An application that wants to read a installed private key will use the KeyChain . It will ask the user to allow the application to read a private key, showing a list of currently available private keys. By using this policy, the administrator will bypass the interaction with the user, selecting the correct private key automatically. This policy will verify if the application package name and the host:port (which is provided by the application) matches an entry made by an administrator, and then grant access to a installed private key. During the validation, the pair host:port is provided by the application, therefore, one must trust the application before using this policy.

Please note: this policy must be used carefully, since it will allow an application to read private keys without alerting the user.

 String pkgName = "com.example.app";
 String host = "myserver.com";
 int port = 80;
 String alias = "mykey";
 PermissionApplicationPrivateKey pkey = new PermissionApplicationPrivateKey(pkgName, host, port,
         alias);
 EnterpriseKnoxManager ekm = EnterpriseKnoxManager.getInstance(context);
 CertificatePolicy certificatePolicy = ekm.getCertificatePolicy();

 try {
     boolean result = certificatePolicy.addPermissionApplicationPrivateKey(pkey);
     if (true == result) {
         // application will receive permission to access private key, when it
         // ask for it.
     } else {
         // failure to set policy
     }
 } catch (SecurityException e) {
     Log.w(TAG, "SecurityException: " + e);
 }
 

 // When you create container successfully, containerID will be returned via intent.
 // Use this containerID in below API.
 EnterpriseKnoxManager ekm = EnterpriseKnoxManager.getInstance(context);
 KnoxContainerManager kcm = ekm.getKnoxContainerManager(containerID);
 CertificatePolicy certificatePolicy = kcm.getCertificatePolicy();

 String pkgName = "com.example.app";
 String host = "myserver.com";
 int port = 80;
 String alias = "mykey";
 PermissionApplicationPrivateKey pkey = new PermissionApplicationPrivateKey(pkgName, host, port,
         alias);

 try {
     boolean result = certificatePolicy.addPermissionApplicationPrivateKey(pkey);
     if (true == result) {
         // application will receive permission to access private key, when it
         // ask for it.
     } else {
         // failure to set policy
     }
 } catch (SecurityException e) {
     Log.w(TAG, "SecurityException: " + e);
 }
 

Use this API to add a list of trusted CA certificates. After a CA is added, this policy is activated, and only certificates that are signed by a trusted CA can be installed. Also, the certificates previously installed by user which are not trusted will be removed from the system. They will be quarantined, and if in the future they become trusted again (if administrator adds this certificate CA to the list or; disables the policy cleaning the trusted CA list), they will be re-installed. During this period, user cannot see or use any of them. Adding a certificate to the list of trusted CA does not install the certificate on the system. Preloaded CA certificates, named System Credentials in Settings Application are not modified. To disable preloaded CA certificates please use untrusted certificates policy addUntrustedCertificateList(List). Please note that a certificate with an unknown issuer is treated as not trusted, like the concept of a whitelist. And this happens even when a root CA is trusted, but an intermediate certificate is not present in the system. This policy interacts with untrusted certificates policy addUntrustedCertificateList(List). For security reasons, untrusted list will take precedence over trusted list. When a certificate is added to untrusted list, it will be removed from the system even if it is part of a trusted certificate chain. If administrator tries to add a list with at least one certificate that is not from a certificate authority, no certificate from the list will be added and it will return false.

NOTE 1: Before KNOX 2.6 this API was Global Scope. Since KNOX 2.6, as API was changed to User Scope and to keep backward compatibility, calling it from owner (User 0) will affect all users, and containers owned by administrator. If called from a specific user or container, this API will affect only the specific user or container.

NOTE 2: Due to keystore changes on Android S (KNOX 3.8), if a user certificate (i.e. the one that corresponds to the private key) is declared as untrusted due to this policy, the whole key entry (private key and related certificates) will be removed, and it cannot be reverted even if certificate becomes trusted again. In this case, a manual re-installation of key entry will be required.

       EnterpriseKnoxManager ekm = EnterpriseKnoxManager.getInstance(context);
       CertificatePolicy certificatePolicy = ekm.getCertificatePolicy();
       List<X509Certificate> list = new ArrayList<X509Certificate>();
       // add the certificates to be inserted on the trusted list
       try {
           boolean result = certificatePolicy.addTrustedCaCertificateList(list);
           if (true == result) {
               // trusted certificates were successfully added
           } else {
               // fail to add trusted certificates
           }
       } catch (SecurityException e) {
           Log.w(TAG, "SecurityException: " + e);
       }
       

       // When you create container successfully, containerID will be returned via intent.
       // Use this containerID in below API.
       EnterpriseKnoxManager ekm = EnterpriseKnoxManager.getInstance(context);
       KnoxContainerManager kcm = ekm.getKnoxContainerManager(containerID);
       CertificatePolicy certificatePolicy = kcm.getCertificatePolicy();
       List<X509Certificate> list = new ArrayList<X509Certificate>();
       // add the certificates to be inserted on the trusted list
       try {
           boolean result = certificatePolicy.addTrustedCaCertificateList(list);
           if (true == result) {
               // trusted certificates were successfully added
           } else {
               // fail to add trusted certificates
           }
       } catch (SecurityException e) {
           Log.w(TAG, "SecurityException: " + e);
       }
       

