial In User Service (RADIUS). The Juniper-Switching-Filter VSA is listed under attribute ID number 48 in the Juniper dictionary on the RADIUS server, with the vendor ID set to the Juniper Networks ID number 2636. Using this attribute, you define filters on the authentication server, which are applied on all switches that authenticate supplicants through that server. This method eliminates the need to configure the same filters on multiple switches.

Alternatively, you can apply a port firewall filter to multiple ports on the same switch by using the Filter-ID attribute, which is RADIUS attribute ID number 11. To use the Filter-ID attribute, you must first configure a filter on the switch, and then add the filter name to user policies on the RADIUS server as the value of the Filter-ID attribute. When a supplicant defined in one of those policies is authenticated by the RADIUS server, the filter is applied to the switch port that has been authenticated for the supplicant. Use this method when the firewall filter has complex conditions, or if you want to use different conditions for the same filter on different switches. The filter named in the Filter-ID attribute must be configured locally on the switch at the [edit firewall family ethernet-switching filter] hierarchy level.

VSAs are supported only for 802.1X single supplicant configurations and multiple supplicant configurations.

Understanding Dynamic VLAN Assignment Using RADIUS Attributes

VLANs can be dynamically assigned by a RADIUS server to supplicants requesting 802.1X authentication through that server. You configure the VLAN on the RADIUS server using RADIUS server attributes, which are clear-text fields encapsulated in messages sent from the authentication server to the switch when a supplicant connected to the switch requests authentication. The switch, acting as the authenticator, uses the information in the RADIUS attributes to assign the VLAN to the supplicant. Based on the results of the authentication, a supplicant that began authentication in one VLAN might be assigned to another VLAN.

Successful authentication requires that the VLAN ID or VLAN name is configured on the switch acting as 802.1X authenticator, and that it matches the VLAN ID or VLAN name sent by the RADIUS server during authentication. If neither exists, the end device is not authenticated. If a guest VLAN is established, the unauthenticated end device is automatically moved to the guest VLAN.

The RADIUS server attributes used for dynamic VLAN assignment described in RFC 2868, RADIUS Attributes for Tunnel Protocol Support.

Tunnel-Type—Defined as RADIUS attribute type 64. The value should be set to VLAN.
Tunnel-Medium-Type—Defined as RADIUS attribute type 65. The value should be set to IEEE-802.
Tunnel-Private-Group-ID—Defined as RADIUS attribute type 81. The value should be set to the VLAN ID or the VLAN name.

For more information about configuring dynamic VLANs on your RADIUS server, see the documentation for your RADIUS server.

Understanding Guest VLANs for 802.1X on Switches

Guest VLANs can be configured on switches that are using 802.1X authentication to provide limited access—typically only to the Internet—for corporate guests. Guest VLAN is used as a fallback when:

The supplicant is not 802.1X-enabled and does not respond to EAP messages.
MAC RADIUS authentication has not been configured on the switch interfaces to which the supplicant is connected.
Captive portal has not been configured on the switch interfaces to which the supplicant is connected.

A guest VLAN is not used for supplicants that send incorrect credentials. Those supplicants are directed to the server-reject VLAN instead.

For end devices that are not 802.1X-enabled, a guest VLAN can allow limited access to a server from which the non-802.1X-enabled end device can download the supplicant software and attempt authentication again.

Example: Configuring 802.1X Authentication Options When the RADIUS Server Is Unavailable to an EX Series Switch

Server fail fallback enables you to specify how 802.1X supplicants connected to the switch are supported if the RADIUS authentication server becomes unavailable.

You use 802.1X to control network access. Only users and devices (supplicants) providing credentials that have been verified against a user database are allowed access to the network. You use a RADIUS server as the user database.

This example describes how to configure an interface to move a supplicant to a VLAN in the event of a RADIUS server timeout:

Requirements

This example uses the following software and hardware components:

Junos OS Release 9.3 or later for EX Series switches
One EX Series switch acting as an authenticator port access entity (PAE). The ports on the authenticator PAE form a control gate that blocks all traffic to and from supplicants until they are authenticated.
One RADIUS authentication server that supports 802.1X. The authentication server acts as the backend database and contains credential information for hosts (supplicants) that have permission to connect to the network.

Before you connect the server to the switch, be sure you have:

Overview and Topology

A RADIUS server timeout occurs if no authentication RADIUS servers are reachable when a supplicant logs in and attempts to access the LAN. Using server fail fallback, you configure alternative options for supplicants attempting LAN access. You can configure the switch to accept or deny access to supplicants or to maintain the access already granted to supplicants before the RADIUS server timeout. Additionally, you can configure the switch to move supplicants to a specific VLAN if a RADIUS timeout occurs.

Figure 2 shows the topology used for this example. The RADIUS server is connected to the EX4200 switch on access port ge-0/0/10. The switch acts as the authenticator port access entity (PAE) and forwards credentials from the supplicant to the user database on the RADIUS server. The switch blocks all traffic and acts as a control gate until the supplicant is authenticated by the authentication server. A supplicant is connected to the switch through interface ge-0/0/1.

Table 3 describes the components in this topology.

In this example, configure interface ge-0/0/1 to move a supplicant attempting access to the LAN during a RADIUS timeout to another VLAN. A RADIUS timeout prevents the normal exchange of EAP messages that carry information from the RADIUS server to the switch and permit the authentication of a supplicant. The default VLAN is configured on interface ge-0/0/1. When a RADIUS timeout occurs, supplicants on the interface will be moved from the default VLAN to the VLAN named vlan-sf.

