Summary: Constants | Methods | Inherited Methods | [Expand All]

Since: API level 2

public class

PasswordPolicy

extends Object

java.lang.Object
↳	com.samsung.android.knox.devicesecurity.PasswordPolicy

Class Overview

This class provides APIs to control settings related to the device password. Most clients of this class must have published a DeviceAdminReceiver that the user has currently enabled, as it makes use of the DevicePolicyManager.

Since

API level 2

MDM 2.0

Summary

Constants
int	BIOMETRIC_AUTHENTICATION_FACE	Lockscreen FACE biometric authentication option
int	BIOMETRIC_AUTHENTICATION_FINGERPRINT	Lockscreen Fingerprint biometric authentication option
int	BIOMETRIC_AUTHENTICATION_IRIS	Deprecated in API level 33

Public Methods
boolean	deleteAllRestrictions() API to remove all patterns set by a specific administrator.
boolean	enforcePwdChange() API to enforce password change.
boolean	excludeExternalStorageForFailedPasswordsWipe(boolean enable) API to include or exclude external storage when device is wiped due to exceeding maximum number of failed password attempts.
AuthenticationConfig	getEnterpriseIdentityAuthentication() Deprecated in API level 30 NOTE: This API is not available since Android 10.
List<String>	getForbiddenStrings(boolean allAdmins) API to retrieve the forbidden strings that cannot be used in the device password.
int	getMaximumCharacterOccurences() API to get the maximum number of times a character can occur in the device password.
int	getMaximumCharacterSequenceLength() API to get the maximum alphabetic sequence length allowed in the device password.
int	getMaximumFailedPasswordsForDeviceDisable() API to get the maximum number of failed password attempts after which the device is disabled.
int	getMaximumNumericSequenceLength() API to get the maximum numeric sequence length allowed in the device password.
int	getMinPasswordComplexChars(ComponentName admin) Deprecated in API level 35
int	getMinimumCharacterChangeLength() API to get the minimum number of changed characters a password string may have compared to the previous one.
int	getPasswordChangeTimeout() API to get the time value after which password must be changed if the user cancels the first password change enforcement.
int	getPasswordExpires(ComponentName admin) Deprecated in API level 35
int	getPasswordHistory(ComponentName admin) Deprecated in API level 35
int	getPasswordLockDelay() API to get the idle time after which the key guard lock (lock screen) is enabled.
String	getRequiredPwdPatternRestrictions(boolean allAdmins) API to retrieve the restricted password string patterns.
Map<Integer, String>	getSupportedBiometricAuthentications() API to get the supported biometric authentication methods on the device.
boolean	isBiometricAuthenticationEnabled(int bioAuth) API to check whether the biometric authentication option on the list of lockscreen password options is enabled or not.
boolean	isExternalStorageForFailedPasswordsWipeExcluded() API to check whether the external storage is included when device is wiped due to exceeding maximum number of failed password attempts.
boolean	isMultifactorAuthenticationEnabled() API to check whether multi-factor authentication is enabled or not.
boolean	isPasswordVisibilityEnabled() API to check whether the make password visible setting is enabled.
boolean	isScreenLockPatternVisibilityEnabled() API to check whether screen lock pattern visibility is enabled.
boolean	lock() Deprecated in API level 33
void	reboot(String reason) Deprecated in API level 35
boolean	setBiometricAuthenticationEnabled(int bioAuth, boolean enable) API to enable or disable the biometric authentication option on the list of lockscreen password options.
int	setEnterpriseIdentityAuthentication(AuthenticationConfig config) Deprecated in API level 30 NOTE: This API is not available since Android 10.
boolean	setForbiddenStrings(List<String> forbiddenStrings) API to set strings that are forbidden in the device password.
boolean	setMaximumCharacterOccurrences(int count) API to set the maximum number of times a character can occur in the device password.
boolean	setMaximumCharacterSequenceLength(int length) API to set the maximum length of an alphabetic sequence that is allowed in the device password.
boolean	setMaximumFailedPasswordsForDeviceDisable(int num) API to set the maximum number of failed password attempts after which device is disabled
boolean	setMaximumNumericSequenceLength(int length) API to set the maximum length of the numeric sequence that is allowed in the device password.
void	setMinPasswordComplexChars(ComponentName admin, int size) Deprecated in API level 35
boolean	setMinimumCharacterChangeLength(int length) API to set the minimum number of changed characters a password string may have when compared to the previous one.
void	setMultifactorAuthenticationEnabled(boolean enable) API to enable or disable multi-factor authentication.
boolean	setPasswordChangeTimeout(int timeout) API to set time value after which the password must be changed after the user cancels the first password change enforcement.
void	setPasswordExpires(ComponentName admin, int value) Deprecated in API level 35
void	setPasswordHistory(ComponentName admin, int value) Deprecated in API level 35
boolean	setPasswordLockDelay(int time) API to set idle time after which key guard lock (lock screen) is enabled.
boolean	setPasswordVisibilityEnabled(boolean allow) API to enable or disable making the password visible while typing.
boolean	setRequiredPasswordPattern(String regex) API to set or override a pattern for password match.
boolean	setScreenLockPatternVisibilityEnabled(boolean enable) API to enable or disable screen lock pattern visibility.
boolean	unlock() Deprecated in API level 33

[Expand]

Inherited Methods

From class java.lang.Object

Constants

public static final int BIOMETRIC_AUTHENTICATION_FACE

Since: API level 28

Lockscreen FACE biometric authentication option

Since

API level 23

MDM 5.9

Constant Value: 4 (0x00000004)

public static final int BIOMETRIC_AUTHENTICATION_FINGERPRINT

Since: API level 12

Lockscreen Fingerprint biometric authentication option

Since

API level 12

MDM 5.1

Constant Value: 1 (0x00000001)

public static final int BIOMETRIC_AUTHENTICATION_IRIS

Since: API level 13

Deprecated in API level 33

Lockscreen IRIS biometric authentication option

Since

API level 13

MDM 5.2

Constant Value: 2 (0x00000002)

Public Methods

public boolean deleteAllRestrictions ()

Since: API level 2

API to remove all patterns set by a specific administrator.

Returns

true if successful, else false.

Throws

SecurityException	If caller does not have required permissions

Usage

When the current password pattern owner deletes his patterns, a new owner is elected, normally the one who set the pattern before the current owner. If the new owner is not available then the next is chosen from the stack.

 EnterpriseDeviceManager edm = EnterpriseDeviceManager.getInstance(context);
 PasswordPolicy passwordPolicy = edm.getPasswordPolicy();
 try {
     boolean result = passwordPolicy.deleteAllRestrictions();
     if (true == result) {
         // all password restriction has been deleted
     }
 } catch (SecurityException e) {
     Log.w(TAG, "SecurityException: " + e);
 }

For Container:

 // When you create container successfully, containerID will be returned via intent.
 // Use this containerID in below API.
 EnterpriseKnoxManager ekm = EnterpriseKnoxManager.getInstance(context);
 KnoxContainerManager kcm = ekm.getKnoxContainerManager(containerID);
 PasswordPolicy passwordPolicy = kcm.getPasswordPolicy();
 try {
     boolean result = passwordPolicy.deleteAllRestrictions();
     if (true == result) {
         // all password restriction has been deleted
     }
 } catch (SecurityException e) {
     Log.w(TAG, "SecurityException: " + e);
 }

Permission

The use of this API requires the caller to have the "com.samsung.android.knox.permission.KNOX_SECURITY" permission which has a protection level of signature.

Since

API level 2

MDM 2.0

Multiuser Environment

User Scope

public boolean enforcePwdChange ()

Since: API level 2

API to enforce password change.

Returns

true if password change enforcement has started, false if password change enforcement has not started.

Throws

SecurityException	If caller does not have required permissions

Usage

This API is called by an application that is managing the device. The API enforces changing an existing password (or enforces creating a password if the device has none). An administrator can use this API to present to the user a password dialog to change a password or set up a new password. If a password is already set in the device, and the administrator wants to allow the user to cancel the password dialog for a period of time, he can use setPasswordChangeTimeout(int) to set the period (in minutes) that the user can keep using the device before changing the existing password (default value is 0 - no option to cancel). If device has no password set, the user is required to change the password and is given no option to cancel. In this case, the password change timeout is ignored. This API will always enforce a PIN or Password, even if user has a pattern set.

Note: In order to confirm that password was succesfully changed, listen to ACTION_PASSWORD_CHANGE.

