Knox SDK frequently asked questions — VPN

Last updated June 8th, 2026

The KeyStore needs to be unlocked before you can set up VPN.

To unlock the KeyStore, call the boolean unlockCredentialStorage(String password) method. In Android versions after 4.0, the system ignores the password argument.

To check if the credential storage has been unlocked:

  1. Instruct the user to enter the device unlock passcode (see the code below).

  2. Call getCredentialStorageStatus(). If this returns ERROR_KEYSTORE_NONE, the KeyStore is open.

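    import android.util.Log;
    import com.samsung.android.knox.EnterpriseDeviceManager;
    import com.samsung.android.knox.keystore.CertificateProvisioning;

    // context and TAG come from the enclosing class.
    EnterpriseDeviceManager edm = EnterpriseDeviceManager.getInstance(context);
    CertificateProvisioning certProvisioning = edm.getCertificateProvisioning();
    try {
        // In Android versions after 4.0 the system ignores the password argument.
        boolean result = certProvisioning.unlockCredentialStorage("abc34567");
        if (result) {
            // The dialog to set a screen lock was prompted correctly.
        }
    } catch (SecurityException e) {
        // Thrown when the caller is not permitted to use this API.
        Log.w(TAG, "SecurityException: " + e);
    }
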

Deletion of VPN profiles is the expected behavior when you create a VPN profile using the API method call createVpnProfile, then clear certificates using resetCredentialStorage. This happens because createVpnProfile saves the profile to the VPN credential storage, while resetCredentialStorage resets all credential storages, including the VPN storage, so the VPN profiles are deleted along with the certificates.

AlwaysOn

  • This feature is offered by Android when the VPN client uses the Android VPN framework.
  • On the device UI, the Android framework shows a non-dismissible key icon when the device is not connected to the VPN server.
  • The Always-on feature is optional and can be turned on or off by the VPN client.
  • Lockdown functionality is optional, and the default option applies to apps not added to the VPN as well.

KeepOn

  • This feature is offered by Knox when the VPN client uses the Samsung Knox VPN framework.
  • On the device UI, the Knox framework does not show the lock icon when the device is not connected to the VPN server.
  • The Keep-on feature is not optional and is turned on by default by the framework module.
  • Lockdown functionality is enabled by default and is applied only to apps added to the VPN configuration.