Configuration

CLI Quick Configuration

To quickly configure server fail fallback on the switch, copy the following commands and paste them into the switch terminal window:

Step-by-Step Procedure

To configure an interface to divert supplicants to a specific VLAN when a RADIUS timeout occurs (here, the VLAN is vlan-sf):

Define the VLAN to which supplicants are diverted:

Results

Display the results of the configuration:

Verification

To confirm that the configuration is working properly, perform these tasks:

Verifying That the Supplicants Are Moved to an Alternative VLAN During a RADIUS Timeout

Purpose

Verify that the interface moves supplicants to an alternative VLAN during a RADIUS timeout.

Action

Display the VLANs configured on the switch; the interface ge-0/0/1.0 is a member of the default VLAN:

Display 802.1X protocol information on the switch to view supplicants that are authenticated on interface ge-0/0/1.0:

A RADIUS server timeout occurs. Display the Ethernet switching table to show that the supplicant with the MAC address 00:00:00:00:00:01 previously accessing the LAN through the default VLAN is now being learned on the VLAN named vlan-sf:

Display 802.1X protocol information to show that interface ge-0/0/1.0 is connecting and will open LAN access to supplicants:

Meaning

The show vlans command displays interface ge-0/0/1.0 as a member of the default VLAN. The show dot1x interface brief command shows that a supplicant (abc) is authenticated on interface ge-0/0/1.0 and has the MAC address 00:00:00:00:00:01. A RADIUS server timeout occurs, and the authentication server cannot be reached by the switch. The show-ethernet-switching table command shows that MAC address 00:00:00:00:00:01 is learned on VLAN vlan-sf. The supplicant has been moved from the default VLAN to the vlan-sf VLAN. The supplicant is then connected to the LAN through the VLAN named vlan-sf.

Example: Configuring Fallback Options on EX Series Switches for EAP-TTLS Authentication and Odyssey Access Clients

For 802.1X user authentication, EX Series switches support RADIUS authentication servers that are using Extensible Authentication Protocol–Tunneled TLS (EAP-TTLS) to authenticate Odyssey Access Client (OAC) supplicants. OAC networking software runs on endpoint computers (desktop, laptop, or notepad computers and supported wireless devices) and provides secure access to both wired and wireless networks.

This example describes how to configure an 802.1X-enabled interface on the switch to provide fallback support for OAC users who have entered incorrect login credentials:

Requirements

This example uses the following software and hardware components:

Junos OS Release 11.2 or later for EX Series switches
One EX Series switch acting as an authenticator port access entity (PAE). The ports on the authenticator PAE form a control gate that blocks all traffic to and from supplicants until they are authenticated.
One RADIUS authentication server that supports 802.1X. The authentication server acts as the backend database and contains credential information for hosts (supplicants) that have permission to connect to the network.
One OAC end device acting as a supplicant.

Before you begin configuring the fallback option, ensure that you have:

Overview and Topology

OAC is networking software that runs on endpoint computers (desktop, laptop, or notepad) and supported wireless devices. OAC provides full support for EAP, which is required for secure wireless LAN access.

In this topology, OAC is deployed with an 802.1X-enabled switch and a RADIUS server. The switch functions as an enforcement point in the network security architecture. This topology:

Ensures that only authorized users can connect.
Maintains privacy of login credentials.
Maintains data privacy over the wireless link.

This example includes the configuration of a server-reject VLAN on the switch, which can be used to prevent accidental lockout for users who have entered incorrect login credentials. These users can be given limited LAN access.

However, this fallback configuration is complicated by the fact that the OAC supplicant and RADIUS server are using EAP-TTLS. EAP-TTLS creates a secure encrypted tunnel between the server and the end device to complete the authentication process. When the user enters incorrect login credentials, the RADIUS server sends EAP failure messages directly to the client through this tunnel. The EAP failure message causes the client to restart the authentication procedure, so that the switch’s 802.1X authentication process tears down the session that was established with the switch using the server-reject VLAN. You can enable the remedial connection to continue by configuring:

eapol-block—Enable the EAPoL block timer on the 802.1X interface that is configured to belong to the server-reject VLAN. The block timer causes the authentication port access entity to ignore EAP start messages from the client, attempting to restart the authentication procedure.
block-interval—Configure the amount of time that you want the EAPoL block timer to continue to ignore EAP start messages. If you do not configure the block interval, the EAPoL block timer defaults to 120 seconds.

When the 802.1X interface ignores the EAP start messages from the client, the switch allows the existing remedial session that was established through the server-reject VLAN to remain open.

These configuration options apply to single, single-secure, and multiple supplicant authentication modes. In this example, the 802.1X interface is configured in single supplicant mode.

Figure 3 shows an EX Series switch connecting an OAC end device to a RADIUS server, and indicates the protocols being used to connect the network entities.

Table 4 describes the components in this OAC deployment:.

