Knox SDK frequently asked questions — Installation
If you have migrated from the Eclipse IDE to Google’s Android Studio IDE, you can use an SDK packaged as an Eclipse add-on as follows:
- Download the SDK.
- Extract the SDK’s add-on.ZIP package into the folder: <android-sdk>\add-ons.
In Android Studio:
- Create a new Android Application project.
- Select the target platform, for example, Phone and Tablet.
- For the Minimum SDK, select the add-on, for example, Knox Customization 2.5 Add-on.
If the add-on is not available in the Minimum SDK list:
- Select any other SDK (for example, API 19) and create the project.
- Open the
build.gradlefile for the app and change the compileSdkVersion to the add-on, for example,
Samsung Electronics Co., Ltd.:Knox Customization 2.5 Addon:21
You can now access the APIs from this add-on.
Yes, use the ApplicationPolicy class to install apps without user interaction.
//sample test package name
String testpackageName = "com.sample.packagename";
EnterpriseDeviceManager edm = EnterpriseDeviceManager.getInstance(context);
ApplicationPolicy appPolicy = edm.getApplicationPolicy();
try {
boolean result = appPolicy.installApplication(testpackageName);
if (true == result) {
Log.d(TAG, "Installing an application package has been successful!");
} else {
Log.w(TAG, "Installing an application package has failed.");
}
} catch (SecurityException e) {
Log.w(TAG, "SecurityException: " + e);
}
This can also be done inside a container.
//sample test package name
String testpackageName = "com.sample.packagename";
// When you create container successfully, containerID will be returned via intent.
// Use this containerID in below API.
EnterpriseKnoxManager ekm = EnterpriseKnoxManager.getInstance(context);
KnoxContainerManager kcm = ekm.getKnoxContainerManager(containerID);
ApplicationPolicy appPolicy = kcm.getApplicationPolicy();
try {
boolean result = appPolicy.installApplication(testpackageName);
if (true == result) {
Log.d(TAG, "Installing an application package has been successful!");
} else {
Log.w(TAG, "Installing an application package has failed.");
}
} catch (SecurityException e) {
Log.w(TAG, "SecurityException: " + e);
}
The addAppPackageNameToBlackList(packageName) API method blocks the app from installation. You can still be able to download the app from android app stores (for example: Google Play). The policy is enforced when trying to install the app, where the end user is presented with a message stating that the security policy prevents installation of this application.
Call the API method getInstalledApplicationsIDList() for list of app package names in the current user space where the calling app is installed.
You can use these API calls to identify the trusted or untrusted Certificate Authorities (CAs), and block apps from untrusted CAs:
- To add a certificate to the trusted list, call the addTrustedCaCertificateList(list) API method. All certificates that are not in this trusted list are considered untrusted.
- To add a certificate to the untrusted list, call the addUntrustedCertificateList(list) API method.
- To block the installation of apps signed by untrusted certificates, call the setNonTrustedAppInstallBlock(enable) API method.
You might see this message in these scenarios:
Device user installs an app blocked by corporate policy
An enterprise can use an MDM system to define the apps that employees are or are not allowed to install on mobile devices. This is for security purposes, to prevent unauthorized apps from potentially interfering with devices and apps used to manage private company assets.
If you see this message, this means there is an app blocking policy applied on your device. Only an enterprise IT admin with access to the MDM system can modify the policy. You should consult with the IT admin to determine if the app you want to install can be allowed, by either adding it to an app allow list or removing it from an app block list.
How IT admins unblock an app depends on the MDM system and whether the Knox Service Plugin is being used.
MDM developer re-installs an MDM app
MDM developers might also see the message if you do the following:
- Install an MDM app onto a device, for example, using Android Studio ADB.
- Create a work profile.
- Change the MDM app code and install it on the device again.
The Android Multiple User Framework attempts to install the MDM app into all user spaces, including the work profile. For security reasons, you cannot use ADB to install apps into the work profile.
You must remove the work profile before you can re-install your MDM app. To do this, disable the Device Administrator from Settings Security Device Administrators. If you need to re-install your MDM app regularly, for debugging purposes, you should programmatically do this as an active admin by calling:
ComponentName devAdminReceiver = new ComponentName(getBaseContext(), TestAdmin.class);
// Context and class name of your device admin
DevicePolicyManager dpm = (DevicePolicyManager)getBaseContext().getSystemService(Context.DEVICE_POLICY_SERVICE);
dpm.removeActiveAdmin(devAdminReceiver);
There is no API method to prevent end users from manually installing certificates.
However, you can use the API method CertificatePolicy.addTrustedCaCertificateList to create an allowlist of certificates that are allowed to be installed.
No, this API will install a package given to specific user space, provided given package is already present in one of the user space.
Yes, the API method setApplicationUninstallationDisabled (String packageName) is User Scope’s API, so it can work inside a container as well.
The SecurityPolicy.installCertificate API method has been deprecated since Knox Standard SDK version 5.0. In newer SDK versions, using this API can cause unfavorable results. It is recommended to use the com.samsung.android.knox.keystore.ClientCertificateManager.installCertificateToKeystore API method instead.
Is this page helpful?