Back to top

VPN Chaining

For more information on configuring and troubleshooting the Samsung Knox built-in client, see the KBA on Android VPN Management for Knox.

This section explains how to configure two VPN servers for dual chain encryption.

Dual Chain for Main User, Per-App VPN Connections

Requirements for this configuration:

  • Two VPN clients are needed and the Knox VPN framework.
  • The EMM agent must be installed in the Main user.
  • The VPN clients must be installed in the Main user.

Implement the EMM Agent’s Dual-Chain Configuration and Management Operations

See the GenericVpnPolicy class in the Knox SDK for calls used in the following examples.

  1. The EMM agent has to get the instance of the GenericVpnPolicy object in the KnoxManager class for each client by passing the VPN vendor’s package name as parameter.

    EnterpriseKnoxManager ekm = EnterpriseKnoxManager.getInstance();
    GenericVpnPolicy gm1 = ekm.getGenericVpnPolicy($vpn_client_1_packageName,$userId where VPN client 1 is installed);
    GenericVpnPolicy gm2 = ekm.getGenericVpnPolicy($vpn_client_2_packageName,$userId where VPN client 2 is installed); 
    

    Once the above code executes, the framework tries to bind to the VPN vendor’s application. When the binding succeeds, the framework sends a broadcast message to the EMM agent.

  2. The EMM agent has to listen for the intent action com.samsung.android.mdm.VPN_BIND_RESULT which has the following information:

    • vpn_bind_vendor provides the VPN vendor’s package name
    • vpn_bind_status returns true or false, specifying whether the bind to the VPN vendor’s application was successful or not.
    public class VPNBindReciever extends BroadcastReceiver {
        public static final String ACTION_BIND_RESULT = "com.samsung.android.mdm.VPN_BIND_RESULT";
        public static final String BIND_VENDOR = "vpn_bind_vendor";
        public static final String BIND_STATUS = "vpn_bind_status";
        public void onReceive(Context context, Intent intent) {
            if (intent.getAction().equalsIgnoreCase(ACTION_BIND_RESULT)) {
                String vendorName = intent.getExtra(BIND_VENDOR);
                boolean status = intent.getExtra(BIND_STATUS);
            }
        }
    }
    
  3. Once the received value of vpn_bind_status is true for VPN client 1, calls to GenericVpnPolicy object must reference GenericVpnPolicyObject(gm1). The same is true when vpn_bin_status is true for VPN client 2 GenericVpnPolicyObject(gm2).

The Dual-Chain VPN Profile for a Main User, Per-App Configuration

The instructions for using this dual-chain VPN configuration is based on the following device profile:

gm1.createVpnProfile(String profileInfo):
    "KNOX_VPN_PARAMETERS":{
        "profile_attribute":{
            "profileName":"outer",
            "host":"66.8.250.85",
            "vpn_type":"ipsec",
            "vpn_route_type":1
        },
        "knox":{
             chaining_enabled:0
        },
        "vendor":{
        }
    }

gm2.createVpnProfile(String profileInfo);
    "KNOX_VPN_PARAMETERS":{
        "profile_attribute":{
            "profileName":"inner",
            "host":"66.8.250.86",
            "vpn_type":"ipsec",
            "vpn_route_type":1
        },
        "knox":{
             chaining_enabled:1
        },
        "vendor":{
        }
    }

Manage Dual-Chain VPN for Main User Per-App Connections

The following instructions explain how to create, start, stop and remove the dual-chain VPN connection.

Create and Start a Dual-Chain VPN Connection

The EMM agent must make the following calls to start a VPN connection under the dual-chain configuration described above.

  1. gm1.addPackagesToVpn (String[] packageList, String profileName);
    The packageList must only contain the package name of VPN client 2.
  2. gm2.addPackagesToVpn (String[] packageList, String profileName):
  3. gm1.getState(string profileName); // The return value should be 1 or 5
  4. gm2.getState(string profileName); // The return value should be 1 or 5
  5. gm1.setAutoRetryOnConnectionError(String profileName, boolean enable); //optional
  6. gm2.setAutoRetryOnConnectionError(String profileName, boolean enable); //optional
  7. gm1.setVpnModeOfOperation(String profileName, int vpnMode); //optional
  8. gm2.setVpnModeOfOperation(String profileName, int vpnMode); //optional
  9. gm1.activateVpnProfile(String profileName, true);

Stop the Dual-Chain VPN Connection

The EMM agent must make the following call to stop a dual-chain VPN connection:

  1. gm1.activateVpnProfile(String profileName, false);

Remove the Dual-Chain VPN Connection

The EMM agent must make the following calls to remove a VPN connection from a VPN vendor’s app.