 EnterpriseDeviceManager edm = EnterpriseDeviceManager.getInstance(context);
 PasswordPolicy passwordPolicy = edm.getPasswordPolicy();
 try {
     // if Device has no password and password change timeout is 0.
     boolean result = passwordPolicy.enforcePwdChange();
     if (true == result) {
         // if successful user required to create a password with no
         // option to cancel dialog.
     }

     // if device already has a password and password change timeout is 0 .
     boolean result = passwordPolicy.enforcePwdChange();
     if (true == result) {
         // if successful user is required to change existing password with no option
         // to cancel dialog.
     }

     // if device has no password and we set password change timeout to some
     // positive value.
     passwordPolicy.setPasswordChangeTimeout(10);
     boolean result = passwordPolicy.enforcePwdChange();
     if (true == result) {
         // if successful user is required to create a password with no
         // option to cancel dialog because password change timeout is only used
         // for password changes, not new passwords.
     }

     // if device already has password and we set password change timeout to some
     // positive value.
     passwordPolicy.setPasswordChangeTimeout(10);
     boolean result = passwordPolicy.enforcePwdChange();
     if (true == result) {
         // if successful user is required to change existing password with the
         // option to cancel it for the first time. After 10 minutes the user is prompted again with no option to cancel.
 } catch (SecurityException e) {
     Log.w(TAG, "SecurityException: " + e);
 }

For Container:

Besides PIN and Password, Container also has support for pattern change enforcement.

 // When you create container successfully, containerID will be returned via intent.
 // Use this containerID in below API.
 EnterpriseKnoxManager ekm = EnterpriseKnoxManager.getInstance(context);
 KnoxContainerManager kcm = ekm.getKnoxContainerManager(containerID);
 PasswordPolicy passwordPolicy = kcm.getPasswordPolicy();
 try {
     // if Device has no password and password change timeout is 0.
     boolean result = passwordPolicy.enforcePwdChange();
     if (true == result) {
         // if successful user required to create a password with no
         // option to cancel dialog.
     }

     // if device already has a password and password change timeout is 0 .
     boolean result = passwordPolicy.enforcePwdChange();
     if (true == result) {
         // if successful user is required to change existing password with no option
         // to cancel dialog.
     }

     // if device has no password and we set password change timeout to some
     // positive value.
     passwordPolicy.setPasswordChangeTimeout(10);
     boolean result = passwordPolicy.enforcePwdChange();
     if (true == result) {
         // if successful user is required to create a password with no
         // option to cancel dialog because password change timeout is only used
         // for password changes, not new passwords.
     }

     // if device already has password and we set password change timeout to some
     // positive value.
     passwordPolicy.setPasswordChangeTimeout(10);
     boolean result = passwordPolicy.enforcePwdChange();
     if (true == result) {
         // if successful user is required to change existing password with the
         // option to cancel it for the first time. After 10 minutes the user is prompted again with no option to cancel.
 } catch (SecurityException e) {
     Log.w(TAG, "SecurityException: " + e);
 }

Permission

The use of this API requires the caller to have the "com.samsung.android.knox.permission.KNOX_SECURITY" permission which has a protection level of signature.

Since

API level 2

MDM 2.0

Multiuser Environment

User Scope

public boolean excludeExternalStorageForFailedPasswordsWipe (boolean enable)

Since: API level 6

API to include or exclude external storage when device is wiped due to exceeding maximum number of failed password attempts.

Parameters

enable	`true` to exclude external storage during device wipe, `false` to include external storage during device wipe

Returns

true if successful, else false

Throws

SecurityException	If caller does not have required permissions

Usage

An administrator can include or exclude external storage when the device is wiped due to exceeding the maximum number of failed password attempts without user interaction.

 EnterpriseDeviceManager edm = EnterpriseDeviceManager.getInstance(context);
 PasswordPolicy passwordPolicy = edm.getPasswordPolicy();
 try {
     boolean excludeExternalStorageWipe = true;
     // disable expernal storage wipe
     passwordPolicy.excludeExternalStorageForFailedPasswordsWipe(excludeExternalStorageWipe);
 } catch (SecurityException e) {
     Log.w(TAG, "SecurityException: " + e);
 }

Permission

The use of this API requires the caller to have the "com.samsung.android.knox.permission.KNOX_SECURITY" permission with a protection level of signature.

Since

API level 6

MDM 4.0

Multiuser Environment

Global Scope

public AuthenticationConfig getEnterpriseIdentityAuthentication ()

Since: API level 15

Deprecated in API level 30
NOTE: This API is not available since Android 10.

API to get current Enterprise Identity authentication configuration.
Note: Due to Android security limitations, the enterprise identity authentication feature will not work when Device Owner is enabled on the device.

Returns

Enterprise Identity config object

Usage

Admin can use this api to get current Enterprise Identity authentication configurations.

Note: Currently Enterprise Identity is supported only on Container.

For Container:

 // When you create container successfully, containerID will be returned via intent.
 // Use this containerID in below API.
 EnterpriseKnoxManager ekm = EnterpriseKnoxManager.getInstance(context);
 KnoxContainerManager kcm = ekm.getKnoxContainerManager(containerID);
 PasswordPolicy mPasswordPolicy = kcm.getPasswordPolicy();
 try {
     AuthenticationConfig authConfig = mPasswordPolicy.getEnterpriseIdentityAuthentication();
     if(authConfig != null ) {
         //successfully retrieved authentication config 
     } else {
        //unable to get authentication config
     }
 }catch (SecurityException e) {
     Log.e(TAG, "SecurityException: " + e);
 }

Permission

The use of this API requires the caller to add the "com.samsung.android.knox.permission.KNOX_SECURITY" permission with a protection level of signature.

Since

API level 15

MDM 5.4

Multiuser Environment

User Scope

public List<String> getForbiddenStrings (boolean allAdmins)

Since: API level 4

API to retrieve the forbidden strings that cannot be used in the device password.

Parameters

allAdmins	If set to `true`, returns the concatenated list of forbidden strings of all administrators. If set to `false`, returns the forbidden string list for the calling administrator only.

Returns

All forbidden strings or null if there are no forbidden strings

Throws

SecurityException	If caller does not have required permissions

API to get the minimum number of complex characters required in the password.

Returns

The number of complex characters in the password if successful, else 0.

Throws

SecurityException	If caller does not have required permissions

Usage

An administrator can use this API to get the minimum number of complex characters required in the password and take appropriate action. According to protocol, complex characters can be digit or symbol that contribute to making stricter passwords. If MinPasswordComplexChars = 1, then at least one digit is required. If MinPasswordComplexChars > 1, then at least one digit and at least one symbol are required, and the count of complex characters >= MinPasswordComplexChars

Note: Since MDM 5.2 if MinPasswordComplexChars >= 4, then at least one lowercase character and one uppercase character are required.

Permission

The use of this API requires the caller to have the "com.samsung.android.knox.permission.KNOX_SECURITY" permission which has a protection level of signature.

Since

API level 2

MDM 2.0

Multiuser Environment

User Scope

public int getMinimumCharacterChangeLength ()

Since: API level 6

API to get the minimum number of changed characters a password string may have compared to the previous one.

Returns

Minimum number of changed characters (i.e., string distance) that the new password string contains compared to the previous one. A value of '0' specifies that no restrictions are applied.

Usage

An administrator can use this API to retrieve the minimum number of changed characters that a password string can have compared to the previous one. If more than one administrator has set this value, the maximum value takes priority.

Since

API level 6

MDM 4.0

Multiuser Environment

User Scope

public int getPasswordChangeTimeout ()

Since: API level 2

API to get the time value after which password must be changed if the user cancels the first password change enforcement.

Returns

The password timeout value in minutes if successful, else 0.

Usage

This API is called by an application that is managing the device. The API gets the timeout in minutes after which the password must be changed after the administrator uses enforcePwdChange() and the user cancels the first password change enforcement. If a password is already set in the device and the administrator calls enforcePwdChange(), the user can cancel the password change dialog; the password change is then definitely enforced again after the timeout set (default value is 0 - no option to cancel). If no password is set in the device and the administrator calls enforcePwdChange(), the user cannot cancel the change, so, in this case, the password change timeout is ignored.

Since

API level 2

MDM 2.0

Multiuser Environment

User Scope

public int getPasswordExpires (ComponentName admin)

Since: API level 2

Deprecated in API level 35

API to get the password age (number of days after which the password expires) in days for the current password.

Parameters

admin	Which DeviceAdminReceiver this request is associated with.

Returns

The number of days after which the password expires starting from when it was first set if successful, else 0.

Throws

SecurityException	If caller does not have required permissions

Permission

The use of this API requires the caller to have the "com.samsung.android.knox.permission.KNOX_SECURITY" permission which has a protection level of signature.

Since

API level 2

MDM 2.0

Multiuser Environment

User Scope

public int getPasswordHistory (ComponentName admin)

Since: API level 2

Deprecated in API level 35

API to get the number of previous passwords that are stored in history.

Returns

The number of previous passwords that cannot be used when setting a new password if successful, else 0.

Throws

SecurityException	If caller does not have required permissions

Usage

An administrator can use this API to get the password history value in days and take appropriate action. An administrator can compel a device to store the specified number of previous passwords. The history supports the device in verifying that the user is not entering a previous password when prompted for a new one.

Permission

The use of this API requires the caller to have the "com.samsung.android.knox.permission.KNOX_SECURITY" permission which has a protection level of signature.

