java.lang.Object
  ↳ com.samsung.android.knox.net.firewall.Firewall
This class provides APIs to configure firewall rules on the device, giving administrators the means to implement network security policies. It allows administrators to:
1. Restrict internet access by IP address and/or domain name;
2. Apply those restrictions per application or device-wide;
3. Get a log report of all denied URLs that the user tried to access.
This firewall solution is based on iptables. Starting with MDM 5.6, most devices are expected to support IPv6, so IT administrators should also apply IPv6 rules when designing a firewall rule set. Rules applied to IPv4 do not affect IPv6 traffic and vice versa, so an administrator must add rules for each IP version if the managed device is expected to connect to either an IPv4 or an IPv6 network.
Warning: Other features based on iptables may cause conflicts and unexpected behaviour (e.g. Tethering, VPN clients, B2C Firewall).
NOTE: Since MDM 5.6, the firewall has IPv6 support for ALLOW and DENY rules. IPv6 support for REDIRECT and REDIRECT_EXCEPTION rules has been available since Knox 3.6.
Domain filtering addresses situations where IP addresses cannot be used: an IT administrator might never know all the IPs associated with a given hostname or internet domain. In that case, domain names can be restricted instead, which is achieved by blocking their DNS resolution.
NOTE: Users may add conflicting rules for IP addresses and domain names. In this case, the more restrictive rule always takes precedence.
Example 1:
Domain deny list = *
Domain allow list = *ku.com
Iptables DENY list = 129.237.11.182
DNS resolution for www.ku.com = 129.237.11.182
In this case, any access to www.ku.com will be blocked: the domain allow entry lets the name resolve, but the IP DENY rule is more restrictive and wins.
Example 2:
Domain deny list = *ku.com
Iptables ALLOW list = 129.237.11.182
DNS resolution for www.ku.com = 129.237.11.182
In this case, any access to www.ku.com will be blocked: the domain DENY entry is more restrictive than the IP ALLOW rule, so resolution of www.ku.com is refused regardless of the allowed IP.
API level 17 | MDM 5.5
Nested Classes

| Class | Description |
|---|---|
| Firewall.AddressType | Indicates the address type (IPv4 or IPv6) of a rule. |
| Firewall.Direction | Indicates whether a rule applies to input (the device receives data from the Internet) or output (the device sends data to the Internet). |
| Firewall.NetworkInterface | Indicates whether a rule applies to connections over Wi-Fi or mobile data. |
| Firewall.PortLocation | Indicates whether the port in the rule is the device's local port or the port of the remote server the device is communicating with. |
| Firewall.Protocol | Indicates whether a rule applies to the TCP or UDP protocol. |
Constants

| Type | Constant | Description |
|---|---|---|
| String | ACTION_BLOCKED_DOMAIN | Intent action to notify the administrator(s) that a domain was blocked by addDomainFilterRules(List). |
| String | EXTRA_BLOCKED_DOMAIN_ISFOREGROUND | Intent extra field of ACTION_BLOCKED_DOMAIN: whether the blocked application was in the foreground. |
| String | EXTRA_BLOCKED_DOMAIN_PACKAGENAME | Intent extra field of ACTION_BLOCKED_DOMAIN: package name of the blocked application. |
| String | EXTRA_BLOCKED_DOMAIN_TIMESTAMP | Intent extra field of ACTION_BLOCKED_DOMAIN: timestamp of the block in milliseconds. |
| String | EXTRA_BLOCKED_DOMAIN_UID | Intent extra field of ACTION_BLOCKED_DOMAIN: UID of the blocked application. |
| String | EXTRA_BLOCKED_DOMAIN_URL | Intent extra field of ACTION_BLOCKED_DOMAIN: the blocked URL. |
| int | FIREWALL_ALLOW_RULE | Bitmask value for ALLOW rules. |
| String | FIREWALL_ALL_PACKAGES | Value that stands for all application package names. |
| int | FIREWALL_ALL_RULES | Bitmask value for all rule types (all types combined by OR). |
| int | FIREWALL_DENY_RULE | Bitmask value for DENY rules. |
| int | FIREWALL_REDIRECT_EXCEPTION_RULE | Bitmask value for REDIRECT_EXCEPTION rules. |
| int | FIREWALL_REDIRECT_RULE | Bitmask value for REDIRECT rules. |
Public Methods

- addDomainFilterRules(List<DomainFilterRule> rules): API to add rules to allow/block domain names.
- addRules(FirewallRule[] rules): API to add rules to allow, block or redirect IP requests.
- clearRules(int bitmask): API to clear IP rules.
- enableDomainFilterOnIptables(boolean enabled): API to enable the association between domain and firewall rules.
- enableDomainFilterReport(boolean enabled): API to enable reporting of URLs blocked by domain filter rules.
- enableFirewall(boolean enabled): API to turn IP rule enforcement on or off.
- getDomainFilterReport(List<String> packageNameList): API to get domain filter reports.
- getDomainFilterRules(List<String> packageNameList): API to get domain filter rules.
- getRules(int bitmask, FirewallRule.Status status): API to get IP rules.
- isDomainFilterOnIptablesEnabled(): API to check if the association between domain and firewall rules is enabled.
- isDomainFilterReportEnabled(): API to check whether the domain filter report is enabled or disabled.
- isFirewallEnabled(): API to check if IP rules are enforced.
- listIptablesRules(): API to list rules on iptables.
- removeDomainFilterRules(List<DomainFilterRule> rules): API to remove domain filter rules.
- removeRules(FirewallRule[] rules): API to remove IP rules.
Inherited Methods
From class java.lang.Object
ACTION_BLOCKED_DOMAIN
Intent action to notify the administrator(s) that a domain was blocked by addDomainFilterRules(List). It carries EXTRA_BLOCKED_DOMAIN_PACKAGENAME, EXTRA_BLOCKED_DOMAIN_TIMESTAMP, EXTRA_BLOCKED_DOMAIN_UID and EXTRA_BLOCKED_DOMAIN_URL, which match the information returned from getDomainFilterReport(List), and EXTRA_BLOCKED_DOMAIN_ISFOREGROUND, a boolean value that indicates whether the application whose domain was blocked was in the foreground or background. The receiver must hold "com.samsung.android.knox.permission.KNOX_FIREWALL" to receive this broadcast.
NOTE: Since Android R (and some recent Android Q builds), the intent action is only sent when reporting has been enabled with enableDomainFilterReport(boolean).
API level 20 | MDM 5.7
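The following receiver is an added example, not code from the Knox SDK or its documentation. It consumes ACTION_BLOCKED_DOMAIN and decodes the five extras described above into one structured log line. The extra value types (String, int, long, boolean) are assumed from the documented meaning of each extra, the default values are this example's own choice, and the receiver class name is hypothetical.

```java
import android.content.BroadcastReceiver;
import android.content.Context;
import android.content.Intent;
import android.util.Log;

import com.samsung.android.knox.net.firewall.Firewall;

/**
 * Added example, not Knox SDK code: consumes ACTION_BLOCKED_DOMAIN broadcasts.
 * The extra types used below (String, int, long, boolean) are assumed from the
 * documented meaning of each extra; the default values are this example's choice.
 */
public class BlockedDomainReceiver extends BroadcastReceiver {
    private static final String TAG = "BlockedDomain";

    /** One blocked-domain event, decoded from the intent extras. */
    public static final class Event {
        public final String packageName;
        public final int uid;
        public final long timestampMs;
        public final String url;
        public final boolean foreground;

        Event(String packageName, int uid, long timestampMs, String url, boolean foreground) {
            this.packageName = packageName;
            this.uid = uid;
            this.timestampMs = timestampMs;
            this.url = url;
            this.foreground = foreground;
        }
    }

    /** Decode the broadcast; returns null for a null intent or any other action. */
    public static Event parse(Intent intent) {
        if (intent == null || !Firewall.ACTION_BLOCKED_DOMAIN.equals(intent.getAction())) {
            return null;
        }
        return new Event(
                intent.getStringExtra(Firewall.EXTRA_BLOCKED_DOMAIN_PACKAGENAME),
                intent.getIntExtra(Firewall.EXTRA_BLOCKED_DOMAIN_UID, -1),
                intent.getLongExtra(Firewall.EXTRA_BLOCKED_DOMAIN_TIMESTAMP, 0L),
                intent.getStringExtra(Firewall.EXTRA_BLOCKED_DOMAIN_URL),
                intent.getBooleanExtra(Firewall.EXTRA_BLOCKED_DOMAIN_ISFOREGROUND, false));
    }

    @Override
    public void onReceive(Context context, Intent intent) {
        Event e = parse(intent);
        if (e == null) {
            return;
        }
        // A block while the app was in the background means the request was not
        // user-driven, so it is logged at a higher level than a foreground block.
        int level = e.foreground ? Log.INFO : Log.WARN;
        Log.println(level, TAG, "blocked url=" + e.url + " pkg=" + e.packageName
                + " uid=" + e.uid + " foreground=" + e.foreground + " at=" + e.timestampMs);
    }
}
```

The receiver must be declared in the manifest with an intent filter whose action is the value of Firewall.ACTION_BLOCKED_DOMAIN, and the receiving application must hold the KNOX_FIREWALL permission named above. On Android R and later, nothing is delivered unless enableDomainFilterReport(true) has been called first, so a silent receiver is not proof that no domains are being blocked.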
EXTRA_BLOCKED_DOMAIN_ISFOREGROUND
Used as an intent extra field with ACTION_BLOCKED_DOMAIN. Contains a boolean value indicating whether the block occurred in a foreground application.
API level 20 | MDM 5.7

EXTRA_BLOCKED_DOMAIN_PACKAGENAME
Used as an intent extra field with ACTION_BLOCKED_DOMAIN. Contains the package name of the application that tried to access a blocked domain.
API level 20 | MDM 5.7

EXTRA_BLOCKED_DOMAIN_TIMESTAMP
Used as an intent extra field with ACTION_BLOCKED_DOMAIN. Contains the timestamp of the domain block, in milliseconds.
API level 20 | MDM 5.7

EXTRA_BLOCKED_DOMAIN_UID
Used as an intent extra field with ACTION_BLOCKED_DOMAIN. Contains the UID of the application that tried to access a blocked domain.
API level 20 | MDM 5.7

EXTRA_BLOCKED_DOMAIN_URL
Used as an intent extra field with ACTION_BLOCKED_DOMAIN. Contains the blocked URL.
API level 20 | MDM 5.7

FIREWALL_ALLOW_RULE
Bitmask value for ALLOW rules.
API level 17 | MDM 5.5

FIREWALL_ALL_PACKAGES
Value that stands for all application package names.
API level 19 | MDM 5.6

FIREWALL_ALL_RULES
Bitmask value for all rule types (all types combined by OR).
API level 17 | MDM 5.5

FIREWALL_DENY_RULE
Bitmask value for DENY rules.
API level 17 | MDM 5.5

FIREWALL_REDIRECT_EXCEPTION_RULE
Bitmask value for REDIRECT_EXCEPTION rules.
API level 17 | MDM 5.5

FIREWALL_REDIRECT_RULE
Bitmask value for REDIRECT rules.
API level 17 | MDM 5.5
addDomainFilterRules(List<DomainFilterRule> rules)
API to add rules to allow/block domain names.

Parameters
| rules | List of DomainFilterRule to be added. |
|---|---|

Returns
FirewallResponse array for the specified rules, or null if the rules parameter is null. The i-th element of the response array corresponds to the i-th element of the specified rules list.

Throws
| SecurityException | If the caller does not have the required permissions. |
|---|---|

An administrator can use this API to add rules that allow or block applications from accessing domains. By default the system does not block any DNS resolution, so domain filter rules are only needed when you want to deny DNS resolution for some (or all) domains. Once the rules are added, the next time the application tries to access a denied domain it will be blocked. This API allows only one administrator to manage rules at a time: if an administrator tries to add rules while another one has already added some, the operation returns FAILED with an error message describing the situation. For additional information on how to properly create and use domain filter rules, refer to the DomainFilterRule class.

An administrator can apply a rule to a specific application or to all applications at once (using FIREWALL_ALL_PACKAGES). If a FIREWALL_ALL_PACKAGES rule is already in the database and a rule is then added for a specific application, the general rule is no longer considered when resolving domain access for that specific application.

Some applications do not resolve domains through the default DNS; instead they forward the request to a specific domain (for example a DNS-over-HTTPS endpoint). In this case the domain rule will not be enforced, which is why deny rules should be paired with IP rules where the resolver path cannot be controlled.

NOTE: A domain cannot be on the whitelist and blacklist simultaneously; adding it again to a different list type removes it from the previous list. If a single new rule contains the same domain in both its blacklist and whitelist, the whitelist entry is used.

NOTE: Since MDM 5.7, DomainFilterRule can also be used to manage the DNS servers that resolve domain names for a given application. Two DNS servers can be provided: the primary (mandatory) and a backup (optional). To change previously set DNS servers, pass a rule object with the new DNS servers to this API; both DNS servers are overwritten. For more details refer to the DomainFilterRule class.

NOTE: Deny rules may also need to block:
Device-wide (obtain the Firewall from the EnterpriseDeviceManager):

```java
import com.samsung.android.knox.EnterpriseDeviceManager;
import com.samsung.android.knox.net.firewall.Firewall;

EnterpriseDeviceManager edm = EnterpriseDeviceManager.getInstance(context);
Firewall firewall = edm.getFirewall();
```

Inside a Knox container (obtain the Firewall from the container's KnoxContainerManager):

```java
import com.samsung.android.knox.EnterpriseKnoxManager;
import com.samsung.android.knox.container.KnoxContainerManager;
import com.samsung.android.knox.net.firewall.Firewall;

KnoxContainerManager kcm = EnterpriseKnoxManager.getInstance(context)
        .getKnoxContainerManager(containerID);
Firewall firewall = kcm.getFirewall();
```
The use of this API requires the caller to have the "com.samsung.android.knox.permission.KNOX_FIREWALL" permission, which has a protection level of signature.
API level 19 | MDM 5.6 | User Scope
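The helper below is an added example and not code from the Knox SDK or its documentation. It builds one DomainFilterRule that denies every domain for an application except an allowlist, pins the application's DNS servers, and reports the failure message when the call is rejected (for instance because another administrator already owns the domain filter rule set). It assumes the DomainFilterRule constructor DomainFilterRule(AppIdentity, List<String> denyList, List<String> allowList), the setters setDns1(String) and setDns2(String), and FirewallResponse.getResult() and getMessage(); the class and method names are hypothetical.

```java
import java.util.Arrays;
import java.util.List;

import android.content.Context;

import com.samsung.android.knox.AppIdentity;
import com.samsung.android.knox.EnterpriseDeviceManager;
import com.samsung.android.knox.net.firewall.DomainFilterRule;
import com.samsung.android.knox.net.firewall.Firewall;
import com.samsung.android.knox.net.firewall.FirewallResponse;

/**
 * Added example, not Knox SDK code. Assumes the DomainFilterRule constructor
 * DomainFilterRule(AppIdentity, List<String> denyList, List<String> allowList),
 * the setters setDns1/setDns2, and FirewallResponse.getResult()/getMessage().
 */
public final class DomainPolicy {

    /** Deny every domain for one app except the listed patterns, and pin its resolvers. */
    static DomainFilterRule denyAllExcept(String packageName, List<String> allowed,
                                          String dns1, String dns2) {
        List<String> deny = Arrays.asList("*");          // "*" denies everything ...
        DomainFilterRule rule = new DomainFilterRule(
                new AppIdentity(packageName, null), deny, allowed);  // ... except the allowlist
        // Pinning resolvers keeps the app from pointing at a DNS server the policy
        // cannot see; dns1 is mandatory, dns2 is an optional backup.
        rule.setDns1(dns1);
        if (dns2 != null) {
            rule.setDns2(dns2);
        }
        return rule;
    }

    /**
     * Apply the rule. Returns null on success, otherwise the failure message
     * (e.g. when another administrator already manages domain filter rules).
     */
    static String apply(Context context, DomainFilterRule rule) {
        Firewall firewall = EnterpriseDeviceManager.getInstance(context).getFirewall();
        FirewallResponse[] responses = firewall.addDomainFilterRules(Arrays.asList(rule));
        if (responses == null || responses.length == 0) {
            return "no response";
        }
        FirewallResponse r = responses[0];   // i-th response belongs to the i-th rule
        if (r.getResult() == FirewallResponse.Result.SUCCESS) {
            return null;
        }
        return String.valueOf(r.getMessage());
    }

    /** Usage: allow only the corporate domain for the mail client. */
    static String example(Context context) {
        DomainFilterRule rule = denyAllExcept("com.example.mail",
                Arrays.asList("*.example.com"), "10.0.0.53", "10.0.1.53");
        return apply(context, rule);
    }
}
```

Two caveats follow directly from the description above: a domain rule only covers name resolution through the system resolver, so an application that ships its own DNS-over-HTTPS client is not constrained by it, and a second administrator calling apply() while the first one's rules are in the database will get the FAILED message rather than a merged rule set.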
addRules(FirewallRule[] rules)
API to add rules to allow, block or redirect IP requests.

Parameters
| rules | Array of FirewallRule to be added. |
|---|---|

Returns
FirewallResponse array for the specified rules, or null if the rules parameter is null. The i-th element of the array corresponds to the i-th element of the specified rules array.

Throws
| SecurityException | If the caller does not have the required permissions. |
|---|---|

An administrator can use this API to add rules that allow, block or redirect IP requests. By default the system does not interfere with data traffic, so IP rules are only needed when you want to block or redirect some (or all) access. Once the rules are added and enforced (refer to enableFirewall(boolean)), the next time the application tries to send an IP request the latest rule set is evaluated before the request is allowed, blocked or redirected. For additional information on how to properly create and use IP rules, refer to the FirewallRule class.

It is important to note that IP rules take effect only if enableFirewall(boolean) has been called with true. Any administrator can add IP rules, but only one administrator can activate IP rule enforcement at a time.

NOTE: It is recommended to disable the browser's (e.g. Chrome) data saver feature to get correct operation of this API, as the browser may bypass the firewall rules by resolving IP addresses through its own implementation. Since the administrator has no control over the browser's built-in data saver feature and cannot turn it off, the administrator can instead use domain filter rules (addDomainFilterRules(List)) to block DNS requests for the application and collect the blocked domains with the domain filter report (enableDomainFilterReport(boolean)). This helps identify which domains are used specifically in data saver mode; blocking those domains forces the browser to operate outside that mode.
Device-wide example:

```java
import com.samsung.android.knox.AppIdentity;
import com.samsung.android.knox.EnterpriseDeviceManager;
import com.samsung.android.knox.net.firewall.Firewall;
import com.samsung.android.knox.net.firewall.Firewall.AddressType;
import com.samsung.android.knox.net.firewall.Firewall.Direction;
import com.samsung.android.knox.net.firewall.Firewall.NetworkInterface;
import com.samsung.android.knox.net.firewall.Firewall.PortLocation;
import com.samsung.android.knox.net.firewall.Firewall.Protocol;
import com.samsung.android.knox.net.firewall.FirewallResponse;
import com.samsung.android.knox.net.firewall.FirewallRule;
import com.samsung.android.knox.net.firewall.FirewallRule.RuleType;

EnterpriseDeviceManager edm = EnterpriseDeviceManager.getInstance(context);
Firewall firewall = edm.getFirewall();

// In order to validate the application's signature related to the rule, fill this
// variable with the desired signature (null skips the signature check).
String signature = null;

int numRules = 5;
FirewallRule[] rules = new FirewallRule[numRules];

// To add a DENY rule
rules[0] = new FirewallRule(RuleType.DENY, AddressType.IPV4);
rules[0].setIpAddress("*");
rules[0].setPortNumber("80");
rules[0].setApplication(new AppIdentity("com.android.chrome", signature));

// To add an ALLOW rule
rules[1] = new FirewallRule(RuleType.ALLOW, AddressType.IPV4);
rules[1].setIpAddress("192.168.1.2");
rules[1].setPortNumber("80");
rules[1].setPortLocation(PortLocation.LOCAL);
rules[1].setApplication(new AppIdentity("com.android.chrome", signature));
rules[1].setNetworkInterface(NetworkInterface.WIFI_DATA_ONLY);
rules[1].setDirection(Direction.OUTPUT);
rules[1].setProtocol(Protocol.TCP);

// To add a REDIRECT rule
rules[2] = new FirewallRule(RuleType.REDIRECT, AddressType.IPV4);
rules[2].setIpAddress("*");
rules[2].setPortNumber("443");
rules[2].setPortLocation(PortLocation.REMOTE);
rules[2].setNetworkInterface(NetworkInterface.MOBILE_DATA_ONLY);
rules[2].setTargetIpAddress("192.168.2.1");
rules[2].setTargetPortNumber("60");

// To add a REDIRECT_EXCEPTION rule
rules[3] = new FirewallRule(RuleType.REDIRECT_EXCEPTION, AddressType.IPV4);
rules[3].setIpAddress("192.168.1.1");
rules[3].setPortNumber("443");
rules[3].setProtocol(Protocol.TCP);

// To add an ALLOW rule using an IPv6 address
rules[4] = new FirewallRule(RuleType.ALLOW, AddressType.IPV6);
rules[4].setIpAddress("2001:12C0:8000:AAAA:200:192:176:65");
rules[4].setPortNumber("80");
rules[4].setPortLocation(PortLocation.LOCAL);
rules[4].setPackageName("com.android.chrome");
rules[4].setNetworkInterface(NetworkInterface.WIFI_DATA_ONLY);
// Since Android Q, Direction.ALL behaves as Direction.OUTPUT
rules[4].setDirection(Direction.ALL);
rules[4].setProtocol(Protocol.TCP);

FirewallResponse[] response = firewall.addRules(rules);

// Add a rule to use as an HTTP proxy: all output traffic to port 80 will be
// redirected to the proxy server configured on IP 192.168.100.10
FirewallRule[] proxyRule = new FirewallRule[1];
proxyRule[0] = new FirewallRule(RuleType.REDIRECT, AddressType.IPV4);
proxyRule[0].setIpAddress("*");
proxyRule[0].setPortNumber("80");
proxyRule[0].setTargetIpAddress("192.168.100.10");
proxyRule[0].setTargetPortNumber("680");
FirewallResponse[] proxyResponse = firewall.addRules(proxyRule);

// Add a rule to restrict the network used by an application: all output traffic
// from Chrome will be blocked on the Wi-Fi interface (the rule selects WIFI_DATA_ONLY)
FirewallRule[] appRule = new FirewallRule[1];
appRule[0] = new FirewallRule(RuleType.DENY, AddressType.IPV4);
appRule[0].setIpAddress("*");
appRule[0].setPortNumber("*");
appRule[0].setApplication(new AppIdentity("com.android.chrome", signature));
appRule[0].setNetworkInterface(NetworkInterface.WIFI_DATA_ONLY);
FirewallResponse[] appResponse = firewall.addRules(appRule);

// Add a rule to restrict data traffic on tethered interfaces: all data traffic
// from tethered interfaces will be blocked by the rule below
FirewallRule[] tetherRule = new FirewallRule[1];
tetherRule[0] = new FirewallRule(RuleType.DENY, AddressType.IPV4);
tetherRule[0].setIpAddress("*");
tetherRule[0].setPortNumber("*");
tetherRule[0].setDirection(Direction.FORWARD);
// separate variable: 'response' is already declared above
FirewallResponse[] tetherResponse = firewall.addRules(tetherRule);
```
Knox container example:

```java
import com.samsung.android.knox.AppIdentity;
import com.samsung.android.knox.EnterpriseKnoxManager;
import com.samsung.android.knox.container.KnoxContainerManager;
import com.samsung.android.knox.net.firewall.Firewall;
import com.samsung.android.knox.net.firewall.Firewall.AddressType;
import com.samsung.android.knox.net.firewall.Firewall.Direction;
import com.samsung.android.knox.net.firewall.Firewall.NetworkInterface;
import com.samsung.android.knox.net.firewall.Firewall.PortLocation;
import com.samsung.android.knox.net.firewall.Firewall.Protocol;
import com.samsung.android.knox.net.firewall.FirewallResponse;
import com.samsung.android.knox.net.firewall.FirewallRule;
import com.samsung.android.knox.net.firewall.FirewallRule.RuleType;

KnoxContainerManager kcm = EnterpriseKnoxManager.getInstance(context)
        .getKnoxContainerManager(containerID);
Firewall firewall = kcm.getFirewall();

// In order to validate the application's signature related to the rule, fill this
// variable with the desired signature (null skips the signature check).
String signature = null;

int numRules = 5;
FirewallRule[] rules = new FirewallRule[numRules];

// To add a DENY rule
rules[0] = new FirewallRule(RuleType.DENY, AddressType.IPV4);
rules[0].setIpAddress("*");
rules[0].setPortNumber("80");
// INPUT rules affect all users of the device, not only the container
rules[0].setDirection(Direction.INPUT);

// To add an ALLOW rule
rules[1] = new FirewallRule(RuleType.ALLOW, AddressType.IPV4);
rules[1].setIpAddress("192.168.1.2");
rules[1].setPortNumber("80");
rules[1].setPortLocation(PortLocation.LOCAL);
rules[1].setApplication(new AppIdentity("com.android.chrome", signature));
rules[1].setNetworkInterface(NetworkInterface.WIFI_DATA_ONLY);
rules[1].setDirection(Direction.OUTPUT);
rules[1].setProtocol(Protocol.TCP);

// To add a REDIRECT rule
rules[2] = new FirewallRule(RuleType.REDIRECT, AddressType.IPV4);
rules[2].setIpAddress("*");
rules[2].setPortNumber("443");
rules[2].setPortLocation(PortLocation.REMOTE);
rules[2].setNetworkInterface(NetworkInterface.MOBILE_DATA_ONLY);
rules[2].setTargetIpAddress("192.168.2.1");
rules[2].setTargetPortNumber("60");

// To add a REDIRECT_EXCEPTION rule
rules[3] = new FirewallRule(RuleType.REDIRECT_EXCEPTION, AddressType.IPV4);
rules[3].setIpAddress("192.168.1.1");
rules[3].setPortNumber("443");
rules[3].setProtocol(Protocol.TCP);

// To add an ALLOW rule using an IPv6 address
rules[4] = new FirewallRule(RuleType.ALLOW, AddressType.IPV6);
rules[4].setIpAddress("2001:12C0:8000:AAAA:200:192:176:65");
rules[4].setPortNumber("80");
rules[4].setPortLocation(PortLocation.LOCAL);
rules[4].setPackageName("com.android.chrome");
rules[4].setNetworkInterface(NetworkInterface.WIFI_DATA_ONLY);
rules[4].setDirection(Direction.OUTPUT);
rules[4].setProtocol(Protocol.TCP);

FirewallResponse[] response = firewall.addRules(rules);

// Add a rule to use as an HTTP proxy: all output traffic to port 80 will be
// redirected to the proxy server configured on IP 192.168.100.10
FirewallRule[] proxyRule = new FirewallRule[1];
proxyRule[0] = new FirewallRule(RuleType.REDIRECT, AddressType.IPV4);
proxyRule[0].setIpAddress("*");
proxyRule[0].setPortNumber("80");
proxyRule[0].setTargetIpAddress("192.168.100.10");
proxyRule[0].setTargetPortNumber("80");
FirewallResponse[] proxyResponse = firewall.addRules(proxyRule);

// Add a rule to restrict the network used by an application: all output traffic
// from Chrome will be blocked on the Wi-Fi interface (the rule selects WIFI_DATA_ONLY)
FirewallRule[] appRule = new FirewallRule[1];
appRule[0] = new FirewallRule(RuleType.DENY, AddressType.IPV4);
appRule[0].setIpAddress("*");
appRule[0].setPortNumber("*");
appRule[0].setApplication(new AppIdentity("com.android.chrome", signature));
appRule[0].setNetworkInterface(NetworkInterface.WIFI_DATA_ONLY);
FirewallResponse[] appResponse = firewall.addRules(appRule);
```
The use of this API requires the caller to have the "com.samsung.android.knox.permission.KNOX_FIREWALL" permission, which has a protection level of signature.
API level 17 | MDM 5.5 | User Scope
See also: enableFirewall(boolean)
clearRules(int bitmask)
API to clear IP rules.

Parameters
| bitmask | Rule type(s) whose rules must be cleared. Possible values are FIREWALL_ALLOW_RULE, FIREWALL_DENY_RULE, FIREWALL_REDIRECT_RULE, FIREWALL_REDIRECT_EXCEPTION_RULE and FIREWALL_ALL_RULES. These values are bit flags and can be combined with bitwise OR. |
|---|---|

Returns
FirewallResponse array with the result of the clear operation for each rule type. If a rule type was not included in the bitmask, its FirewallResponse.Result is NO_CHANGES. The order of the rule types in the array is: FIREWALL_ALLOW_RULE, FIREWALL_DENY_RULE, FIREWALL_REDIRECT_RULE, FIREWALL_REDIRECT_EXCEPTION_RULE.

Throws
| SecurityException | If the caller does not have the required permissions. |
|---|---|

An administrator can use this API to clear the IP rules it previously added. Rules added by other administrators are not affected. Domain filter rules are not cleared by this API; to clear domain filter rules, refer to removeDomainFilterRules(List).
Device-wide example:

```java
import com.samsung.android.knox.EnterpriseDeviceManager;
import com.samsung.android.knox.net.firewall.Firewall;
import com.samsung.android.knox.net.firewall.FirewallResponse;

EnterpriseDeviceManager edm = EnterpriseDeviceManager.getInstance(context);
Firewall firewall = edm.getFirewall();

// Clear only ALLOW rules
int bitmask = Firewall.FIREWALL_ALLOW_RULE;
FirewallResponse[] response = firewall.clearRules(bitmask);

// Clear only DENY rules
bitmask = Firewall.FIREWALL_DENY_RULE;
response = firewall.clearRules(bitmask);

// Clear only ALLOW and DENY rules
bitmask = Firewall.FIREWALL_ALLOW_RULE | Firewall.FIREWALL_DENY_RULE;
response = firewall.clearRules(bitmask);

// Clear all rules
bitmask = Firewall.FIREWALL_ALL_RULES;
response = firewall.clearRules(bitmask);
```

Knox container example:

```java
import com.samsung.android.knox.EnterpriseKnoxManager;
import com.samsung.android.knox.container.KnoxContainerManager;
import com.samsung.android.knox.net.firewall.Firewall;
import com.samsung.android.knox.net.firewall.FirewallResponse;

KnoxContainerManager kcm = EnterpriseKnoxManager.getInstance(context)
        .getKnoxContainerManager(containerID);
Firewall firewall = kcm.getFirewall();

// Clear only ALLOW rules
int bitmask = Firewall.FIREWALL_ALLOW_RULE;
FirewallResponse[] response = firewall.clearRules(bitmask);

// Clear only DENY rules
bitmask = Firewall.FIREWALL_DENY_RULE;
response = firewall.clearRules(bitmask);

// Clear only ALLOW and DENY rules
bitmask = Firewall.FIREWALL_ALLOW_RULE | Firewall.FIREWALL_DENY_RULE;
response = firewall.clearRules(bitmask);

// Clear all rules
bitmask = Firewall.FIREWALL_ALL_RULES;
response = firewall.clearRules(bitmask);
```
The use of this API requires the caller to have the "com.samsung.android.knox.permission.KNOX_FIREWALL" permission, which has a protection level of signature.
API level 17 | MDM 5.5 | User Scope
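The helper below is an added example, not code from the Knox SDK or its documentation. It wraps clearRules(int) and decodes the fixed-order response array described above into a map keyed by rule type, and it treats any entry that was not requested yet did not come back NO_CHANGES as a sign that the caller's assumption about the array order is wrong. It assumes FirewallResponse.getResult() and the Result values SUCCESS and NO_CHANGES; the class and method names are hypothetical.

```java
import java.util.LinkedHashMap;
import java.util.Map;

import android.content.Context;

import com.samsung.android.knox.EnterpriseDeviceManager;
import com.samsung.android.knox.net.firewall.Firewall;
import com.samsung.android.knox.net.firewall.FirewallResponse;

/**
 * Added example, not Knox SDK code. Decodes the clearRules(int) response array,
 * whose documented order is ALLOW, DENY, REDIRECT, REDIRECT_EXCEPTION.
 * Assumes FirewallResponse.getResult() and the Result values SUCCESS/NO_CHANGES.
 */
public final class ClearRulesHelper {

    // Documented order of the response array, one entry per rule type.
    private static final int[] ORDER = {
            Firewall.FIREWALL_ALLOW_RULE,
            Firewall.FIREWALL_DENY_RULE,
            Firewall.FIREWALL_REDIRECT_RULE,
            Firewall.FIREWALL_REDIRECT_EXCEPTION_RULE };
    private static final String[] NAMES = { "ALLOW", "DENY", "REDIRECT", "REDIRECT_EXCEPTION" };

    /** Clear the requested rule types and return each type's result by name. */
    static Map<String, FirewallResponse.Result> clear(Context context, int bitmask) {
        Firewall firewall = EnterpriseDeviceManager.getInstance(context).getFirewall();
        FirewallResponse[] responses = firewall.clearRules(bitmask);
        Map<String, FirewallResponse.Result> out = new LinkedHashMap<>();
        if (responses == null) {
            return out;
        }
        for (int i = 0; i < ORDER.length && i < responses.length; i++) {
            FirewallResponse.Result result = responses[i].getResult();
            boolean requested = (bitmask & ORDER[i]) != 0;
            // A type that was not in the bitmask must come back NO_CHANGES; anything
            // else means the array is not in the order this helper relies on.
            if (!requested && result != FirewallResponse.Result.NO_CHANGES) {
                throw new IllegalStateException(NAMES[i] + " was not requested but returned " + result);
            }
            out.put(NAMES[i], result);
        }
        return out;
    }

    /** True when every type that was requested reports SUCCESS. */
    static boolean allRequestedCleared(Map<String, FirewallResponse.Result> results, int bitmask) {
        for (int i = 0; i < ORDER.length; i++) {
            if ((bitmask & ORDER[i]) == 0) {
                continue;
            }
            if (results.get(NAMES[i]) != FirewallResponse.Result.SUCCESS) {
                return false;
            }
        }
        return true;
    }

    /** Usage: drop this administrator's DENY and REDIRECT rules only. */
    static boolean dropDenyAndRedirect(Context context) {
        int mask = Firewall.FIREWALL_DENY_RULE | Firewall.FIREWALL_REDIRECT_RULE;
        return allRequestedCleared(clear(context, mask), mask);
    }
}
```

Note what this does not do: it clears only the calling administrator's IP rules, leaves every other administrator's rules and all domain filter rules in place, and says nothing about whether enforcement is still on; enableFirewall(false) is a separate step if the intent is to stop filtering altogether.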
enableDomainFilterOnIptables(boolean enabled)
API to enable the association between domain and firewall rules.

Parameters
| enabled | true to enable and false to disable the association between domain and firewall rules. |
|---|---|

Returns
FirewallResponse describing whether the operation was successful.

Throws
| SecurityException | If the caller does not have the required permissions. |
|---|---|

An administrator can use this API to enable or disable the association between the addDomainFilterRules(List) and addRules(FirewallRule[]) APIs. Once enabled, the next time an application sends a domain name resolution request the domain rules (DomainFilterRule) are evaluated before the firewall rules (FirewallRule) to decide whether to allow or block the request. The module tries to match each domain request against the list of DomainFilterRule configured by the administrator.

With this solution an administrator can allow access to whitelisted domains even when the firewall policy dictates that all IPs should be blocked. If the administrator disables the association by passing false, domain rules may end up being overridden by firewall rules.

This API does not support multiple administrators: only the administrator currently managing the domain filter rules in the database can enable or disable it.

NOTE: This API has no effect on tethered connections. In other words, it does not associate domains with firewall rules whose direction is FORWARD.
Device-wide example:

```java
import com.samsung.android.knox.EnterpriseDeviceManager;
import com.samsung.android.knox.net.firewall.Firewall;
import com.samsung.android.knox.net.firewall.FirewallResponse;

EnterpriseDeviceManager edm = EnterpriseDeviceManager.getInstance(context);
Firewall firewall = edm.getFirewall();
try {
    FirewallResponse responseForEnable = firewall.enableDomainFilterOnIptables(true);
    // inspect responseForEnable to confirm the association was enabled
} catch (SecurityException ex) {
    // missing required permission
}
```

Knox container example:

```java
import com.samsung.android.knox.EnterpriseKnoxManager;
import com.samsung.android.knox.container.KnoxContainerManager;
import com.samsung.android.knox.net.firewall.Firewall;
import com.samsung.android.knox.net.firewall.FirewallResponse;

KnoxContainerManager kcm = EnterpriseKnoxManager.getInstance(context)
        .getKnoxContainerManager(containerID);
Firewall firewall = kcm.getFirewall();
try {
    FirewallResponse responseForEnable = firewall.enableDomainFilterOnIptables(true);
    // inspect responseForEnable to confirm the association was enabled
} catch (SecurityException ex) {
    // missing required permission
}
```
The use of this API requires the caller to have the "com.samsung.android.knox.permission.KNOX_FIREWALL" permission, which has a protection level of signature.
API level 28 | KNOX 3.3 | User Scope
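The class below is an added example, not code from the Knox SDK or its documentation. It puts together the "whitelisted domains even when all IPs are blocked" scenario described above, and it also applies the rule from the class overview that IPv4 and IPv6 rules are independent: the deny-all IP rule is created once per address family, so the allowlist is not bypassed over IPv6. It assumes the DomainFilterRule constructor DomainFilterRule(AppIdentity, List<String> denyList, List<String> allowList), FirewallResponse.getResult() with the Result values SUCCESS and FAILED, and that getRules(int, FirewallRule.Status) returns only the calling administrator's rules; the class and method names are hypothetical.

```java
import java.util.Arrays;
import java.util.List;

import android.content.Context;

import com.samsung.android.knox.AppIdentity;
import com.samsung.android.knox.EnterpriseDeviceManager;
import com.samsung.android.knox.net.firewall.DomainFilterRule;
import com.samsung.android.knox.net.firewall.Firewall;
import com.samsung.android.knox.net.firewall.FirewallResponse;
import com.samsung.android.knox.net.firewall.FirewallRule;

/**
 * Added example, not Knox SDK code: "deny every IP, allow only named domains" for one app.
 * Assumes DomainFilterRule(AppIdentity, List denyList, List allowList),
 * FirewallResponse.getResult() and the Result values SUCCESS and FAILED.
 */
public final class AllowlistOnlyPolicy {

    private static boolean ok(FirewallResponse r) {
        return r != null && r.getResult() == FirewallResponse.Result.SUCCESS;
    }

    private static boolean allOk(FirewallResponse[] rs) {
        if (rs == null) {
            return false;
        }
        for (FirewallResponse r : rs) {
            if (!ok(r)) {
                return false;
            }
        }
        return true;
    }

    /** Returns true only when every step succeeded and the deny rules show as ENABLED. */
    static boolean apply(Context context, String pkg, List<String> allowedDomains) {
        Firewall fw = EnterpriseDeviceManager.getInstance(context).getFirewall();
        AppIdentity app = new AppIdentity(pkg, null);  // null: no signature pinning

        // 1. Deny all outbound IP traffic for the app, once per address family. A rule
        //    for IPv4 alone leaves every IPv6 path open.
        Firewall.AddressType[] families = {
                Firewall.AddressType.IPV4, Firewall.AddressType.IPV6 };
        FirewallRule[] denyAll = new FirewallRule[families.length];
        for (int i = 0; i < families.length; i++) {
            FirewallRule r = new FirewallRule(FirewallRule.RuleType.DENY, families[i]);
            r.setIpAddress("*");
            r.setPortNumber("*");
            r.setDirection(Firewall.Direction.OUTPUT);
            r.setApplication(app);
            denyAll[i] = r;
        }
        if (!allOk(fw.addRules(denyAll))) {
            return false;
        }

        // 2. Domain rule: deny "*" except the allowlist (a domain on both lists counts as allowed).
        DomainFilterRule domainRule = new DomainFilterRule(app, Arrays.asList("*"), allowedDomains);
        if (!allOk(fw.addDomainFilterRules(Arrays.asList(domainRule)))) {
            return false;   // typically: another administrator already owns the domain rules
        }

        // 3. Evaluate domain rules before IP rules, so allowlisted domains pass the deny-all.
        //    Only the owner of the domain rules may enable this; FORWARD traffic is not covered.
        if (!ok(fw.enableDomainFilterOnIptables(true))) {
            return false;
        }

        // 4. Enforce. Only one administrator may enforce at a time; if another one already
        //    does, the result is FAILED and our rules stay PENDING.
        FirewallResponse enforce = fw.enableFirewall(true);
        if (enforce == null || enforce.getResult() == FirewallResponse.Result.FAILED) {
            return false;
        }

        // 5. Verify from the device's side: our DENY rules must be ENABLED, not PENDING.
        FirewallRule[] enabled = fw.getRules(Firewall.FIREWALL_DENY_RULE, FirewallRule.Status.ENABLED);
        return enabled != null && enabled.length >= denyAll.length;
    }
}
```

The final getRules(..., ENABLED) check is the part worth keeping in production code: addRules() succeeding says only that the rule is in the database, and enforcement is a separate, single-owner state, so a rule that is accepted but never ENABLED is a silent policy gap rather than an error.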
enableDomainFilterReport(boolean enabled)
API to enable reporting of URLs blocked by domain filter rules.

Parameters
| enabled | true to enable and false to disable the report. |
|---|---|

Returns
true if the operation succeeded, false otherwise.

Throws
| SecurityException | If the caller does not have the required permissions. |
|---|---|

An administrator can use this API to enable or disable the recording of user attempts to access URLs blocked by the domain filter rules. The report is disabled by default. At most 10000 reports are stored; when this limit is exceeded, the oldest report is replaced by the newest, as in a circular buffer.

This API supports multiple administrators: if one administrator enables it, blocked URLs are reported regardless of who is managing domain rules at that time. Blocked URLs stop being reported only when all administrators have disabled the report. Note that IP logs are collected by the Audit Log policy from the KNOX Premium SDK, not by this report.

NOTE: In MDM 5.6 and earlier versions, the limit was 1000 reports.
Device-wide example:

```java
import com.samsung.android.knox.EnterpriseDeviceManager;
import com.samsung.android.knox.net.firewall.Firewall;

EnterpriseDeviceManager edm = EnterpriseDeviceManager.getInstance(context);
Firewall firewall = edm.getFirewall();

// enabling the report
try {
    boolean result = firewall.enableDomainFilterReport(true);
    if (result) {
        // success
    } else {
        // failed
    }
} catch (SecurityException ex) {
    // missing required permission
}
```

Knox container example:

```java
import com.samsung.android.knox.EnterpriseKnoxManager;
import com.samsung.android.knox.container.KnoxContainerManager;
import com.samsung.android.knox.net.firewall.Firewall;

KnoxContainerManager kcm = EnterpriseKnoxManager.getInstance(context)
        .getKnoxContainerManager(containerID);
Firewall firewall = kcm.getFirewall();

// enabling the report
try {
    boolean result = firewall.enableDomainFilterReport(true);
    if (result) {
        // success
    } else {
        // failed
    }
} catch (SecurityException ex) {
    // missing required permission
}
```
The use of this API requires the caller to have the "com.samsung.android.knox.permission.KNOX_FIREWALL" permission, which has a protection level of signature.
API level 19 | MDM 5.6 | User Scope
enableFirewall(boolean enabled)
API to turn IP rule enforcement on or off.

Parameters
| enabled | true to enable and false to disable IP rule enforcement. |
|---|---|

Returns
FirewallResponse describing whether the operation was successful.

Throws
| SecurityException | If the caller does not have the required permissions. |
|---|---|

An administrator can use this API to turn the enforcement of IP rules on or off. Upon enabling it, all IP rules previously added by this administrator are activated. If the administrator disables it by passing false, IP rules are no longer enforced.

Multiple administrator scenarios: when a device is managed by multiple administrators, IP rules behave as follows.
- All administrators can add IP rules.
- Only one administrator can enforce IP rules at a time.
Example: Administrator 1 enforces IP rules. Administrator 2 can configure rules but cannot enforce them. Administrator 3 can configure rules but cannot enforce them. As soon as Administrator 1 turns IP rule enforcement off, the other administrators are able to enable it.
Device-wide example:

```java
import com.samsung.android.knox.EnterpriseDeviceManager;
import com.samsung.android.knox.net.firewall.Firewall;
import com.samsung.android.knox.net.firewall.FirewallResponse;

EnterpriseDeviceManager edm = EnterpriseDeviceManager.getInstance(context);
Firewall firewall = edm.getFirewall();
FirewallResponse responseForEnable = firewall.enableFirewall(true);
// inspect responseForEnable: enforcement fails if another administrator already enforces
```

Knox container example:

```java
import com.samsung.android.knox.EnterpriseKnoxManager;
import com.samsung.android.knox.container.KnoxContainerManager;
import com.samsung.android.knox.net.firewall.Firewall;
import com.samsung.android.knox.net.firewall.FirewallResponse;

KnoxContainerManager kcm = EnterpriseKnoxManager.getInstance(context)
        .getKnoxContainerManager(containerID);
Firewall firewall = kcm.getFirewall();
FirewallResponse responseForEnable = firewall.enableFirewall(true);
// inspect responseForEnable: enforcement fails if another administrator already enforces
```
The use of this API requires the caller to have the "com.samsung.android.knox.permission.KNOX_FIREWALL" permission, which has a protection level of signature.
API level 17 | MDM 5.5 | User Scope
getDomainFilterReport(List<String> packageNameList)
API to get domain filter reports.

Parameters
| packageNameList | List of package names whose reports must be retrieved. Pass null to retrieve all reports from all packages. |
|---|---|

Returns
The DomainFilterReport entries matching the provided package names, or all reports if null was passed.

Throws
| SecurityException | If the caller does not have the required permissions. |
|---|---|

An administrator can use this API to retrieve a list of domain filter reports, either for specific applications (package names) or for all applications at once (by passing null). For additional information about the reports, refer to DomainFilterReport. This API supports multiple administrators, so any administrator is allowed to retrieve the stored reports at any time.
Device-wide example:

```java
import java.util.ArrayList;
import java.util.List;

import com.samsung.android.knox.EnterpriseDeviceManager;
import com.samsung.android.knox.net.firewall.DomainFilterReport;
import com.samsung.android.knox.net.firewall.Firewall;

EnterpriseDeviceManager edm = EnterpriseDeviceManager.getInstance(context);
Firewall firewall = edm.getFirewall();

// retrieve reports recorded for the Chrome application
List<String> packageNames = new ArrayList<>();
packageNames.add("com.android.chrome");
List<DomainFilterReport> chromeReports = firewall.getDomainFilterReport(packageNames);

// retrieve reports for all applications
List<DomainFilterReport> allReports = firewall.getDomainFilterReport(null);
```

Knox container example:

```java
import java.util.ArrayList;
import java.util.List;

import com.samsung.android.knox.EnterpriseKnoxManager;
import com.samsung.android.knox.container.KnoxContainerManager;
import com.samsung.android.knox.net.firewall.DomainFilterReport;
import com.samsung.android.knox.net.firewall.Firewall;

KnoxContainerManager kcm = EnterpriseKnoxManager.getInstance(context)
        .getKnoxContainerManager(containerID);
Firewall firewall = kcm.getFirewall();

// retrieve reports recorded for the Chrome application
List<String> packageNames = new ArrayList<>();
packageNames.add("com.android.chrome");
List<DomainFilterReport> chromeReports = firewall.getDomainFilterReport(packageNames);
```
The use of this API requires the caller to have the "com.samsung.android.knox.permission.KNOX_FIREWALL" permission, which has a protection level of signature.
API level 19 | MDM 5.6 | User Scope
getDomainFilterRules(List<String> packageNameList)
API to get domain filter rules.

Parameters
| packageNameList | List of package names whose rules must be retrieved. Pass null to retrieve all rules from all packages. |
|---|---|

Returns
The DomainFilterRule entries matching the provided package names, or all rules if null was passed.

Throws
| SecurityException | If the caller does not have the required permissions. |
|---|---|

An administrator can use this API to retrieve the domain filter rules previously added to the firewall database, either for a specific application (package name) or for all applications at once (by passing null). This API does not support multiple administrators: only the administrator currently managing the domain filter rules in the database can retrieve the applied rules.
Device-wide example:

```java
import java.util.ArrayList;
import java.util.List;

import com.samsung.android.knox.EnterpriseDeviceManager;
import com.samsung.android.knox.net.firewall.DomainFilterRule;
import com.samsung.android.knox.net.firewall.Firewall;

EnterpriseDeviceManager edm = EnterpriseDeviceManager.getInstance(context);
Firewall firewall = edm.getFirewall();

// retrieve rules added for the Chrome application
List<String> packageNames = new ArrayList<>();
packageNames.add("com.android.chrome");
List<DomainFilterRule> chromeRules = firewall.getDomainFilterRules(packageNames);

// retrieve rules for all applications
List<DomainFilterRule> allRules = firewall.getDomainFilterRules(null);
```

Knox container example:

```java
import java.util.ArrayList;
import java.util.List;

import com.samsung.android.knox.EnterpriseKnoxManager;
import com.samsung.android.knox.container.KnoxContainerManager;
import com.samsung.android.knox.net.firewall.DomainFilterRule;
import com.samsung.android.knox.net.firewall.Firewall;

KnoxContainerManager kcm = EnterpriseKnoxManager.getInstance(context)
        .getKnoxContainerManager(containerID);
Firewall firewall = kcm.getFirewall();

// retrieve rules added for the Chrome application
List<String> packageNames = new ArrayList<>();
packageNames.add("com.android.chrome");
List<DomainFilterRule> chromeRules = firewall.getDomainFilterRules(packageNames);
```
The use of this API requires the caller to have the "com.samsung.android.knox.permission.KNOX_FIREWALL" permission, which has a protection level of signature.
API level 19 | MDM 5.6 | User Scope
getRules(int bitmask, FirewallRule.Status status)
API to get IP rules.

Parameters
| bitmask | Rule type(s) whose rules must be retrieved. Possible values are FIREWALL_ALLOW_RULE, FIREWALL_DENY_RULE, FIREWALL_REDIRECT_RULE, FIREWALL_REDIRECT_EXCEPTION_RULE and FIREWALL_ALL_RULES. These values are bit flags and can be combined with bitwise OR. |
|---|---|
| status | Status of the rules to retrieve. Possible values are ENABLED, DISABLED, PENDING, or null to retrieve all rules regardless of status. |

Returns
FirewallRule array containing the rules matching the given description.

Throws
| SecurityException | If the caller does not have the required permissions. |
|---|---|

An administrator can use this API to get the IP rules it previously added, selecting by FirewallRule.RuleType and FirewallRule.Status. IP rules added by other administrators are not retrieved.
Device-wide example:

```java
import com.samsung.android.knox.EnterpriseDeviceManager;
import com.samsung.android.knox.net.firewall.Firewall;
import com.samsung.android.knox.net.firewall.FirewallRule;

EnterpriseDeviceManager edm = EnterpriseDeviceManager.getInstance(context);
Firewall firewall = edm.getFirewall();

// Administrator wants all ALLOW rules regardless of status
FirewallRule[] allowRules = firewall.getRules(Firewall.FIREWALL_ALLOW_RULE, null);

// Administrator wants all ALLOW and DENY rules that are enabled
int bitmask = (Firewall.FIREWALL_ALLOW_RULE | Firewall.FIREWALL_DENY_RULE);
FirewallRule[] allowAndDenyRules = firewall.getRules(bitmask, FirewallRule.Status.ENABLED);

// Administrator wants rules of all types that are disabled
FirewallRule[] disabledRules = firewall.getRules(Firewall.FIREWALL_ALL_RULES,
        FirewallRule.Status.DISABLED);
```

Knox container example:

```java
import com.samsung.android.knox.EnterpriseKnoxManager;
import com.samsung.android.knox.container.KnoxContainerManager;
import com.samsung.android.knox.net.firewall.Firewall;
import com.samsung.android.knox.net.firewall.FirewallRule;

KnoxContainerManager kcm = EnterpriseKnoxManager.getInstance(context)
        .getKnoxContainerManager(containerID);
Firewall firewall = kcm.getFirewall();

// Administrator wants all ALLOW rules regardless of status
FirewallRule[] allowRules = firewall.getRules(Firewall.FIREWALL_ALLOW_RULE, null);

// Administrator wants all ALLOW and DENY rules that are enabled
int bitmask = (Firewall.FIREWALL_ALLOW_RULE | Firewall.FIREWALL_DENY_RULE);
FirewallRule[] allowAndDenyRules = firewall.getRules(bitmask, FirewallRule.Status.ENABLED);

// Administrator wants rules of all types that are disabled
FirewallRule[] disabledRules = firewall.getRules(Firewall.FIREWALL_ALL_RULES,
        FirewallRule.Status.DISABLED);
```
The use of this API requires the caller to have the "com.samsung.android.knox.permission.KNOX_FIREWALL" permission, which has a protection level of signature.
API level 17 | MDM 5.5 | User Scope
isDomainFilterOnIptablesEnabled()
API to check if the association between domain and firewall rules is enabled.

Returns
true if the association between domain and firewall rules is enabled, false otherwise.

An administrator can use this API to check whether the association between domain and firewall rules is currently enabled.
```java
// Device-wide instance
EnterpriseDeviceManager edm = EnterpriseDeviceManager.getInstance(context);
Firewall firewall = edm.getFirewall();
try {
    boolean isDomainFilterOnIptablesEnabled = firewall.isDomainFilterOnIptablesEnabled();
    if (isDomainFilterOnIptablesEnabled) {
        // domain filter on iptables enabled
    } else {
        // domain filter on iptables disabled
    }
} catch (SecurityException ex) {
    // missing required permission
}
```
```java
// Knox container instance (variable name fixed: the original declared "Firewall Firewall")
KnoxContainerManager kcm = EnterpriseKnoxManager.getInstance(context)
        .getKnoxContainerManager(containerID);
Firewall firewall = kcm.getFirewall();
try {
    boolean isDomainFilterOnIptablesEnabled = firewall.isDomainFilterOnIptablesEnabled();
    if (isDomainFilterOnIptablesEnabled) {
        // domain filter on iptables enabled
    } else {
        // domain filter on iptables disabled
    }
} catch (SecurityException ex) {
    // missing required permission
}
```
API level 28 | KNOX 3.3 | User Scope
API to check whether the domain filter report is enabled or disabled.
Returns: true if the report is enabled, false otherwise.
An administrator can use this API to check whether the domain filter report is enabled or disabled. The report is a device-wide setting: if at least one administrator has enabled it, the return value is true.
```java
// Device-wide instance
EnterpriseDeviceManager edm = EnterpriseDeviceManager.getInstance(context);
Firewall firewall = edm.getFirewall();
try {
    boolean isReportEnabled = firewall.isDomainFilterReportEnabled();
    if (isReportEnabled) {
        // report enabled
    } else {
        // report disabled
    }
} catch (SecurityException ex) {
    // missing required permission
}
```
```java
// Knox container instance (variable name fixed: the original declared "Firewall Firewall")
KnoxContainerManager kcm = EnterpriseKnoxManager.getInstance(context)
        .getKnoxContainerManager(containerID);
Firewall firewall = kcm.getFirewall();
try {
    boolean isReportEnabled = firewall.isDomainFilterReportEnabled();
    if (isReportEnabled) {
        // report enabled
    } else {
        // report disabled
    }
} catch (SecurityException ex) {
    // missing required permission
}
```
API level 19 | MDM 5.6 | User Scope
API to check if IP rules are enforced.
Returns: true if IP rules are enforced, false otherwise.
An administrator can use this API to check whether enforcement of the IP filter rules is currently enabled. Note that rules can exist (see getRules) without being enforced; this call reports the enforcement state, not whether any rules are present.
```java
// Device-wide instance
EnterpriseDeviceManager edm = EnterpriseDeviceManager.getInstance(context);
Firewall firewall = edm.getFirewall();
boolean isFirewallEnabled = firewall.isFirewallEnabled();
```
```java
// Knox container instance (variable name fixed: the original declared "Firewall Firewall")
KnoxContainerManager kcm = EnterpriseKnoxManager.getInstance(context)
        .getKnoxContainerManager(containerID);
Firewall firewall = kcm.getFirewall();
boolean isFirewallEnabled = firewall.isFirewallEnabled();
```
API level 17 | MDM 5.5 | User Scope
API to list rules on iptables.
Returns: the concatenated iptables listing as a String, or null on failure.
Throws: SecurityException if the caller does not have the required permission.
An administrator can use this API to list the rules from iptables. This method concatenates the output of the following iptables commands and returns the result:
iptables -t filter -L -n --line-numbers -v
iptables -t nat -L -n --line-numbers -v
iptables -t mangle -L -n --line-numbers -v
iptables -t raw -L -n --line-numbers -v
The output is the raw iptables view of the device, so it also contains rules installed by other iptables-based features (see the warning above about Tethering, VPN clients and B2C Firewall), not only the rules added through this class. No separator is inserted between the four tables.
// Sample Output |
The use of this API requires the caller to have the "com.samsung.android.knox.permission.KNOX_FIREWALL" permission, which has a protection level of signature.
API level 17 | MDM 5.5 | User Scope
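Because listIptablesRules() returns one undelimited string, the practical use is to confirm that a rule added through this class actually landed in the kernel tables. The following is an added example, not code from the Knox SDK or its documentation: it parses the "iptables -L -n --line-numbers -v" layout into rule objects and checks for an expected DROP and REDIRECT. The sample listing is constructed for the example (it is not captured from a device), the chain name "knox_fw" is made up, and the table-boundary heuristic (each "Chain PREROUTING" header after the first chain starts the next table, because the filter table has no PREROUTING chain and iptables prints built-in chains first) is this example's assumption, not something the API guarantees.

```java
import java.util.ArrayList;
import java.util.List;

public final class IptablesListing {

    /** One rule line of "iptables -t <table> -L -n --line-numbers -v" output. */
    public static final class Rule {
        public final String table, chain, target, protocol, source, destination, extra;
        public final int number;

        Rule(String table, String chain, int number, String target, String protocol,
             String source, String destination, String extra) {
            this.table = table; this.chain = chain; this.number = number; this.target = target;
            this.protocol = protocol; this.source = source; this.destination = destination;
            this.extra = extra;
        }
    }

    /** Order in which listIptablesRules() concatenates the tables (from the description above). */
    private static final String[] TABLES = {"filter", "nat", "mangle", "raw"};

    /**
     * Parses the concatenated listing. The API inserts no separator between the four tables,
     * so the boundary is inferred (assumption): the filter table has no PREROUTING chain and
     * iptables prints built-in chains first, so every "Chain PREROUTING" header after the
     * first chain starts the next table (nat, then mangle, then raw).
     */
    public static List<Rule> parse(String listing) {
        List<Rule> rules = new ArrayList<>();
        if (listing == null) {
            return rules;                       // listIptablesRules() returns null on failure
        }
        int tableIdx = 0;
        String chain = null;
        for (String raw : listing.split("\n")) {
            String line = raw.trim();
            if (line.isEmpty()) {
                continue;
            }
            if (line.startsWith("Chain ")) {
                String name = line.split("\\s+")[1];
                if (name.equals("PREROUTING") && chain != null) {
                    tableIdx = Math.min(tableIdx + 1, TABLES.length - 1);
                }
                chain = name;
                continue;
            }
            if (chain == null || line.startsWith("num ")) {
                continue;                       // column header line
            }
            // Columns: num pkts bytes target prot opt in out source destination [match options]
            String[] f = line.split("\\s+", 11);
            if (f.length < 10 || !f[0].matches("\\d+")) {
                continue;
            }
            String extra = f.length == 11 ? f[10] : "";
            rules.add(new Rule(TABLES[tableIdx], chain, Integer.parseInt(f[0]),
                    f[3], f[4], f[8], f[9], extra));
        }
        return rules;
    }

    /** True if table/chain holds a rule with the given target whose match options contain needle. */
    public static boolean hasRule(List<Rule> rules, String table, String chain,
                                  String target, String needle) {
        for (Rule r : rules) {
            if (r.table.equals(table) && r.chain.equals(chain)
                    && r.target.equals(target) && r.extra.contains(needle)) {
                return true;
            }
        }
        return false;
    }

    /** Constructed sample listing (not captured from a device); "knox_fw" is a made-up chain name. */
    static final String SAMPLE = String.join("\n",
            "Chain INPUT (policy ACCEPT 1200 packets, 98K bytes)",
            "num   pkts bytes target     prot opt in     out     source               destination",
            "1       10   600 ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0",
            "",
            "Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)",
            "num   pkts bytes target     prot opt in     out     source               destination",
            "",
            "Chain OUTPUT (policy ACCEPT 4310 packets, 512K bytes)",
            "num   pkts bytes target     prot opt in     out     source               destination",
            "1      120  7200 knox_fw    all  --  *      *       0.0.0.0/0            0.0.0.0/0",
            "",
            "Chain knox_fw (1 references)",
            "num   pkts bytes target     prot opt in     out     source               destination",
            "1       42  2520 DROP       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            owner UID match 10123 tcp dpt:80",
            "",
            "Chain PREROUTING (policy ACCEPT 0 packets, 0 bytes)",
            "num   pkts bytes target     prot opt in     out     source               destination",
            "",
            "Chain INPUT (policy ACCEPT 0 packets, 0 bytes)",
            "num   pkts bytes target     prot opt in     out     source               destination",
            "",
            "Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)",
            "num   pkts bytes target     prot opt in     out     source               destination",
            "1        3   180 REDIRECT   tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            owner UID match 10123 tcp dpt:80 redir ports 8080",
            "",
            "Chain POSTROUTING (policy ACCEPT 0 packets, 0 bytes)",
            "num   pkts bytes target     prot opt in     out     source               destination");

    public static void main(String[] args) {
        // On a device: List<Rule> rules = parse(firewall.listIptablesRules());
        List<Rule> rules = parse(SAMPLE);
        System.out.println("DENY landed in filter: "
                + hasRule(rules, "filter", "knox_fw", "DROP", "owner UID match 10123 tcp dpt:80"));
        System.out.println("REDIRECT landed in nat: "
                + hasRule(rules, "nat", "OUTPUT", "REDIRECT", "redir ports 8080"));
    }
}
```

The rule's match options (the "owner UID match ... tcp dpt:80" tail) are kept as one string rather than parsed field by field, because their layout depends on which iptables extensions a device build ships; matching a substring is enough to confirm that a specific rule is present after an addRules() call.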
API to remove domain filter rules.
Parameters: rules - List of DomainFilterRule to be removed.
Returns: FirewallResponse array for the specified rules. The i-th element of the response array relates to the i-th element of the specified rules list.
Throws: SecurityException if the caller does not have the required permission.
An administrator can use this API to remove rules previously added through the addDomainFilterRules(List) API. Once removed, the rules no longer take effect: a rule that was blocking a domain name stops blocking it as soon as it is removed. To clear all rules in the database, pass CLEAR_ALL as the parameter to this API. To clear just one of the lists (allow/deny), pass null to the corresponding list parameter of the DomainFilterRule constructor, or call the corresponding set method of the same class. For additional information on how to properly create and use domain filter rules, refer to the DomainFilterRule class.
This API allows only one administrator to manage rules at a time: if an administrator tries to remove rules added by another administrator, the operation returns FAILED together with an error message describing the problem.
NOTE: Since MDM 5.7, DomainFilterRule can also be used to manage the DNS servers that resolve domain names for a given application. To remove DNS servers, pass an object with the same values to this API. For more details, refer to the DomainFilterRule class.
```java
// Device-wide instance
EnterpriseDeviceManager edm = EnterpriseDeviceManager.getInstance(context);
Firewall firewall = edm.getFirewall();
```
```java
// Knox container instance
KnoxContainerManager kcm = EnterpriseKnoxManager.getInstance(context)
        .getKnoxContainerManager(containerID);
Firewall firewall = kcm.getFirewall();
```
The use of this API requires the caller to have the "com.samsung.android.knox.permission.KNOX_FIREWALL" permission, which has a protection level of signature.
API level 19 | MDM 5.6 | User Scope
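The snippets above stop after obtaining the Firewall instance. As an added example (not code from the Knox SDK documentation), the following completes the call: it removes a domain filter rule by rebuilding it with the values it was added with (the deny "*" / allow "*ku.com" shape of Example 1 at the top of this page), clears the whole database with CLEAR_ALL, and maps every FirewallResponse back to its rule through the i-th-element correspondence, logging the FAILED message the API returns when a rule belongs to another administrator. The DomainFilterRule constructor order (application, denyDomains, allowDomains), the location of the constant as DomainFilterRule.CLEAR_ALL, and the FirewallResponse accessors getResult(), getMessage() and FirewallResponse.Result.SUCCESS are taken from the SDK class references and are not shown on this page, so treat them as assumptions to verify there.

```java
import java.util.Collections;

import android.content.Context;
import android.util.Log;

import com.samsung.android.knox.AppIdentity;
import com.samsung.android.knox.EnterpriseDeviceManager;
import com.samsung.android.knox.net.firewall.DomainFilterRule;
import com.samsung.android.knox.net.firewall.Firewall;
import com.samsung.android.knox.net.firewall.FirewallResponse;

public final class DomainFilterCleanup {
    private static final String TAG = "DomainFilterCleanup";

    /**
     * Removes the browser rule that was added with deny list {"*"} and allow list {"*ku.com"}.
     * Removal matches the stored rule by its values, so the DomainFilterRule is rebuilt exactly
     * as it was added. Constructor order (application, denyDomains, allowDomains) is assumed
     * from the DomainFilterRule class reference.
     */
    public static boolean removeBrowserDomainRule(Context context) {
        Firewall firewall = EnterpriseDeviceManager.getInstance(context).getFirewall();

        AppIdentity browser = new AppIdentity("com.android.chrome", null); // null: no signature check
        DomainFilterRule rule = new DomainFilterRule(browser,
                Collections.singletonList("*"),          // deny list
                Collections.singletonList("*ku.com"));   // allow list

        // SecurityException propagates if the caller lacks KNOX_FIREWALL.
        FirewallResponse[] responses =
                firewall.removeDomainFilterRules(Collections.singletonList(rule));
        return allSucceeded(responses);
    }

    /** Clears every domain filter rule in the database; CLEAR_ALL assumed to live on DomainFilterRule. */
    public static boolean clearAllDomainRules(Context context) {
        Firewall firewall = EnterpriseDeviceManager.getInstance(context).getFirewall();
        return allSucceeded(firewall.removeDomainFilterRules(DomainFilterRule.CLEAR_ALL));
    }

    /**
     * responses[i] refers to the i-th rule passed in, so each failure is logged against its
     * index. A FAILED result carrying a message is what the API returns when the rule was
     * added by another administrator. getResult()/getMessage() are assumed accessors.
     */
    static boolean allSucceeded(FirewallResponse[] responses) {
        if (responses == null || responses.length == 0) {
            Log.w(TAG, "no response from removeDomainFilterRules()");
            return false;
        }
        boolean ok = true;
        for (int i = 0; i < responses.length; i++) {
            FirewallResponse r = responses[i];
            if (r == null || r.getResult() != FirewallResponse.Result.SUCCESS) {
                Log.w(TAG, "rule " + i + " not removed: "
                        + (r == null ? "null response" : r.getMessage()));
                ok = false;
            }
        }
        return ok;
    }
}
```

Keep the AppIdentity used for removal identical to the one used when adding (same package name and the same signature or null): a rule added with a signature check will not be matched by a removal request that omits it.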
API to remove IP rules.
Parameters: rules - array of FirewallRule to be removed from the firewall.
Returns: FirewallResponse array for the specified rules, or null if the parameter rules is null. The i-th element of the array relates to the i-th element of the specified rules array.
Throws: SecurityException if the caller does not have the required permission.
An administrator can use this API to remove rules previously added through the addRules(FirewallRule[]) API. Once removed, the rules no longer take effect: a rule that allowed, blocked or redirected some IP address no longer applies after removal. Rules added by other administrators are not affected. To clear all rules at once, refer to the clearRules(int) API.
```java
// Device-wide instance. RuleType, AddressType, PortLocation, NetworkInterface, Direction
// and Protocol are nested enums of FirewallRule (static-imported here).
EnterpriseDeviceManager edm = EnterpriseDeviceManager.getInstance(context);
Firewall firewall = edm.getFirewall();

// In order to validate the application's signature related to the rule, fill this
// variable with the desired signature.
String signature = null;

int numRules = 3;
FirewallRule[] rules = new FirewallRule[numRules];

rules[0] = new FirewallRule(RuleType.DENY, AddressType.IPV4);
rules[0].setIpAddress("*");
rules[0].setPortNumber("80");
rules[0].setApplication(new AppIdentity("com.android.chrome", signature));

rules[1] = new FirewallRule(RuleType.ALLOW, AddressType.IPV4);
rules[1].setIpAddress("192.168.1.2");
rules[1].setPortNumber("80");
rules[1].setPortLocation(PortLocation.LOCAL);
rules[1].setApplication(new AppIdentity("com.android.chrome", signature));
rules[1].setNetworkInterface(NetworkInterface.WIFI_DATA_ONLY);
rules[1].setDirection(Direction.OUTPUT);
rules[1].setProtocol(Protocol.TCP);

rules[2] = new FirewallRule(RuleType.ALLOW, AddressType.IPV4);
rules[2].setIpAddress("192.168.1.3");
rules[2].setPortNumber("80");
rules[2].setPortLocation(PortLocation.REMOTE);
rules[2].setApplication(new AppIdentity("com.android.chrome", signature));
rules[2].setNetworkInterface(NetworkInterface.MOBILE_DATA_ONLY);
rules[2].setProtocol(Protocol.UDP);

// response[i] describes the outcome for rules[i]
FirewallResponse[] response = firewall.removeRules(rules);
```
```java
// Knox container instance (variable name fixed: the original declared "Firewall Firewall").
// RuleType, AddressType, PortLocation, NetworkInterface, Direction and Protocol are nested
// enums of FirewallRule (static-imported here).
KnoxContainerManager kcm = EnterpriseKnoxManager.getInstance(context)
        .getKnoxContainerManager(containerID);
Firewall firewall = kcm.getFirewall();

// In order to validate the application's signature related to the rule, fill this
// variable with the desired signature.
String signature = null;

int numRules = 3;
FirewallRule[] rules = new FirewallRule[numRules];

rules[0] = new FirewallRule(RuleType.DENY, AddressType.IPV4);
rules[0].setIpAddress("*");
rules[0].setPortNumber("80");
rules[0].setApplication(new AppIdentity("com.android.chrome", signature));

rules[1] = new FirewallRule(RuleType.ALLOW, AddressType.IPV4);
rules[1].setIpAddress("192.168.1.2");
rules[1].setPortNumber("80");
rules[1].setPortLocation(PortLocation.LOCAL);
rules[1].setApplication(new AppIdentity("com.android.chrome", signature));
rules[1].setNetworkInterface(NetworkInterface.WIFI_DATA_ONLY);
rules[1].setDirection(Direction.OUTPUT);
rules[1].setProtocol(Protocol.TCP);

rules[2] = new FirewallRule(RuleType.ALLOW, AddressType.IPV4);
rules[2].setIpAddress("192.168.1.3");
rules[2].setPortNumber("80");
rules[2].setPortLocation(PortLocation.REMOTE);
rules[2].setApplication(new AppIdentity("com.android.chrome", signature));
rules[2].setNetworkInterface(NetworkInterface.MOBILE_DATA_ONLY);
rules[2].setProtocol(Protocol.UDP);

// response[i] describes the outcome for rules[i]
FirewallResponse[] response = firewall.removeRules(rules);
```
The use of this API requires the caller to have the "com.samsung.android.knox.permission.KNOX_FIREWALL" permission, which has a protection level of signature.
API level 17 | MDM 5.5 | User Scope
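The removeRules() snippets above rebuild the rules from scratch; in practice an administrator usually removes rules it can already see. The following added example (not code from the Knox SDK documentation) ties getRules(int, FirewallRule.Status) to removeRules(FirewallRule[]): it fetches this administrator's enabled DENY rules, removes those scoped to one package, and uses the i-th-element correspondence of the response array to report exactly which rules were not removed. FirewallRule.getApplication(), AppIdentity.getPackageName(), FirewallResponse.getResult() and FirewallResponse.Result.SUCCESS are taken from the SDK class references and do not appear on this page, so treat them as assumptions to verify there.

```java
import java.util.ArrayList;
import java.util.List;

import android.content.Context;

import com.samsung.android.knox.AppIdentity;
import com.samsung.android.knox.EnterpriseDeviceManager;
import com.samsung.android.knox.net.firewall.Firewall;
import com.samsung.android.knox.net.firewall.FirewallResponse;
import com.samsung.android.knox.net.firewall.FirewallRule;

public final class FirewallRuleCleanup {

    /**
     * Removes every enabled DENY rule that this administrator added for packageName and
     * returns the rules whose removal did not succeed (an empty list means all were removed).
     * SecurityException propagates if the caller lacks KNOX_FIREWALL, as with the calls used.
     */
    public static List<FirewallRule> removeEnabledDenyRulesFor(Context context, String packageName) {
        EnterpriseDeviceManager edm = EnterpriseDeviceManager.getInstance(context);
        Firewall firewall = edm.getFirewall();

        // getRules() only returns this administrator's rules, so another admin's rules are
        // never selected here; removeRules() also leaves other admins' rules untouched.
        FirewallRule[] enabledDeny =
                firewall.getRules(Firewall.FIREWALL_DENY_RULE, FirewallRule.Status.ENABLED);

        List<FirewallRule> candidates = new ArrayList<>();
        if (enabledDeny != null) {
            for (FirewallRule rule : enabledDeny) {
                // getApplication()/getPackageName(): assumed accessors, not shown on this page
                AppIdentity app = rule.getApplication();
                if (app != null && packageName.equals(app.getPackageName())) {
                    candidates.add(rule);
                }
            }
        }
        if (candidates.isEmpty()) {
            return candidates;               // nothing to remove
        }

        FirewallRule[] toRemove = candidates.toArray(new FirewallRule[0]);
        FirewallResponse[] responses = firewall.removeRules(toRemove);

        // responses[i] describes toRemove[i]. A null array only follows a null argument,
        // but guard anyway so a failure is never silently treated as success.
        List<FirewallRule> failed = new ArrayList<>();
        if (responses == null || responses.length != toRemove.length) {
            failed.addAll(candidates);
            return failed;
        }
        for (int i = 0; i < responses.length; i++) {
            FirewallResponse r = responses[i];
            // getResult()/Result.SUCCESS: assumed accessors, not shown on this page
            if (r == null || r.getResult() != FirewallResponse.Result.SUCCESS) {
                failed.add(toRemove[i]);
            }
        }
        return failed;
    }
}
```

Filtering on the rules returned by getRules() rather than reconstructing them avoids a silent no-op: a reconstructed FirewallRule that differs in any field (port location, interface, direction, protocol, signature) from the stored one will simply not match, and the only sign is a non-SUCCESS entry at that index of the response array.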