  1. gm1.activateVpnProfile(String profileName, false);
  2. gm1.getState(String profileName); // The return value should be 1 or 5
  3. gm1.removeVpnProfile(String profileName);
  4. gm2.getState(String profileName): // The return value should be 1 or 5
  5. gm2.removeVpnProfile(String profileName);

Dual Chain for Main User-Wide, VPN Connections

Requirements for this configuration:

  • Two VPN clients are needed that support both chaining and the Knox VPN framework.
  • The EMM agent must be installed in the Main user.
  • The VPN clients must be installed in the Main user.

Implement the EMM Agent’s Dual-Chain Configuration and Management Operations

See the GenericVpnPolicy class in the Knox SDK for calls used in the following examples.

  1. The EMM agent has to get the instance of the GenericVpnPolicy object in the KnoxManager class for each client by passing the VPN vendor’s package name as parameter.

    EnterpriseKnoxManager ekm = EnterpriseKnoxManager.getInstance();
    GenericVpnPolicy gm1 = ekm.getGenericVpnPolicy($vpn_client_1_packageName,$userId where VPN client 1 is installed);
    GenericVpnPolicy gm2 = ekm.getGenericVpnPolicy($vpn_client_2_packageName,$userId where VPN client 2 is installed); 
    

    Once the above code executes, the framework tries to bind to the VPN vendor’s application. When the binding succeeds, the framework sends a broadcast message to the EMM agent.

  2. The EMM agent has to listen for the intent action “com.samsung.android.mdm.VPN_BIND_RESULT” which has the following information:

    • vpn_bind_vendor provides the VPN vendor’s package name
    • vpn_bind_status returns true or false, specifying whether the bind to the VPN vendor’s application was successful or not.
    public class VPNBindReceiver extends BroadcastReceiver {
        public static final String ACTION_BIND_RESULT = "com.samsung.android.mdm.VPN_BIND_RESULT";
        public static final String BIND_VENDOR = "vpn_bind_vendor";
        public static final String BIND_STATUS = "vpn_bind_status";
        public void onReceive(Context context, Intent intent) {
            if (intent.getAction().equalsIgnoreCase(ACTION_BIND_RESULT)) {
                String vendorName = intent.getExtra(BIND_VENDOR);
                boolean status = intent.getExtra(BIND_STATUS);
            }
        }
    }
    
  3. Once the received value of vpn_bind_status is true for VPN client 1, calls to GenericVpnPolicy object must reference GenericVpnPolicyObject(gm1). The same is true when vpn_bin_status is true for VPN client 2 GenericVpnPolicyObject(gm2).

The Dual-Chain VPN Profile for a Main-User Wide VPN Configuration

The instructions for using this dual-chain VPN configuration is based on the following device profile:

gm1.createVpnProfile(String profileInfo):
    "KNOX_VPN_PARAMETERS":{
        "profile_attribute":{
            "profileName":"outer",
            "host":"66.8.250.85",
            "vpn_type":"ipsec",
            "vpn_route_type":1
        },
        "knox":{
             chaining_enabled:0
        },
        "vendor":{
        }
    }

gm2.createVpnProfile(String profileInfo);
    "KNOX_VPN_PARAMETERS":{
        "profile_attribute":{
            "profileName":"inner",
            "host":"66.8.250.86",
            "vpn_type":"ipsec",
            "vpn_route_type":1
        },
        "knox":{
             chaining_enabled:1
        },
        "vendor":{
        }
    }

Manage Dual-Chain VPN for Main-User Wide Connections

The following instructions explain how to create, start, stop and remove the dual-chain VPN connection.

Create and Start a Dual-Chain VPN Connection

The EMM agent must make the following calls to start a VPN connection under the dual-chain configuration described above.

  1. gm1.addPackagesToVpn (String[] packageList, String profileName);
    The packageList must only contain the package name of VPN client 2.
  2. gm2.addAllPackagesToVpn (String profileName);
  3. gm1.getState(string profileName); // The return value should be 1 or 5
  4. gm2.getState(string profileName); // The return value should be 1 or 5
  5. gm1.setAutoRetryOnConnectionError(String profileName, boolean enable); //optional
  6. gm2.setAutoRetryOnConnectionError(String profileName, boolean enable); //optional
  7. gm1.setVpnModeOfOperation(String profileName, int vpnMode); //optional
  8. gm2.setVpnModeOfOperation(String profileName, int vpnMode); //optional
  9. gm1.activateVpnProfile(String profileName, true);

Stop the Dual-Chain VPN Connection

The EMM agent must make the following call to stop a dual-chain VPN connection:

  1. gm1.activateVpnProfile(String profileName, false);

Remove the Dual-Chain VPN Connection

The EMM agent must make the following calls to remove a VPN connection from a VPN vendor’s app.