Configuration

CLI Quick Configuration

To quickly configure the fallback options for EAP-TTLS and OAC supplicants, copy the following commands and paste them into the switch terminal window:

Step-by-Step Procedure

To configure the fallback options for EAP-TTLS and OAC supplicants:

Configure a VLAN that will function as the server-reject VLAN to provide limited LAN access for users who have entered incorrect login credentials:
Configure the number of times for the client to be prompted for username and password before an incorrect login is directed to the server-reject VLAN:
Configure the 802.1X authenticator interface to use the server-reject VLAN as a fallback for incorrect logins:
Enable the EAPoL block timer on the 802.1X interface that is configured to belong to the server-reject VLAN.
Configure the amount of time for the EAPoL block to remain in effect:

Results

Check the results of the configuration:

Verification

To confirm that the configuration and the fallback options are working correctly, perform this task:

Источник: [https://torrent-igruha.org/3551-portal.html]

Mobile Net Switch v1.9.3 serial key or number

Android 11 Compatibility Definition

1. Introduction

This document enumerates the requirements that must be met in order for devices to be compatible with Android

The use of “MUST”, “MUST NOT”, “REQUIRED”, “SHALL”, “SHALL NOT”, “SHOULD”, “SHOULD NOT”, “RECOMMENDED”, “MAY”, and “OPTIONAL” is per the IETF standard defined in RFC

As used in this document, a “device implementer” or “implementer” is a person or organization developing a hardware/software solution running Android A “device implementation” or “implementation" is the hardware/software solution so developed.

To be considered compatible with Android 11, device implementations MUST meet the requirements presented in this Compatibility Definition, including any documents incorporated via reference.

Document Structure

Requirements by Device Type

Section 2 contains all of the requirements that apply to a specific device type. Each subsection of Section 2 is dedicated to a specific device type.

Requirement ID

Requirement ID is assigned for MUST requirements.

The ID is assigned for MUST requirements only.
STRONGLY RECOMMENDED requirements are marked as [SR] but ID is not assigned.
The ID consists of : Device Type ID - Condition ID - Requirement ID (e.g. C).

Each ID is defined as below:

Device Type ID (see more in 2. Device Types)
- C: Core (Requirements that are applied to any Android device implementations)
- H: Android Handheld device
- T: Android Television device
- A: Android Automotive implementation
- W: Android Watch implementation
- Tab: Android Tablet implementation
Condition ID
- When the requirement is unconditional, this ID is set as 0.
- When the requirement is conditional, 1 is assigned for the 1st condition and the number increments by 1 within the same section and the same device type.
Requirement ID
- This ID starts from 1 and increments by 1 within the same section and the same condition.

Requirement ID in Section 2

The Requirement ID in Section 2 starts with the corresponding section ID that is followed by the Requirement ID described above.

The ID in Section 2 consists of : Section ID / Device Type ID - Condition ID - Requirement ID (e.g. /A).

2. Device Types

This section describes those device types, and additional requirements and recommendations applicable for each device type.

All Android device implementations that do not fit into any of the described device types MUST still meet all requirements in the other sections of this Compatibility Definition.

Device Configurations

For the major differences in hardware configuration by device type, see the device-specific requirements that follow in this section.

Handheld Requirements

An Android Handheld device refers to an Android device implementation that is typically used by holding it in the hand, such as an mp3 player, phone, or tablet.

Android device implementations are classified as a Handheld if they meet all the following criteria:

Have a power source that provides mobility, such as a battery.
Have a physical diagonal screen size in the range of inches (or inches for devices which launched on an API level earlier than Android 11) to 8 inches.

The additional requirements in the rest of this section are specific to Android Handheld device implementations.

Note: Requirements that do not apply to Android Tablet devices are marked with an *.

Hardware

Handheld device implementations:

[/H] MUST have at least one Android-compatible display that meets all requirements described on this document.
[/H-SR] Are STRONGLY RECOMMENDED to provide users an affordance to change the display size (screen density).

If Handheld device implementations support software screen rotation, they:

[/H]* MUST make the logical screen that is made available for third party applications be at least 2 inches on the short edge(s) and inches on the long edge(s). Devices which launched on an API level earlier than that of this document are exempted from this requirement.

If Handheld device implementations do not support software screen rotation, they:

[/H]* MUST make the logical screen that is made available for third party applications be at least inches on the short edge(s). Devices which launched on an API level earlier than that of this document are exempted from this requirement.

If Handheld device implementations claim support for high dynamic range displays through , they:

[/H] MUST advertise support for the , , , , and extensions.

Handheld device implementations:

[/H] MUST report whether the device supports the GPU profiling capability via a system property .

If Handheld device implementations declare support via a system property , they:

Handheld device implementations:

[/H] MUST include support for legacy application compatibility mode as implemented by the upstream Android open source code. That is, device implementations MUST NOT alter the triggers or thresholds at which compatibility mode is activated, and MUST NOT alter the behavior of the compatibility mode itself.
[/H] MUST include support for third-party Input Method Editor (IME) applications.
[/H] MUST provide the Home function on all the Android-compatible displays that provide the home screen.
[/H] MUST provide the Back function on all the Android-compatible displays and the Recents function on at least one of the Android-compatible displays.
[/H] MUST send both the normal and long press event of the Back function () to the foreground application. These events MUST NOT be consumed by the system and CAN be triggered by outside of the Android device (e.g. external hardware keyboard connected to the Android device).
[/H] MUST support touchscreen input.
[/H-SR] Are STRONGLY RECOMMENDED to launch the user-selected assist app, in other words the app that implements VoiceInteractionService, or an activity handling the on long-press of or if the foreground activity does not handle those long-press events.
[/H-SR] Are STRONGLY RECOMMENDED to include a 3-axis accelerometer.

If Handheld device implementations include a 3-axis accelerometer, they:

[/H] MUST be able to report events up to a frequency of at least Hz.