Since

API level 2

MDM 2.0

Multiuser Environment

User Scope

public int getPasswordLockDelay ()

Since: API level 2

API to get the idle time after which the key guard lock (lock screen) is enabled.

Returns

Time between screen time out and device is locked, -1 if none is set or administrator does not care.

Usage

Specifies how soon the device can be unlocked again after use without re-prompting for the passcode.

Since

API level 2

MDM 2.0

Multiuser Environment

Global Scope

public String getRequiredPwdPatternRestrictions (boolean allAdmins)

Since: API level 2

API to retrieve the restricted password string patterns.

Parameters

allAdmins	If set to `true`, the restricted password string pattern for all administrators is retrieved. If set to `false`, only the restricted password string pattern for the calling administrator is retrieved.

Returns

All concatenated pattern string if success, else null.

Throws

SecurityException	If caller does not have required permissions

Usage

If more than one pattern is restricted, this API concatenates all patterns and returns the concatenated list. The API can be used to apply complexity to a new password value.

Permission

The use of this API requires the caller to have the "com.samsung.android.knox.permission.KNOX_SECURITY" permission which has a protection level of signature.

Since

API level 2

MDM 2.0

Multiuser Environment

User Scope

public Map<Integer, String> getSupportedBiometricAuthentications ()

Since: API level 13

API to get the supported biometric authentication methods on the device.

Returns

Map object containing the unique integer key and the name of the supported biometric authentication methods.

Usage

Admin can get the unique integer key and the name of the supported biometric authentication methods on the device, and enable or disable it by using setBiometricAuthenticationEnabled(int, boolean).

 EnterpriseDeviceManager edm = EnterpriseDeviceManager.getInstance(context);
 PasswordPolicy passwordPolicy = edm.getPasswordPolicy();
 try {
     // get the unique integer key and the name of the supported biometric authentication methods on the device (1, "Fingerprint")
     Map<Integer,String> map = passwordPolicy.getSupportedBiometricAuthentications();
 } catch (SecurityException e) {
     Log.w(TAG, "SecurityException: " + e);
 }

For Container:

 // When you create container successfully, containerID will be returned via intent.
 // Use this containerID in below API.
 EnterpriseKnoxManager ekm = EnterpriseKnoxManager.getInstance(context);
 KnoxContainerManager kcm = ekm.getKnoxContainerManager(containerID);
 PasswordPolicy passwordPolicy = kcm.getPasswordPolicy();
 try {
     // get the unique integer key and the name of the supported biometric authentication methods on the device (1, "Fingerprint")
     Map<Integer,String> map = passwordPolicy.getSupportedBiometricAuthentications();
 } catch (SecurityException e) {
     Log.w(TAG, "SecurityException: " + e);
 }

Since

API level 13

MDM 5.2

Multiuser Environment

User Scope

public boolean isBiometricAuthenticationEnabled (int bioAuth)

Since: API level 12

API to check whether the biometric authentication option on the list of lockscreen password options is enabled or not.

Parameters

bioAuth	lockscreen biometric authentication option

Returns

true if the biometric authentication option is enabled and false if it is disabled.

Usage

Admin can check whether the biometric authentication option on the list of lockscreen password options is enabled or not, and take appropriate action based on enterprise policy.

 EnterpriseDeviceManager edm = EnterpriseDeviceManager.getInstance(context);
 PasswordPolicy passwordPolicy = edm.getPasswordPolicy();
 try {
     // check whether the fingerprint option is enabled
     passwordPolicy.isBiometricAuthenticationEnabled(BIOMETRIC_AUTHENTICATION_FINGERPRINT);
 } catch (SecurityException e) {
     Log.w(TAG, "SecurityException: " + e);
 }

For Container:

When CC Mode (setCCMode(boolean)) is enabled on device, Administrator cannot enable Fingerprint option in lock screen. If Multi factor authentication (enforceMultifactorAuthentication(boolean)) is enforced, user can use Fingerprint as one of Multi factor authentication even if Administrator disables Fingerprint.

 // When you create container successfully, containerID will be returned via intent.
 // Use this containerID in below API.
 EnterpriseKnoxManager ekm = EnterpriseKnoxManager.getInstance(context);
 KnoxContainerManager kcm = ekm.getKnoxContainerManager(containerID);
 PasswordPolicy passwordPolicy = kcm.getPasswordPolicy();
 try {
     // check whether the fingerprint option is enabled
     passwordPolicy.isBiometricAuthenticationEnabled(BIOMETRIC_AUTHENTICATION_FINGERPRINT);
 } catch (SecurityException e) {
     Log.w(TAG, "SecurityException: " + e);
 }

Since

API level 12

MDM 5.1

Multiuser Environment

User Scope

public boolean isExternalStorageForFailedPasswordsWipeExcluded ()

Since: API level 6

API to check whether the external storage is included when device is wiped due to exceeding maximum number of failed password attempts.

Returns

true if external storage is excluded and false if it is included in device wipe.

Usage

An administrator can check whether the external storage is included when device is wiped due to exceeding maximum number of failed password attempts. The administrator can then take appropriate action based on enterprise policy.

Since

API level 6

MDM 4.0

Multiuser Environment

Global Scope

public boolean isMultifactorAuthenticationEnabled ()

Since: API level 24

API to check whether multi-factor authentication is enabled or not.

Throws

SecurityException	If caller does not have required permissions

Usage

An administrator can use this API to check whether multi-factor authentication is enabled for specific user space.

 EnterpriseDeviceManager edm = EnterpriseDeviceManager.getInstance(context);
 PasswordPolicy passwordPolicy = edm.getPasswordPolicy();
 try {
     boolean status = passwordPolicy.isMultifactorAuthenticationEnabled();
 } catch (SecurityException e) {
     Log.w(TAG, "SecurityException: " + e);
 }

For Container:

 // When you create container successfully, containerID will be returned via intent.
 // Use this containerID in below API.
 EnterpriseKnoxManager ekm = EnterpriseKnoxManager.getInstance(context);
 KnoxContainerManager kcm = ekm.getKnoxContainerManager(containerID);
 PasswordPolicy passwordPolicy = kcm.getPasswordPolicy();
 try {
     boolean status = passwordPolicy.isMultifactorAuthenticationEnabled();
 } catch (SecurityException e) {
     Log.w(TAG, "SecurityException: " + e);
 }

Since

API level 24

KNOX 3.0

Multiuser Environment

User Scope

public boolean isPasswordVisibilityEnabled ()

Since: API level 6

API to check whether the make password visible setting is enabled.

Returns

True if make password visible is enabled, else false

Usage

An administrator can use this API to check whether the password visible setting is enabled and take appropriate action based on enterprise policy.

Since

API level 6

MDM 4.0

Multiuser Environment

User Scope

public boolean isScreenLockPatternVisibilityEnabled ()

Since: API level 5

API to check whether screen lock pattern visibility is enabled.

Returns

true if screen lock pattern visibility is enabled, else false

Usage

An administrator can use this API to check whether screen lock pattern visibility is enabled and take appropriate action based on enterprise policy.

Since

API level 5

MDM 3.0

Multiuser Environment

User Scope

public boolean lock ()

Since: API level 24

Deprecated in API level 33

API to lock the user.

Throws

SecurityException	If caller does not have required permissions

Usage

Use this API to lock the user. It will return true if the user is successfully locked.

Note: This API can be called only by Device owner or Profile owner.

 EnterpriseDeviceManager edm = EnterpriseDeviceManager.getInstance(context);
 PasswordPolicy passwordPolicy = edm.getPasswordPolicy();
 try {
     boolean status = passwordPolicy.lock();
 } catch (SecurityException e) {
     Log.w(TAG, "SecurityException: " + e);
 }

For Container:

 // When you create container successfully, containerID will be returned via intent.
 // Use this containerID in below API.
 EnterpriseKnoxManager ekm = EnterpriseKnoxManager.getInstance(context);
 KnoxContainerManager kcm = ekm.getKnoxContainerManager(containerID);
 PasswordPolicy passwordPolicy = kcm.getPasswordPolicy();
 try {
     boolean status = passwordPolicy.lock();
 } catch (SecurityException e) {
     Log.w(TAG, "SecurityException: " + e);
 }

Permission

The use of this API requires the caller to have the "com.samsung.android.knox.permission.KNOX_ADVANCED_SECURITY" permission which has a protection level of signature.

Since

API level 24

KNOX 3.0

Multiuser Environment

User Scope

public void reboot (String reason)

Since: API level 2

Deprecated in API level 35

API to reboot the device immediately,

Parameters

reason	Reason for rebooting (any string; may be `null`)

Throws

SecurityException	If caller does not have required permissions

Usage

An administrator can use this API to silently reboot the device. The administrator can call this functionality after updating system level data. The operation passes 'reason' (may be null) to the underlying __reboot system call. The API call should not return a reply.