  1. gm1.activateVpnProfile(String profileName, false);
  2. gm1.getState(String profileName); // The return value should be 1 or 5
  3. gm1.removeVpnProfile(String profileName);
  4. gm2.getState(String profileName): // The return value should be 1 or 5
  5. gm2.removeVpnProfile(String profileName);

Dual Chain for CL Container User, Per-App, VPN Connections

Requirements for this configuration:

  • The EMM agent must be installed in the Main user.
  • VPN client 1 and VPN client 2 must both be installed in the container user.

Implement the EMM Agent’s Dual-Chain Configuration and Management Operations

See the GenericVpnPolicy class in the Knox SDK for calls used in the following examples.

  1. The EMM agent has to get the instance of the GenericVpnPolicy object in the KnoxManager class for each client by passing the VPN vendor’s package name as parameter.

    EnterpriseKnoxManager ekm = EnterpriseKnoxManager.getInstance();
    GenericVpnPolicy gm1 = ekm.getGenericVpnPolicy($vpn_client_1_packageName,$userId where VPN client 1 is installed);
    GenericVpnPolicy gm2 = ekm.getGenericVpnPolicy($vpn_client_2_packageName,$userId where VPN client 2 is installed); 
    

    Once the above code executes, the framework tries to bind to the VPN vendor’s application. When the binding succeeds, the framework sends a broadcast message to the EMM agent.

  2. The EMM agent has to listen for the intent action com.samsung.android.mdm.VPN_BIND_RESULT which has the following information:

    • vpn_bind_vendor provides the VPN vendor’s package name
    • vpn_bind_status returns true or false, specifying whether the bind to the VPN vendor’s application was successful or not.
    public class VPNBindReciever extends BroadcastReceiver {
        public static final String ACTION_BIND_RESULT = "com.samsung.android.mdm.VPN_BIND_RESULT";
        public static final String BIND_VENDOR = "vpn_bind_vendor";
        public static final String BIND_STATUS = "vpn_bind_status";
        public void onReceive(Context context, Intent intent) {
            if (intent.getAction().equalsIgnoreCase(ACTION_BIND_RESULT)) {
                String vendorName = intent.getExtra(BIND_VENDOR);
                boolean status = intent.getExtra(BIND_STATUS);
            }
        }
    }
    
  3. Once the received value of vpn_bind_status is true for VPN client 1, calls to GenericVpnPolicy object must reference GenericVpnPolicyObject(gm1). The same is true when vpn_bin_status is true for VPN client 2 GenericVpnPolicyObject(gm2).

The Dual-Chain VPN Profile for a CL Container User, Per-App VPN Configuration

The instructions for using this dual-chain VPN configuration is based on the following device profile:

gm1.createVpnProfile(String profileInfo):
    "KNOX_VPN_PARAMETERS":{
        "profile_attribute":{
            "profileName":"outer",
            "host":"66.8.250.85",
            "vpn_type":"ipsec",
            "vpn_route_type":1
        },
        "knox":{
             chaining_enabled:0
        },
        "vendor":{
        }
    }

gm2.createVpnProfile(String profileInfo);
    "KNOX_VPN_PARAMETERS":{
        "profile_attribute":{
            "profileName":"inner",
            "host":"66.8.250.86",
            "vpn_type":"ipsec",
            "vpn_route_type":1
        },
        "knox":{
             chaining_enabled:1
        },
        "vendor":{
        }
    }

Manage Dual-Chain VPN for CL Container User, Per-App Connections

The following instructions explain how to create, start, stop and remove the dual-chain VPN connection.

Create and Start a Dual-Chain VPN Connection

The EMM agent must make the following calls to start a VPN connection under the dual-chain configuration described above.

  1. gm1.addPackagesToVpn (String[] packageList, String profileName);
    The packageList must only contain the package name of VPN client 2.
  2. gm2.addPackagesToVpn (String profileName);
  3. gm1.getState(string profileName); // The return value should be 1 or 5
  4. gm2.getState(string profileName); // The return value should be 1 or 5
  5. gm1.setAutoRetryOnConnectionError(String profileName, boolean enable); //optional
  6. gm2.setAutoRetryOnConnectionError(String profileName, boolean enable); //optional
  7. gm1.setVpnModeOfOperation(String profileName, int vpnMode); //optional
  8. gm2.setVpnModeOfOperation(String profileName, int vpnMode); //optional
  9. gm1.activateVpnProfile(String profileName, true);

Stop the Dual-Chain VPN Connection

The EMM agent must make the following call to stop a dual-chain VPN connection:

  1. gm1.activateVpnProfile(String profileName, false);

Remove the Dual-Chain VPN Connection

The EMM agent must make the following calls to remove a VPN connection from a VPN vendor’s app.