Use this API to add a list of untrusted certificates. After a certificate is added, this policy is activated, and untrusted certificates won't be installed (nor certificates signed by an untrusted certificate). Also, untrusted certificates previously installed will be removed from the system. They will be quarantined, and if in the future they become trusted again (when administrator removes this certificate from the untrusted list), they will be re-installed. During this period, user cannot see or use any of them. Certificates that were preloaded in the device cannot be removed, and are disabled (user is not able to re-enable them). Please note that a certificate with an unknown issuer is treated as trusted, like the concept of a blacklist. And this happens even when a root CA is untrusted, but an intermediate certificate is not present in the system. This policy interacts with trusted CAs policy addTrustedCaCertificateList(List) . For security reasons, untrusted list will take precedence over trusted list. When a certificate is added to untrusted list, it will be removed from the system even if it is part of a trusted certificate chain.

NOTE 1: Before KNOX 2.6 this API was Global Scope. Since KNOX 2.6, as API was changed to User Scope and to keep backward compatibility, calling it from owner (User 0) will affect all users, and containers owned by administrator. If called from a specific user or container, this API will affect only the specific user or container.

NOTE 2: Due to keystore changes on Android S (KNOX 3.8), if a user certificate (i.e. the one that corresponds to the private key) is declared as untrusted due to this policy, the whole key entry (private key and related certificates) will be removed, and it cannot be reverted even if certificate becomes trusted again. In this case, a manual re-installation of key entry will be required.

       EnterpriseKnoxManager ekm = EnterpriseKnoxManager.getInstance(context);
       CertificatePolicy certificatePolicy = ekm.getCertificatePolicy();
       List<X509Certificate> list = new ArrayList<X509Certificate>();
       // add the certificates to be inserted on the untrusted list
       try {
           boolean result = certificatePolicy.addUntrustedCertificateList(list);
           if (true == result) {
               // untrusted certificates were successfully added
           } else {
               // fail to add untrusted certificates
           }
       } catch (SecurityException e) {
           Log.w(TAG, "SecurityException: " + e);
       }
       

       // When you create container successfully, containerID will be returned via intent.
       // Use this containerID in below API.
       EnterpriseKnoxManager ekm = EnterpriseKnoxManager.getInstance(context);
       KnoxContainerManager kcm = ekm.getKnoxContainerManager(containerID);
       CertificatePolicy certificatePolicy = kcm.getCertificatePolicy();
       List<X509Certificate> list = new ArrayList<X509Certificate>();
       // add the certificates to be inserted on the untrusted list
       try {
           boolean result = certificatePolicy.addUntrustedCertificateList(list);
           if (true == result) {
               // untrusted certificates were successfully added
           } else {
               // fail to add untrusted certificates
           }
       } catch (SecurityException e) {
           Log.w(TAG, "SecurityException: " + e);
       }
       

Use this API to block the user of removing any certificate. It will also block the user of resetting the keystores (that clears all installed credentials, certificates and private keys).

The APIs to remove certificates and reset the keystores will take priority over this API, and it will work regardless of its state.

NOTE: Before KNOX 2.6 this API was Global Scope. Since KNOX 2.6, as API was changed to User Scope and to keep backward compatibility, calling it from owner (User 0) will affect all users, and containers owned by administrator. If called from a specific user or container, this API will affect only the specific user or container.

       EnterpriseKnoxManager ekm = EnterpriseKnoxManager.getInstance(context);
       CertificatePolicy certificatePolicy = ekm.getCertificatePolicy();
       try {
           boolean result = certificatePolicy.allowUserRemoveCertificates(true);
           if (true == result) {
               // user can't remove certificates or reset the keystores.
           } else {
               // failure to set policy
           }
       } catch (SecurityException e) {
           Log.w(TAG, "SecurityException: " + e);
       }
       

       // When you create container successfully, containerID will be returned via intent.
       // Use this containerID in below API.
       EnterpriseKnoxManager ekm = EnterpriseKnoxManager.getInstance(context);
       KnoxContainerManager kcm = ekm.getKnoxContainerManager(containerID);
       CertificatePolicy certificatePolicy = kcm.getCertificatePolicy();
       try {
           boolean result = certificatePolicy.allowUserRemoveCertificates(true);
           if (true == result) {
               // user can't remove certificates or reset the keystores.
           } else {
               // failure to set policy
           }
       } catch (SecurityException e) {
           Log.w(TAG, "SecurityException: " + e);
       }
       

After allowing some applications to read the installed private keys bypassing the interaction with the user, administrator may revoke all permissions. After revoking the permissions, the user may be prompted again to select a private key and give permission to each application.

