Certificate Enrollment Protocol
This topic explains how you can add support to provision digital certificates for use by apps in the Knox Workspace using the Certificate Enrollment Protocol (CEP) service.
About CEP service
Mobile apps such as email, Wi-Fi, browser, and so on, use digital certificates for authentication, digital signatures, and encryption. CEP enables MDMs and third parties to perform certificate enrollment without any manual intervention.
You can enable certificate enrollment in the Knox platform using different protocols. Samsung Knox CEP service supports the following enrollment protocol standards:
- Simple Certificate Enrollment Protocol (SCEP)
- Certificate Management Protocol (CMP)
- Certificate Management over Cryptographic Message Syntax (CMC)
- Enrollment Over Secure Transport (EST)
SCEP, CMP, and CMC are widely used certificate enrollment protocols that enable provisioning of digital certificates. For more information on SCEP, CMP, and CMC, see Internet Engineering Task Force (IETF) Draft, RFC 4210, and RFC 7030.
CEP service acquires asymmetric keys
Apps use the CEP service to acquire the public part of an asymmetric key. Asymmetric keys have a public part and a private part. The private part never leaves the Keystore, but the public part is distributed freely. An app uses the Samsung Knox CEP service to acquire the public part of the key, encrypt a message, and send the encrypted message to whoever issued the public key. The owner of the key can then use the Keystore's functionality to apply the private part of the asymmetric key to the encrypted message and decrypt it.
Certificate operations using CEP service
Using the Samsung Knox Certificate Enrollment Policy APIs, you can perform the following operations.
- Enroll certificates
- Renew certificates
- Delete certificates
- Check enrollment or renewal status
Install and access CEP service
The IT admin can download the required protocol-specific CEP service APK (SCEP, CMP and EST) from the Samsung Knox website and install the APK either inside the Knox Workspace or in the user space, depending on the requirement.
For example, if the requirement is to provision and manage certificates for apps inside the Knox Workspace only, then you must install the CEP service(s) only inside the Workspace. If the requirement is to provision and manage certificates for apps at user space level, then install the CEP service in the user space to provision and manage certificates.
CEP service only operates within the scope of the Knox Workspace or user space, depending on where it is installed.
MDM agents can call the CEP service(s) present in their own user space or their own Workspace. MDM agents do not have access to a service created outside their scope.
Note: Starting with Knox v2.1, three CEP service APKs are available in Knox Marketplace: SCEP service, CMP service, and the CMC service. You can download and install the service(s) based on your requirements.
Certificate Enrollment Policy (CEP) APIs
To use the Certificate Enrollment Policy (CEP) APIs to provision digital certificates, follow these steps:
- Get an instance of EnterpriseCertEnrollPolicy
- Listen to intents
- Perform certificate enrollment operations
Note: To use the CEP APIs, you must have the com.samsung.android.knox.permission.KNOX_CERTIFICATE_ENROLLMENT permission, which has a protection level of signature.
Obtain an instance of EnterpriseCertEnrollPolicy
This call returns the instance of EnterpriseCertEnrollPolicy, which you can use to connect to the CEP service present in the same user space as the caller and perform certificate enrollment operations.
String cepProtocol = CEPConstants.CERT_PROFILE_TYPE_SCEP; // for SCEP
EnterpriseKnoxManager ekm = EnterpriseKnoxManager.getInstance();
EnterpriseCertEnrollPolicy cep = ekm.getEnterpriseCertEnrollPolicy(context, cepProtocol); // context: the caller's Context
For a CEP service installed in the Knox Workspace, obtain an instance of EnterpriseCertEnrollPolicy from KnoxContainerManager by providing the container ID explicitly. The caller (admin) must be the owner of that Workspace, otherwise the binding is not successful. If you specify an invalid container ID in the call, it returns a null object.
String cepProtocol = CEPConstants.CERT_PROFILE_TYPE_SCEP; // for SCEP
EnterpriseKnoxManager ekm = EnterpriseKnoxManager.getInstance();
// When you create a container successfully, containerID is returned using an intent.
KnoxContainerManager kcm = ekm.getKnoxContainerManager(context, containerID);
EnterpriseCertEnrollPolicy cep = kcm.getEnterpriseCertEnrollPolicy(cepProtocol);
Note: The binding of the certificate enrollment service happens together with the initialization of the EnterpriseCertEnrollPolicy object.
Listen to intents
The caller or agent must listen for the following intent to get the enrollment operation result or status: CEP_ACTION_CERT_ENROLL_STATUS
The CEP_ACTION_SERVICE_DISCONNECTED intent received carries the container ID value in the serviceuserid extra. If the serviceuserid value is 0, the binding or unbinding happened to the CEP service present in the same user space as the caller.
public class EnterpriseCEPPolicyReceiver extends BroadcastReceiver {
    @Override
    public void onReceive(Context context, Intent intent) {
        String action = intent.getAction();
        if (CEPConstants.CEP_ACTION_SERVICE_DISCONNECTED.equalsIgnoreCase(action)) {
            // User ID of the Certificate Enrollment Service that was bound or unbound.
            String serviceUserId = intent.getStringExtra(CEPConstants.EXTRA_SERVICE_USERID);
            // Protocol supported by that Certificate Enrollment Service.
            String serviceProtocol = intent.getStringExtra(CEPConstants.EXTRA_SERVICE_PROTOCOL);
        } else if (CEPConstants.CEP_ACTION_CERT_ENROLL_STATUS.equalsIgnoreCase(action)) {
            // Status of the enrollment request; -1 if the extra is missing.
            int status = intent.getIntExtra(CEPConstants.EXTRA_ENROLL_STATUS, -1);
        }
    }
}
Perform certificate enrollment operations
Using the certificate enrollment APIs, you can perform the following operations.
- Enroll certificate
- Renew certificate
- Delete certificate
- Check enrollment or renewal status
Enroll a certificate
To enroll a user certificate, use the enrollUserCertificate API. This API issues a public key X.509 certificate by sending a self-signed CSR to the CA server for enrolling in the PKI represented by that CA server.
The following sample code illustrates enrolling a user certificate at user space level.
EnterpriseKnoxManager ekm = EnterpriseKnoxManager.getInstance();
try {
    List<String> allowedPackages = new ArrayList<>();
    allowedPackages.add("com.android.email");
    String cepProtocol = CEPConstants.CERT_PROFILE_TYPE_SCEP; // for SCEP
    // enrollmentProfile and hashCACert are prepared beforehand (see "Create the SCEP profile object").
    String refNum = ekm.getEnterpriseCertEnrollPolicy(context, cepProtocol)
            .enrollUserCertificate(enrollmentProfile, allowedPackages, hashCACert);
} catch (SecurityException e) {
    Log.w(TAG, "Exception" + e);
}
Note: The refNum is unique for each transaction. The corresponding request result is broadcast through the broadcast intent CEP_ACTION_CERT_ENROLL_STATUS. Agents can map the refNum and know the status of the corresponding request.
The following sample code example illustrates how to enroll a user certificate in the Knox Workspace.
// When you create a container successfully, containerID is returned using an intent.
// Use this containerID in the following API.
String cepProtocol = CEPConstants.CERT_PROFILE_TYPE_SCEP;
EnterpriseKnoxManager ekm = EnterpriseKnoxManager.getInstance();
KnoxContainerManager kcm = ekm.getKnoxContainerManager(context, containerID);
EnterpriseCertEnrollPolicy mEnterpriseCertEnrollPolicy = kcm.getEnterpriseCertEnrollPolicy(cepProtocol);
try {
    List<String> allowedPackages = new ArrayList<>();
    allowedPackages.add("com.android.email");
    String refNum = mEnterpriseCertEnrollPolicy.enrollUserCertificate(enrollmentProfile, allowedPackages, caCertHash);
} catch (SecurityException e) {
    Log.w(TAG, "Exception" + e);
}
If the certificate enrollment succeeds, the service sends a broadcast with the hash or fingerprint of the received certificate. You must listen for the CEP_ACTION_CERT_ENROLL_STATUS broadcast intent to receive the hash value.
Renew a certificate
To renew an enrolled user certificate, use the renewUserCertificate API. This API renews an existing X.509 certificate and sends a new CSR to the CA server. The CSR is signed using the existing certificate.
If the renewal succeeds, the service sends a broadcast with the hash or fingerprint of the received certificate.
Note: If the Keystore type is CCM, the old key pair is used for generating the CSR.
String cepProtocol = CEPConstants.CERT_PROFILE_TYPE_SCEP; // for SCEP
EnterpriseKnoxManager ekm = EnterpriseKnoxManager.getInstance();
try {
    List<String> allowedPackages = new ArrayList<>();
    allowedPackages.add("com.android.email");
    // certHash identifies the certificate to renew (received in the enrollment broadcast).
    String refNum = ekm.getEnterpriseCertEnrollPolicy(context, cepProtocol)
            .renewUserCertificate(certHash, allowedPackages);
} catch (SecurityException e) {
    Log.w(TAG, "Exception" + e);
}
Note: The CertHash of each alias is sent post-enrollment using the broadcast intent CEP_ACTION_CERT_ENROLL_STATUS. Alternatively, an agent can get the certificate directly from the Android or CCM Keystore using the desired alias and then calculate the CertHash.
Delete a certificate
To delete a user certificate on the device, use the deleteUserCertificate API. This API deletes the local X.509 certificate specified by the certificate hash value.
Note: Deleting a certificate is not the same as certificate revocation. Certificate revocation in the CA server and MDM registry cleanup must be performed out-of-band.
String cepProtocol = CEPConstants.CERT_PROFILE_TYPE_SCEP; // for SCEP
EnterpriseKnoxManager ekm = EnterpriseKnoxManager.getInstance();
try {
    int status = ekm.getEnterpriseCertEnrollPolicy(context, cepProtocol).deleteUserCertificate(certHash);
} catch (SecurityException e) {
    Log.w(TAG, "Exception" + e);
}
Check enrollment or renewal status
To get the status of a certificate enrollment or renewal, use the getCertEnrollmentStatus API. This API returns the certificate enrollment status for the given request ID. The agent or caller must provide the transaction ID (TxId) of the request whose status is expected. The transactionId of each request is sent through the broadcast intent CEP_ACTION_CERT_ENROLL_STATUS.
String cepProtocol = CEPConstants.CERT_PROFILE_TYPE_SCEP; // for SCEP
EnterpriseKnoxManager ekm = EnterpriseKnoxManager.getInstance();
try {
    // transactionId was received in the CEP_ACTION_CERT_ENROLL_STATUS broadcast.
    int status = ekm.getEnterpriseCertEnrollPolicy(context, cepProtocol).getCertEnrollmentStatus(transactionId);
} catch (SecurityException e) {
    Log.w(TAG, "Exception" + e);
}
Enroll a certificate using SCEP
The following example illustrates how an enterprise IT admin provisions a certificate using the Simple Certificate Enrollment Protocol (SCEP) on Samsung Knox devices.
About Simple Certificate Enrollment Protocol
SCEP has the following characteristics.
- Only supports RSA-based cryptography, or asymmetric keys
- Allows the secure issuance of certificates to large numbers of network devices using an automatic enrollment technique
- Specifies how a device communicates with a CA, how it retrieves the CA’s public key, and how to enroll a device with the CA
Prerequisites for enrolling a certificate
The following are the requirements for enrolling a certificate.
- Knox Workspace is installed on a device.
- The MDM has the com.samsung.android.knox.permission.KNOX_CERTIFICATE_ENROLLMENT permission.
- SCEP service is installed in the Knox Workspace.
- A CA server enabled with SCEP support is available. For example, a Windows server 2008 or later versions with NDES enabled, Symantec CA, and so on.
TIMA Keystore (CCM) overview
Perform certificate enrollment
IT admins can trigger certificate enrollment from the MDM/EMM/admin console, passing the SCEP profile to the SCEP service installed on the Knox device.
To trigger a certificate enrollment, perform the following steps.
- Get the challenge password from the SCEP server.
IT admins must get the challenge password from the enterprise SCEP/CA server before triggering a certificate enrollment request.
Note: Each SCEP/CA Server has a different means to retrieve this challenge password.
- Create the SCEP profile object.
Once the MDM agent receives the challenge password from the IT admin, the MDM agent must create the enrollment profile object.
SCEPProfile enrollmentProfile = new SCEPProfile(); // SCEPProfile is a subclass of EnrollmentProfile
enrollmentProfile.scepUrl = "http://host:port/uri";
enrollmentProfile.challengePassword = ""; // challenge password from the CEP server
enrollmentProfile.scepProfileName = "emailprofile"; // SCEP profile name
enrollmentProfile.validitytimeForChallenge = 60; // validity time for the challenge, in minutes
enrollmentProfile.challengeLength = 16; // challenge byte length
enrollmentProfile.setProfileType(CEPConstants.CERT_PROFILE_TYPE_SCEP); // SCEP protocol is used for enrollment
enrollmentProfile.subjectName = "CN=admin"; // subject name for the client certificate
enrollmentProfile.subjectAlterNativeName = "user.name@samsung.com"; // client account's email address
enrollmentProfile.setKeystoreType(CEPConstants.CEP_KEYSTORETYPE_CCM); // keystore type, here CCM
enrollmentProfile.setKeySize(2048);
enrollmentProfile.setKeyPairAlgorithm(CEPConstants.CEP_KEYALGO_TYPE_RSA); // only algorithm supported now
enrollmentProfile.setCertificateAlias("cert");
- Instantiate the CEP for the Knox Workspace.
The agent or caller has to initialize the EnterpriseCertEnrollPolicy.
String cepProtocol = CEPConstants.CERT_PROFILE_TYPE_SCEP;
EnterpriseKnoxManager ekm = EnterpriseKnoxManager.getInstance();
// When you create a container successfully, containerID is returned using an intent.
KnoxContainerManager kcm = ekm.getKnoxContainerManager(context, containerID);
EnterpriseCertEnrollPolicy cep = kcm.getEnterpriseCertEnrollPolicy(cepProtocol);
- Trigger the enrollment operation and store the reference ID:
  - Trigger the enrollment request with the enrollment profile created in step 2.
  - The agent must store the unique RefNum value returned for each transaction (together with the alias).
// cep is the EnterpriseCertEnrollPolicy obtained in step 3.
try {
    List<String> allowedPackages = new ArrayList<>();
    allowedPackages.add("com.android.email");
    String refNum = cep.enrollUserCertificate(enrollmentProfile, allowedPackages, hashCACert);
} catch (SecurityException e) {
    Log.w(TAG, "Exception" + e);
}
- Listen to the receiver and store the broadcast response:
  - The service sends a broadcast for each enrollment/renewal request with the corresponding refNum.
  - Store the values received in the broadcast against the corresponding refNum/alias.
public class CertEnrollBindReceiver extends BroadcastReceiver {
    @Override
    public void onReceive(Context context, Intent intent) {
        if (intent.getAction().equalsIgnoreCase(CEPConstants.CEP_ACTION_CERT_ENROLL_STATUS)) {
            String certHash = intent.getStringExtra(CEPConstants.EXTRA_ENROLL_CERT_HASH);
            String transactionId = intent.getStringExtra(CEPConstants.EXTRA_ENROLL_TRANSACTION_ID);
            String alias = intent.getStringExtra(CEPConstants.EXTRA_ENROLL_ALIAS);
            int status = intent.getIntExtra(CEPConstants.EXTRA_ENROLL_STATUS, -1);
            String refNum = intent.getStringExtra(CEPConstants.EXTRA_ENROLL_REFERENCE_NUMBER);
            // Store the values in the DB against the alias and refNum saved in step 4.
        }
    }
}
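Steps 4 and 5 above, assembled into one receiver that keeps the refNum-to-alias map and cross-checks the broadcast certHash against the certificate actually installed under that alias; this is an added example, not Samsung's code. It assumes the Knox SDK 3.x package names in the imports, a status value of 0 for success (compare with the constants in your CEPConstants), and that the certificate lands in AndroidKeyStore with certHash being the hex SHA-256 of its DER encoding; for the CCM/TIMA Keystore, swap the KeyStore provider and digest accordingly.

```java
import android.content.*;
import android.util.Log;
// Knox SDK 3.x package layout, assumed here; check the API reference for your SDK version.
import com.samsung.android.knox.keystore.CEPConstants;
import com.samsung.android.knox.keystore.EnterpriseCertEnrollPolicy;
import com.samsung.android.knox.keystore.SCEPProfile;
import java.security.KeyStore;
import java.security.MessageDigest;
import java.security.cert.Certificate;
import java.util.List;
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;

/** Issues CEP enrollment requests and matches the status broadcasts back to them by refNum. */
public final class CertEnrollmentTracker extends BroadcastReceiver {
    private static final String TAG = "CertEnrollmentTracker";
    // Assumed success value: compare with the status constants in your CEPConstants.
    private static final int STATUS_SUCCESS = 0;
    private final EnterpriseCertEnrollPolicy cep; // obtained as shown in step 3
    // refNum -> alias for requests that have not yet received CEP_ACTION_CERT_ENROLL_STATUS.
    private final Map<String, String> pendingAliasByRefNum = new ConcurrentHashMap<>();

    public CertEnrollmentTracker(EnterpriseCertEnrollPolicy cep) {
        this.cep = cep;
    }
    // Register for both CEP actions before the first enroll() so no result is missed.
    public void register(Context context) {
        IntentFilter filter = new IntentFilter();
        filter.addAction(CEPConstants.CEP_ACTION_CERT_ENROLL_STATUS);
        filter.addAction(CEPConstants.CEP_ACTION_SERVICE_DISCONNECTED);
        // On API 33+, the broadcast comes from another app, so pass Context.RECEIVER_EXPORTED as flags.
        context.registerReceiver(this, filter);
    }
    // Step 4: submit the profile and remember the refNum with the alias it was issued for.
    public String enroll(SCEPProfile profile, String alias, List<String> allowedPackages, String caCertHash) {
        profile.setCertificateAlias(alias);
        String refNum = cep.enrollUserCertificate(profile, allowedPackages, caCertHash);
        if (refNum != null) pendingAliasByRefNum.put(refNum, alias);
        return refNum;
    }
    // Step 5: correlate the broadcast with a pending request and verify the delivered certificate.
    @Override
    public void onReceive(Context context, Intent intent) {
        String action = intent.getAction();
        if (CEPConstants.CEP_ACTION_SERVICE_DISCONNECTED.equals(action)) {
            // Results for pending refNums will not arrive until the policy object is re-initialised.
            Log.w(TAG, "CEP service unbound, serviceuserid=" + intent.getStringExtra(CEPConstants.EXTRA_SERVICE_USERID)
                    + ", pending requests=" + pendingAliasByRefNum.size());
            return;
        }
        if (!CEPConstants.CEP_ACTION_CERT_ENROLL_STATUS.equals(action)) return;
        String refNum = intent.getStringExtra(CEPConstants.EXTRA_ENROLL_REFERENCE_NUMBER);
        String expectedAlias = refNum == null ? null : pendingAliasByRefNum.remove(refNum);
        if (expectedAlias == null) {
            // refNum is unique per transaction: a result this agent never requested is ignored, not stored.
            Log.w(TAG, "Ignoring status for unknown refNum " + refNum);
            return;
        }
        int status = intent.getIntExtra(CEPConstants.EXTRA_ENROLL_STATUS, -1);
        String alias = intent.getStringExtra(CEPConstants.EXTRA_ENROLL_ALIAS);
        String certHash = intent.getStringExtra(CEPConstants.EXTRA_ENROLL_CERT_HASH);
        String txId = intent.getStringExtra(CEPConstants.EXTRA_ENROLL_TRANSACTION_ID);
        if (status != STATUS_SUCCESS || certHash == null || !expectedAlias.equals(alias)) {
            Log.e(TAG, "Enrollment " + refNum + " (tx " + txId + ") failed, status=" + status);
            return;
        }
        try {
            if (matchesInstalledCert(alias, certHash)) {
                Log.i(TAG, "Alias " + alias + " enrolled and verified, tx " + txId);
                // Persist alias, refNum, txId and certHash here for later renew/delete/status calls.
            } else {
                Log.e(TAG, "certHash for alias " + alias + " does not match the keystore entry");
            }
        } catch (Exception e) {
            Log.e(TAG, "Keystore lookup failed for alias " + alias, e);
        }
    }
    // Assumption: the certificate is in AndroidKeyStore and certHash is hex SHA-256 over its DER
    // encoding; for the CCM/TIMA Keystore swap the provider name and digest accordingly.
    static boolean matchesInstalledCert(String alias, String certHash) throws Exception {
        KeyStore ks = KeyStore.getInstance("AndroidKeyStore");
        ks.load(null);
        Certificate cert = ks.getCertificate(alias);
        if (cert == null) return false;
        StringBuilder hex = new StringBuilder();
        for (byte b : MessageDigest.getInstance("SHA-256").digest(cert.getEncoded())) {
            hex.append(String.format("%02x", b));
        }
        return hex.toString().equalsIgnoreCase(certHash);
    }
}
```

Because refNum is the only correlation key, a status broadcast whose refNum was never issued by this agent is dropped rather than written to the database, and a hash mismatch is logged before anything is persisted.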
Certificate enrollment flow
The following diagram illustrates the certificate enrollment flow.
Storing a CEP service certificate in UCM storage
Apps that acquire a security certificate through Simple Certificate Enrollment Protocol (SCEP) can provide Universal Credential Management (UCM) storage as a valid option for SCEP. Previously, SCEP could only store security certificates in the Android Keystore or Tima Keystore. For more information regarding UCM, refer to the Samsung Knox UCM Developer Guide.
The following steps show, at a high level, the procedure that you need to follow in order to store a SCEP certificate in UCM storage:
- Find the valid credential storage on the device by calling UniversalCredentialManager#getAvailableCredentialStorages().
- Manage the credential storage by calling UniversalCredentialManager#manageCredentialStorage().
- Include your app's own packages in the UCM allowlist by calling UniversalCredentialManager#addPackagesToWhitelist().
- Start certificate enrollment by calling EnterpriseCertEnrollPolicy#enrollUserCertificate(EnrollmentProfile enrollmentProfile, List<String> allowedPackages, String caCertHash).
The UCM storage information is passed from the client in the enrollmentProfile.storageName parameter. The storageName field is defined in the SCEPProfile and CMCProfile classes, both of which are subclasses of EnrollmentProfile.