Knox SDK frequently asked questions — Operation

No. There is no limit to the number of applications that can be blocked or allowed using the Knox SDK APIs.

If you come across any API errors, please test your API on the latest binary version. We fix many issues when a new binary is released. You can update to the latest version by using Samsung Smart Switch or FOTA.

Yes. You can use SDP for apps that are either inside or outside the Knox container.

On Android devices, you can store your credentials in these types of Keystores: AndroidCAStore, AndroidKeyStore, BCPKCS12, BKS, BouncyCastle, PKCS12.

On Knox devices, you can also use the more secure TIMA Keystore and TIMA Client Certificate Manager (CCM) Keystore. TIMA CCM currently supports a maximum certificate length of 8192 bytes.

Android apps select a Keystore using the API method: java.security.KeyStore.getInstance(type).

There is no one API method that disables the USB port for everything else besides charging. Instead, you can use the following API methods to disable most of the USB functions:

• setUsbMediaPlayerAvailability()

• setUsbDebuggingEnabled()

• setUsbTethering()

• allowUsbHostStorage()

To disallow MTP (media transfer protocol), you can call the API method setUsbMediaPlayerAvailability(false). Setting this to false blocks MTP, and therefore is no file transfer between a device and computer via USB.

Yes.

No. After setting the API method enforceMultifactorAuthentication() to true, the policy is enforced only after next password change. That is, when the customer opts to change the container password, the only option available is to choose the two-step verification.

The API method enforceMultifactorAuthentication() does not influence the currently set password in any way. If one wants to ensure that the customer will use multifactor authentication as one’s container password, then call the API method passwordPolicy.enforcePwdChange() to force the password change.

IT Admins can configure (allow or disallow) roaming over enterprise APNs using the EnterpriseBillingPolicy.allowRoaming() API method.

By default, roaming over enterprise APN is OFF.

You can call installApplication(String packageName) to install an existing application from the personal side into the Knox Workspace container.

To allow phone numbers or block the incoming and outgoing calls, use the Knox SDK class com.samsung.android.knox.restriction.PhoneRestrictionPolicy.

In order to set a list of phone numbers that would be able to call your device, you must first block all phone numbers (using .* pattern) and then add desired pattern to whitelist which will allow only specific numbers to call your device. Whitelist has a higher priority than blacklist, that is, if you add a specific phone number to the whitelist, it will not be affected by the blacklist pattern.

To allow numbers based on last 3 digits (for example, numbers ending with “111”), use the following API methods:

• setIncomingCallRestriction — use the “.*” pattern. This will block all calls to the device.
• setIncomingCallExceptionPattern — use the “.*111” pattern. This will allow calls (allow) from numbers ending with “111”.

To allow phone numbers based on first 3 digits, you must add appropriate prefixes depending on the country when applying the pattern. For example, “+” (plus) symbol is a special character that must be taken into consideration when creating regular expression pattern.

The correct pattern to block or allow all US numbers should be “\+1[0-9]*”, where “\+” (plus will be interpreted as character), 1 (number one), [0-9]* (can match 0-9) occurring none or more than one time. For example, enter “XXX.* | 1XXX.* | \+1XXX (where XXX are first 3 digits of any phone number and 1 or +1 is the prefix number, for example: “972.*”).

All the regular expressions available in Java can be used in this API method.

To prevent the screen saver from launching when an app is running, add the following line to the Android manifest file:

Also, call the following Android activity class method:

getWindow().addFlags(LayoutParams.FLAG_KEEP_SCREEN_ON);

You can also use the Knox SDK or Knox Customization SDK to change the screen timeout:

setScreenTimeout(int timeout)

The API method in the Knox SDK, setAllowChangeDataSyncPolicy(RCPPolicy.CONTACTS, RCPPolicy.EXPORT_DATA, Boolean), set to true or false enables or disables the option to sync the contacts of the container with the personal side. You can view the function of this feature in the container through Knox Settings > Share data > Contacts (from Knox). So if you set it to false, then the Contacts (from Knox) check box is greyed out and the user cannot sync the contacts. If you set it to true, the user is able to select the Contacts (from Knox) check box, and then the contacts of the container is synced with the personal contacts. You can verify this by going to your contacts app on the personal side, and see if container contacts are listed there.

If you are looking to enable the ability to move contacts off the container to the personal side, you have to enable the API method rcpPolicy.allowMoveFilesToOwner(true). This enables the option in the container to press on a contact and move it to the personal side.

Yes. The RoamingPolicy.setRoamingData(boolean) API method can enable or disable cellular data usage during roaming.

The emulator does not support email policies. You need to use a real device for testing.

