Back to top

Knox SDK frequently asked questions — VPN

The KeyStore needs to be unlocked before you can set up VPN.

To unlock the KeyStore, call the boolean unlockCredentialStorage(String password) method. In Android versions after 4.0, the system ignores the password argument.

To check if the credential storage has been unlocked:

  1. Instruct the user to enter the device unlock passcode, see code below.

  2. Call getCredentialStorageStatus(). If this returns ERROR_KEYSTORE_NONE, the KeyStore is open.

    EnterpriseDeviceManager edm = EnterpriseDeviceManager.getInstance(context);
    CertificateProvisioning certProvisioning = edm.getCertificateProvisioning();
    try {
        boolean result = certProvisioning.unlockCredentialStorage("abc34567");
        if(true == result) {
            // dialog to set a screen lock was prompted correctly.
    } catch(SecurityException e) {
        Log.w(TAG,"SecurityException: "+e);

This is the expected behavior when you create a VPN profile using the API method call createVpnProfile, then clear certificates using resetCredentialStorage. This happens because createVpnProfile saves the profile to the VPN credential storage, while resetCredentialStorage resets all credential storages including VPN storage. This results in the deletion of the VPN profiles.

Is this page helpful?