 EnterpriseDeviceManager edm = EnterpriseDeviceManager.getInstance(context);
 PasswordPolicy passwordPolicy = edm.getPasswordPolicy();
 try {
     passwordPolicy.reboot("admin");
 } catch (SecurityException e) {
     Log.w(TAG, "SecurityException: " + e);
 }

For Container:

 // When you create container successfully, containerID will be returned via intent.
 // Use this containerID in below API.
 EnterpriseKnoxManager ekm = EnterpriseKnoxManager.getInstance(context);
 KnoxContainerManager kcm = ekm.getKnoxContainerManager(containerID);
 PasswordPolicy passwordPolicy = kcm.getPasswordPolicy();
 try {
     passwordPolicy.reboot("admin");
 } catch (SecurityException e) {
     Log.w(TAG, "SecurityException: " + e);
 }

Permission

The use of this API requires the caller to have the "com.samsung.android.knox.permission.KNOX_SECURITY" permission which has a protection level of signature.

Since

API level 2

MDM 2.0

Multiuser Environment

User Scope

public boolean setBiometricAuthenticationEnabled (int bioAuth, boolean enable)

Since: API level 12

API to enable or disable the biometric authentication option on the list of lockscreen password options.
For specific biometric authentication options see,
BIOMETRIC_AUTHENTICATION_FINGERPRINT
BIOMETRIC_AUTHENTICATION_IRIS
BIOMETRIC_AUTHENTICATION_FACE

Parameters

bioAuth	lockscreen biometric authentication option
enable	`true` to enable the biometric authentication option, `false` to disable it.

Returns

true if successful, else false

Throws

SecurityException	If caller does not have required permissions

Usage

Admin can enable or disable the biometric authentication option without user interaction. The user and 3rd party applications cannot enable the biometric authentication option setting once it is disabled.
Since Knox 3.0, in case if Biometric is used by Device Lock Screen and that Biometric got disabled then user will not be able to authenticate Lock Screen using it. Also user is free to add/delete biometric data , so third party apps can use biometric provided Keyguard is secure.

 EnterpriseDeviceManager edm = EnterpriseDeviceManager.getInstance(context);
 PasswordPolicy passwordPolicy = edm.getPasswordPolicy();
 try {
     // enable the fingerprint option
     passwordPolicy.setBiometricAuthenticationEnabled(BIOMETRIC_AUTHENTICATION_FINGERPRINT |
             BIOMETRIC_AUTHENTICATION_IRIS | BIOMETRIC_AUTHENTICATION_FACE, true);
 } catch (SecurityException e) {
     Log.w(TAG, "SecurityException: " + e);
 }

For Container:

When CC Mode (setCCMode(boolean)) is enabled on device, Administrator cannot enable Fingerprint option in lock screen. If Multi factor authentication (enforceMultifactorAuthentication(boolean)) is enforced, user can use Fingerprint as one of Multi factor authentication even if Administrator disables Fingerprint.

 // When you create container successfully, containerID will be returned via intent.
 // Use this containerID in below API.
 EnterpriseKnoxManager ekm = EnterpriseKnoxManager.getInstance(context);
 KnoxContainerManager kcm = ekm.getKnoxContainerManager(containerID);
 PasswordPolicy passwordPolicy = kcm.getPasswordPolicy();
 try {
     // enable the fingerprint option
     passwordPolicy.setBiometricAuthenticationEnabled(BIOMETRIC_AUTHENTICATION_FINGERPRINT |
             BIOMETRIC_AUTHENTICATION_IRIS | BIOMETRIC_AUTHENTICATION_FACE, true);
 } catch (SecurityException e) {
     Log.w(TAG, "SecurityException: " + e);
 }

NOTE: From MDM 5.2, in case of MDFPP(Mobile Device Fundamentals Protection Profile) SDP enabled container, fingerprint will be disabled.

Permission

The use of this API requires the caller to add the "com.samsung.android.knox.permission.KNOX_SECURITY" permission with a protection level of signature.

Since

API level 12

MDM 5.1

Multiuser Environment

User Scope

public int setEnterpriseIdentityAuthentication (AuthenticationConfig config)

Since: API level 15

Deprecated in API level 30
NOTE: This API is not available since Android 10.

API to configure and enforce Enterprise Identity authentication. The Enterprise Identity authentication is another type of lock type (similar to PIN/Password/Pattern)which allows user to use their enterprise credential as device unlock method.
Note: Due to Android security limitations, the enterprise identity authentication feature will not work when Device Owner is enabled on the device.

Returns

status of set Enterprise Identity authentication config
SUCCESS - operation success
ERROR_INTERNAL_FAIL - unable to configure due to some internal error
ERROR_USER_NOT_AUTHORIZED - not authorized to do this operation
ERROR_INVALID_INPUT - Invalid input
ERROR_AUTHENTICATOR_PACKAGE_NOT_INSTALLED - authenticator package not installed
ERROR_AUTHENTICATOR_SIGNATURE_MISMATCH - authenticator signature not matching

Usage

An administrator can use this api to change user's current lock type (PIN/Password/Fingerprint/etc) to Enterprise Identity. The admin can either configure Enterprise Identity and let user to choose lock type or the admin can enforce user to choose Enterprise Identity. Enterprise Identity lock will enforce password quality and all password complexity rules set on the device. So the admin is responsible for setting up proper password quality and complexity rules which matches the Enterprise Identity server(e.g Active Directory). If device password complexity rules do not match with Enterprise Identity rules, the user will not be able to successfully set up enterprise identity as an unlock type even if the user uses valid credentials. Also it is the adminstrator's responsiblity to install authenticator application before calling this api. It is also recommended to disable uninstallation and clearing data of the authenticator package in the case where user tries to uninstall the application or clear its data. Administrator must understand the various fields on the configuration object and their significance before using this api.

Note: Currently Enterprise Identity is supported only for container. ERROR_USER_NOT_AUTHORIZED will be return when it called from device level.

For Container:

Note: Currently Enterprise Identity is not supported for MDFPP SDP enabled container.

 // Assume container already created and lock type set as PIN/Password and Admin wants to migrate to Enterprise Identity lock. 
 // The Following steps MUST followed for successful Enterprise Identity migration.
 
 // When you create container successfully, containerID will be returned via intent.
 // Use this containerID in below API.
 EnterpriseKnoxManager ekm = EnterpriseKnoxManager.getInstance(context);
 KnoxContainerManager kcm = ekm.getKnoxContainerManager(containerID);
 PasswordPolicy mPasswordPolicy = kcm.getPasswordPolicy();
 BasePasswordPolicy mBasePasswordPolicy = kcm.getBasePasswordPolicy();
 String AUTHENTICATOR_PKGNAME = AuthenticationConfig.SAMSUNG_KERBEROS_AUTHENTICATOR;
 String AUTHENTICATOR_PKGPATH = "/mnt/sdcard/authenticator.apk";
 
 //Step 1: Install authenticator application inside the container
 ApplicationPolicy appPolicy = kcm.getApplicationPolicy();
 boolean result = appPolicy.installApplication(AUTHENTICATOR_PKGPATH, false);
 //make sure user should not able to uninstall this authenticator apk
 appPolicy.setApplicationUninstallationDisabled (AUTHENTICATOR_PKGNAME);
 //make sure user should not able to clear data of this authenticator apk
 List list = new ArrayList();
 list.add(AUTHENTICATOR_PKGNAME);
 appPolicy.addPackagesToClearDataBlackList(list);
 
 //Step 2: Set up proper password quality and complexity rules. It should reflect current password quality and complexity rules 
 //set on Enterprise Identity server(e.g Active directory) otherwise error will be reported.
 mBasePasswordPolicy.setPasswordQuality( DevicePolicManager.PASSWORD_QUALITY_ALPHABETIC);
 mBasePasswordPolicy.setPasswordMinimumLength(8);
 mBasePasswordPolicy.setPasswordMinimumUpperCase(1);
 mBasePasswordPolicy.setPasswordMinimumLowerCase(1);
 mBasePasswordPolicy.setPasswordMinimumSymbols(0);
 mBasePasswordPolicy.setPasswordMinimumNumeric (1);    
  
 //Step 3: Set Enterprise Identity config 
 AuthenticationConfig  authConfig = new AuthenticationConfig();

 //Set the authenticator package name .Make sure given package already installed on the device
 authConfig.setAuthenticatorPkgName (AUTHENTICATOR_PKGNAME);

 //Set authenticator signature (optional);
 authConfig.setAuthenticatorPkgSignature(null);
 
 //Show Enterprise Identity option on available lock types.
 authConfig.setHideEnterpriseIdentityLock(true);

 //Enforce Enterprise Identity
 authConfig.setForceEnterpriseIdentityLock(true);

 //configure authenticator params
 Bundle authBundle  = new Bundle();
 authBundle.putString ("LIBDEFAULTS_DEFAULT_REALM", "SISOIDP.IN");
 authBundle.putString ("FEDERATION_SERVER_URL", "idpsrv.sisoidp.in");
 authConfig.setAuthenticatorConfig(authBundle);
 int ret = mPasswordPolicy.setEnterpriseIdentityAuthentication(authConfig);
 //success 
 // Step 4: Trigger password change flow 
 if ( ret == 0 ){
     mPasswordPolicy.enforcePwdChange();
 } else {
     // fail cases
     switch (ret) {
        case AuthenticationConfig.ERROR_INTERNAL_FAIL:
            Log.d ( TAG, " Error:unable to configure due to some internal error");
            break;
        case AuthenticationConfig.ERROR_USER_NOT_AUTHORIZED:
            Log.d ( TAG, " Error:Not authorized to do this operation");
            break;
        case AuthenticationConfig.ERROR_INVALID_INPUT:
            Log.d ( TAG, " Error:Invalid input");
            break;
        case AuthenticationConfig.ERROR_AUTHENTICATOR_PACKAGE_NOT_INSTALLED:
            Log.d ( TAG, " Authenticator package not installed");
            break;
        case AuthenticationConfig.ERROR_AUTHENTICATOR_SIGNATURE_MISMATCH:
            Log.d ( TAG, " Authenticator signature not matching");
            break;
     }     
 }

Permission

The use of this API requires the caller to add the "com.samsung.android.knox.permission.KNOX_SECURITY" permission with a protection level of signature.

