This page contains critical information about how the Knox 3.x framework handles passwords.

Enforcing password overview

The Knox framework does not enforce a password requirement by default for new Workspaces created under Knox 3.x.

Certain items depend on a password being created. For example, Android Key Store (AKS) cannot initialize unless a password is created. Thus, EMM agents cannot provision certificates unless the user has set up a password. Similarly, certificate enrollment using SCEP or another mechanism also requires a password to be set up.

EMMs must wait until a password is created before proceeding with items that require a password. The IT admin MUST specify the password policy prior to container creation. Use the following Knox mechanisms to specify the password policy.

  1. KnoxConfigurationType
  2. PasswordPolicy

Workspace prompts users to set their password when it launches.

After the user changes the device or profile password, the onPasswordChanged() method is called as a result of receiving the ACTION_PASSWORD_CHANGED status. EMMs can implement this method to know when the password has been set. Use the following sample code to get the userId of the user that changed the password.

public void onPasswordChanged(Context context, Intent intent, UserHandle user) {
 // ID of the user (device or Workspace profile) whose password changed
 int containerId = intent.getExtras().getInt("android.intent.extra.USER_ID");
}

After receiving notification of the password change and determining which user changed the password, EMMs can proceed to configure or provision items that require a password. For example, after this notification EMMs can start provisioning certificates.
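The gating described above, as an added example that is not Samsung's code: the receiver ignores password changes for users other than the Workspace and provisions only once. The class name, preference keys and the provisionCertificates hook are hypothetical, and it assumes the EMM stored the Workspace's container ID when it created the container.

```java
import android.app.admin.DeviceAdminReceiver;
import android.content.Context;
import android.content.Intent;
import android.content.SharedPreferences;
import android.os.UserHandle;

// Added example. All names below except the intent extra are hypothetical.
public abstract class GatedAdminReceiver extends DeviceAdminReceiver {
    private static final String PREFS = "emm_provisioning";
    private static final String KEY_CONTAINER_ID = "container_id";   // saved by the EMM at container creation
    private static final String KEY_CERTS_DONE = "certs_provisioned";
    private static final String EXTRA_USER_ID = "android.intent.extra.USER_ID"; // extra named on this page
    private static final int NO_ID = -1;

    @Override
    public void onPasswordChanged(Context context, Intent intent, UserHandle user) {
        // getIntExtra returns the default when the intent has no extras,
        // where getExtras().getInt() would throw a NullPointerException.
        int changedUserId = intent.getIntExtra(EXTRA_USER_ID, NO_ID);

        SharedPreferences prefs = context.getSharedPreferences(PREFS, Context.MODE_PRIVATE);
        int containerId = prefs.getInt(KEY_CONTAINER_ID, NO_ID);

        // The callback fires for device and profile passwords alike;
        // act only when the Workspace user is the one that changed it.
        if (changedUserId == NO_ID || changedUserId != containerId) {
            return;
        }
        // Later password changes re-trigger this callback; provision once.
        if (prefs.getBoolean(KEY_CERTS_DONE, false)) {
            return;
        }
        // Record success only if enrollment completed, so a failed attempt
        // is retried on the next password change.
        if (provisionCertificates(context, containerId)) {
            prefs.edit().putBoolean(KEY_CERTS_DONE, true).apply();
        }
    }

    /** Implemented by the EMM's concrete receiver: certificate or SCEP enrollment. */
    protected abstract boolean provisionCertificates(Context context, int containerId);
}
```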

Password updates

Examples

Enforcing password in Workspace 3.2.1

Enforcing password in Workspace 3.0 - 3.2

Knox SDK v3.0 password rules have been modified to support upgrading from an Android Profile Owner (PO) to a Knox Workspace. As a result, the Workspace password flow has changed and passwords are not enabled by default. This also allows developers to customize their own authentication solution. To ensure a user sets a password on their container, insert the code below in the AdminReceiver class.

@Override
public void onProfileProvisioningComplete(Context context, Intent intent) {
   ...
   EnterpriseDeviceManager edm = EnterpriseDeviceManager.getInstance(context);
   PasswordPolicy pp = edm.getPasswordPolicy();
   pp.enforcePwdChange();
}

Now, when a PO is upgraded to a Knox container with the license activation method, the user is prompted to create a password before entering the container.

The container can also be configured to set a password lock delay using setMaximumTimeToLock.

newConfig.setMaximumTimeToLock(10);

Set Password in Workspace 2.9 and below

If you are using Knox SDK v2.9 or lower, the password is enabled by default. For more information on setting the password in such cases, see the following section.

To set a password for a Knox Workspace, ensure that the container is configured properly prior to being created. This example clones a knox-b2b container.

KnoxConfigurationType predefinedConfiguration = KnoxContainerManager.getConfigurationTypeByName("knox-b2b");
KnoxConfigurationType newConfig = predefinedConfiguration.clone("custom"); // Clones and assigns a new name
newConfig.setPasswordQuality(DevicePolicyManager.PASSWORD_QUALITY_SOMETHING);
KnoxContainerManager.addConfigurationType(this, newConfig);
KnoxContainerManager.createContainer("custom");

Change Password on device side

The following configurations must be enforced by the IT admin:

  • Set password change timeout
  • Set password expiration date
  • Enforce password change

Perform the following procedure:

  1. Create the EnterpriseDeviceManager object.

  2. Get the PasswordPolicy object.

  3. Use setPasswordChangeTimeout and pass in the amount in minutes.

  4. Get the enterpriseDeviceAdmin.

  5. Set the password expiration date with setPasswordExpires. Pass in the amount in days.

  6. Enforce a password change with enforcePwdChange.

    EnterpriseDeviceManager edm = EnterpriseDeviceManager.getInstance(context);
    PasswordPolicy passwordPolicy = edm.getPasswordPolicy();
    
    passwordPolicy.setPasswordChangeTimeout(60); 
    
    //EDMTestsAdmin extends DeviceAdminReceiver and is notified when password expires
    ComponentName enterpriseDeviceAdmin = new ComponentName(context, EDMTestsAdmin.class); 
    
    passwordPolicy.setPasswordExpires(enterpriseDeviceAdmin, 10);
    passwordPolicy.enforcePwdChange();
    