If Handheld device implementations include a GPS/GNSS receiver and report the capability to applications through the feature flag, they:

[/H] MUST report GNSS measurements, as soon as they are found, even if a location calculated from GPS/GNSS is not yet reported.
[/H] MUST report GNSS pseudoranges and pseudorange rates, that, in open-sky conditions after determining the location, while stationary or moving with less than meter per second squared of acceleration, are sufficient to calculate position within 20 meters, and speed within meters per second, at least 95% of the time.

If Handheld device implementations include a 3-axis gyroscope, they:

[/H] MUST be able to report events up to a frequency of at least Hz.
[/H] MUST be capable of measuring orientation changes up to degrees per second.

Handheld device implementations that can make a voice call and indicate any value other than in :

[/H] SHOULD include a proximity sensor.

Handheld device implementations:

[/H-SR] Are RECOMMENDED to support pose sensor with 6 degrees of freedom.
[/H] SHOULD include support for Bluetooth and Bluetooth LE.

If Handheld device implementations include a metered connection, they:

[/H] MUST provide the data saver mode.

If Handheld device implementations include a logical camera device that lists capabilities using , they:

[/H] MUST have normal field of view (FOV) by default and it MUST be between 50 and 90 degrees.

Handheld device implementations:

[/H] MUST have at least 4 GB of non-volatile storage available for application private data (a.k.a. "/data" partition).
[/H] MUST return “true” for when there is less than 1GB of memory available to the kernel and userspace.

If Handheld device implementations declare support of only a bit ABI:

[/H] The memory available to the kernel and userspace MUST be at least MB if the default display uses framebuffer resolutions up to qHD (e.g. FWVGA).
[/H] The memory available to the kernel and userspace MUST be at least MB if the default display uses framebuffer resolutions up to HD+ (e.g. HD, WSVGA).
[/H] The memory available to the kernel and userspace MUST be at least MB if the default display uses framebuffer resolutions up to FHD (e.g. WSXGA+).
[/H] The memory available to the kernel and userspace MUST be at least MB if the default display uses framebuffer resolutions up to QHD (e.g. QWXGA).

If Handheld device implementations declare support of bit and bit ABIs:

[/H] The memory available to the kernel and userspace MUST be at least MB if the default display uses framebuffer resolutions up to qHD (e.g. FWVGA).
[/H] The memory available to the kernel and userspace MUST be at least MB if the default display uses framebuffer resolutions up to HD+ (e.g. HD, WSVGA).
[/H] The memory available to the kernel and userspace MUST be at least MB if the default display uses framebuffer resolutions up to FHD (e.g. WSXGA+).
[/H] The memory available to the kernel and userspace MUST be at least MB if the default display uses framebuffer resolutions up to QHD (e.g. QWXGA).

If Handheld device implementations include less than or equal to 1GB of memory available to the kernel and userspace, they:

[/H] MUST declare the feature flag .
[/H] MUST have at least GB of non-volatile storage for application private data (a.k.a. "/data" partition).

If Handheld device implementations include more than 1GB of memory available to the kernel and userspace, they:

[/H] MUST have at least 4GB of non-volatile storage available for application private data (a.k.a. "/data" partition).
SHOULD declare the feature flag .

Handheld device implementations:

[/H] MUST NOT provide an application shared storage smaller than 1 GiB.
[/H] SHOULD include a USB port supporting peripheral mode.

If handheld device implementations include a USB port supporting peripheral mode, they:

[/H] MUST implement the Android Open Accessory (AOA) API.

If Handheld device implementations include a USB port supporting host mode, they:

[/H] MUST implement the USB audio class as documented in the Android SDK documentation.

Handheld device implementations:

[/H] MUST include a microphone.
[/H] MUST have an audio output and declare .

If Handheld device implementations are capable of meeting all the performance requirements for supporting VR mode and include support for it, they:

[/H] MUST declare the feature flag.
[/H] MUST include an application implementing that can be enabled by VR applications via .

If Handheld device implementations include one or more USB-C port(s) in host mode and implement (USB audio class), in addition to requirements in section , they:

[/H] MUST provide the following software mapping of HID codes:

Function	Mappings	Context	Behavior
A	HID usage page: 0x0C HID usage: 0x0CD Kernel key: Android key:	Media playback	Input: Short press Output: Play or pause
		Media playback	Input: Long press Output: Launch voice command Sends: if the device is locked or its screen is off. Sends otherwise
		Incoming call	Input: Short press Output: Accept call
		Incoming call	Input: Long press Output: Reject call
		Ongoing call	Input: Short press Output: End call
		Ongoing call	Input: Long press Output: Mute or unmute microphone
B	HID usage page: 0x0C HID usage: 0x0E9 Kernel key: Android key:	Media playback, Ongoing call	Input: Short or long press Output: Increases the system or headset volume
C	HID usage page: 0x0C HID usage: 0x0EA Kernel key: Android key:	Media playback, Ongoing call	Input: Short or long press Output: Decreases the system or headset volume
D	HID usage page: 0x0C HID usage: 0x0CF Kernel key: Android key:	All. Can be triggered in any instance.	Input: Short or long press Output: Launch voice command

[/H] MUST trigger ACTION_HEADSET_PLUG upon a plug insert, but only after the USB audio interfaces and endpoints have been properly enumerated in order to identify the type of terminal connected.

When the USB audio terminal types 0x is detected, they:

[/H] MUST broadcast Intent ACTION_HEADSET_PLUG with "microphone" extra set to 0.

When the USB audio terminal types 0x is detected, they:

[/H] MUST broadcast Intent ACTION_HEADSET_PLUG with "microphone" extra set to 1.