Since

API level 15

MDM 5.4

Multiuser Environment

User Scope

public boolean setForbiddenStrings (List<String> forbiddenStrings)

Since: API level 4

API to set strings that are forbidden in the device password.

Parameters

forbiddenStrings	List of strings forbidden in the device password. Pass `null` or a empty entry in list to remove all strings.

Returns

true - on success
false - on failure

Throws

SecurityException	If caller does not have required permissions

Usage

An administrator can use this API to set strings that are forbidden in the device password. Forbidden strings may include personal data (variations on the user's name, email address, or X400 address) or any other strings.

 EnterpriseDeviceManager edm = EnterpriseDeviceManager.getInstance(context);
 PasswordPolicy passwordPolicy = edm.getPasswordPolicy();
 try {
     List<String> forbiddenStrings = new ArrayList<String>();
     forbiddenStrings.add("user123");
     forbiddenStrings.add("12345");
     forbiddenStrings.add("user123@company.com");
     boolean result = passwordPolicy.setForbiddenStrings(forbiddenStrings);
     if (true == result) {
         // policy successfully set
     }
 } catch (SecurityException e) {
     Log.w(TAG, "SecurityException: " + e);
 }

 // Reset forbidden strings
 // Option 1:
 try {
     List<String> forbiddenStrings = null;
     boolean result = passwordPolicy.setForbiddenStrings(forbiddenStrings)
 } catch (SecurityException e) {
     Log.w(TAG, SecurityException: + e);
 }

 // Option 2:
 try {
     List<String> forbiddenStrings = new ArrayList<String>();
     forbiddenStrings.add("");
     boolean result = passwordPolicy.setForbiddenStrings(forbiddenStrings)
 } catch (SecurityException e) {
     Log.w(TAG, SecurityException: + e);
 }

For Container:

 // When you create container successfully, containerID will be returned via intent.
 // Use this containerID in below API.
 EnterpriseKnoxManager ekm = EnterpriseKnoxManager.getInstance(context);
 KnoxContainerManager kcm = ekm.getKnoxContainerManager(containerID);
 PasswordPolicy passwordPolicy = kcm.getPasswordPolicy();
 try {
     List<String> forbiddenStrings = new ArrayList<String>();
     forbiddenStrings.add("user123");
     forbiddenStrings.add("12345");
     forbiddenStrings.add("user123@company.com");
     boolean result = passwordPolicy.setForbiddenStrings(forbiddenStrings);
     if (true == result) {
         // policy successfully set
     }
 } catch (SecurityException e) {
     Log.w(TAG, "SecurityException: " + e);
 }

 // Reset forbidden strings
 // Option 1:
 try {
     List<String> forbiddenStrings = null;
     boolean result = passwordPolicy.setForbiddenStrings(forbiddenStrings)
 } catch (SecurityException e) {
     Log.w(TAG, SecurityException: + e);
 }

 // Option 2:
 try {
     List<String> forbiddenStrings = new ArrayList<String>();
     forbiddenStrings.add("");
     boolean result = passwordPolicy.setForbiddenStrings(forbiddenStrings)
 } catch (SecurityException e) {
     Log.w(TAG, SecurityException: + e);
 }

Permission

The use of this API requires the caller to have the "com.samsung.android.knox.permission.KNOX_SECURITY" permission which has a protection level of signature.

Since

API level 4

MDM 2.2

Multiuser Environment

User Scope

public boolean setMaximumCharacterOccurrences (int count)

Since: API level 4

API to set the maximum number of times a character can occur in the device password.

Parameters

count	Maximum number of times a character can occur in the device password. A value of '0' specifies that no restrictions are applied.

Returns

true - on successful setting of this restriction
false - on failure to set this restriction

Throws

SecurityException	If caller does not have required permissions

Usage

An administrator can use this API to specify the maximum number of occurrences of a character in the device password. Characters can be numeric, alphabetic, or symbolic. For example, "aaabcde" has three occurrences of an 'a', "1b1c1de" has three occurrences of a '1', and "a@b@c@" has three occurrences of a '@'. A value of '0' specifies that no restrictions are applied.

 EnterpriseDeviceManager edm = EnterpriseDeviceManager.getInstance(context);
 PasswordPolicy passwordPolicy = edm.getPasswordPolicy();
 try {
     int maxCharOccur = 3;
     boolean result = passwordPolicy.setMaximumCharacterOccurrences(maxCharOccur);
     if (true == result) {
         // policy successfully set
     }
 } catch (SecurityException e) {
     Log.w(TAG, "SecurityException: " + e);
 }

For Container:

 // When you create container successfully, containerID will be returned via intent.
 // Use this containerID in below API.
 EnterpriseKnoxManager ekm = EnterpriseKnoxManager.getInstance(context);
 KnoxContainerManager kcm = ekm.getKnoxContainerManager(containerID);
 PasswordPolicy passwordPolicy = kcm.getPasswordPolicy();
 try {
     int maxCharOccur = 3;
     boolean result = passwordPolicy.setMaximumCharacterOccurrences(maxCharOccur);
     if (true == result) {
         // policy successfully set
     }
 } catch (SecurityException e) {
     Log.w(TAG, "SecurityException: " + e);
 }

Permission

The use of this API requires the caller to have the "com.samsung.android.knox.permission.KNOX_SECURITY" permission which has a protection level of signature.

Since

API level 4

MDM 2.2

Multiuser Environment

User Scope

public boolean setMaximumCharacterSequenceLength (int length)

Since: API level 6

API to set the maximum length of an alphabetic sequence that is allowed in the device password.

Parameters

length	Maximum allowed length of alphabetic sequences. A value of '0' specifies that no alphabetic sequence restrictions are applied.

Returns

true - on successful setting of this restriction
false - on failure to set this restriction

Throws

SecurityException	If caller does not have required permissions

Usage

An administrator can use this API to set the maximum alphabetic sequence length. This setting specifies that the device password must not contain alphabetic sequences greater than the given length. For example, if the alphabetic sequence length is set to 5, the alphabetic sequence "abcde" is allowed but the sequence "abcdef" is prohibited. A value of '0' specifies that no alphabetic sequence restrictions are applied.

 EnterpriseDeviceManager edm = EnterpriseDeviceManager.getInstance(context);
 PasswordPolicy passwordPolicy = edm.getPasswordPolicy();
 try {
     int maxAlphabeticSequenceLength = 3;
     boolean result = passwordPolicy.setMaximumCharacterSequenceLength(maxAlphabeticSequenceLength);
     if (true == result) {
         // policy successfully set
     }
 } catch (SecurityException e) {
     Log.w(TAG, "SecurityException: " + e);
 }

For Container:

 // When you create container successfully, containerID will be returned via intent.
 // Use this containerID in below API.
 EnterpriseKnoxManager ekm = EnterpriseKnoxManager.getInstance(context);
 KnoxContainerManager kcm = ekm.getKnoxContainerManager(containerID);
 PasswordPolicy passwordPolicy = kcm.getPasswordPolicy();
 try {
     int maxAlphabeticSequenceLength = 3;
     boolean result = passwordPolicy.setMaximumCharacterSequenceLength(maxAlphabeticSequenceLength);
     if (true == result) {
         // policy successfully set
     }
 } catch (SecurityException e) {
     Log.w(TAG, "SecurityException: " + e);
 }

Permission

The use of this API requires the caller to have the "com.samsung.android.knox.permission.KNOX_SECURITY" permission which has a protection level of signature.

Since

API level 6

MDM 4.0

Multiuser Environment

User Scope

public boolean setMaximumFailedPasswordsForDeviceDisable (int num)

Since: API level 2

API to set the maximum number of failed password attempts after which device is disabled

Parameters

num	Number of failed password attempts after which device is disabled. A value of zero (0) specifies that no such restrictions are applied.