 EnterpriseKnoxManager ekm = EnterpriseKnoxManager.getInstance(context);
 CertificatePolicy certificatePolicy = ekm.getCertificatePolicy();

 try {
     boolean result = certificatePolicy.clearPermissionApplicationPrivateKey();
     if (true == result) {
         // applications will not receive automatic permission
         // to access private key, when they ask for it.
     } else {
         // failure to set policy
     }
 } catch (SecurityException e) {
     Log.w(TAG, "SecurityException: " + e);
 }
 

 // When you create container successfully, containerID will be returned via intent.
 // Use this containerID in below API.
 EnterpriseKnoxManager ekm = EnterpriseKnoxManager.getInstance(context);
 KnoxContainerManager kcm = ekm.getKnoxContainerManager(containerID);
 CertificatePolicy certificatePolicy = kcm.getCertificatePolicy();

 try {
     boolean result = certificatePolicy.clearPermissionApplicationPrivateKey();
     if (true == result) {
         // applications will not receive automatic permission
         // to access private key, when they ask for it.
     } else {
         // failure to set policy
     }
 } catch (SecurityException e) {
     Log.w(TAG, "SecurityException: " + e);
 }
 

Use this API to clear the list of trusted CA certificates. Certificates that were not signed by a trusted CA and had been quarantined will be reviewed, and if they became trusted, they will be re-installed.

NOTE: Before KNOX 2.6 this API was Global Scope. Since KNOX 2.6, as API was changed to User Scope and to keep backward compatibility, calling it from owner (User 0) will affect all users, and containers owned by administrator. If called from a specific user or container, this API will affect only the specific user or container.

       EnterpriseKnoxManager ekm = EnterpriseKnoxManager.getInstance(context);
       CertificatePolicy certificatePolicy = ekm.getCertificatePolicy();
       try {
           boolean status = certificatePolicy.clearTrustedCaCertificateList();
       } catch (SecurityException e) {
           Log.w(TAG, "SecurityException: " + e);
       }
       

       // When you create container successfully, containerID will be returned via intent.
       // Use this containerID in below API.
       EnterpriseKnoxManager ekm = EnterpriseKnoxManager.getInstance(context);
       KnoxContainerManager kcm = ekm.getKnoxContainerManager(containerID);
       CertificatePolicy certificatePolicy = kcm.getCertificatePolicy();
       try {
           boolean status = certificatePolicy.clearTrustedCaCertificateList();
       } catch (SecurityException e) {
           Log.w(TAG, "SecurityException: " + e);
       }
       

Use this API to clear the list of untrusted certificates. Certificates that were untrusted and had been quarantined will be reviewed, and if they became trusted, they will be re-installed.

NOTE: Before KNOX 2.6 this API was Global Scope. Since KNOX 2.6, as API was changed to User Scope and to keep backward compatibility, calling it from owner (User 0) will affect all users, and containers owned by administrator. If called from a specific user or container, this API will affect only the specific user or container.

       EnterpriseKnoxManager ekm = EnterpriseKnoxManager.getInstance(context);
       CertificatePolicy certificatePolicy = ekm.getCertificatePolicy();
       try {
           boolean status = certificatePolicy.clearUntrustedCertificateList();
       } catch (SecurityException e) {
           Log.w(TAG, "SecurityException: " + e);
       }
       

       // When you create container successfully, containerID will be returned via intent.
       // Use this containerID in below API.
       EnterpriseKnoxManager ekm = EnterpriseKnoxManager.getInstance(context);
       KnoxContainerManager kcm = ekm.getKnoxContainerManager(containerID);
       CertificatePolicy certificatePolicy = kcm.getCertificatePolicy();
       try {
           boolean status = certificatePolicy.clearUntrustedCertificateList();
       } catch (SecurityException e) {
           Log.w(TAG, "SecurityException: " + e);
       }
       

Use this API to notify the user whenever a certificate digital signature failure occurs. User will be notified with a toast containing the message "Digital signature failure occurred in: " and the name of the module that found the failure. This policy does not apply to third party or Google applications since we can not change their implementation.

NOTE 1: Before KNOX 2.6 this API was Global Scope. Since KNOX 2.6, as API was changed to User Scope and to keep backward compatibility, calling it from owner (User 0) will affect all users, and containers owned by administrator. If called from a specific user or container, this API will affect only the specific user or container.

NOTE 2: Since KNOX 2.6, this policy is no longer supported by Chrome.

       EnterpriseKnoxManager ekm = EnterpriseKnoxManager.getInstance(context);
       CertificatePolicy certificatePolicy = ekm.getCertificatePolicy();
       try {
           boolean result = certificatePolicy.enableCertificateFailureNotification(true);
           if (true == result) {
               // user will be notified whenever occurs a certificate related fail
           } else {
               // user will not be notified whenever occurs a certificate related fail
           }
       } catch (SecurityException e) {
           Log.w(TAG, "SecurityException: " + e);
       }
       

       // When you create container successfully, containerID will be returned via intent.
       // Use this containerID in below API.
       EnterpriseKnoxManager ekm = EnterpriseKnoxManager.getInstance(context);
       KnoxContainerManager kcm = ekm.getKnoxContainerManager(containerID);
       CertificatePolicy certificatePolicy = kcm.getCertificatePolicy();
       try {
           boolean result = certificatePolicy.enableCertificateFailureNotification(true);
           if (true == result) {
               // user will be notified whenever occurs a certificate related fail
           } else {
               // user will not be notified whenever occurs a certificate related fail
           }
       } catch (SecurityException e) {
           Log.w(TAG, "SecurityException: " + e);
       }
       

Use this API to block the installation of invalid certificates. This will enable a multiple-step check of certificates before installing them. Some of the criteria used to validate a certificate are: certification path, expiration date, revocation status, etc.