The API methods RCPPolicy.setAllowChangeDataSyncPolicy(RCPPolicy.NOTIFICATIONS, RCPPolicy.EXPORT_DATA, true/false) and RCPPolicy.setAllowChangeDataSyncPolicy(RCPPolicy.NOTIFICATIONS, RCPPolicy.IMPORT_DATA, true/false) do not have any function.

The only argument that RCPPolicy.NOTIFICATIONS is used is in:

• RCPPolicy.setAllowChangeDataSyncPolicy(RCPPolicy.NOTIFICATIONS, RCPPolicy.SANITIZE_DATA, true/false)

After setting the setEmergencyCallOnly API method to true, the only allowed calls are of emergency numbers available in your country.

For example, the emergency number in USA is 911 and in most European countries, it is 112.

Any other calls are disallowed.

The Knox SDK method addHomeShortcut() is used to add shortcut icons to the Kiosk mode default home screen while Kiosk mode is enabled (com.samsung.android.knox.application.ApplicationPolicy). When adding two icons to the home screen, they could be stacked (one on top of the other), making that the first icon inaccessible. The Kiosk mode home screen does not allow the user to reposition the icons, the launcher home screen will choose where to position the icons.

Adding some delay (a few seconds) between the addition of shortcut icons is the best solution for the icons to be installed next to each other rather than on top of each other. There is no callback or intent to know the result of the addHomeShortcut() API method.

The following code snippet demonstrates how to add time delay while adding shortcut icons:

 // administrator wants to add a browser shortcut on the home screen
 String packageName = "com.android.browser";
 String homePkgName = null;
 EnterpriseDeviceManager edm = EnterpriseDeviceManager.getInstance(context);
 ApplicationPolicy appPolicy = edm.getApplicationPolicy();

 try {
     boolean result = applicationPolicy.addHomeShortcut(packageName, homePkgName);

     if (result == true) {
         Log.d(TAG, "addHomeShortcut has succeeded!");
     } else {
         Log.d(TAG, "addHomeShortcut has failed.");
     }
 } catch (SecurityException e) {
     Log.w(TAG, "SecurityException: " + e);
 }

Knox Customization policies do not automatically reset to default if you remove the app from your device. You need to remove the Knox Customization policies before you remove the app.

Adding some delay (a few seconds) between the addition of shortcut icons is the best solution for the icons to be installed next to each other rather than on top of each other. There is no callback or intent to know the result of the addHomeShortcut() API method.

For example, the APIs setSettingsHiddenState and setQuickPanelItems are used to hide the Wi-Fi toggle in the notification panel and settings menu. Upon removal of the app, these settings are still hidden and cannot be accessed. Restarting the device does not fix the issue.

To return the device to its default settings:

1. Reinstall the app on the device. You may need to re-enroll the device with your organizations credentials.
2. Remove the policies with the Knox SDK.
3. Remove the app from the device.
4. Restart the device.

The Knox SDK policies should no longer be applied to the device. If you are still having issues with persistent policies after following the steps above, contact Knox Support.

Before, disabling camera in the personal space would not affect the camera in the Knox container. For security reasons, this concept has now changed. Disabling camera in personal space using Knox Standard API would also disable the camera in the Knox container as well.

This new behavior will affect all devices using Android KitKat and newer.

The allowFirmwareRecovery API method is the stricter of the two policies. Having allowFirmwareRecovery set to false disallows all the methods of updating the device firmware, be it flashing via download mode, updating over the air (OTA)(From Knox Standard SDK v2.9, allowFirmwareRecovery does not affect OTA) or via computer using Samsung smart switch.

When the container is in the locked state (locked by the MDM admin):

• Calls to getApplicationStateEnabled() for every package installed in the container return ‘false’,
• Calls to setEnableApplication() for any package in the container return ’true'.

However, upon unlocking the container, every package for which setEnableApplication() had been called, becomes disabled, and disappears from the container’s Apps page and home.

This is a normal, application security behavior. In Android 4.4.2, ‘Lock container’ policy is designed for lost/stolen devices. After locking the container, all of the applications are disabled. Normally, after unlocking the container, container’s applications are re-enabled.

However, when someone tries to enable an application, while the container is locked, it is possible, that it is an attempt to scam/steal confidential data. Due to security reasons, the application is removed from the container, and to be able to use it, it needs to be installed again after unlocking the container.

Because of the security context, it is going to be kept in the current state. Currently, we expect that the only policy that should be allowed to be performed on a locked container is unlock(), which actually unlocks the container.

When a VPN profile name contains whitespaces, createVpnProfile(String profileInfo) call will fail with a return of -1.

Whitespace is not allowed in the profile name of the Knox VPN Parameters JSON.