Returns

true if successful, else false.

Throws

SecurityException	If caller does not have required permissions

Usage

An administrator who is managing the device can call this API to set the maximum number of failed password attempts after which the device is disabled. When the device is disabled, the user cannot enter a password. The only way to re-enable the device is for the administrator to set the value to "0" again.

 EnterpriseDeviceManager edm = EnterpriseDeviceManager.getInstance(context);
 PasswordPolicy passwordPolicy = edm.getPasswordPolicy();
 try {
     // setting 10 as max number of attempts.
     int numberofFailedAttempts = 10;
     boolean result = passwordPolicy
             .setMaximumFailedPasswordsForDeviceDisable(numberofFailedAttempts);
     if (true == result) {
         // device will be disabled after 10 wrong attempts of
         // password
     }
 } catch (SecurityException e) {
     Log.w(TAG, "SecurityException: " + e);
 }

For Container:

 // When you create container successfully, containerID will be returned via intent.
 // Use this containerID in below API.
 EnterpriseKnoxManager ekm = EnterpriseKnoxManager.getInstance(context);
 KnoxContainerManager kcm = ekm.getKnoxContainerManager(containerID);
 PasswordPolicy passwordPolicy = kcm.getPasswordPolicy();
 try {
     // setting 10 as max number of attempts.
     int numberofFailedAttempts = 10;
     boolean result = passwordPolicy
             .setMaximumFailedPasswordsForDeviceDisable(numberofFailedAttempts);
     if (true == result) {
         // device will be disabled after 10 wrong attempts of
         // password
     }
 } catch (SecurityException e) {
     Log.w(TAG, "SecurityException: " + e);
 }

Permission

The use of this API requires the caller to have the "com.samsung.android.knox.permission.KNOX_SECURITY" permission with a protection level of signature.

Since

API level 2

MDM 2.0

Multiuser Environment

User Scope

public boolean setMaximumNumericSequenceLength (int length)

Since: API level 4

API to set the maximum length of the numeric sequence that is allowed in the device password.

Parameters

length	Maximum allowed length of numeric sequences. A value of '0' specifies that no numeric sequence restrictions are applied.

Returns

true - on successful setting of this restriction
false - on failure to set this restriction

Throws

SecurityException	If caller does not have required permissions

Usage

An administrator can call this API to set the maximum numeric sequence length allowed in the device password. This API specifies that the device password must not contain a numeric sequences greater than the given length. For example, if the maximum numeric sequence length is set to 5, the numeric sequence "12345" is allowed but "123456" is prohibited. A value of '0' specifies that no numeric sequence restrictions are applied.

 EnterpriseDeviceManager edm = EnterpriseDeviceManager.getInstance(context);
 PasswordPolicy passwordPolicy = edm.getPasswordPolicy();
 try {
     int maxNumericSequenceLength = 3;
     boolean result = passwordPolicy.setMaximumNumericSequenceLength(maxNumericSequenceLength);
     if (true == result) {
         // policy successfully set
     }
 } catch (SecurityException e) {
     Log.w(TAG, "SecurityException: " + e);
 }

For Container:

 // When you create container successfully, containerID will be returned via intent.
 // Use this containerID in below API.
 EnterpriseKnoxManager ekm = EnterpriseKnoxManager.getInstance(context);
 KnoxContainerManager kcm = ekm.getKnoxContainerManager(containerID);
 PasswordPolicy passwordPolicy = kcm.getPasswordPolicy();
 try {
     int maxNumericSequenceLength = 3;
     boolean result = passwordPolicy.setMaximumNumericSequenceLength(maxNumericSequenceLength);
     if (true == result) {
         // policy successfully set
     }
 } catch (SecurityException e) {
     Log.w(TAG, "SecurityException: " + e);
 }

Permission

The use of this API requires the caller to have the "com.samsung.android.knox.permission.KNOX_SECURITY" permission which has a protection level of signature.

Since

API level 4

MDM 2.2

Multiuser Environment

User Scope

public void setMinPasswordComplexChars (ComponentName admin, int size)

Since: API level 2

Deprecated in API level 35

API to set the password character length required when setting a new password. According to protocol, complex characters are digits or symbols that contribute to making stricter passwords. If MinPasswordComplexChars = 1, then at least one digit is required. If MinPasswordComplexChars > 1, then at least one digit and at least one symbol are required, and the count of complex characters >= MinPasswordComplexChars.

Note: Since MDM 5.2 if MinPasswordComplexChars >= 4, then at least one lowercase character and one uppercase character are required.

Parameters

size	Number of complex characters that must be present in the password.

Throws

SecurityException	If caller does not have required permissions

Usage

This API is called by an application that manages the device to set the minimum complex characters in the password.

 EnterpriseDeviceManager edm = EnterpriseDeviceManager.getInstance(context);
 DevicePolicyManager dpm = (DevicePolicyManager) getSystemService(Context.DEVICE_POLICY_SERVICE);
 PasswordPolicy passwordPolicy = edm.getPasswordPolicy();
 try {
     ComponentName enterpriseDeviceAdmin = new ComponentName(context, EDMTestsAdmin.class);
     // enforcing complex character as 2, i.e., user needs to enter
     // at least one digit and one symbol in new password.
     int complexChar = 2;

     dpm.setPasswordQuality(enterpriseDeviceAdmin, DevicePolicyManager.PASSWORD_QUALITY_COMPLEX);// For HC

     passwordPolicy.setMinPasswordComplexChars(enterpriseDeviceAdmin, complexChar);
 } catch (SecurityException e) {
     Log.w(TAG, "SecurityException: " + e);
 }

For Container:

 // When you create container successfully, containerID will be returned via intent.
 // Use this containerID in below API.
 EnterpriseKnoxManager ekm = EnterpriseKnoxManager.getInstance(context);
 KnoxContainerManager kcm = ekm.getKnoxContainerManager(containerID);
 PasswordPolicy passwordPolicy = kcm.getPasswordPolicy();
 DevicePolicyManager dpm = (DevicePolicyManager) getSystemService(Context.DEVICE_POLICY_SERVICE);
 try {
     ComponentName enterpriseDeviceAdmin = new ComponentName(context, EDMTestsAdmin.class);
     // enforcing complex character as 2, i.e., user needs to enter
     // at least one digit and one symbol in new password.
     int complexChar = 2;

     dpm.setPasswordQuality(enterpriseDeviceAdmin, DevicePolicyManager.PASSWORD_QUALITY_COMPLEX);// For HC

     passwordPolicy.setMinPasswordComplexChars(enterpriseDeviceAdmin, complexChar);
 } catch (SecurityException e) {
     Log.w(TAG, "SecurityException: " + e);
 }

Permission

The calling device administrator must have a "limit-password" tag for Android version 3.0 onward in the "uses-policies" section of its metadata so as to call this method; if the tag does not exist, a security exception is thrown.
The use of this API requires the caller to have the "com.samsung.android.knox.permission.KNOX_SECURITY" permission which has a protection level of signature.

Since

API level 2

MDM 2.0

Dependency

Password quality should be PASSWORD_QUALITY_COMPLEX.

Multiuser Environment

User Scope

public boolean setMinimumCharacterChangeLength (int length)

Since: API level 6

API to set the minimum number of changed characters a password string may have when compared to the previous one.

Returns

true - on successful setting of this restriction
false - on failure to set this restriction

Throws

SecurityException	If caller does not have required permissions

Usage

An administrator can use this API to specify that a new password must have a minimum number of changed characters. The difference between both strings shall be calculated using the Levenshtein algorithm. Characters can be numeric, alphabetic, or symbolic. According to the Levenshtein method, strings like "test" and "best" differ from each other by 1 unit. "test" and "toad" differ from each other by 3 units. "test" and "est" differ from each other by 1 unit. A value of '0' specifies that no restrictions are applied.

 EnterpriseDeviceManager edm = EnterpriseDeviceManager.getInstance(context);
 PasswordPolicy passwordPolicy = edm.getPasswordPolicy();
 try {
     int minChangedChars = 3;
     boolean result = passwordPolicy.setMinimumCharacterChangeLength(minChangedChars);
     if (true == result) {
         // policy successfully set
     }
 } catch (SecurityException e) {
     Log.w(TAG, "SecurityException: " + e);
 }

For Container:

 // When you create container successfully, containerID will be returned via intent.
 // Use this containerID in below API.
 EnterpriseKnoxManager ekm = EnterpriseKnoxManager.getInstance(context);
 KnoxContainerManager kcm = ekm.getKnoxContainerManager(containerID);
 PasswordPolicy passwordPolicy = kcm.getPasswordPolicy();
 try {
     int minChangedChars = 3;
     boolean result = passwordPolicy.setMinimumCharacterChangeLength(minChangedChars);
     if (true == result) {
         // policy successfully set
     }
 } catch (SecurityException e) {
     Log.w(TAG, "SecurityException: " + e);
 }

Permission

The use of this API requires the caller to have the "com.samsung.android.knox.permission.KNOX_SECURITY" permission which has a protection level of signature.