The Certification Path, also called certificate chain, is an important part of validation process. A certificate with a issuer CA (Certificate Authority) that is not present in the device's certificate store is deemed unknown, and its installation is blocked. All certificates in a chain (Root CA and intermediate CAs) must be previously stored in the certificate store. Self-signed CAs are also validated, although they don't need any chain.

Please note that the validation process needs Internet access to check the revocation status of the certificate. If the certificate does not contain revocation information, or the revocation server could not be reached, the validation fails.

When the validation process fails, user may be warned of its cause using the policy enableCertificateFailureNotification(boolean). If this API is not enabled, user will NOT receive detailed information of the certificate validation error. The validation failures are also sent to administrator through the intent ACTION_CERTIFICATE_FAILURE.

The device's certificate store may not be the only place containing certificates in the device. Many applications that use network connection may use their own store (e.g.: Email, Social Network, etc). The certificates installed to these stores are not validated by this policy.

Certificates previously installed to device's certificate store will not be validated after enabling this policy.

When this policy is enabled, the policy to install certificates also verifies for validation of its certificates during installation.

For information regarding the certificate validation process please check the following standard documents:

Certification Path Validation: RFC 3280
OCSP (Revocation): RFC 2560

NOTE: Before KNOX 2.6 this API was Global Scope. Since KNOX 2.6, as API was changed to User Scope and to keep backward compatibility, calling it from owner (User 0) will affect all users, and containers owned by administrator. If called from a specific user or container, this API will affect only the specific user or container.

       EnterpriseKnoxManager ekm = EnterpriseKnoxManager.getInstance(context);
       CertificatePolicy certificatePolicy = ekm.getCertificatePolicy();
       try {
           boolean result = certificatePolicy.enableCertificateValidationAtInstall(true);
           if (true == result) {
               // certificates will be validate before installing
           } else {
               // failure to set policy
           }
       } catch (SecurityException e) {
           Log.w(TAG, "SecurityException: " + e);
       }
       

       // When you create container successfully, containerID will be returned via intent.
       // Use this containerID in below API.
       EnterpriseKnoxManager ekm = EnterpriseKnoxManager.getInstance(context);
       KnoxContainerManager kcm = ekm.getKnoxContainerManager(containerID);
       CertificatePolicy certificatePolicy = kcm.getCertificatePolicy();
       try {
           boolean result = certificatePolicy.enableCertificateValidationAtInstall(true);
           if (true == result) {
               // certificates will be validate before installing
           } else {
               // failure to set policy
           }
       } catch (SecurityException e) {
           Log.w(TAG, "SecurityException: " + e);
       }
       

Use this API to enable OCSP when checking for certificate revocation for the applications using SSL connections or SMIME encryption/signing. This has no effect if revocation policy enableRevocationCheck(String, boolean) is not enabled. This will enable the use of OCSP during revocation check. OCSP check is used prior to CRL. If OCSP could not get a decisive response about a certificate, it will try to use CRL. The OCSP response server must be listed in the certificate information under Authority Info Access.

For information regarding certificate revocation please check the following standards documents:

CRL: RFC 3280
OCSP: RFC 2560

NOTE 1: Since KNOX 2.6, this policy is no longer supported by Chrome.

NOTE 2: Administrators must be cautious when enabling this policy for all packages in device. When OCSP or CRL revocation check is enabled, a cleartext HTTP connection may be used to retrieve revocation status/lists. Starting with Android 9 (API level 28), cleartext support is disabled by default and, if application does not explicitly opt in for cleartext support in its manifest, the revocation status/lists may not be retrieved, possibly causing problems in application.

 EnterpriseKnoxManager ekm = EnterpriseKnoxManager.getInstance(context);
 CertificatePolicy certificatePolicy = ekm.getCertificatePolicy();
 try {
     String packageName = "com.android.browser";
     boolean result = certificatePolicy.enableRevocationCheck(packageName, true);
     if (true == result) {
         // revocation will be checked for this app
         boolean resultOcsp = certificatePolicy.enableOcspCheck(packageName, true);
         if (true == resultOcsp) {
             // revocation will be checked for this app using OCSP
         } else {
             // failure to set policy OCSP
         }
     } else {
         // failure to set policy
     }
 } catch (SecurityException e) {
     Log.w(TAG, "SecurityException: " + e);
 }
 

 // When you create container successfully, containerID will be returned via intent.
 // Use this containerID in below API.
 EnterpriseKnoxManager ekm = EnterpriseKnoxManager.getInstance(context);
 KnoxContainerManager kcm = ekm.getKnoxContainerManager(containerID);
 CertificatePolicy certificatePolicy = kcm.getCertificatePolicy();
 try {
     String packageName = "com.android.browser";
     boolean result = certificatePolicy.enableRevocationCheck(packageName, true);
     if (true == result) {
         // revocation will be checked for this app
         boolean resultOcsp = certificatePolicy.enableOcspCheck(packageName, true);
         if (true == resultOcsp) {
             // revocation will be checked for this app using OCSP
         } else {
             // failure to set policy OCSP
         }
     } else {
         // failure to set policy
     }
 } catch (SecurityException e) {
     Log.w(TAG, "SecurityException: " + e);
 }
 

Use this API to check for certificate revocation for the applications using SSL connections or SMIME encryption/signing. This will enable the check for revocation of the server certificate chain during SSL mutual authentication process.This policy only applies to the application if it uses standard TrustManager implementation, this includes most of the native applications, but it does not include third party browsers. Revocation check is primarily done using certificate revocation lists (CRL) that can be downloaded using a CRL distribution point listed in the certificate. If the policy enableOcspCheck(String, boolean) is active then the check will first be done through OCSP method and if it fails a standard check using CRLs will be performed.