The standard Android content URI used to access the SMS and MMS is not supported on Samsung devices and leads to NullPointerException. The URI works fine on other Android devices.

Uri uri = Uri.parse(“content://mms-sms/conversations/”); Cursor query = null; query = this.context.getContentResolver().query(uri, null, null, null, null);

To access SMS or MMS on Samsung devices, use either of the below content URIs.

Note that these Samsung-specific content URIs are not part of the Android SDK and so should not be accessed by android applications on non-Samsung devices.

1. content://mms-sms/conversations/?simple=true

   The column projections are:

   • _id

   • date

   • message_count

   • recipient_ids

   • snippet

   • snippet_cs

   • read

   • type

   • error

   • has_attachment

   • unread_count

   • alert_expired

   • reply_all

   • group_snippet

   • message_type

   • display_recipient_ids

   • translate_mode

   • secret_mode

2. content://sms/inbox/

   The column projections are:

   • _id

   • thread_id

   • address

   • person

   • date

   • date_sent

   • protocol

   • read

   • status

   • type

   • reply_path_present

   • subject

   • body

   • service_center

   • locked

   • error_code

   • seen

   • deletable

   • sim_slot

   • sim_imsi

   • hidden

   • group_id

   • group_type

   • delivery_date

   • app_id

   • msg_id

   • callback_number

   • reserved

   • pri

   • teleservice_id

   • link_url

   • svc_cmd

   • svc_cmd_content

   • roam_pending

No, the BrowserPolicy class in Knox SDK applies to native Samsung browser application.

System apps such as Phone, Messaging, and Email can be blacklisted from showing notifications by adding the app package name to addPackagesToNotificationBlackList().

You can use the Knox SDK to add an Access Point Name (APN) to a device. You must provide the following parameters:

• Name
• APN
• MNC
• MCC

There is no validation done when you add an APN. The MNC and MCC values must match the carrier of the device SIM card before the APN is retrieved.

In order to disable location on your device, you can use the setLocationProviderState API method.

This method was part of Knox Standard SDK since MDM 2.0 and is now part of the Knox SDK.

In Android, there are three types of location providers: gps, network, and passive.

If you want to block finding location using gps, call setLocationProviderState(“gps”,false).

If you want to completely block location feature, then you must block all three location providers.

Yes. You can use this API method to set an email signature:

setSignature (String signature)

To clear the signature, you can pass an empty string.

You cannot block multi-window mode through blocklisting. The reason being it is an application that is already preinstalled on the device firmware, and the blocked APIs have no effect on application packages that are already installed.

You must use the API method allowMultiWindowMode(false) to disable multi-window mode.

If the native email app is configured with more than one email account, the email app provides the user with an option to choose an account to use for forwarding emails. For instance, a user has configured two email accounts, E1 and E2, and receives an email on account E1. The native email app provides the user with an option to forward from either E1 (which originally received/owns the email) or E2 (not the owner of that email).

An admin can use the Knox API method setAllowEmailForwarding to turn off the email forwarding option from a specific non-owner email account. By default, the owner email account is always allowed to forward emails. This policy works only with the native Android email app.

Note that Microsoft Exchange ActiveSync email forwarding through a non-owner account may be restricted on Verizon devices.

Also, there is no API available to block the whole forwarding function even from the owner email account because the user can use the “reply” option including the email content to share the email.

The built-in video recording app records both video and audio, so when you set the API method allowAudioRecord to false, both audio and video are blocked.

To record a video when allowAudioRecord is set to false, you must use a custom video recording app that does not record audio or has a separate option to disable audio.

A launcher is an app that provides an alternate desktop for an Android device. It is possible in Android to write custom launcher apps that replace the default launcher that comes with a device.

The Knox SDK and Knox Standard SDK provide a Kiosk mode that lets System Integrators restrict user access to Android features, settings, and apps. You can enable Kiosk mode and specify a launcher app to provide a more controlled environment, for example, so that devices in public kiosks provide access to only one app.

To use a launcher app with Kiosk mode, however, you need to add the following line to the Android manifest file:

<category android:name="android.intent.category.HOME" />

This intent-filter allows you to set the home screen app on a device. Android looks for this particular intent filter. When you install your app with this intent-filter set, your app will appear in the list of installed launchers when users tap the home button.

You can see a more detailed example within the Android SDK, which also comes with a sample launcher. For details about the Kiosk mode provided with the Knox SDK, see the Knox SDK developer guide.

Currently, you can use these hardware with the UCM framework:

• Samsung eSE (embedded Secure Element)
• baiMobile Smart Card Reader

You need to download a hardware-specific APK, which plugs into the UCM framework to handle requests to manage credentials on the hardware.