  1. gm1.activateVpnProfile(String profileName, false);
  2. gm1.getState(String profileName); // The return value should be 1 or 5
  3. gm1.removeVpnProfile(String profileName);
  4. gm2.getState(String profileName): // The return value should be 1 or 5
  5. gm2.removeVpnProfile(String profileName);

Dual Chain for CL Container-Wide VPN Connections

Requirements for this configuration:

  • The EMM agent must be installed in the Main user
  • VPN client 1 and VPN client 2 must both be installed in the container user.

Implement the EMM Agent’s Dual-Chain Configuration and Management Operations

See the GenericVpnPolicy class in the Knox SDK for calls used in the following examples.

  1. The EMM agent has to get the instance of the GenericVpnPolicy object in the KnoxManager class for each client by passing the VPN vendor’s package name as parameter.

    EnterpriseKnoxManager ekm = EnterpriseKnoxManager.getInstance();
    GenericVpnPolicy gm1 = ekm.getGenericVpnPolicy($vpn_client_1_packageName,$userId where VPN client 1 is installed);
    GenericVpnPolicy gm2 = ekm.getGenericVpnPolicy($vpn_client_2_packageName,$userId where VPN client 2 is installed); 
    

    Once the above code executes, the framework tries to bind to the VPN vendor’s application. When the binding succeeds, the framework sends a broadcast message to the EMM agent.

  2. The EMM agent has to listen for the intent action “com.samsung.android.mdm.VPN_BIND_RESULT” which has the following information:

    • vpn_bind_vendor provides the VPN vendor’s package name
    • vpn_bind_status returns true or false, specifying whether the bind to the VPN vendor’s application was successful or not.
    public class VPNBindReciever extends BroadcastReceiver {
        public static final String ACTION_BIND_RESULT = "com.samsung.android.mdm.VPN_BIND_RESULT";
        public static final String BIND_VENDOR = "vpn_bind_vendor";
        public static final String BIND_STATUS = "vpn_bind_status";
        public void onReceive(Context context, Intent intent) {
            if (intent.getAction().equalsIgnoreCase(ACTION_BIND_RESULT)) {
                String vendorName = intent.getExtra(BIND_VENDOR);
                boolean status = intent.getExtra(BIND_STATUS);
            }
        }
    }
    
  3. Once the received value of vpn_bind_status is true for VPN client 1, calls to GenericVpnPolicy object must reference GenericVpnPolicyObject(gm1). The same is true when vpn_bin_status is true for VPN client 2 GenericVpnPolicyObject(gm2).

The Dual-Chain VPN Profile for a CL Container-Wide Configuration

The instructions for using this dual-chain VPN configuration is based on the following device profile:

gm1.createVpnProfile(String profileInfo):
    "KNOX_VPN_PARAMETERS":{
        "profile_attribute":{
            "profileName":"outer",
            "host":"66.8.250.85",
            "vpn_type":"ipsec",
            "vpn_route_type":1
        },
        "knox":{
             chaining_enabled:0
        },
        "vendor":{
        }
    }

gm2.createVpnProfile(String profileInfo);
    "KNOX_VPN_PARAMETERS":{
        "profile_attribute":{
            "profileName":"inner",
            "host":"66.8.250.86",
            "vpn_type":"ipsec",
            "vpn_route_type":1
        },
        "knox":{
             chaining_enabled:1
        },
        "vendor":{
        }
    }

Manage Dual-Chain VPN for CL Container-Wide Connections

The following instructions explain how to create, start, stop and remove the dual-chain VPN connection.

Create and Start a Dual-Chain VPN Connection

The EMM agent must make the following calls to start a VPN connection under the dual-chain configuration described above.

  1. gm1.addPackagesToVpn (String[] packageList, String profileName);
    The packageList must only contain the package name of VPN client 2.
  2. gm2.addAllPackagesToVpn (String profileName);
  3. gm1.getState(string profileName); // The return value should be 1 or 5
  4. gm2.getState(string profileName); // The return value should be 1 or 5
  5. gm1.setAutoRetryOnConnectionError(String profileName, boolean enable); //optional
  6. gm2.setAutoRetryOnConnectionError(String profileName, boolean enable); //optional
  7. gm1.setVpnModeOfOperation(String profileName, int vpnMode); //optional
  8. gm2.setVpnModeOfOperation(String profileName, int vpnMode); //optional
  9. gm1.activateVpnProfile(String profileName, true);

Stop the Dual-Chain VPN Connection

The EMM agent must make the following call to stop a dual-chain VPN connection:

  1. gm1.activateVpnProfile(String profileName, false);

Remove the Dual-Chain VPN Connection

The EMM agent must make the following calls to remove a VPN connection from a VPN vendor’s app.

  1. gm1.activateVpnProfile(String profileName, false);
  2. gm1.getState(String profileName); // The return value should be 1 or 5
  3. gm1.removeVpnProfile(String profileName);
  4. gm2.getState(String profileName): // The return value should be 1 or 5
  5. gm2.removeVpnProfile(String profileName);

Dual Chain for BYOD User, Per-App VPN Connection

Requirements for this configuration:

  • The EMM agent, VPN client 1, and VPN client 2, must all be installed in the container user.