When API manicapital.comices() is called while the USB peripheral is connected they:

[/H] MUST list a device of type manicapital.com_USB_HEADSET and role isSink() if the USB audio terminal type field is 0x
[/H] MUST list a device of type manicapital.com_USB_HEADSET and role isSink() if the USB audio terminal type field is 0x
[/H] MUST list a device of type manicapital.com_USB_HEADSET and role isSource() if the USB audio terminal type field is 0x
[/H] MUST list a device of type manicapital.com_USB_DEVICE and role isSink() if the USB audio terminal type field is 0x
[/H] MUST list a device of type manicapital.com_USB_DEVICE and role isSource() if the USB audio terminal type field is 0x
[/H] MUST list a device of type manicapital.com_USB_DEVICE and role isSink() if the USB audio terminal type field is 0x
[/H] MUST list a device of type manicapital.com_USB_DEVICE and role isSource() if the USB audio terminal type field is 0x
[/H-SR] Are STRONGLY RECOMMENDED upon connection of a USB-C audio peripheral, to perform enumeration of USB descriptors, identify terminal types and broadcast Intent ACTION_HEADSET_PLUG in less than milliseconds.

If Handheld device implementations include at least one haptic actuator, they:

[/H-SR]* Are STRONGLY RECOMMENDED NOT to use an eccentric rotating mass (ERM) haptic actuator(vibrator).
[/H]* SHOULD position the placement of the actuator near the location where the device is typically held or touched by hands.
[/H-SR]* Are STRONGLY RECOMMENDED to implement all public constants for clear haptics in manicapital.comFeedbackConstants namely (CLOCK_TICK, CONTEXT_CLICK, KEYBOARD_PRESS, KEYBOARD_RELEASE, KEYBOARD_TAP, LONG_PRESS, TEXT_HANDLE_MOVE, VIRTUAL_KEY, VIRTUAL_KEY_RELEASE, CONFIRM, REJECT, GESTURE_START and GESTURE_END).
[/H-SR]* Are STRONGLY RECOMMENDED to implement all public constants for clear haptics in manicapital.comionEffect namely (EFFECT_TICK, EFFECT_CLICK, EFFECT_HEAVY_CLICK and EFFECT_DOUBLE_CLICK) and all public constants for rich haptics in manicapital.comition namely (PRIMITIVE_CLICK and PRIMITIVE_TICK).
[/H-SR]* Are STRONGLY RECOMMENDED to use these linked haptic constants mappings.
[/H-SR]* Are STRONGLY RECOMMENDED to follow quality assessment for createOneShot() and createWaveform() API's.
[/H-SR]* Are STRONGLY RECOMMENDED to verify the capabilities for amplitude scalability by running manicapital.comlitudeControl().

Linear resonant actuator (LRA) is a single mass spring system which has a dominant resonant frequency where the mass translates in the direction of desired motion.

If Handheld device implementations include at least one linear resonant actuator, they:

[/H]* SHOULD move the haptic actuator in the X-axis of portrait orientation.

If Handheld device implementations have a haptic actuator which is X-axis Linear resonant actuator (LRA), they:

[/H-SR]* Are STRONGLY RECOMMENDED to have the resonant frequency of the X-axis LRA be under Hz.

If handheld device implementations follow haptic constants mapping, they:

Multimedia

Handheld device implementations MUST support the following audio encoding and decoding formats and make them available to third-party applications:

[/H] AMR-NB
[/H] AMR-WB
[/H] MPEG-4 AAC Profile (AAC LC)
[/H] MPEG-4 HE AAC Profile (AAC+)
[/H] AAC ELD (enhanced low delay AAC)

Handheld device implementations MUST support the following video encoding formats and make them available to third-party applications:

[/H] H AVC
[/H] VP8

Handheld device implementations MUST support the following video decoding formats and make them available to third-party applications:

[/H] H AVC
[/H] H HEVC
[/H] MPEG-4 SP
[/H] VP8
[/H] VP9

Software

Handheld device implementations:

[/H] MUST have an application that handles the , , , and intents as described in the SDK documents, and provide the user affordance to access the document provider data by using API.
[/H]* MUST preload one or more applications or service components with an intent handler, for all the public intent filter patterns defined by the following application intents listed here.
[/H-SR] Are STRONGLY RECOMMENDED to preload an email application which can handle ACTION_SENDTO or ACTION_SEND or ACTION_SEND_MULTIPLE intents to send an email.
[/H] MUST provide a complete implementation of the API.
[/H] MUST include a standalone Browser application for general user web browsing.
[/H-SR] Are STRONGLY RECOMMENDED to implement a default launcher that supports in-app pinning of shortcuts, widgets and widgetFeatures.
[/H-SR] Are STRONGLY RECOMMENDED to implement a default launcher that provides quick access to the additional shortcuts provided by third-party apps through the ShortcutManager API.
[/H-SR] Are STRONGLY RECOMMENDED to include a default launcher app that shows badges for the app icons.
[/H-SR] Are STRONGLY RECOMMENDED to support third-party app widgets.
[/H] MUST allow third-party apps to notify users of notable events through the and API classes.
[/H] MUST support rich notifications.
[/H] MUST support heads-up notifications.
[/H] MUST include a notification shade, providing the user the ability to directly control (e.g. reply, snooze, dismiss, block) the notifications through user affordance such as action buttons or the control panel as implemented in the AOSP.
[/H] MUST display the choices provided through in the notification shade.
[/H-SR] Are STRONGLY RECOMMENDED to display the first choice provided through in the notification shade without additional user interaction.
[/H-SR] Are STRONGLY RECOMMENDED to display all the choices provided through in the notification shade when the user expands all notifications in the notification shade.
[/H-SR] Are STRONGLY RECOMMENDED to display actions for which is set as in-line with the replies displayed by .
[/H-SR] Are STRONGLY RECOMMENDED to implement an assistant on the device to handle the Assist action.