The CRL check basically downloads a file from the specified server that contains a list of revoked IDs that is maintained by the CA of the certificate being checked. If the certificate ID is in the list then it is revoked and the SSL/SMIME verification will fail, otherwise it will proceed.

For information regarding certificate revocation please check the following standards documents:

CRL: RFC 3280
OCSP: RFC 2560

NOTE: Administrators must be cautious when enabling this policy for all packages in device. When OCSP or CRL revocation check is enabled, a cleartext HTTP connection may be used to retrieve revocation status/lists. Starting with Android 9 (API level 28), cleartext support is disabled by default and, if application does not explicitly opt in for cleartext support in its manifest, the revocation status/lists may not be retrieved, possibly causing problems in application.

 EnterpriseKnoxManager ekm = EnterpriseKnoxManager.getInstance(context);
 CertificatePolicy certificatePolicy = ekm.getCertificatePolicy();
 try {
     String packageName = "com.android.browser";
     boolean result = certificatePolicy.enableRevocationCheck(packageName, true);
     if (true == result) {
         // revocation will be checked for this app
     } else {
         // failure to set policy
     }
 } catch (SecurityException e) {
     Log.w(TAG, "SecurityException: " + e);
 }
 

 // When you create container successfully, containerID will be returned via intent.
 // Use this containerID in below API.
 EnterpriseKnoxManager ekm = EnterpriseKnoxManager.getInstance(context);
 KnoxContainerManager kcm = ekm.getKnoxContainerManager(containerID);
 CertificatePolicy certificatePolicy = kcm.getCertificatePolicy();
 try {
     String packageName = "com.android.browser";
     boolean result = certificatePolicy.enableRevocationCheck(packageName, true);
     if (true == result) {
         // revocation will be checked for this app
     } else {
         // failure to set policy
     }
 } catch (SecurityException e) {
     Log.w(TAG, "SecurityException: " + e);
 }
 

After allowing some applications to read the installed private keys bypassing the interaction with the user, administrator may list all permissions.

 EnterpriseKnoxManager ekm = EnterpriseKnoxManager.getInstance(context);
 CertificatePolicy certificatePolicy = ekm.getCertificatePolicy();

 try {
     List<PermissionApplicationPrivateKey> list = certificatePolicy
             .getListPermissionApplicationPrivateKey();
     Iterator it = list.iterator();
     while (it.hasNext()) {
         PermissionApplicationPrivateKey pkey = it.next();
         String adminPkgName = pkey.getAdminPkgName();
         String pkgName = pkey.getPackageName();
         String host = pkey.getHost();
         int port = pkey.getPort();
         String alias = pkey.getAlias();
         // do something with the values
     }
 } catch (SecurityException e) {
     Log.w(TAG, "SecurityException: " + e);
 }
 

 // When you create container successfully, containerID will be returned via intent.
 // Use this containerID in below API.
 EnterpriseKnoxManager ekm = EnterpriseKnoxManager.getInstance(context);
 KnoxContainerManager kcm = ekm.getKnoxContainerManager(containerID);
 CertificatePolicy certificatePolicy = kcm.getCertificatePolicy();

 try {
     List<PermissionApplicationPrivateKey> list = certificatePolicy
             .getListPermissionApplicationPrivateKey();
     Iterator it = list.iterator();
     while (it.hasNext()) {
         PermissionApplicationPrivateKey pkey = it.next();
         String adminPkgName = pkey.getAdminPkgName();
         String pkgName = pkey.getPackageName();
         String host = pkey.getHost();
         int port = pkey.getPort();
         String alias = pkey.getAlias();
         // do something with the values
     }
 } catch (SecurityException e) {
     Log.w(TAG, "SecurityException: " + e);
 }
 

Administrator can use this API to get the list of trusted CA certificates from all administrators.

       EnterpriseKnoxManager ekm = EnterpriseKnoxManager.getInstance(context);
       CertificatePolicy certificatePolicy = ekm.getCertificatePolicy();
       try {
           List<CertificateControlInfo> certList = certificatePolicy.getTrustedCaCertificateList();
           Iterator it = certList.iterator();
           while (it.hasNext()) {
               CertificateControlInfo certCtrInfo = it.next();
               String adminPkgName = certCtrInfo.adminPackageName;
               List<X509Certificate> x509certList = certCtrInfo.entries;
               // do something with the certificates
           }
       } catch (SecurityException e) {
           Log.w(TAG, "SecurityException: " + e);
       }
       

       // When you create container successfully, containerID will be returned via intent.
       // Use this containerID in below API.
       EnterpriseKnoxManager ekm = EnterpriseKnoxManager.getInstance(context);
       KnoxContainerManager kcm = ekm.getKnoxContainerManager(containerID);
       CertificatePolicy certificatePolicy = kcm.getCertificatePolicy();
       try {
           List<CertificateControlInfo> certList = certificatePolicy.getTrustedCaCertificateList();
           Iterator it = certList.iterator();
           while (it.hasNext()) {
               CertificateControlInfo certCtrInfo = it.next();
               String adminPkgName = certCtrInfo.adminPackageName;
               List<X509Certificate> x509certList = certCtrInfo.entries;
               // do something with the certificates
           }
       } catch (SecurityException e) {
           Log.w(TAG, "SecurityException: " + e);
       }
       

Administrator can use this API to get the list of untrusted certificates from all administrators.