Since

API level 6

MDM 4.0

Multiuser Environment

User Scope

public void setMultifactorAuthenticationEnabled (boolean enable)

Since: API level 24

API to enable or disable multi-factor authentication.

Throws

SecurityException	If caller does not have required permissions

Usage

When this policy is enforced more than one form of authentication is required to unlock keyguard for specific user space. As an example, user is required to authenticate finger print and also required to authenticate one of the device unlock methods chosen among pattern/pin/password. By default this policy is disabled, unless administrator chooses to enable it.

If administrator disables biometric authentication then multi-factor cannot be enforced, unless user already has multi-factor setup prior to biometric being disabled.

Note: This API can be called only by Device owner or Profile owner.

 EnterpriseDeviceManager edm = EnterpriseDeviceManager.getInstance(context);
 PasswordPolicy passwordPolicy = edm.getPasswordPolicy();
 try {
     passwordPolicy.setMultifactorAuthenticationEnabled(true);
 } catch (SecurityException e) {
     Log.w(TAG, "SecurityException: " + e);
 }

For Container:

 // When you create container successfully, containerID will be returned via intent.
 // Use this containerID in below API.
 EnterpriseKnoxManager ekm = EnterpriseKnoxManager.getInstance(context);
 KnoxContainerManager kcm = ekm.getKnoxContainerManager(containerID);
 PasswordPolicy passwordPolicy = kcm.getPasswordPolicy();
 try {
     passwordPolicy.setMultifactorAuthenticationEnabled(true);
 } catch (SecurityException e) {
     Log.w(TAG, "SecurityException: " + e);
 }

Permission

The use of this API requires the caller to have the "com.samsung.android.knox.permission.KNOX_ADVANCED_SECURITY" permission which has a protection level of signature.

Since

API level 24

KNOX 3.0

Multiuser Environment

User Scope

public boolean setPasswordChangeTimeout (int timeout)

Since: API level 2

API to set time value after which the password must be changed after the user cancels the first password change enforcement.

Parameters

timeout	The password change timeout value in minutes.

Returns

true if the value was set successfully, else false

Throws

SecurityException	If caller does not have required permissions

Usage

This API is called by an application that is managing the device. The API sets the timeout in minutes after which the password must be changed after the administrator uses enforcePwdChange() and the user cancels the first password change enforcement. If a password is already set in the device and the administrator calls enforcePwdChange(), the user can cancel the password change dialog; the password change is definitely enforced again after the timeout set (default value is 0 - no option to cancel). If no password is set in the device and the administrator calls enforcePwdChange(), the user cannot cancel it, so, in this case, the password change timeout is ignored.

 EnterpriseDeviceManager edm = EnterpriseDeviceManager.getInstance(context);
 PasswordPolicy passwordPolicy = edm.getPasswordPolicy();
 int timeout = 10;
 try {
     boolean result = passwordPolicy.setPasswordChangeTimeout(timeout);
     if (true == result) {
         // password change timeout value set
     }
 } catch (SecurityException e) {
     Log.w(TAG, "SecurityException: " + e);
 }

For Container:

 // When you create container successfully, containerID will be returned via intent.
 // Use this containerID in below API.
 EnterpriseKnoxManager ekm = EnterpriseKnoxManager.getInstance(context);
 KnoxContainerManager kcm = ekm.getKnoxContainerManager(containerID);
 PasswordPolicy passwordPolicy = kcm.getPasswordPolicy();
 int timeout = 10;
 try {
     boolean result = passwordPolicy.setPasswordChangeTimeout(timeout);
     if (true == result) {
         // password change timeout value set
     }
 } catch (SecurityException e) {
     Log.w(TAG, "SecurityException: " + e);
 }

Permission

The use of this API requires the caller to have the "com.samsung.android.knox.permission.KNOX_SECURITY" permission which has a protection level of signature.

Since

API level 2

MDM 2.0

Multiuser Environment

User Scope

public void setPasswordExpires (ComponentName admin, int value)

Since: API level 2

Deprecated in API level 35

API to set password expiry days for a particular administrator.

Parameters

admin	Which DeviceAdminReceiver this request is associated with.
value	Number of days after which the password expires.

Throws

SecurityException	If caller does not have required permissions

Usage

This API is called by an application that is managing the device to set the maximum password age in days after which the password has to be changed. Value 0 will reset this policy and no expiry will be applied.

 EnterpriseDeviceManager edm = EnterpriseDeviceManager.getInstance(context);
 PasswordPolicy passwordPolicy = edm.getPasswordPolicy();
 try {
     ComponentName enterpriseDeviceAdmin = new ComponentName(context, EDMTestsAdmin.class);
     int passwordExpiryDays = 10;
     passwordPolicy.setPasswordExpires(enterpriseDeviceAdmin, passwordExpiryDays);
 } catch (SecurityException e) {
     Log.w(TAG, "SecurityException: " + e);
 }

For Container:

 // When you create container successfully, containerID will be returned via intent.
 // Use this containerID in below API.
 EnterpriseKnoxManager ekm = EnterpriseKnoxManager.getInstance(context);
 KnoxContainerManager kcm = ekm.getKnoxContainerManager(containerID);
 PasswordPolicy passwordPolicy = kcm.getPasswordPolicy();
 try {
     ComponentName enterpriseDeviceAdmin = new ComponentName(context, EDMTestsAdmin.class);
     int passwordExpiryDays = 10;
     passwordPolicy.setPasswordExpires(enterpriseDeviceAdmin, passwordExpiryDays);
 } catch (SecurityException e) {
     Log.w(TAG, "SecurityException: " + e);
 }

Permission

The device administrator must have a 'expire-password' tag in the 'uses-policies' section of its metadata so as to call this method; if the tag does not exist, a SecurityException is thrown.
The use of this API requires the caller to have the "com.samsung.android.knox.permission.KNOX_SECURITY" permission which has a protection level of signature.

Since

API level 2

MDM 2.0

Multiuser Environment

User Scope

public void setPasswordHistory (ComponentName admin, int value)

Since: API level 2

Deprecated in API level 35

API to set the number of previous passwords that the user cannot use when prompted to change the password.

Parameters

value	Number of previous passwords that cannot be used when setting a new password.

Throws

SecurityException	If caller does not have required permissions

Usage

This API is called by an application that is managing the device to set the maximum password history (the number of previous passwords that cannot be used when setting a new password). Value 0 will reset this policy and no history will be checked.

 EnterpriseDeviceManager edm = EnterpriseDeviceManager.getInstance(context);
 PasswordPolicy passwordPolicy = edm.getPasswordPolicy();
 try {
     ComponentName enterpriseDeviceAdmin = new ComponentName(context, EDMTestsAdmin.class);

     passwordPolicy.setPasswordHistory(enterpriseDeviceAdmin, 5);
 } catch (SecurityException e) {
     Log.w(TAG, "SecurityException: " + e);
 }

For Container:

 // When you create container successfully, containerID will be returned via intent.
 // Use this containerID in below API.
 EnterpriseKnoxManager ekm = EnterpriseKnoxManager.getInstance(context);
 KnoxContainerManager kcm = ekm.getKnoxContainerManager(containerID);
 PasswordPolicy passwordPolicy = kcm.getPasswordPolicy();
 try {
     ComponentName enterpriseDeviceAdmin = new ComponentName(context, EDMTestsAdmin.class);

     passwordPolicy.setPasswordHistory(enterpriseDeviceAdmin, 5);
 } catch (SecurityException e) {
     Log.w(TAG, "SecurityException: " + e);
 }

Permission

The calling device administrator must have a "limit-password" tag for Android version 3.0 onward in the "uses-policies" section of its metadata so as to call this method;if the tag does not exist, a SecurityException is thrown.
The use of this API requires the caller to have the "com.samsung.android.knox.permission.KNOX_SECURITY" permission which has a protection level of signature.

Since

API level 2

MDM 2.0

Multiuser Environment

User Scope

public boolean setPasswordLockDelay (int time)

Since: API level 2

API to set idle time after which key guard lock (lock screen) is enabled.

Parameters

time	Time to wait in seconds for passcode prompt after lock screen.

Returns

true if successful, else false.

Throws

SecurityException	If caller does not have required permissions

Usage

An administrator can use this API to set the duration of idle time before the key guard lock (lock screen) is enabled. Device settings provide to the user a way to set time values to lock the device automatically or instantly by pressing power key. Considering the conflict between these functionalities and this API, the strictest value (shorter time) is the one that will be applied, no matter if it was defined by administrator or by user via device settings. When the functionality of 'lock instantly with power key' is enabled and the power key is pressed, the screen will be locked instantly regardless of the time set by either the administrator or the user. If the device is managed by multiple administrators, the lowest value is used as the lock time. If the password is set, the user is prompted for the password while unlocking the device. If administrator does not care about the idle time he can set -1. If set to 0 then device is locked immediately after screen time out.