If Handheld device implementations support Assist action, they:

[/H-SR] Are STRONGLY RECOMMENDED to use long press on key as the designated interaction to launch the assist app as described in section MUST launch the user-selected assist app, in other words the app that implements , or an activity handling the intent.

If Handheld device implementations support and group them into a separate section from alerting and silent non-conversation notifications, they:

[/H]* MUST display conversation notifications ahead of non conversation notifications with the exception of ongoing foreground service notifications and importance:high notifications.

If Android Handheld device implementations support a lock screen, they:

[/H] MUST display the Lock screen Notifications including the Media Notification Template.

If Handheld device implementations support a secure lock screen, they:

[/H] MUST implement the full range of device administration policies defined in the Android SDK documentation.
[/H] MUST declare the support of managed profiles via the feature flag, except when the device is configured so that it would report itself as a low RAM device or so that it allocates internal (non-removable) storage as shared storage.

If Handheld device implementations include support for and APIs and allow third-party applications to publish , then they:

[/H] MUST declare the feature flag and set it to .
[/H] MUST provide a user affordance with the ability to add, edit, select, and operate the user’s favorite device controls from the controls registered by the third-party applications through the and the APIs.
[/H] MUST provide access to this user affordance within three interactions from a default Launcher.
[/H] MUST accurately render in this user affordance the name and icon of each third-party app that provides controls via the API as well as any specified fields provided by the APIs.

Conversely, If Handheld device implementations do not implement such controls, they:

Handheld device implementations:

[/H] MUST support third-party accessibility services.
[/H-SR] Are STRONGLY RECOMMENDED to preload accessibility services on the device comparable with or exceeding functionality of the Switch Access and TalkBack (for languages supported by the preinstalled Text-to-speech engine) accessibility services as provided in the talkback open source project.
[/H] MUST support installation of third-party TTS engines.
[/H-SR] Are STRONGLY RECOMMENDED to include a TTS engine supporting the languages available on the device.
[/H-SR] Are STRONGLY RECOMMENDED to include a Quick Settings UI component.

If Android handheld device implementations declare or support, they:

[/H] MUST support the companion device pairing feature.

If the navigation function is provided as an on-screen, gesture-based action:

[/H] The gesture recognition zone for the Home function SHOULD be no higher than 32 dp in height from the bottom of the screen.

If Handheld device implementations provide a navigation function as a gesture from anywhere on the left and right edges of the screen:

[/H] The navigation function's gesture area MUST be less than 40 dp in width on each side. The gesture area SHOULD be 24 dp in width by default.

Performance and Power

[/H] Consistent frame latency. Inconsistent frame latency or a delay to render frames MUST NOT happen more often than 5 frames in a second, and SHOULD be below 1 frames in a second.
[/H] User interface latency. Device implementations MUST ensure low latency user experience by scrolling a list of 10K list entries as defined by the Android Compatibility Test Suite (CTS) in less than 36 secs.
[/H] Task switching. When multiple applications have been launched, re-launching an already-running application after it has been launched MUST take less than 1 second.

Handheld device implementations:

[/H] MUST ensure a sequential write performance of at least 5 MB/s.
[/H] MUST ensure a random write performance of at least MB/s.
[/H] MUST ensure a sequential read performance of at least 15 MB/s.
[/H] MUST ensure a random read performance of at least MB/s.

If Handheld device implementations include features to improve device power management that are included in AOSP or extend the features that are included in AOSP, they:

[/H] MUST provide user affordance to enable and disable the battery saver feature.
[/H] MUST provide user affordance to display all apps that are exempted from App Standby and Doze power-saving modes.

Handheld device implementations:

[/H] MUST provide a per-component power profile that defines the current consumption value for each hardware component and the approximate battery drain caused by the components over time as documented in the Android Open Source Project site.
[/H] MUST report all power consumption values in milliampere hours (mAh).
[/H] MUST report CPU power consumption per each process's UID. The Android Open Source Project meets the requirement through the kernel module implementation.
[/H] MUST make this power usage available via the shell command to the app developer.
[/H] SHOULD be attributed to the hardware component itself if unable to attribute hardware component power usage to an application.

If Handheld device implementations include a screen or video output, they:

Security Model

Handheld device implementations:

[/H] MUST allow third-party apps to access the usage statistics via the permission and provide a user-accessible mechanism to grant or revoke access to such apps in response to the intent.