       EnterpriseKnoxManager ekm = EnterpriseKnoxManager.getInstance(context);
       CertificatePolicy certificatePolicy = ekm.getCertificatePolicy();
       try {
           List<CertificateControlInfo> certList = certificatePolicy.getUntrustedCertificateList();
           Iterator it = certList.iterator();
           while (it.hasNext()) {
               CertificateControlInfo certCtrInfo = it.next();
               String adminPkgName = certCtrInfo.adminPackageName;
               List<X509Certificate> x509certList = certCtrInfo.entries;
               // do something with the certificates
           }
       } catch (SecurityException e) {
           Log.w(TAG, "SecurityException: " + e);
       }
       

       // When you create container successfully, containerID will be returned via intent.
       // Use this containerID in below API.
       EnterpriseKnoxManager ekm = EnterpriseKnoxManager.getInstance(context);
       KnoxContainerManager kcm = ekm.getKnoxContainerManager(containerID);
       CertificatePolicy certificatePolicy = kcm.getCertificatePolicy();
       try {
           List<CertificateControlInfo> certList = certificatePolicy.getUntrustedCertificateList();
           Iterator it = certList.iterator();
           while (it.hasNext()) {
               CertificateControlInfo certCtrInfo = it.next();
               String adminPkgName = certCtrInfo.adminPackageName;
               List<X509Certificate> x509certList = certCtrInfo.entries;
               // do something with the certificates
           }
       } catch (SecurityException e) {
           Log.w(TAG, "SecurityException: " + e);
       }
       

Administrator can check whether the user is being notified when certificate digital signature failure occurs. The default value will be false.

       EnterpriseKnoxManager ekm = EnterpriseKnoxManager.getInstance(context);
       CertificatePolicy certificatePolicy = ekm.getCertificatePolicy();
       try {
           boolean result = certificatePolicy.isCertificateFailureNotificationEnabled();
           if (true == result) {
               // user will be notified if the failure occur
           } else {
               // user will not be notified if the failure occur
           }
       } catch (SecurityException e) {
           Log.w(TAG, "SecurityException: " + e);
       }
       

       // When you create container successfully, containerID will be returned via intent.
       // Use this containerID in below API.
       EnterpriseKnoxManager ekm = EnterpriseKnoxManager.getInstance(context);
       KnoxContainerManager kcm = ekm.getKnoxContainerManager(containerID);
       CertificatePolicy certificatePolicy = kcm.getCertificatePolicy();
       try {
           boolean result = certificatePolicy.isCertificateFailureNotificationEnabled();
           if (true == result) {
               // user will be notified if the failure occur
           } else {
               // user will not be notified if the failure occur
           }
       } catch (SecurityException e) {
           Log.w(TAG, "SecurityException: " + e);
       }
       

Use this API to verify if certificates will be validated prior of installing them to the device's certificate store.

       EnterpriseKnoxManager ekm = EnterpriseKnoxManager.getInstance(context);
       CertificatePolicy certificatePolicy = ekm.getCertificatePolicy();
       boolean result = certificatePolicy.isCertificateValidationAtInstallEnabled();
       if (true == result) {
           // will validate certificates at install time
       } else {
           // won't validate certificates at install time
       }
       

       // When you create container successfully, containerID will be returned via intent.
       // Use this containerID in below API.
       EnterpriseKnoxManager ekm = EnterpriseKnoxManager.getInstance(context);
       KnoxContainerManager kcm = ekm.getKnoxContainerManager(containerID);
       CertificatePolicy certificatePolicy = kcm.getCertificatePolicy();
       boolean result = certificatePolicy.isCertificateValidationAtInstallEnabled();
       if (true == result) {
           // will validate certificates at install time
       } else {
           // won't validate certificates at install time
       }
       

Use this API to verify if application's signature will be checked within the trusted/untrusted list upon its installation.

