Universal Credential Management

Last updated March 7th, 2024

Knox Service Plugin provides a group of policies to manage universal authentication credentials in both external and internal device storage, for example, a smartcard, micro SD card, or embedded Secure Element. Depending upon your network and security needs, you can enable or disable Universal Credential Management (UCM) policies as well as configure advanced settings for your UCM plugins.

Before you can enable UCM plugins for your devices, you must create and configure at least one UCM configuration policy.

Option 1 — Create a UCM configuration

You can create a new UCM configuration from scratch. As an example, the following procedure uses a policy called Screen lock that defines the UCM app, the rules for when it locks, and the other apps that can access credentials.

To create a UCM configuration for screen locking:

  1. On your EMM console, begin editing the app assignment of Knox Service Plugin.

  2. In the managed configuration, under the UCM plugin configurations section, create a new UCM configuration:

    UCM configuration setting: Value
    Name of UCM plugin configuration: Screen lock
    Package name of UCM plugin application: Enter the package name of the UCM app. Visit the app’s page on Google Play to retrieve the package name.
    Credential usage: Screen lock
    Pin properties > PIN timeout type: If the UCM app can cache PINs, select Same as screen lock. When set, the UCM app and the device lock are synchronized, and the device user will always need to re-authenticate with the UCM app after they unlock the device.
    Application access controls > Type of access restrictions: Unrestricted access
    Application access controls > Application signature: For increased security, you can enter the certificate fingerprint of the app’s signature in MD5, SHA-1, or SHA-256 format. For more details about app signing and how to obtain the fingerprint, see Use Play App Signing § Set up and manage Play App Signing in Play Console Help.
    Access control when device or workspace is locked > Lock credential storage when device or workspace is locked: True
    List of apps allowed to access credential storage when locked: Enter a comma-separated list of package names of the apps that can have access to the credentials while the device is locked.

  3. Save the UCM configuration.

  4. Prepare the configuration based on the device management mode:

    • For fully managed devices, set Device-wide policies to True.
    • For devices with a work profile, set Enable work profile policies to True.

  5. Save the app assignment and push it to your devices.

When the managed configuration is applied, the UCM app locks in sync with the device’s lock, and only the allowed apps can access the credentials under the jurisdiction of UCM.
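The values entered in the table above (package names, an optional signing-certificate fingerprint, and a comma-separated allowlist) are easy to mistype in an EMM console. The following added example, which is not part of Knox Service Plugin and does not use its managed-configuration keys, checks those values before they are pushed and shows how a SHA-256 fingerprint is formatted from a DER-encoded signing certificate; the dictionary keys are assumptions chosen for this example.

```python
import hashlib
import re

# Android package-name rule: dot-separated identifiers, at least two segments.
_PKG_RE = re.compile(r"^[A-Za-z][A-Za-z0-9_]*(\.[A-Za-z][A-Za-z0-9_]*)+$")
# Hex-digit length of each fingerprint format the configuration accepts.
_FP_LENGTHS = {32: "MD5", 40: "SHA-1", 64: "SHA-256"}


def is_package_name(name: str) -> bool:
    """True if the string is a syntactically valid Android package name."""
    return bool(_PKG_RE.match(name))


def fingerprint_format(fp: str):
    """Return 'MD5', 'SHA-1' or 'SHA-256' for a well-formed fingerprint, else None."""
    hexdigits = fp.replace(":", "").upper()
    if not re.fullmatch(r"[0-9A-F]+", hexdigits):
        return None
    return _FP_LENGTHS.get(len(hexdigits))


def sha256_fingerprint(cert_der: bytes) -> str:
    """SHA-256 fingerprint of a DER certificate, colon-separated as Play Console shows it."""
    digest = hashlib.sha256(cert_der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def parse_allowlist(value: str) -> list:
    """Split the comma-separated 'apps allowed when locked' value into package names."""
    return [p.strip() for p in value.split(",") if p.strip()]


def validate_ucm_config(cfg: dict) -> list:
    """Return the problems found in a configuration; an empty list means it is well-formed."""
    problems = []
    if not is_package_name(cfg.get("ucm_package", "")):
        problems.append("invalid UCM plugin package name: %r" % cfg.get("ucm_package"))
    sig = cfg.get("signature")
    if sig and fingerprint_format(sig) is None:
        problems.append("application signature is not an MD5, SHA-1 or SHA-256 fingerprint")
    for pkg in parse_allowlist(cfg.get("allowed_when_locked", "")):
        if not is_package_name(pkg):
            problems.append("invalid package name in allowed-when-locked list: %r" % pkg)
    return problems
```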

Option 2 — Use an existing UCM configuration

The following example shows you how to use the Screen lock UCM configuration policy that you created earlier to automatically secure target devices in the High security devices device group when the screen is locked.

  1. After you’ve created the Screen lock UCM configuration policy in your chosen Device Configuration Policy, go to Groups > All groups.

  2. On the All groups page, confirm that the High security devices device group exists. Refer to your UEM console’s help documentation for information on creating a new or editing an existing device group.

  3. Go to the Device Configuration Policy that contains the Screen lock UCM configuration policy > click Assignments > Include tab.

  4. On the Include page, in the Assign to list, select High security devices > click Save.

  5. Depending upon the settings you’ve chosen for deploying Device Configuration Policy changes, the new UCM Configuration Policy is deployed on the devices in the High security devices group.