Handheld device implementations (* Not applicable for Tablet):

[/H]* MUST back up the keystore implementation with an isolated execution environment.
[/H]* MUST have implementations of RSA, AES, ECDSA, and HMAC cryptographic algorithms and MD5, SHA1, and SHA-2 family hash functions to properly support the Android Keystore system's supported algorithms in an area that is securely isolated from the code running on the kernel and above. Secure isolation MUST block all potential mechanisms by which kernel or userspace code might access the internal state of the isolated environment, including DMA. The upstream Android Open Source Project (AOSP) meets this requirement by using the Trusty implementation, but another ARM TrustZone-based solution or a third-party reviewed secure implementation of a proper hypervisor-based isolation are alternative options.
[/H]* MUST perform the lock screen authentication in the isolated execution environment and only when successful, allow the authentication-bound keys to be used. Lock screen credentials MUST be stored in a way that allows only the isolated execution environment to perform lock screen authentication. The upstream Android Open Source Project provides the Gatekeeper Hardware Abstraction Layer (HAL) and Trusty, which can be used to satisfy this requirement.
[/H]* MUST support key attestation where the attestation signing key is protected by secure hardware and signing is performed in secure hardware. The attestation signing keys MUST be shared across large enough number of devices to prevent the keys from being used as device identifiers. One way of meeting this requirement is to share the same attestation key unless at least , units of a given SKU are produced. If more than , units of an SKU are produced, a different key MAY be used for each , units.

When Handheld device implementations support a secure lock screen, they:

[/H] MUST allow the user to choose the shortest sleep timeout, that is a transition time from the unlocked to the locked state, as 15 seconds or less.
[/H] MUST provide user affordance to hide notifications and disable all forms of authentication except for the primary authentication described in Secure Lock Screen. The AOSP meets the requirement as lockdown mode.

Developer Tools and Options Compatibility

Handheld device implementations (* Not applicable for Tablet):

[/H]* MUST support the shell command .

Handheld device implementations (* Not applicable for Tablet):

Perfetto
- [/H]* MUST expose a binary to the shell user which cmdline complies with the perfetto documentation.
- [/H]* The perfetto binary MUST accept as input a protobuf config that complies with the schema defined in the perfetto documentation.
- [/H]* The perfetto binary MUST write as output a protobuf trace that complies with the schema defined in the perfetto documentation.
- [/H]* MUST provide, through the perfetto binary, at least the data sources described in the perfetto documentation.
- [/H]* The perfetto traced daemon MUST be enabled by default (system property ).

Television Requirements

Android device implementations are classified as a Television if they meet all the following criteria:

Have provided a mechanism to remotely control the rendered user interface on the display that might sit ten feet away from the user.
Have an embedded screen display with the diagonal length larger than 24 inches OR include a video output port, such as VGA, HDMI, DisplayPort, or a wireless port for display.

The additional requirements in the rest of this section are specific to Android Television device implementations.

Hardware

Television device implementations:

[/T] MUST support D-pad.
[/T] MUST provide the Home and Back functions.
[/T] MUST send both the normal and long press event of the Back function () to the foreground application.
[/T] MUST include support for game controllers and declare the feature flag.
[/T] SHOULD provide a remote control from which users can access non-touch navigation and core navigation keys inputs.

If Television device implementations include a 3-axis gyroscope, they:

[/T] MUST be able to report events up to a frequency of at least Hz.
[/T] MUST be capable of measuring orientation changes up to degrees per second.

Television device implementations:

[/T] MUST support Bluetooth and Bluetooth LE.
[/T] MUST have at least 4 GB of non-volatile storage available for application private data (a.k.a. "/data" partition).

If Television device implementations include a USB port that supports host mode, they:

[/T] MUST include support for an external camera that connects through this USB port but is not necessarily always connected.

If TV device implementations are bit:

[/T] The memory available to the kernel and userspace MUST be at least MB if any of the following densities are used:
- dpi or higher on small/normal screens
- xhdpi or higher on large screens
- tvdpi or higher on extra large screens

If TV device implementations are bit:

[/T] The memory available to the kernel and userspace MUST be at least MB if any of the following densities are used:
- dpi or higher on small/normal screens
- xhdpi or higher on large screens
- tvdpi or higher on extra large screens

Television device implementations:

[/T] SHOULD include a microphone.
[/T] MUST have an audio output and declare .

Multimedia

Television device implementations MUST support the following audio encoding and decoding formats and make them available to third-party applications:

[/T] MPEG-4 AAC Profile (AAC LC)
[/T] MPEG-4 HE AAC Profile (AAC+)
[/T] AAC ELD (enhanced low delay AAC)

Television device implementations MUST support the following video encoding formats and make them available to third-party applications:

[/T] H
[/T] VP8

Television device implementations:

[/T-SR] Are STRONGLY RECOMMENDED to support H encoding of p and p resolution videos at 30 frames per second.

Television device implementations MUST support the following video decoding formats and make them available to third-party applications:

Television device implementations MUST support MPEG-2 decoding, as detailed in Section , at standard video frame rates and resolutions up to and including:

[/T] HD p at frames per second with Main Profile High Level.
[/T] HD i at frames per second with Main Profile High Level. They MUST deinterlace interlaced MPEG-2 video to its progressive equivalent (e.g. from i at frames per second to p at frames per second) and make it available to third-party applications.

Television device implementations MUST support H decoding, as detailed in Section , at standard video frame rates and resolutions up to and including:

[/T] HD p at 60 frames per second with Baseline Profile
[/T] HD p at 60 frames per second with Main Profile
[/T] HD p at 60 frames per second with High Profile Level

Television device implementations with H hardware decoders MUST support H decoding, as detailed in Section , at standard video frame rates and resolutions up to and including:

[/T] HD p at 60 frames per second with Main Profile Level

If Television device implementations with H hardware decoders support H decoding and the UHD decoding profile, they:

[/T] MUST support UHD p at 60 frames per second with Main10 Level 5 Main Tier profile

Television device implementations MUST support VP8 decoding, as detailed in Section , at standard video frame rates and resolutions up to and including:

[/T] HD p at 60 frames per second decoding profile

Television device implementations with VP9 hardware decoders MUST support VP9 decoding, as detailed in Section , at standard video frame rates and resolutions up to and including:

[/T] HD p at 60 frames per second with profile 0 (8 bit color depth)

If Television device implementations with VP9 hardware decoders support VP9 decoding and the UHD decoding profile, they:

[/T] MUST support UHD p at 60 frames per second with profile 0 (8 bit color depth).
[/T] Are STRONGLY RECOMMENDED to support UHD p at 60 frames per second with profile 2 (10 bit color depth).