Implement the EMM Agent’s Dual-Chain Configuration and Management Operations

See the GenericVpnPolicy class in the Knox SDK for calls used in the following examples.

  1. The EMM agent has to get the instance of the GenericVpnPolicy object in the KnoxManager class for each client by passing the VPN vendor’s package name as parameter.

    EnterpriseKnoxManager ekm = EnterpriseKnoxManager.getInstance();
    GenericVpnPolicy gm1 = ekm.getGenericVpnPolicy($vpn_client_1_packageName,$userId where VPN client 1 is installed);
    GenericVpnPolicy gm2 = ekm.getGenericVpnPolicy($vpn_client_2_packageName,$userId where VPN client 2 is installed); 
    

    Once the above code executes, the framework tries to bind to the VPN vendor’s application. When the binding succeeds, the framework sends a broadcast message to the EMM agent.

  2. The EMM agent has to listen for the intent action “com.samsung.android.mdm.VPN_BIND_RESULT” which has the following information:

    • vpn_bind_vendor provides the VPN vendor’s package name
    • vpn_bind_status returns true or false, specifying whether the bind to the VPN vendor’s application was successful or not.
    public class VPNBindReciever extends BroadcastReceiver {
        public static final String ACTION_BIND_RESULT = "com.samsung.android.mdm.VPN_BIND_RESULT";
        public static final String BIND_VENDOR = "vpn_bind_vendor";
        public static final String BIND_STATUS = "vpn_bind_status";
        public void onReceive(Context context, Intent intent) {
            if (intent.getAction().equalsIgnoreCase(ACTION_BIND_RESULT)) {
                String vendorName = intent.getExtra(BIND_VENDOR);
                boolean status = intent.getExtra(BIND_STATUS);
            }
        }
    }
    
  3. Once the received value of vpn_bind_status is true for VPN client 1, calls to GenericVpnPolicy object must reference GenericVpnPolicyObject(gm1). The same is true when vpn_bin_status is true for VPN client 2 GenericVpnPolicyObject(gm2).

The Dual-Chain VPN Profile for a BYOD, Per-App Configuration

The instructions for using this dual-chain VPN configuration is based on the following device profile:

gm1.createVpnProfile(String profileInfo):
    "KNOX_VPN_PARAMETERS":{
        "profile_attribute":{
            "profileName":"outer",
            "host":"66.8.250.85",
            "vpn_type":"ipsec",
            "vpn_route_type":1
        },
        "knox":{
             chaining_enabled:0
        },
        "vendor":{
        }
    }

gm2.createVpnProfile(String profileInfo);
    "KNOX_VPN_PARAMETERS":{
        "profile_attribute":{
            "profileName":"inner",
            "host":"66.8.250.86",
            "vpn_type":"ipsec",
            "vpn_route_type":1
        },
        "knox":{
             chaining_enabled:1
        },
        "vendor":{
        }
    }

Manage Dual-Chain VPN for BYOD, Per-App Connections

The following instructions explain how to create, start, stop and remove the dual-chain VPN connection.

Create and Start a Dual-Chain VPN Connection

The EMM agent must make the following calls to start a VPN connection under the dual-chain configuration described above.

  1. gm1.addPackagesToVpn (String[] packageList, String profileName);
    The packageList must only contain the package name of VPN client 2.
  2. gm2.addPackagesToVpn (String[] packageList, String profileName):
  3. gm1.getState(string profileName); // The return value should be 1 or 5
  4. gm2.getState(string profileName); // The return value should be 1 or 5
  5. gm1.setAutoRetryOnConnectionError(String profileName, boolean enable); //optional
  6. gm2.setAutoRetryOnConnectionError(String profileName, boolean enable); //optional
  7. gm1.setVpnModeOfOperation(String profileName, int vpnMode); //optional
  8. gm2.setVpnModeOfOperation(String profileName, int vpnMode); //optional
  9. gm1.activateVpnProfile(String profileName, true);

Stop the Dual-Chain VPN Connection

The EMM agent must make the following call to stop a dual-chain VPN connection:

  1. gm1.activateVpnProfile(String profileName, false);

Remove the Dual-Chain VPN Connection

The EMM agent must make the following calls to remove a VPN connection from a VPN vendor’s app.

  1. gm1.activateVpnProfile(String profileName, false);
  2. gm1.getState(String profileName); // The return value should be 1 or 5
  3. gm1.removeVpnProfile(String profileName);
  4. gm2.getState(String profileName): // The return value should be 1 or 5
  5. gm2.removeVpnProfile(String profileName);

Dual Chain for BYOD User-Wide VPN Connections

Requirements for this configuration:

  • The EMM agent, VPN client 1, and VPN client 2, must all be installed in the container user.

