SecurityException on Android 15 and higher

Environment

• Knox SDK
• Devices running Android 15 (Knox 3.11) and higher
• Android Enterprise
• Device administrator mode

Overview

For devices running Android 15 OS (Knox 3.11) and higher, you may encounter a SecurityException when an app running in device administrator mode calls a restricted Knox SDK method:

10-07 16:03:24.931 10322 19931 19931 W MainActivity: SecurityException: java.lang.SecurityException: Caller is not DO or PO or KPU: 10322

Additionally, if an app isn’t running in an Android Enterprise device management mode, you might encounter the following SecurityException when calling Knox remote control methods:

10-11 10:59:48.331 10356 13963 13963 W MainActivity: Exception: java.lang.SecurityException: Caller is not authorized to call RC APIs

Cause

To access the full range of Knox SDK features, apps must run as either an Android Enterprise device owner (DO) of a fully managed device, or a profile owner (PO) of a work profile. Apps running in device administrator mode don’t meet these requirements and lose access to restricted Knox SDK methods.

Remote control features are only accessible to the following:

• Apps running as an Android Enterprise DO or PO
• Apps running in an Android Enterprise managed environment with authorization from a DO or PO

Resolution

To access Knox SDK restricted methods, run the app as a DO of a fully managed device or the PO of a work profile, instead of device administrator mode.

To access Knox SDK remote control features, your app must be running in an Android Enterprise managed environment. You can grant the app permission to access the remote control methods by calling the setAuthorizedScopes() method from the DO or PO app.

Refer to the sample code below:

 AppIdentity appInfo = new AppIdentity("com.test.app", appSignature);
 List scopes = new ArrayList<>();
 scopes.add(ApplicationPolicy.AUTHORIZE_REMOTE_CONTROL);
 try {
     int result = appPolicy.setAuthorizedScopes(appInfo, scopes);
 }