 EnterpriseKnoxManager ekm = EnterpriseKnoxManager.getInstance(context);
 CertificatePolicy certificatePolicy = ekm.getCertificatePolicy();
 try {
     if (certificatePolicy.isNonTrustedAppInstallBlocked()) {
         Log.w(TAG, "only trusted apps can be installed");
     } else {
         Log.w(TAG, "any app can be installed regardless who have signed it.");
     }
 } catch (SecurityException e) {
     Log.w(TAG, "SecurityException: " + e);
 }
 

 // When you create container successfully, containerID will be returned via intent.
 // Use this containerID in below API.
 EnterpriseKnoxManager ekm = EnterpriseKnoxManager.getInstance(context);
 KnoxContainerManager kcm = ekm.getKnoxContainerManager(containerID);
 CertificatePolicy certificatePolicy = kcm.getCertificatePolicy();
 try {
     if(certificatePolicy.isNonTrustedAppInstallBlocked()) {
        Log.w(TAG, "only trusted apps can be installed");
     } else {
        Log.w(TAG, "any app can be installed regardless who have signed it.");
     }
 } catch (SecurityException e) {
     Log.w(TAG, "SecurityException: " + e);
 }
 

Use this API to verify if certificates will be checked for revocation using OCSP.

 EnterpriseKnoxManager ekm = EnterpriseKnoxManager.getInstance(context);
 CertificatePolicy certificatePolicy = ekm.getCertificatePolicy();
 String packageName = "com.android.browser";
 boolean result = certificatePolicy.isOcspCheckEnabled(packageName);
 if (true == result) {
     // will use OCSP to check revocation for this app
 } else {
     // won't use OCSP to check revocation for this app
 }
 

 // When you create container successfully, containerID will be returned via intent.
 // Use this containerID in below API.
 EnterpriseKnoxManager ekm = EnterpriseKnoxManager.getInstance(context);
 KnoxContainerManager kcm = ekm.getKnoxContainerManager(containerID);
 CertificatePolicy certificatePolicy = kcm.getCertificatePolicy();
 String packageName = "com.android.browser";
 boolean result = certificatePolicy.isOcspCheckEnabled(packageName);
 if (true == result) {
     // will use OCSP to check revocation for this app
 } else {
     // won't use OCSP to check revocation for this app
 }
 

Use this API to verify if certificates will be checked for revocation.

 EnterpriseKnoxManager ekm = EnterpriseKnoxManager.getInstance(context);
 CertificatePolicy certificatePolicy = ekm.getCertificatePolicy();
 String packageName = "com.android.browser";
 boolean result = certificatePolicy.isRevocationCheckEnabled(packageName);
 if (true == result) {
     // revocation will be checked for this app
 } else {
     // revocation won't be checked for this app
 }
 

 // When you create container successfully, containerID will be returned via intent.
 // Use this containerID in below API.
 EnterpriseKnoxManager ekm = EnterpriseKnoxManager.getInstance(context);
 KnoxContainerManager kcm = ekm.getKnoxContainerManager(containerID);
 CertificatePolicy certificatePolicy = kcm.getCertificatePolicy();
 String packageName = "com.android.browser";
 boolean result = certificatePolicy.isRevocationCheckEnabled(packageName);
 if (true == result) {
     // revocation will be checked for this app
 } else {
     // revocation won't be checked for this app
 }
 

Use this API to verify if user is allowed to remove certificates and reset the keystores.

       EnterpriseKnoxManager ekm = EnterpriseKnoxManager.getInstance(context);
       CertificatePolicy certificatePolicy = ekm.getCertificatePolicy();
       boolean result = certificatePolicy.isUserRemoveCertificatesAllowed();
       if (true == result) {
           // user is allowed to remove certificates and reset the keystores.
       } else {
           // user is blocked of removing certificates and resetting the keystores.
       }
       

       // When you create container successfully, containerID will be returned via intent.
       // Use this containerID in below API.
       EnterpriseKnoxManager ekm = EnterpriseKnoxManager.getInstance(context);
       KnoxContainerManager kcm = ekm.getKnoxContainerManager(containerID);
       CertificatePolicy certificatePolicy = kcm.getCertificatePolicy();
       boolean result = certificatePolicy.isUserRemoveCertificatesAllowed();
       if (true == result) {
           // user is allowed to remove certificates and reset the keystores.
       } else {
           // user is blocked of removing certificates and resetting the keystores.
       }
       

After allowing an application to read a installed private key bypassing the interaction with the user, administrator may revoke such permission. After revoking the permission, the user may be prompted again to select a private key and give permission to the application.

 String pkgName = "com.example.app";
 String host = "myserver.com";
 int port = 80;
 String alias = "mykey";
 PermissionApplicationPrivateKey pkey = new PermissionApplicationPrivateKey(pkgName, host, port,
         alias);
 EnterpriseKnoxManager ekm = EnterpriseKnoxManager.getInstance(context);
 CertificatePolicy certificatePolicy = ekm.getCertificatePolicy();

 try {
     boolean result = certificatePolicy.removePermissionApplicationPrivateKey(pkey);
     if (true == result) {
         // application will not receive automatic permission
         // to access private key, when it ask for it.
     } else {
         // failure to set policy
     }
 } catch (SecurityException e) {
     Log.w(TAG, "SecurityException: " + e);
 }
 

 // When you create container successfully, containerID will be returned via intent.
 // Use this containerID in below API.
 EnterpriseKnoxManager ekm = EnterpriseKnoxManager.getInstance(context);
 KnoxContainerManager kcm = ekm.getKnoxContainerManager(containerID);
 CertificatePolicy certificatePolicy = kcm.getCertificatePolicy();

 String pkgName = "com.example.app";
 String host = "myserver.com";
 int port = 80;
 String alias = "mykey";
 PermissionApplicationPrivateKey pkey = new PermissionApplicationPrivateKey(pkgName, host, port,
         alias);

 try {
     boolean result = certificatePolicy.removePermissionApplicationPrivateKey(pkey);
     if (true == result) {
         // application will not receive automatic permission
         // to access private key, when it ask for it.
     } else {
         // failure to set policy
     }
 } catch (SecurityException e) {
     Log.w(TAG, "SecurityException: " + e);
 }
 

Use this API to remove a list of CA certificates from the trusted list. After calling this API, all installed certificates will be verified, and the untrusted ones will be removed. All quarantined certificates will also be verified and any one that becomes trusted again will be re-installed.

