Password
The page contains critical information about how the Knox 3.x framework handles passwords.
Enforcing password overview
The Knox framework does not enforce a password requirement by default for new Workspaces created under Knox 3.x.
Certain items depend on password being created. For example, Android Key Store (AKS) cannot initialize unless a password is created. Thus, EMM agents cannot provision certificates unless user has set up a password. Similarly cert enrollment using SCEP or other mechanism also requires password to be setup.
EMMs must wait until a password is created before proceeding with items that require password. IT admin MUST specify password policy prior to container creation. Use the following Knox mechanisms to allow specifying password policy.
Workspace prompts users to set their password when it launches.
After the user changes the device or profile password, the onPasswordChanged()
method is called as a result of receiving the ACTION_PASSWORD_CHANGED
status. EMMs can implement this method to know when password has been set. Use the following sample code to get the userId of the user that changed the password.
Public void onPasswordChanged(Context context, Intent intent, UserHandle user) {
int containerId = intent.getExtras().getInt("android.intent.extra.USER_ID");
}
After receiving notification of password change and determining the user that changed the password EMMs can proceed to configure or provision items that require password. For example, after this notification EMMs can start provisioning certificates.
Password updates
Examples
Enforcing password in Workspace 3.2.1
Enforcing password in Workspace 3.0 - 3.2
Knox SDK v3.0 password rules have been modified to extend the functionality of upgrading from an Android PO to a Knox Workspace. As a result, the Workspace password flow has changed and passwords are not enabled by default. This also allows developers to customize their own authentication solution. To ensure a user sets a password on their container, insert the code below in the AdminReceiver class.
@Override
public void onProfileProvisioningComplete(Context context, Intent intent) {
...
EnterpriseDeviceManager edm = EnterpriseDeviceManager.getInstance(context);
PasswordPolicy pp = edm.getPasswordPolicy();
pp.enforcePwdChange();
}
Now a user is prompted to create a password prior to entering the container when a PO is upgraded to a Knox container, with the license activation method.
The container can also be configured to set a password lock delay using setMaximumTimeToLock
.
newConfig.setMaximumTimeToLock(10);
Set Password in Workspace 2.9 and below
If you are using Knox SDK v.2.9 or lower, password is enabled by default. For more information on setting the password in such cases, see the following section.
To set a password for a Knox Workspace, ensure that the container is configured properly prior to being created. This example clones a knox-b2b
container.
KnoxConfigurationType predefinedConfiguration = KnoxContainerManager.getConfigurationTypeByName("knox-b2b");
KnoxConfigurationType newConfig = predefinedConfiguration.clone("custom"); //Clones and assigns a new name
newConfig.setPasswordQuality(DevicePolicyManager.PASSWORD_QUALITY_SOMETHING);
KnoxContainerManager.addConfigurationType(this,newConfig);
KnoxContainerManager.createContainer("custom");
Change Password on device side
The following configurations must be enforced by the IT admin:
- Set password change timeout
- Set password expired date
- Enforce password change
Perform the following procedure:
-
Create the
EnterpriseDeviceManager
object. -
Get the
PasswordPolicy
object. -
Use
setPasswordChangeTimeout
and pass in the amount in minutes. -
Get the
enterpriseDeviceAdmin
. -
Set the password expiration date with
setPasswordExpires
. Pass in the amount in days. -
Enforce a password change with
enforcePwdChange
.EnterpriseDeviceManager edm = EnterpriseDeviceManager.getInstance(context); PasswordPolicy passwordPolicy = edm.getPasswordPolicy(); passwordPolicy.setPasswordChangeTimeout(60); //EDMTestsAdmin extends DeviceAdminReceiver and is notified when password expires ComponentName enterpriseDeviceAdmin = new ComponentName(context, EDMTestsAdmin.class); passwordPolicy.setPasswordExpires(enterpriseDeviceAdmin, 10); passwordPolicy.enforcePwdChange();
On this page
Is this page helpful?