
Why do I need to set Lockscreen on devices to install certificates via Knox Manage?

Last updated July 26th, 2023

Environment

  • Knox Manage (KM)
  • Android Enterprise (AE)

Overview

Certificates are widely used for authentication and are generally considered stronger than password-based authentication, because the private key never leaves the device and cannot be phished or reused the way a password can.

Through Knox Manage, certificates can authenticate users for:

  • Wi-Fi: authorizes the device to join an EAP-protected network.
  • VPN: authenticates the device for an encrypted VPN tunnel.
  • Exchange: authenticates the user to Exchange services.

This article explains how to set a lock screen manually so that external certificates can be installed via Knox Manage, and how to confirm that the user certificate is available on the device.

Why do I need to set a Lockscreen on devices to install certificates?

When a certificate is installed on an Android device, its private key is stored in the Android Keystore system. The Keystore keeps cryptographic keys in a secure container (hardware-backed where the device supports it) and makes them difficult to extract from the device.

A key held in the Android Keystore is authorized for use only after the user has been authenticated. The user authenticates with a subset of their secure lock screen credentials (pattern, PIN, password, or biometrics), so without a secure lock screen the platform has no credential to bind the key to. For more details about the Android Keystore system, please review this article.

How do I set Lockscreen on devices manually to install certificates via Knox Manage?

  1. To add an external certificate in Knox Manage, please refer to the external certificates documentation.

  2. Ensure a certificate is added to the Knox Manage console and that a policy which uses the certificate is in place (for example, to configure a Wi-Fi network with EAP-PEAP authentication using an external certificate in Knox Manage, please refer to this knowledge base article).

  3. On the device, the user receives a notification in the Knox Manage agent to download the configuration.

  4. If no policy enforcing a lock screen has been applied to the device, the user receives a pop-up message asking them to set a lock screen before the certificate can be installed.

  5. At this point, if the user does not set a lock screen password, the certificate will not be installed, because the keystore is locked. Until a lock screen password is configured on the device, the Android platform will not authorize use of the keystore and the certificate cannot be installed.

  6. After configuring the lock screen password, the user can check that the user certificate is installed under Settings > Biometrics and security > Other security settings > User certificates.
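The same rule, expressed with Android's public APIs, is shown below as an added example. This is not Knox Manage or Samsung code and does not appear in the original article; it illustrates the Keystore behaviour described above (an authentication-bound key cannot be created without a secure lock screen) and the two checks an administrator or app developer would want around a certificate push: is a secure lock screen present before handing a PKCS#12 blob to the system installer, and is the resulting user certificate actually reachable afterwards. The class name, request code, alias names and method names are assumptions chosen for this example.

```java
import android.app.Activity;
import android.app.KeyguardManager;
import android.content.Context;
import android.content.Intent;
import android.security.KeyChain;
import android.security.KeyChainException;
import android.security.keystore.KeyGenParameterSpec;
import android.security.keystore.KeyProperties;

import java.io.IOException;
import java.security.GeneralSecurityException;
import java.security.KeyPairGenerator;
import java.security.KeyStore;
import java.security.cert.X509Certificate;

/** Illustrative helper (not part of Knox Manage) around the "lock screen first, then certificate" rule. */
public final class LockScreenCertCheck {
    // Assumed values for this example only.
    private static final int REQ_INSTALL_CERT = 1001;
    private static final String PROBE_ALIAS = "lockscreen-probe";

    private LockScreenCertCheck() {}

    /** True when a PIN, pattern, password or biometric-backed credential protects the device (API 23+). */
    public static boolean hasSecureLockScreen(Context ctx) {
        KeyguardManager km = (KeyguardManager) ctx.getSystemService(Context.KEYGUARD_SERVICE);
        return km != null && km.isDeviceSecure();
    }

    /**
     * Demonstrates the platform rule directly: AndroidKeyStore refuses to create a key whose use
     * requires user authentication when no secure lock screen exists (IllegalStateException with
     * the message "Secure lock screen must be enabled to create keys requiring user authentication").
     * Returns true if the probe key could be created; the probe key is deleted again either way.
     */
    public static boolean keystoreAcceptsAuthBoundKeys() {
        try {
            KeyPairGenerator kpg = KeyPairGenerator.getInstance(
                    KeyProperties.KEY_ALGORITHM_EC, "AndroidKeyStore");
            kpg.initialize(new KeyGenParameterSpec.Builder(PROBE_ALIAS, KeyProperties.PURPOSE_SIGN)
                    .setUserAuthenticationRequired(true)
                    // Key stays usable for 30 s after the user unlocks with a lock screen credential.
                    .setUserAuthenticationValidityDurationSeconds(30)
                    .build());
            kpg.generateKeyPair();
            return true;
        } catch (IllegalStateException noLockScreen) {
            return false;
        } catch (GeneralSecurityException e) {
            throw new RuntimeException("Keystore probe failed", e);
        } finally {
            try {
                KeyStore ks = KeyStore.getInstance("AndroidKeyStore");
                ks.load(null);
                ks.deleteEntry(PROBE_ALIAS); // no-op if the key was never created
            } catch (IOException | GeneralSecurityException ignored) {
                // Cleanup is best effort; the probe result is what matters.
            }
        }
    }

    /**
     * Hands a PKCS#12 blob (certificate + private key) to the system certificate installer,
     * but only once a secure lock screen exists. Returning false mirrors the point at which
     * the Knox Manage agent stops and prompts the user to set a lock screen.
     */
    public static boolean startInstall(Activity activity, byte[] pkcs12, String friendlyName) {
        if (!hasSecureLockScreen(activity)) {
            return false;
        }
        Intent install = KeyChain.createInstallIntent();
        install.putExtra(KeyChain.EXTRA_PKCS12, pkcs12);
        install.putExtra(KeyChain.EXTRA_NAME, friendlyName);
        activity.startActivityForResult(install, REQ_INSTALL_CERT);
        return true;
    }

    /**
     * Programmatic equivalent of Settings > Biometrics and security > Other security settings >
     * User certificates for one alias. Must be called off the main thread, and the calling app
     * must already have been granted the alias (via KeyChain.choosePrivateKeyAlias or by a
     * device-owner grant); otherwise the platform returns nothing for it.
     */
    public static X509Certificate installedUserCert(Context ctx, String alias) {
        try {
            X509Certificate[] chain = KeyChain.getCertificateChain(ctx, alias);
            return (chain != null && chain.length > 0) ? chain[0] : null;
        } catch (KeyChainException | InterruptedException e) {
            return null;
        }
    }
}
```

In practice `keystoreAcceptsAuthBoundKeys()` is the quickest way to reproduce the symptom on a test device: run it with no lock screen set and it returns false; set a PIN, run it again and it returns true, which is exactly the transition the Knox Manage agent is waiting for before the certificate from the console can be installed.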