Television device implementations:

[/T] MUST include support for system Master Volume and digital audio output volume attenuation on supported outputs, except for compressed audio passthrough output (where no audio decoding is done on the device).

If Television device implementations do not have a built in display, but instead support an external display connected via HDMI, they:

[/T] MUST set the HDMI output mode to select the maximum resolution that can be supported with either a 50Hz or 60Hz refresh rate.
[/T-SR] Are STRONGLY RECOMMENDED to provide a user configurable HDMI refresh rate selector.
[] SHOULD set the HDMI output mode refresh rate to either 50Hz or 60Hz, depending on the video refresh rate for the region the device is sold in.

If Television device implementations do not have a built in display, but instead support an external display connected via HDMI, they:

[/T] MUST support HDCP

If Television device implementations do not support UHD decoding, but instead support an external display connected via HDMI, they:

[/T] MUST support HDCP

Software

Television device implementations:

[3/T] MUST declare the features and .
[/T] MUST preload one or more applications or service components with an intent handler, for all the public intent filter patterns defined by the following application intents listed here.
[/T] MUST provide a complete implementation of the API.

If Android Television device implementations support a lock screen,they:

[/T] MUST display the Lock screen Notifications including the Media Notification Template.

Television device implementations:

[/T-SR] Are STRONGLY RECOMMENDED to support picture-in-picture (PIP) mode multi-window.
[/T] MUST support third-party accessibility services.
[/T-SR] Are STRONGLY RECOMMENDED to preload accessibility services on the device comparable with or exceeding functionality of the Switch Access and TalkBack (for languages supported by the preinstalled Text-to-speech engine) accessibility services as provided in the talkback open source project.

If Television device implementations report the feature , they:

[/T-SR] Are STRONGLY RECOMMENDED to include a TTS engine supporting the languages available on the device.
[/T] MUST support installation of third-party TTS engines.

Television device implementations:

[/T] MUST support TV Input Framework.

Performance and Power

[/T] Consistent frame latency. Inconsistent frame latency or a delay to render frames MUST NOT happen more often than 5 frames in a second, and SHOULD be below 1 frames in a second.
[/T] MUST ensure a sequential write performance of at least 5MB/s.
[/T] MUST ensure a random write performance of at least MB/s.
[/T] MUST ensure a sequential read performance of at least 15MB/s.
[/T] MUST ensure a random read performance of at least MB/s.

If Television device implementations include features to improve device power management that are included in AOSP or extend the features that are included in AOSP, they:

[/T] MUST provide user affordance to enable and disable the battery saver feature.

If Television device implementations do not have a battery they:

If Television device implementations have a battery they:

[/T] MUST provide user affordance to display all apps that are exempted from App Standby and Doze power-saving modes.

Television device implementations:

[/T] MUST provide a per-component power profile that defines the current consumption value for each hardware component and the approximate battery drain caused by the components over time as documented in the Android Open Source Project site.
[/T] MUST report all power consumption values in milliampere hours (mAh).
[/T] MUST report CPU power consumption per each process's UID. The Android Open Source Project meets the requirement through the kernel module implementation.
[/T] SHOULD be attributed to the hardware component itself if unable to attribute hardware component power usage to an application.
[/T] MUST make this power usage available via the shell command to the app developer.

Security Model

Television device implementations:

[/T] MUST back up the keystore implementation with an isolated execution environment.
[/T] MUST have implementations of RSA, AES, ECDSA and HMAC cryptographic algorithms and MD5, SHA1, and SHA-2 family hash functions to properly support the Android Keystore system's supported algorithms in an area that is securely isolated from the code running on the kernel and above. Secure isolation MUST block all potential mechanisms by which kernel or userspace code might access the internal state of the isolated environment, including DMA. The upstream Android Open Source Project (AOSP) meets this requirement by using the Trusty implementation, but another ARM TrustZone-based solution or a third-party reviewed secure implementation of a proper hypervisor-based isolation are alternative options.
[/T] MUST perform the lock screen authentication in the isolated execution environment and only when successful, allow the authentication-bound keys to be used. Lock screen credentials MUST be stored in a way that allows only the isolated execution environment to perform lock screen authentication. The upstream Android Open Source Project provides the Gatekeeper Hardware Abstraction Layer (HAL) and Trusty, which can be used to satisfy this requirement.
[/T] MUST support key attestation where the attestation signing key is protected by secure hardware and signing is performed in secure hardware. The attestation signing keys MUST be shared across large enough number of devices to prevent the keys from being used as device identifiers. One way of meeting this requirement is to share the same attestation key unless at least , units of a given SKU are produced. If more than , units of an SKU are produced, a different key MAY be used for each , units.

If Television device implementations support a secure lock screen, they:

[/T] MUST allow the user to choose the Sleep timeout for transition from the unlocked to the locked state, with a minimum allowable timeout up to 15 seconds or less.