Implement the EMM Agent’s Dual-Chain Configuration and Management Operations

See the GenericVpnPolicy class in the Knox SDK for calls used in the following examples.

  1. The EMM agent has to get the instance of the GenericVpnPolicy object in the KnoxManager class for each client by passing the VPN vendor’s package name as parameter.

    EnterpriseKnoxManager ekm = EnterpriseKnoxManager.getInstance();
    GenericVpnPolicy gm1 = ekm.getGenericVpnPolicy($vpn_client_1_packageName,$userId where VPN client 1 is installed);
    GenericVpnPolicy gm2 = ekm.getGenericVpnPolicy($vpn_client_2_packageName,$userId where VPN client 2 is installed); 
    

    Once the above code executes, the framework tries to bind to the VPN vendor’s application. When the binding succeeds, the framework sends a broadcast message to the EMM agent.

  2. The EMM agent has to listen for the intent action “com.samsung.android.mdm.VPN_BIND_RESULT” which has the following information:

    • vpn_bind_vendor provides the VPN vendor’s package name
    • vpn_bind_status returns true or false, specifying whether the bind to the VPN vendor’s application was successful or not.
    public class VPNBindReciever extends BroadcastReceiver {
        public static final String ACTION_BIND_RESULT = "com.samsung.android.mdm.VPN_BIND_RESULT";
        public static final String BIND_VENDOR = "vpn_bind_vendor";
        public static final String BIND_STATUS = "vpn_bind_status";
        public void onReceive(Context context, Intent intent) {
            if (intent.getAction().equalsIgnoreCase(ACTION_BIND_RESULT)) {
                String vendorName = intent.getExtra(BIND_VENDOR);
                boolean status = intent.getExtra(BIND_STATUS);
            }
        }
    }
    
  3. Once the received value of vpn_bind_status is true for VPN client 1, calls to GenericVpnPolicy object must reference GenericVpnPolicyObject(gm1). The same is true when vpn_bin_status is true for VPN client 2 GenericVpnPolicyObject(gm2).

The Dual-Chain VPN Profile for a BYOD User-Wide Configuration

The instructions for using this dual-chain VPN configuration is based on the following device profile:

gm1.createVpnProfile(String profileInfo):
    "KNOX_VPN_PARAMETERS":{
        "profile_attribute":{
            "profileName":"outer",
            "host":"66.8.250.85",
            "vpn_type":"ipsec",
            "vpn_route_type":1
        },
        "knox":{
             chaining_enabled:0
        },
        "vendor":{
        }
    }

gm2.createVpnProfile(String profileInfo);
    "KNOX_VPN_PARAMETERS":{
        "profile_attribute":{
            "profileName":"inner",
            "host":"66.8.250.86",
            "vpn_type":"ipsec",
            "vpn_route_type":1
        },
        "knox":{
             chaining_enabled:1
        },
        "vendor":{
        }
    }

Manage Dual-Chain VPN for BYOD User-Wide Connections

The following instructions explain how to create, start, stop and remove the dual-chain VPN connection.

Create and Start a Dual-Chain VPN Connection

The EMM agent must make the following calls to start a VPN connection under the dual-chain configuration described above.

  1. gm1.addPackagesToVpn (String[] packageList, String profileName); The packageList must only contain the package name of VPN client 2.
  2. gm2.addAllPackagesToVpn (String[] packageList, String profileName):
  3. gm1.getState(string profileName); // The return value should be 1 or 5
  4. gm2.getState(string profileName); // The return value should be 1 or 5
  5. gm1.setAutoRetryOnConnectionError(String profileName, boolean enable); //optional
  6. gm2.setAutoRetryOnConnectionError(String profileName, boolean enable); //optional
  7. gm1.setVpnModeOfOperation(String profileName, int vpnMode); //optional
  8. gm2.setVpnModeOfOperation(String profileName, int vpnMode); //optional
  9. gm1.activateVpnProfile(String profileName, true);

Stop the Dual-Chain VPN Connection

The EMM agent must make the following call to stop a dual-chain VPN connection:

  1. gm1.activateVpnProfile(String profileName, false);

Remove the Dual-Chain VPN Connection

The EMM agent must make the following calls to remove a VPN connection from a VPN vendor’s app.

  1. gm1.activateVpnProfile(String profileName, false);
  2. gm1.getState(String profileName); // The return value should be 1 or 5
  3. gm1.removeVpnProfile(String profileName);
  4. gm2.getState(String profileName): // The return value should be 1 or 5
  5. gm2.removeVpnProfile(String profileName);

Dual Chain for Cross User, Per-App, VPN Connection

Requirements for this configuration:

  • The EMM agent, VPN client 1, and VPN client 2, must all be installed in the main user.