NOTE: Before KNOX 2.6 this API was Global Scope. Since KNOX 2.6, as API was changed to User Scope and to keep backward compatibility, calling it from owner (User 0) will affect all users, and containers owned by administrator. If called from a specific user or container, this API will affect only the specific user or container.

       EnterpriseKnoxManager ekm = EnterpriseKnoxManager.getInstance(context);
       CertificatePolicy certificatePolicy = ekm.getCertificatePolicy();
       try {
           List<X509Certificate> certList = new ArrayList<X509Certificate>();
           // add the certificates to be removed from the trusted list on the certList list
           boolean status = certificatePolicy.removeTrustedCaCertificateList(certList);
       } catch (SecurityException e) {
           Log.w(TAG, "SecurityException: " + e);
       }
       

       // When you create container successfully, containerID will be returned via intent.
       // Use this containerID in below API.
       EnterpriseKnoxManager ekm = EnterpriseKnoxManager.getInstance(context);
       KnoxContainerManager kcm = ekm.getKnoxContainerManager(containerID);
       CertificatePolicy certificatePolicy = kcm.getCertificatePolicy();
       try {
           List<X509Certificate> certList = new ArrayList<X509Certificate>();
           // add the certificates to be removed from the trusted list on the certList list
           boolean status = certificatePolicy.removeTrustedCaCertificateList(certList);
       } catch (SecurityException e) {
           Log.w(TAG, "SecurityException: " + e);
       }
       

Use this API to remove a list of certificates from the untrusted list. After calling this API, all installed certificates will be verified, and the untrusted ones will be removed. All quarantined certificates will also be verified and any one that becomes trusted again will be re-installed.

NOTE: Before KNOX 2.6 this API was Global Scope. Since KNOX 2.6, as API was changed to User Scope and to keep backward compatibility, calling it from owner (User 0) will affect all users, and containers owned by administrator. If called from a specific user or container, this API will affect only the specific user or container.

       EnterpriseKnoxManager ekm = EnterpriseKnoxManager.getInstance(context);
       CertificatePolicy certificatePolicy = ekm.getCertificatePolicy();
       try {
           List<X509Certificate> certList = new ArrayList<X509Certificate>();
           // add the certificates to be removed from the untrusted list on the certList list
           boolean status = certificatePolicy.removeUntrustedCertificateList(certList);
       } catch (SecurityException e) {
           Log.w(TAG, "SecurityException: " + e);
       }
       

       // When you create container successfully, containerID will be returned via intent.
       // Use this containerID in below API.
       EnterpriseKnoxManager ekm = EnterpriseKnoxManager.getInstance(context);
       KnoxContainerManager kcm = ekm.getKnoxContainerManager(containerID);
       CertificatePolicy certificatePolicy = kcm.getCertificatePolicy();
       try {
           List<X509Certificate> certList = new ArrayList<X509Certificate>();
           // add the certificates to be removed from the untrusted list on the certList list
           boolean status = certificatePolicy.removeUntrustedCertificateList(certList);
       } catch (SecurityException e) {
           Log.w(TAG, "SecurityException: " + e);
       }
       

Please note: this policy must be used carefully, since it directly depends on modifying trusted/untrusted keystores, which impacts all users in the device.

Installing via ADB installs package to all users by default in multi user enabled devices. So if administrator has blocked non trusted application installation for any user, then ADB installation will not work for any user.

 EnterpriseKnoxManager ekm = EnterpriseKnoxManager.getInstance(context);
 CertificatePolicy certificatePolicy = ekm.getCertificatePolicy();
 try {
     if (certificatePolicy.setNonTrustedAppInstallBlock(true)) {
         Log.w(TAG, "only trusted apps can be installed");
     } else {
         Log.w(TAG, "Failed to enable the policy.");
     }
 } catch (SecurityException e) {
     Log.w(TAG, "SecurityException: " + e);
 }
 

 // When you create container successfully, containerID will be returned via intent.
 // Use this containerID in below API.
 EnterpriseKnoxManager ekm = EnterpriseKnoxManager.getInstance(context);
 KnoxContainerManager kcm = ekm.getKnoxContainerManager(containerID);
 CertificatePolicy certificatePolicy = kcm.getCertificatePolicy();
 try {
     if(certificatePolicy.setNonTrustedAppInstallBlock(enable)) {
        Log.w(TAG, "only trusted apps can be installed");
     } else {
        Log.w(TAG, "Failed to enable the policy.");
     }
 } catch (SecurityException e) {
     Log.w(TAG, "SecurityException: " + e);
 }