 EnterpriseDeviceManager edm = EnterpriseDeviceManager.getInstance(context);
 PasswordPolicy passwordPolicy = edm.getPasswordPolicy();
 try {
     // enforcing 10 second timeout
     int time = 10;
     boolean result = passwordPolicy.setPasswordLockDelay(time);
     if (true == result) {
         // screen gets locked after 10 seconds of idle time
     }
 } catch (SecurityException e) {
     Log.w(TAG, "SecurityException: " + e);
 }

Permission

The use of this API requires the caller to have the "com.samsung.android.knox.permission.KNOX_SECURITY" permission which has a protection level of signature.

Since

API level 2

MDM 2.0

Multiuser Environment

Global Scope

public boolean setPasswordVisibilityEnabled (boolean allow)

Since: API level 6

API to enable or disable making the password visible while typing.

Parameters

allow	`true` to enable, `false` to disable

Returns

true if successful, else false

Throws

SecurityException	If caller does not have required permissions

Usage

An administrator can enable or disable making the password visible without user interaction. The user and third-party applications cannot enable the visibility setting once it is disabled.

Note: Since Knox 3.0, this API will also disable the eye icon during password configuration and lockscreen.

 EnterpriseDeviceManager edm = EnterpriseDeviceManager.getInstance(context);
 PasswordPolicy passwordPolicy = edm.getPasswordPolicy();
 try {
     boolean enableMakePwdVisible = true;
     // disable visible pattern
     passwordPolicy.setPasswordVisibilityEnabled(enableMakePwdVisible);
 } catch (SecurityException e) {
     Log.w(TAG, "SecurityException: " + e);
 }

For Container:

Note : This API is not applicable for container. Container will follow owner's behavior.

Permission

The use of this API requires the caller to have the "com.samsung.android.knox.permission.KNOX_SECURITY" permission with a protection level of signature.

Since

API level 6

MDM 4.0

Multiuser Environment

User Scope for multi-user scenario only

public boolean setRequiredPasswordPattern (String regex)

Since: API level 2

API to set or override a pattern for password match.

Parameters

regex	The required pattern to be matched.

Returns

true if successful, else false.

Throws

SecurityException	If caller does not have required permissions

Usage

The administrator that last set the password pattern becomes the password pattern owner, meaning that only the owner's patterns are used to match new passwords. An administrator can force the user to enter a password based on a regular expression. For example, if the regular expression is [a-zA-Z]{4}[0-9]{4}, the administrator forces the user to enter an 8-character password with first 4 characters alphabetic and next 4 characters numeric. The administrator must be careful when setting this pattern. Android requires a minimum password length of 4 characters and a maximum length of 16 characters. The pattern set must always allow passwords following these constraints.

 EnterpriseDeviceManager edm = EnterpriseDeviceManager.getInstance(context);
 PasswordPolicy passwordPolicy = edm.getPasswordPolicy();
 String regex = "[a-zA-Z]{4}[0-9]{4}";
 try {
     // forced to enter 8 characters containing 4 alphabetic characters and 4 digits.
     boolean result = passwordPolicy.setRequiredPasswordPattern(regex);
     if (true == result) {
         // password pattern set
     }
 } catch (SecurityException e) {
     Log.w(TAG, "SecurityException: " + e);
 }

For Container:

 // When you create container successfully, containerID will be returned via intent.
 // Use this containerID in below API.
 EnterpriseKnoxManager ekm = EnterpriseKnoxManager.getInstance(context);
 KnoxContainerManager kcm = ekm.getKnoxContainerManager(containerID);
 PasswordPolicy passwordPolicy = kcm.getPasswordPolicy();
 String regex = "[a-zA-Z]{4}[0-9]{4}";
 try {
     // forced to enter 8 characters containing 4 alphabetic characters and 4 digits.
     boolean result = passwordPolicy.setRequiredPasswordPattern(regex);
     if (true == result) {
         // password pattern set
     }
 } catch (SecurityException e) {
     Log.w(TAG, "SecurityException: " + e);
 }

Permission

The use of this API requires the caller to have the "com.samsung.android.knox.permission.KNOX_SECURITY" permission which has a protection level of signature.

Since

API level 2

MDM 2.0

Multiuser Environment

User Scope

public boolean setScreenLockPatternVisibilityEnabled (boolean enable)

Since: API level 5

API to enable or disable screen lock pattern visibility.

Parameters

enable	`true` to enable screen lock pattern visibility, `false` to disable it

Returns

true if successful, else false.

Throws

SecurityException	If caller does not have required permissions

Usage

An administrator can use this API to enable or disable the screen lock pattern visibility without user interaction. The user or third-party applications cannot enable the visibility if it has been disabled.

 EnterpriseDeviceManager edm = EnterpriseDeviceManager.getInstance(context);
 PasswordPolicy passwordPolicy = edm.getPasswordPolicy();
 try {
     boolean disableVisiblePattern = true;
     // disable visible pattern
     passwordPolicy.setScreenLockPatternVisibilityEnabled(disableVisiblePattern);
 } catch (SecurityException e) {
     Log.w(TAG, "SecurityException: " + e);
 }

For Container:

 // When you create container successfully, containerID will be returned via intent.
 // Use this containerID in below API.
 EnterpriseKnoxManager ekm = EnterpriseKnoxManager.getInstance(context);
 KnoxContainerManager kcm = ekm.getKnoxContainerManager(containerID);
 PasswordPolicy passwordPolicy = kcm.getPasswordPolicy();
 try {
     boolean disableVisiblePattern = true;
     // disable visible pattern
     passwordPolicy.setScreenLockPatternVisibilityEnabled(disableVisiblePattern);
 } catch (SecurityException e) {
     Log.w(TAG, "SecurityException: " + e);
 }

Permission

The use of this API requires the caller to have the "com.samsung.android.knox.permission.KNOX_SECURITY" permission with a protection level of signature.

Since

API level 5

MDM 3.0

Multiuser Environment

User Scope

public boolean unlock ()

Since: API level 24

Deprecated in API level 33

API to unlock the user.

Throws

SecurityException	If caller does not have required permissions

Usage

Calling this API will unlock the user. It will return true if user is successfully unlocked.

Note: This API can be called only by Device owner or Profile owner.

 EnterpriseDeviceManager edm = EnterpriseDeviceManager.getInstance(context);
 PasswordPolicy passwordPolicy = edm.getPasswordPolicy();
 try {
     boolean status = passwordPolicy.unlock();
 } catch (SecurityException e) {
     Log.w(TAG, "SecurityException: " + e);
 }

For Container:

 // When you create container successfully, containerID will be returned via intent.
 // Use this containerID in below API.
 EnterpriseKnoxManager ekm = EnterpriseKnoxManager.getInstance(context);
 KnoxContainerManager kcm = ekm.getKnoxContainerManager(containerID);
 PasswordPolicy passwordPolicy = kcm.getPasswordPolicy();
 try {
     boolean status = passwordPolicy.unlock();
 } catch (SecurityException e) {
     Log.w(TAG, "SecurityException: " + e);
 }

Permission

The use of this API requires the caller to have the "com.samsung.android.knox.permission.KNOX_ADVANCED_SECURITY" permission which has a protection level of signature.

Since

API level 24

KNOX 3.0

Multiuser Environment

User Scope

Knox SDK API reference

Classes

PasswordPolicy

Class Overview

Since

Summary

Constants

public static final int BIOMETRIC_AUTHENTICATION_FACE

Since

public static final int BIOMETRIC_AUTHENTICATION_FINGERPRINT

Since

public static final int BIOMETRIC_AUTHENTICATION_IRIS

Since

Public Methods

public boolean deleteAllRestrictions ()

Returns

Throws

Usage

For Container:

Permission

Since

Multiuser Environment

See Also

public boolean enforcePwdChange ()

Returns

Throws

Usage

For Container:

Permission

Since

Multiuser Environment

See Also

public boolean excludeExternalStorageForFailedPasswordsWipe (boolean enable)

Parameters

Returns

Throws

Usage

Permission

Since

Multiuser Environment

See Also

public AuthenticationConfig getEnterpriseIdentityAuthentication ()

Returns

Usage

For Container:

Permission

Since

Multiuser Environment

See Also

public List<String> getForbiddenStrings (boolean allAdmins)

Parameters

Returns

Throws

Usage

Permission

Since

Multiuser Environment

See Also

public int getMaximumCharacterOccurences ()

Returns

Usage

Since

Multiuser Environment

See Also

public int getMaximumCharacterSequenceLength ()

Returns

Usage

Since

Multiuser Environment

See Also

public int getMaximumFailedPasswordsForDeviceDisable ()

Returns

Usage

Since

Multiuser Environment

See Also

public int getMaximumNumericSequenceLength ()

Returns

Usage

Since