Implement the EMM Agent’s Dual-Chain Configuration and Management Operations

See the GenericVpnPolicy class in the Knox SDK for calls used in the following examples.

  1. The EMM agent has to get the instance of the GenericVpnPolicy object in the KnoxManager class for each client by passing the VPN vendor’s package name as parameter.

    EnterpriseKnoxManager ekm = EnterpriseKnoxManager.getInstance();
    GenericVpnPolicy gm1 = ekm.getGenericVpnPolicy($vpn_client_1_packageName,$userId where VPN client 1 is installed);
    GenericVpnPolicy gm2 = ekm.getGenericVpnPolicy($vpn_client_2_packageName,$userId where VPN client 2 is installed); 
    

    Once the above code executes, the framework tries to bind to the VPN vendor’s application. When the binding succeeds, the framework sends a broadcast message to the EMM agent.

  2. The EMM agent has to listen for the intent action “com.samsung.android.mdm.VPN_BIND_RESULT” which has the following information:

    • vpn_bind_vendor provides the VPN vendor’s package name
    • vpn_bind_status returns true or false, specifying whether the bind to the VPN vendor’s application was successful or not.
    public class VPNBindReciever extends BroadcastReceiver {
        public static final String ACTION_BIND_RESULT = "com.samsung.android.mdm.VPN_BIND_RESULT";
        public static final String BIND_VENDOR = "vpn_bind_vendor";
        public static final String BIND_STATUS = "vpn_bind_status";
        public void onReceive(Context context, Intent intent) {
            if (intent.getAction().equalsIgnoreCase(ACTION_BIND_RESULT)) {
                String vendorName = intent.getExtra(BIND_VENDOR);
                boolean status = intent.getExtra(BIND_STATUS);
            }
        }
    }
    
  3. Once the received value of vpn_bind_status is true for VPN client 1, calls to GenericVpnPolicy object must reference GenericVpnPolicyObject(gm1). The same is true when vpn_bin_status is true for VPN client 2 GenericVpnPolicyObject(gm2).

The Dual-Chain VPN Profile for a Cross-User, Per-App Configuration

The instructions for using this dual-chain VPN configuration is based on the following device profile:

gm1.createVpnProfile(String profileInfo):
    "KNOX_VPN_PARAMETERS":{
        "profile_attribute":{
            "profileName":"outer",
            "host":"66.8.250.85",
            "vpn_type":"ipsec",
            "vpn_route_type":1
        },
        "knox":{
             chaining_enabled:0
        },
        "vendor":{
        }
    }

gm2.createVpnProfile(String profileInfo);
    "KNOX_VPN_PARAMETERS":{
        "profile_attribute":{
            "profileName":"inner",
            "host":"66.8.250.86",
            "vpn_type":"ipsec",
            "vpn_route_type":1
        },
        "knox":{
             chaining_enabled:1
        },
        "vendor":{
        }
    }

Manage Dual-Chain VPN for Cross-User Per-App Connections

The following instructions explain how to create, start, stop and remove the dual-chain VPN connection.

Create and Start a Dual-Chain VPN Connection

The EMM agent must make the following calls to start a VPN connection under the dual-chain configuration described above.

  1. gm1.addPackagesToVpn (String[] packageList, String profileName);
    The packageList must only contain the package name of VPN client 2.
  2. gm2.addPackagesToVpn (String[] packageList, String profileName);
  3. gm2.addContainerPackagesToVpn ($container-id, String[] packageList, String profileName);
    where $container-id is owned by the EMM agent.
  4. gm1.getState(string profileName); // The return value should be 1 or 5
  5. gm2.getState(string profileName); // The return value should be 1 or 5
  6. gm1.setAutoRetryOnConnectionError(String profileName, boolean enable); //optional
  7. gm2.setAutoRetryOnConnectionError(String profileName, boolean enable); //optional
  8. gm1.setVpnModeOfOperation(String profileName, int vpnMode); //optional
  9. gm2.setVpnModeOfOperation(String profileName, int vpnMode); //optional
  10. gm1.activateVpnProfile(String profileName, true);

Stop the Dual-Chain VPN Connection

The EMM agent must make the following call to stop a dual-chain VPN connection:

  1. gm1.activateVpnProfile(String profileName, false);

Remove the Dual-Chain VPN Connection

The EMM agent must make the following calls to remove a VPN connection from a VPN vendor’s app.

  1. gm1.activateVpnProfile(String profileName, false);
  2. gm1.getState(String profileName); // The return value should be 1 or 5
  3. gm1.removeVpnProfile(String profileName);
  4. gm2.getState(String profileName): // The return value should be 1 or 5
  5. gm2.removeVpnProfile(String profileName);

Dual Chain for Cross User-Wide or Device-Wide Connections

Requirements for this configuration:

  • The EMM agent, VPN client 1, and VPN client 2, must all be installed in the main user.

Implement the EMM Agent’s Dual-Chain Configuration and Management Operations

See the GenericVpnPolicy class in the Knox SDK for calls used in the following examples.

  1. The EMM agent has to get the instance of the GenericVpnPolicy object in the KnoxManager class for each client by passing the VPN vendor’s package name as parameter.

    EnterpriseKnoxManager ekm = EnterpriseKnoxManager.getInstance();
    GenericVpnPolicy gm1 = ekm.getGenericVpnPolicy($vpn_client_1_packageName,$userId where VPN client 1 is installed);
    GenericVpnPolicy gm2 = ekm.getGenericVpnPolicy($vpn_client_2_packageName,$userId where VPN client 2 is installed);
    

    Once the above code executes, the framework tries to bind to the VPN vendor’s application. When the binding succeeds, the framework sends a broadcast message to the EMM agent.

  2. The EMM agent has to listen for the intent action com.samsung.android.mdm.VPN_BIND_RESULT which has the following information:

    • vpn_bind_vendor provides the VPN vendor’s package name
    • vpn_bind_status returns true or false, specifying whether the bind to the VPN vendor’s application was successful or not.
    public class VPNBindReciever extends BroadcastReceiver {
        public static final String ACTION_BIND_RESULT = "com.samsung.android.mdm.VPN_BIND_RESULT";
        public static final String BIND_VENDOR = "vpn_bind_vendor";
        public static final String BIND_STATUS = "vpn_bind_status";
        public void onReceive(Context context, Intent intent) {
            if (intent.getAction().equalsIgnoreCase(ACTION_BIND_RESULT)) {
                String vendorName = intent.getExtra(BIND_VENDOR);
                boolean status = intent.getExtra(BIND_STATUS);
            }
        }
    }
    
  3. Once the received value of vpn_bind_status is true for VPN client 1, calls to GenericVpnPolicy object must reference GenericVpnPolicyObject(gm1). The same is true when vpn_bin_status is true for VPN client 2 GenericVpnPolicyObject(gm2).

The Dual-Chain VPN Profile for a Cross User-Wide or Device Wide Configuration

The instructions for using this dual-chain VPN configuration is based on the following device profile:

gm1.createVpnProfile(String profileInfo):
    "KNOX_VPN_PARAMETERS":{
        "profile_attribute":{
            "profileName":"outer",
            "host":"66.8.250.85",
            "vpn_type":"ipsec",
            "vpn_route_type":1
        },
        "knox":{
             chaining_enabled:0
        },
        "vendor":{
        }
    }

gm2.createVpnProfile(String profileInfo);
    "KNOX_VPN_PARAMETERS":{
        "profile_attribute":{
            "profileName":"inner",
            "host":"66.8.250.86",
            "vpn_type":"ipsec",
            "vpn_route_type":1
        },
        "knox":{
             chaining_enabled:1
        },
        "vendor":{
        }
    }

Manage Dual-Chain VPN for Cross User-Wide or Device-Wide Connections

The following instructions explain how to create, start, stop and remove the dual-chain VPN connection.

Create and Start a Dual-Chain VPN Connection

The EMM agent must make the following calls to start a VPN connection under the dual-chain configuration described above.

  1. gm1.addPackagesToVpn (String[] packageList, String profileName); The packageList must only contain the package name of VPN client 2.
  2. gm2.addAllPackagesToVpn (String profileName);
  3. gm2.addAllContainerPackagesToVpn ($container-id, String profileName); where $container-id is owned by the EMM agent.
  4. gm1.getState(string profileName); // The return value should be 1 or 5
  5. gm2.getState(string profileName); // The return value should be 1 or 5
  6. gm1.setAutoRetryOnConnectionError(String profileName, boolean enable); //optional
  7. gm2.setAutoRetryOnConnectionError(String profileName, boolean enable); //optional
  8. gm1.setVpnModeOfOperation(String profileName, int vpnMode); //optional
  9. gm2.setVpnModeOfOperation(String profileName, int vpnMode); //optional
  10. gm1.activateVpnProfile(String profileName, true);

Stop the Dual-Chain VPN Connection

The EMM agent must make the following call to stop a dual-chain VPN connection:

  1. gm1.activateVpnProfile(String profileName, false);

Remove the Dual-Chain VPN Connection

The EMM agent must make the following calls to remove a VPN connection from a VPN vendor’s app.

  1. gm1.activateVpnProfile(String profileName, false);
  2. gm1.getState(String profileName); // The return value should be 1 or 5
  3. gm1.removeVpnProfile(String profileName);
  4. gm2.getState(String profileName): // The return value should be 1 or 5
  5. gm2.removeVpnProfile(String profileName);

On this page

Is this page helpful?