Since: API level 17
public class Firewall extends Object

java.lang.Object
   ↳ com.samsung.android.knox.net.firewall.Firewall

Class Overview

This class provides APIs to configure firewall rules on the device, giving administrators a way to implement network security policies. It allows administrators to:

1. Restrict internet access to IP addresses and/or domain names;
2. Configure above restrictions per application basis or device wide;
3. Get a log report with all denied URLs that user tried to access.

IP Address rules

This firewall solution is based on iptables. Starting with MDM 5.6, most devices are expected to support IPv6. With this in mind, IT administrators should also apply IPv6 rules when designing their firewall rule set. Rules applied to IPv4 do not affect IPv6 traffic and vice versa, so an administrator must add rules for each IP version if the managed device is expected to connect to either an IPv4 or an IPv6 network.

Warning: Other features based on iptables may cause conflicts and unexpected behaviour (e.g. Tethering, VPN clients, B2C Firewall).

NOTE: Since MDM 5.6, firewall has IPv6 support for ALLOW and DENY rules. For REDIRECT and REDIRECT_EXCEPTION IPv6 support has been added since Knox 3.6.

Domain name rules

This functionality is provided for situations where IP addresses cannot be used: IT administrators might never be able to know all IPs associated with a given hostname or internet domain. In this case, domain names can be restricted, which is achieved by disabling their DNS resolution.

NOTE: Users may add conflicting rules for IP addresses and domain names. In this case, the more restrictive rule always takes precedence.

Example 1:
Domain Deny list = *
Domain Allow list = *ku.com
Iptables DENY list = 129.237.11.182
DNS resolution for www.ku.com = 129.237.11.182
In this case, any access to www.ku.com will be blocked.

Example 2:
Domain Deny list = *ku.com
Iptables ALLOW list = 129.237.11.182
DNS resolution for www.ku.com = 129.237.11.182
In this case, any access to www.ku.com will be blocked.

Since
API level 17
MDM 5.5

Summary

Nested Classes
enum Firewall.AddressType This constant should be used to indicate the address type of a rule. 
enum Firewall.Direction This constant should be used to indicate whether a rule is related to input (when device receives data from the Internet) or output (when device sends data to the Internet). 
enum Firewall.NetworkInterface This constant should be used to indicate whether a rule is related to connection through WI-FI or mobile data. 
enum Firewall.PortLocation This constant should be used to indicate whether the port in the rule is the device's own port or the port of the server the device is communicating with. 
enum Firewall.Protocol This constant should be used to indicate whether a rule is related to TCP or UDP protocol. 
Constants
String ACTION_BLOCKED_DOMAIN Intent action to notify the administrator(s) that a domain was blocked by addDomainFilterRules(List).
String EXTRA_BLOCKED_DOMAIN_ISFOREGROUND Used as an intent extra field with ACTION_BLOCKED_DOMAIN.
String EXTRA_BLOCKED_DOMAIN_PACKAGENAME Used as an intent extra field with ACTION_BLOCKED_DOMAIN.
String EXTRA_BLOCKED_DOMAIN_TIMESTAMP Used as an intent extra field with ACTION_BLOCKED_DOMAIN.
String EXTRA_BLOCKED_DOMAIN_UID Used as an intent extra field with ACTION_BLOCKED_DOMAIN.
String EXTRA_BLOCKED_DOMAIN_URL Used as an intent extra field with ACTION_BLOCKED_DOMAIN.
int FIREWALL_ALLOW_RULE Bitmask value for an ALLOW rule.
String FIREWALL_ALL_PACKAGES Value that indicates all application package names.
int FIREWALL_ALL_RULES Bitmask value for all rule types (all types combined by OR).
int FIREWALL_DENY_RULE Bitmask value for a DENY rule.
int FIREWALL_REDIRECT_EXCEPTION_RULE Bitmask value for a REDIRECT_EXCEPTION rule.
int FIREWALL_REDIRECT_RULE Bitmask value for a REDIRECT rule.
Public Methods
FirewallResponse[] addDomainFilterRules(List<DomainFilterRule> rules)
API to add rules to allow/block domain names.
FirewallResponse[] addRules(FirewallRule[] rules)
API to add rules to allow, block or redirect IP requests.
FirewallResponse[] clearRules(int bitmask)
API to clear IP rules.
FirewallResponse enableDomainFilterOnIptables(boolean enabled)
API to enable the association between domain and firewall rules.
FirewallResponse enableDomainFilterReport(boolean enabled)
API to enable report of URLs blocked by domain filter rules.
FirewallResponse enableFirewall(boolean enabled)
API to turn on/off IP rules enforcement.
List<DomainFilterReport> getDomainFilterReport(List<String> packageNameList)
API to get domain filter reports.
List<DomainFilterRule> getDomainFilterRules(List<String> packageNameList)
API to get domain filter rules.
FirewallRule[] getRules(int bitmask, FirewallRule.Status status)
API to get IP rules.
boolean isDomainFilterOnIptablesEnabled()
API to check if association between domain and firewall rules is enabled.
boolean isDomainFilterReportEnabled()
API to check whether the domain filter report is enabled or disabled.
boolean isFirewallEnabled()
API to check if IP rules are enforced.
String[] listIptablesRules()
API to list rules on iptables.
FirewallResponse[] removeDomainFilterRules(List<DomainFilterRule> rules)
API to remove domain filter rules.
FirewallResponse[] removeRules(FirewallRule[] rules)
API to remove IP rules.
Inherited Methods
From class java.lang.Object

Constants

public static final String ACTION_BLOCKED_DOMAIN

Since: API level 20

Intent action to notify the administrator(s) that a domain was blocked by addDomainFilterRules(List). It will have EXTRA_BLOCKED_DOMAIN_PACKAGENAME, EXTRA_BLOCKED_DOMAIN_TIMESTAMP, EXTRA_BLOCKED_DOMAIN_UID, EXTRA_BLOCKED_DOMAIN_URL - these match the information returned from getDomainFilterReport(List) - and EXTRA_BLOCKED_DOMAIN_ISFOREGROUND, a boolean value that indicates whether the application whose domain was blocked is in foreground or background. Receiver must hold "com.samsung.android.knox.permission.KNOX_FIREWALL" to receive this broadcast.

Since
API level 20
MDM 5.7
Constant Value: "com.samsung.android.knox.intent.action.BLOCKED_DOMAIN"
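The following receiver is an added example and not code from the Knox SDK documentation. It consumes ACTION_BLOCKED_DOMAIN broadcasts, reads the extras listed above and writes one structured log line per block, flagging blocks caused by background applications for closer review. The admin package name is hypothetical, and the extra value types (String, int, long, boolean) are assumed from the field descriptions on this page; the SDK constants only name the keys.

```java
package com.example.mdmagent; // hypothetical admin app package

import android.content.BroadcastReceiver;
import android.content.Context;
import android.content.Intent;
import android.util.Log;

import com.samsung.android.knox.net.firewall.Firewall;

/**
 * Receives ACTION_BLOCKED_DOMAIN and writes one structured log line per blocked domain.
 * The admin app must hold com.samsung.android.knox.permission.KNOX_FIREWALL for the
 * broadcast to be delivered; register this receiver for the action in the manifest.
 */
public class BlockedDomainReceiver extends BroadcastReceiver {
    private static final String TAG = "BlockedDomainReceiver";

    @Override
    public void onReceive(Context context, Intent intent) {
        if (intent == null || !Firewall.ACTION_BLOCKED_DOMAIN.equals(intent.getAction())) {
            return; // not the broadcast this receiver is registered for
        }
        // Extra value types are assumed from the field descriptions, not from the SDK.
        String pkg = intent.getStringExtra(Firewall.EXTRA_BLOCKED_DOMAIN_PACKAGENAME);
        String url = intent.getStringExtra(Firewall.EXTRA_BLOCKED_DOMAIN_URL);
        int uid = intent.getIntExtra(Firewall.EXTRA_BLOCKED_DOMAIN_UID, -1);
        long ts = intent.getLongExtra(Firewall.EXTRA_BLOCKED_DOMAIN_TIMESTAMP, 0L);
        boolean foreground =
                intent.getBooleanExtra(Firewall.EXTRA_BLOCKED_DOMAIN_ISFOREGROUND, false);

        String line = formatEvent(pkg, uid, url, ts, foreground);
        // A block triggered by a background app deserves a closer look: no user is driving
        // that traffic, so it is more likely to be telemetry or a misbehaving component.
        if (foreground) {
            Log.i(TAG, line);
        } else {
            Log.w(TAG, line);
        }
    }

    /** Builds a key=value line that is easy to forward to a SIEM or an audit sink. */
    static String formatEvent(String pkg, int uid, String url, long ts, boolean foreground) {
        return "event=blocked_domain"
                + " ts_ms=" + ts
                + " uid=" + uid
                + " pkg=" + (pkg == null ? "unknown" : pkg)
                + " url=" + (url == null ? "unknown" : url)
                + " foreground=" + foreground;
    }
}
```

The same five fields are available after the fact through getDomainFilterReport(List); the broadcast is the low-latency path, the report is the durable one, so a monitoring agent typically uses both.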

public static final String EXTRA_BLOCKED_DOMAIN_ISFOREGROUND

Since: API level 20

Used as an intent extra field with ACTION_BLOCKED_DOMAIN. Contains a boolean value to inform if the block occurred in a foreground application or not.

Since
API level 20
MDM 5.7
Constant Value: "com.samsung.android.knox.intent.extra.BLOCKED_DOMAIN_ISFOREGROUND"

public static final String EXTRA_BLOCKED_DOMAIN_PACKAGENAME

Since: API level 20

Used as an intent extra field with ACTION_BLOCKED_DOMAIN. Contains the package name of the application that tried to access a blocked domain.

Since
API level 20
MDM 5.7
Constant Value: "com.samsung.android.knox.intent.extra.BLOCKED_DOMAIN_PACKAGENAME"

public static final String EXTRA_BLOCKED_DOMAIN_TIMESTAMP

Since: API level 20

Used as an intent extra field with ACTION_BLOCKED_DOMAIN. Contains the timestamp in milliseconds related to the domain block.

Since
API level 20
MDM 5.7
Constant Value: "com.samsung.android.knox.intent.extra.BLOCKED_DOMAIN_TIMESTAMP"

public static final String EXTRA_BLOCKED_DOMAIN_UID

Since: API level 20

Used as an intent extra field with ACTION_BLOCKED_DOMAIN. Contains the UID of the application that tried to access a blocked domain.

Since
API level 20
MDM 5.7
Constant Value: "com.samsung.android.knox.intent.extra.BLOCKED_DOMAIN_UID"

public static final String EXTRA_BLOCKED_DOMAIN_URL

Since: API level 20

Used as an intent extra field with ACTION_BLOCKED_DOMAIN. Contains the blocked URL.

Since
API level 20
MDM 5.7
Constant Value: "com.samsung.android.knox.intent.extra.BLOCKED_DOMAIN_URL"

public static final int FIREWALL_ALLOW_RULE

Since: API level 17

Bitmask value for an ALLOW rule.

Since
API level 17
MDM 5.5
Constant Value: 1 (0x00000001)

public static final String FIREWALL_ALL_PACKAGES

Since: API level 19

Value that indicates all applications package names.

Since
API level 19
MDM 5.6
Constant Value: "*"

public static final int FIREWALL_ALL_RULES

Since: API level 17

Bitmask value for all rule types (all types combined by OR).

Since
API level 17
MDM 5.5
Constant Value: 15 (0x0000000f)

public static final int FIREWALL_DENY_RULE

Since: API level 17

Bitmask value for a DENY rule.

Since
API level 17
MDM 5.5
Constant Value: 2 (0x00000002)

public static final int FIREWALL_REDIRECT_EXCEPTION_RULE

Since: API level 17

Bitmask value for a REDIRECT_EXCEPTION rule.

Since
API level 17
MDM 5.5
Constant Value: 8 (0x00000008)

public static final int FIREWALL_REDIRECT_RULE

Since: API level 17

Bitmask value for a REDIRECT rule.

Since
API level 17
MDM 5.5
Constant Value: 4 (0x00000004)

Public Methods

public FirewallResponse[] addDomainFilterRules (List<DomainFilterRule> rules)

Since: API level 19

API to add rules to allow/block domain names.

Parameters
rules List of DomainFilterRule to be added.
Returns
  • A FirewallResponse array for the specified rules or null in case the parameter rules is null. The i-th element of the response array will be related to the i-th element of the specified rules array.
Throws
SecurityException If caller does not have required permissions
Usage
An administrator can use this API to add rules to allow/block applications from accessing domains. By default, the system will not block any DNS resolution, so you don't need to worry about adding domain filter rules except when you want to deny DNS resolution to some (or all) domains.

Once the rules are added, next time the application tries to access any denied domain it will be blocked. This API allows only one administrator to manage rules at a time, which means that if some administrator tries to add rules while another one has already added any, the operation will return FAILED and an error message describing that. For additional information on how to properly create and use domain filter rules, please refer to DomainFilterRule class.

An administrator can apply a rule to a specific application or to all applications at once (using FIREWALL_ALL_PACKAGES). If a rule with the FIREWALL_ALL_PACKAGES value is already in the database and a rule is then added for a specific application, the general rule is no longer considered when resolving domain access enforcement for that application.

Some applications may not resolve a domain through default DNS, instead they forward the request to a specific domain. In this case, the domain rule will not be enforced.

NOTE: A domain cannot be on the whitelist and the blacklist simultaneously; adding it again to the other list type removes it from the previous list. If a new rule contains the same domain in both the blacklist and the whitelist, the whitelist entry takes effect.

NOTE: Since MDM 5.7, DomainFilterRule can also be used to manage the DNS servers that resolve domain names for a given application. Two DNS servers can be provided: a primary (mandatory) and a backup (optional) server. To change previously set DNS servers, pass a rule object with the new DNS servers to this API; both DNS servers will be overwritten. For more details refer to the DomainFilterRule class.

NOTE: Deny rules may also need to block:
  • *.googlezip.net, to avoid Chrome's data saver proxy, which bypasses the rules when accessing websites over HTTP.
  • IPv4 and IPv6 traffic on port 53 via FirewallRule for Chromium-based browsers, since Chromium has its own DNS-resolution implementation. Blocking that implementation's resolution makes it fall back to the system resolver.
 EnterpriseDeviceManager edm = EnterpriseDeviceManager.getInstance(context);
 Firewall firewall = edm.getFirewall();

 List<DomainFilterRule> rules = new ArrayList<DomainFilterRule>();

 // Deny list , domains to block
 List<String> denyList = new ArrayList<String>();
 denyList.add("www.google.com");
 denyList.add("*android.com");
 denyList.add("www.samsung*");

 // Allow list, domains to allow
 List<String> allowList = new ArrayList<String>();
 allowList.add("www.youtube.com");

 // In order to validate the application's signature related to the rule, fill this
 // variable with the desired signature.
 String signature = null;

 // DNS server 1
 String dns1 = "8.8.8.8";
 // DNS server 2
 String dns2 = "8.8.4.4";
 
 // add rule for chrome application
 rules.add(new DomainFilterRule(new AppIdentity("com.android.chrome", signature), denyList,
         allowList, dns1, dns2));
 try {
     FirewallResponse[] response = firewall.addDomainFilterRules(rules);
     if (FirewallResponse.Result.SUCCESS == response[0].getResult()) {
         // success
     } else {
         // failed
     }
 } catch (SecurityException ex) {
     // missing required MDM permission
 }
 
For Container:
 KnoxContainerManager kcm = EnterpriseKnoxManager.getInstance(context)
         .getKnoxContainerManager(containerID);
 Firewall firewall = kcm.getFirewall();

 List<DomainFilterRule> rules = new ArrayList<DomainFilterRule>();

 // Deny list , domains to block
 List<String> denyList = new ArrayList<String>();
 denyList.add("www.google.com");
 denyList.add("*android.com");
 denyList.add("www.samsung*");

 // Allow list, domains to allow
 List<String> allowList = new ArrayList<String>();
 allowList.add("www.youtube.com");

 // In order to validate the application's signature related to the rule, fill this
 // variable with the desired signature.
 String signature = null;

 // DNS server 1
 String dns1 = "8.8.8.8";
 // DNS server 2
 String dns2 = "8.8.4.4";

 // add rule for chrome application
 rules.add(new DomainFilterRule(new AppIdentity("com.android.chrome", signature), denyList,
         allowList, dns1, dns2));
 try {
     FirewallResponse[] response = firewall.addDomainFilterRules(rules);
     if (FirewallResponse.Result.SUCCESS == response[0].getResult()) {
         // success
     } else {
         // failed
     }
 } catch (SecurityException ex) {
     // missing required MDM permission
 }
 
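The following is an added example (not code from the Knox SDK documentation) that puts the two NOTE items above into one policy: a device-wide deny list that also covers *.googlezip.net, plus a DENY rule on remote port 53 for Chrome on both IPv4 and IPv6 so that Chromium's built-in resolver fails and the system resolver, where the domain rules apply, is used instead. It assumes the three-argument DomainFilterRule(AppIdentity, denyList, allowList) constructor and FirewallResponse.getMessage(), which exist in the SDK but are not shown on this page, and it relies on the documented guarantee that response[i] describes rules[i].

```java
import java.util.ArrayList;
import java.util.List;

import android.content.Context;
import android.util.Log;

import com.samsung.android.knox.AppIdentity;
import com.samsung.android.knox.EnterpriseDeviceManager;
import com.samsung.android.knox.net.firewall.DomainFilterRule;
import com.samsung.android.knox.net.firewall.Firewall;
import com.samsung.android.knox.net.firewall.FirewallResponse;
import com.samsung.android.knox.net.firewall.FirewallRule;

public class DomainDenyPolicy {
    private static final String TAG = "DomainDenyPolicy";
    private static final String CHROME = "com.android.chrome";

    /** Applies the deny list device-wide and closes the two bypasses named in the docs. */
    public static boolean apply(Context context, List<String> deniedDomains) {
        Firewall firewall = EnterpriseDeviceManager.getInstance(context).getFirewall();

        // Device-wide deny list; also deny Chrome's data saver proxy domain.
        List<String> deny = new ArrayList<String>(deniedDomains);
        deny.add("*.googlezip.net");
        List<String> allow = new ArrayList<String>(); // nothing is allowlisted here

        List<DomainFilterRule> domainRules = new ArrayList<DomainFilterRule>();
        // Three-argument constructor: assumed (not shown on this page). Null signature
        // means the package is matched by name only.
        domainRules.add(new DomainFilterRule(
                new AppIdentity(Firewall.FIREWALL_ALL_PACKAGES, null), deny, allow));
        if (!allSucceeded("domain", firewall.addDomainFilterRules(domainRules))) {
            return false;
        }

        // Chromium resolves DNS itself; blocking its port-53 traffic on both address
        // families forces fallback to the system resolver, where domain rules apply.
        FirewallRule[] dnsRules = new FirewallRule[2];
        dnsRules[0] = dnsBlock(Firewall.AddressType.IPV4);
        dnsRules[1] = dnsBlock(Firewall.AddressType.IPV6);
        if (!allSucceeded("dns-port", firewall.addRules(dnsRules))) {
            return false;
        }

        // IP rules only take effect once enforcement is switched on.
        FirewallResponse enable = firewall.enableFirewall(true);
        return enable != null && enable.getResult() == FirewallResponse.Result.SUCCESS;
    }

    private static FirewallRule dnsBlock(Firewall.AddressType type) {
        FirewallRule r = new FirewallRule(FirewallRule.RuleType.DENY, type);
        r.setIpAddress("*");                      // any resolver address
        r.setPortNumber("53");
        r.setPortLocation(Firewall.PortLocation.REMOTE);
        r.setApplication(new AppIdentity(CHROME, null));
        r.setDirection(Firewall.Direction.OUTPUT);
        return r;                                 // no protocol set: covers TCP and UDP
    }

    /** Responses are index-aligned with the submitted rules; log each failure by index. */
    static boolean allSucceeded(String what, FirewallResponse[] responses) {
        if (responses == null) {
            Log.e(TAG, what + ": null response (rules argument was null?)");
            return false;
        }
        boolean ok = true;
        for (int i = 0; i < responses.length; i++) {
            if (responses[i].getResult() != FirewallResponse.Result.SUCCESS) {
                // getMessage(): assumed accessor for the error text mentioned in the docs
                Log.e(TAG, what + " rule " + i + " failed: " + responses[i].getMessage());
                ok = false;
            }
        }
        return ok;
    }
}
```

Checking every element of the response array rather than only response[0] matters because a batch can partially succeed, and the FAILED entry for a rule added while another administrator owns the domain rules carries the explanatory message.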
Permission
The use of this API requires the caller to have the "com.samsung.android.knox.permission.KNOX_FIREWALL" permission which has a protection level of signature.
Since
API level 19
MDM 5.6
Multiuser Environment
User Scope

public FirewallResponse[] addRules (FirewallRule[] rules)

Since: API level 17

API to add rules to allow, block or redirect IP requests.

Parameters
rules array of FirewallRule to be added.
Returns
  • A FirewallResponse list for the specified rules or null in case the parameter rules is null. The i-th element of the list will be related to the i-th element of the specified rules array.
Throws
SecurityException If caller does not have required permissions
Usage
An administrator can use this API to add rules to allow, block or redirect IP requests. By default, the system does not interfere with data traffic, so you do not need to add IP rules unless you want to block or redirect some (or all) access.

Once the rules are added and enforced (please refer to enableFirewall(boolean)), next time the application tries to send an IP request, the latest rule set will be analyzed before deciding to allow, block or redirect the request. For additional information on how to properly create and use IP rules, please refer to FirewallRule class.

It is important to notice that the IP rules will have effect only if enableFirewall(boolean) has been called with true. Any administrator can add IP rules, but only one administrator can activate IP rules enforcement at a time.

NOTE: It is recommended to disable the browser's (e.g. Chrome's) data saver feature for this API to operate correctly, as the browser may bypass the firewall rules by using its own implementation for resolving IP addresses.
Since the administrator has no control over the browser's built-in data saver feature and cannot turn it off, the administrator can use domain filter rules (addDomainFilterRules(List)) to block the application's DNS requests and retrieve the blocked domains with the domain filter report (enableDomainFilterReport(boolean)). This helps identify which domains are used specifically in data saver mode; blocking those domains forces the browser to operate outside of that mode.
 EnterpriseDeviceManager edm = EnterpriseDeviceManager.getInstance(context);
 Firewall firewall = edm.getFirewall();

 // In order to validate the application's signature related to the rule, fill this
 // variable with the desired signature.
 String signature = null;

 int numRules = 5;
 FirewallRule[] rules = new FirewallRule[numRules];
 
 // To Add a Deny Rule
 rules[0] = new FirewallRule(RuleType.DENY, AddressType.IPV4);
 rules[0].setIpAddress("*");
 rules[0].setPortNumber("80");
 rules[0].setApplication(new AppIdentity("com.android.chrome", signature));
 
 // To Add a Allow Rule
 rules[1] = new FirewallRule(RuleType.ALLOW, AddressType.IPV4);
 rules[1].setIpAddress("192.168.1.2");
 rules[1].setPortNumber("80");
 rules[1].setPortLocation(PortLocation.LOCAL);
 rules[1].setApplication(new AppIdentity("com.android.chrome", signature));
 rules[1].setNetworkInterface(NetworkInterface.WIFI_DATA_ONLY);
 rules[1].setDirection(Direction.OUTPUT);
 rules[1].setProtocol(Protocol.TCP);
 
 // To Add a Redirect Rule
 rules[2] = new FirewallRule(RuleType.REDIRECT, AddressType.IPV4);
 rules[2].setIpAddress("*");
 rules[2].setPortNumber("443");
 rules[2].setPortLocation(PortLocation.REMOTE);
 rules[2].setNetworkInterface(NetworkInterface.MOBILE_DATA_ONLY);
 rules[2].setTargetIpAddress("192.168.2.1");
 rules[2].setTargetPortNumber("60");
 
 // To Add a Redirect Exception Rule
 rules[3] = new FirewallRule(RuleType.REDIRECT_EXCEPTION, AddressType.IPV4);
 rules[3].setIpAddress("192.168.1.1");
 rules[3].setPortNumber("443");
 rules[3].setProtocol(Protocol.TCP);
 
 // To Add a Allow Rule (Using IPv6 Address)
 rules[4] = new FirewallRule(RuleType.ALLOW, AddressType.IPV6);
 rules[4].setIpAddress("2001:12C0:8000:AAAA:200:192:176:65");
 rules[4].setPortNumber("80");
 rules[4].setPortLocation(PortLocation.LOCAL);
 rules[4].setPackageName("com.android.chrome");
 rules[4].setNetworkInterface(NetworkInterface.WIFI_DATA_ONLY);
 // Since Android Q, Direction.ALL will behave as Direction.OUTPUT
 rules[4].setDirection(Direction.ALL);
 rules[4].setProtocol(Protocol.TCP);
 FirewallResponse[] response = firewall.addRules(rules);
 
 // Add rule to use as a Proxy (http)
 FirewallRule[] proxyRule = new FirewallRule[1];
 // All output traffic going through the port 80 will be redirected to the proxy server configured
 // on IP 192.168.100.10
 proxyRule[0] = new FirewallRule(RuleType.REDIRECT, AddressType.IPV4);
 proxyRule[0].setIpAddress("*");
 proxyRule[0].setPortNumber("80");
 proxyRule[0].setTargetIpAddress("192.168.100.10");
 proxyRule[0].setTargetPortNumber("680");
 
 FirewallResponse[] proxyResponse = firewall.addRules(proxyRule);
 
 // Add rule to restrict the network used for an application
 // All output traffic from an application, in this case Chrome, will be blocked on Mobile
 // Interface.
 FirewallRule[] appRule = new FirewallRule[1];
 appRule[0] = new FirewallRule(RuleType.DENY, AddressType.IPV4);
 appRule[0].setIpAddress("*");
 appRule[0].setPortNumber("*");
 appRule[0].setApplication(new AppIdentity("com.android.chrome", signature));
 appRule[0].setNetworkInterface(NetworkInterface.WIFI_DATA_ONLY);
 
 FirewallResponse[] appResponse = firewall.addRules(appRule);

 // Add rule to restrict data traffic on tethered interfaces
 // All data traffic from tethered interfaces will be blocked by the rule below
 FirewallRule[] tetherRule = new FirewallRule[1];
 tetherRule[0] = new FirewallRule(RuleType.DENY, AddressType.IPV4);
 tetherRule[0].setIpAddress("*");
 tetherRule[0].setPortNumber("*");
 tetherRule[0].setDirection(Direction.FORWARD);
 
 // a new variable: 'response' is already declared above
 FirewallResponse[] tetherResponse = firewall.addRules(tetherRule);
 
For Container:
 KnoxContainerManager kcm = EnterpriseKnoxManager.getInstance(context)
         .getKnoxContainerManager(containerID);
 Firewall firewall = kcm.getFirewall();

 // In order to validate the application's signature related to the rule, fill this
 // variable with the desired signature.
 String signature = null;

 int numRules = 5;
 FirewallRule[] rules = new FirewallRule[numRules];
 
 // To Add a Deny Rule
 rules[0] = new FirewallRule(RuleType.DENY, AddressType.IPV4);
 rules[0].setIpAddress("*");
 rules[0].setPortNumber("80");
 // INPUT rules will affect all users of the device
 rules[0].setDirection(Direction.INPUT);
 
 // To Add a Allow Rule
 rules[1] = new FirewallRule(RuleType.ALLOW, AddressType.IPV4);
 rules[1].setIpAddress("192.168.1.2");
 rules[1].setPortNumber("80");
 rules[1].setPortLocation(PortLocation.LOCAL);
 rules[1].setApplication(new AppIdentity("com.android.chrome", signature));
 rules[1].setNetworkInterface(NetworkInterface.WIFI_DATA_ONLY);
 rules[1].setDirection(Direction.OUTPUT);
 rules[1].setProtocol(Protocol.TCP);
 
 // To Add a Redirect Rule
 rules[2] = new FirewallRule(RuleType.REDIRECT, AddressType.IPV4);
 rules[2].setIpAddress("*");
 rules[2].setPortNumber("443");
 rules[2].setPortLocation(PortLocation.REMOTE);
 rules[2].setNetworkInterface(NetworkInterface.MOBILE_DATA_ONLY);
 rules[2].setTargetIpAddress("192.168.2.1");
 rules[2].setTargetPortNumber("60");
 
 // To Add a Redirect Exception Rule
 rules[3] = new FirewallRule(RuleType.REDIRECT_EXCEPTION, AddressType.IPV4);
 rules[3].setIpAddress("192.168.1.1");
 rules[3].setPortNumber("443");
 rules[3].setProtocol(Protocol.TCP);
 
 // To Add a Allow Rule (Using IPv6 Address)
 rules[4] = new FirewallRule(RuleType.ALLOW, AddressType.IPV6);
 rules[4].setIpAddress("2001:12C0:8000:AAAA:200:192:176:65");
 rules[4].setPortNumber("80");
 rules[4].setPortLocation(PortLocation.LOCAL);
 rules[4].setPackageName("com.android.chrome");
 rules[4].setNetworkInterface(NetworkInterface.WIFI_DATA_ONLY);
 rules[4].setDirection(Direction.OUTPUT);
 rules[4].setProtocol(Protocol.TCP);
 FirewallResponse[] response = firewall.addRules(rules);
 
 // Add rule to use as a Proxy (http)
 // All output traffic going through the port 80 will be redirected to the proxy server configured
 // on IP 192.168.100.10
 FirewallRule[] proxyRule = new FirewallRule[1];
 proxyRule[0] = new FirewallRule(RuleType.REDIRECT, AddressType.IPV4);
 proxyRule[0].setIpAddress("*");
 proxyRule[0].setPortNumber("80");
 proxyRule[0].setTargetIpAddress("192.168.100.10");
 proxyRule[0].setTargetPortNumber("80");
 
 FirewallResponse[] proxyResponse = firewall.addRules(proxyRule);
 
 // Add rule to restrict the network used for an application
 // All output traffic used by the application, in this case chrome, will be blocked on Mobile
 // Interface.
 FirewallRule[] appRule = new FirewallRule[1];
 appRule[0] = new FirewallRule(RuleType.DENY, AddressType.IPV4);
 appRule[0].setIpAddress("*");
 appRule[0].setPortNumber("*");
 appRule[0].setApplication(new AppIdentity("com.android.chrome", signature));
 appRule[0].setNetworkInterface(NetworkInterface.WIFI_DATA_ONLY);
 
 FirewallResponse[] appResponse = firewall.addRules(appRule);
 
 
Permission
The use of this API requires the caller to have the "com.samsung.android.knox.permission.KNOX_FIREWALL" permission which has a protection level of signature.
Since
API level 17
MDM 5.5
Multiuser Environment
User Scope

public FirewallResponse[] clearRules (int bitmask)

Since: API level 17

API to clear IP rules.

Parameters
bitmask Rule type(s) whose rules must be cleared. Possible values are FIREWALL_ALLOW_RULE, FIREWALL_DENY_RULE, FIREWALL_REDIRECT_RULE, FIREWALL_REDIRECT_EXCEPTION_RULE and FIREWALL_ALL_RULES. These values are bit flags and can be combined with bitwise OR.
Returns
Throws
SecurityException If caller does not have required permissions
Usage
An administrator can use this API to clear the IP rules previously added. The rules added by other administrators are not affected.

Domain filter rules are not cleared by this API. To clear domain filter rules, please refer to removeDomainFilterRules(List).
 EnterpriseDeviceManager edm = EnterpriseDeviceManager.getInstance(context);
 Firewall firewall = edm.getFirewall();
 
 // Clear only Allow Rules
 int bitmask = Firewall.FIREWALL_ALLOW_RULE;
 FirewallResponse[] response = firewall.clearRules(bitmask);
 
 // Clear only Deny Rules
 bitmask = Firewall.FIREWALL_DENY_RULE;
 response = firewall.clearRules(bitmask);
 
 // Clear only Allow and Deny Rules
 bitmask = Firewall.FIREWALL_ALLOW_RULE | Firewall.FIREWALL_DENY_RULE;
 response = firewall.clearRules(bitmask);
 
 // Clear All Rules
 bitmask = Firewall.FIREWALL_ALL_RULES;
 response = firewall.clearRules(bitmask);
 
For Container:
 KnoxContainerManager kcm = EnterpriseKnoxManager.getInstance(context)
         .getKnoxContainerManager(containerID);
 Firewall firewall = kcm.getFirewall();
 
 // Clear only Allow Rules
 int bitmask = Firewall.FIREWALL_ALLOW_RULE;
 FirewallResponse[] response = firewall.clearRules(bitmask);
 
 // Clear only Deny Rules
 bitmask = Firewall.FIREWALL_DENY_RULE;
 response = firewall.clearRules(bitmask);
 
 // Clear only Allow and Deny Rules
 bitmask = Firewall.FIREWALL_ALLOW_RULE | Firewall.FIREWALL_DENY_RULE;
 response = firewall.clearRules(bitmask);
 
 // Clear All Rules
 bitmask = Firewall.FIREWALL_ALL_RULES;
 response = firewall.clearRules(bitmask);
 
Permission
The use of this API requires the caller to have the "com.samsung.android.knox.permission.KNOX_FIREWALL" permission which has a protection level of signature.
Since
API level 17
MDM 5.5
Multiuser Environment
User Scope

public FirewallResponse enableDomainFilterOnIptables (boolean enabled)

Since: API level 28

API to enable the association between domain and firewall rules.

Parameters
enabled true to enable and false to disable association between domain and firewall rules.
Returns
Throws
SecurityException If caller does not have required permissions
Usage
An administrator can use this API to enable/disable association between addDomainFilterRules(List) and addRules(FirewallRule[]) APIs.
Once enabled, next time an application tries to send a domain name resolution request, the Domain rules (DomainFilterRule) will be analyzed before Firewall rules (FirewallRule), deciding to allow or block the request.

This module will try to match each domain request against a list of DomainFilterRule configured by the admin.

With this solution, an administrator can keep whitelisted domains reachable even when the Firewall policy dictates that all IPs should be blocked.
If the administrator disables it by passing false, domain rules may end up being overridden by Firewall rules.

This API doesn't support multiple administrators, so only the administrator who is currently managing domain filter rules in database can enable/disable it.

NOTE: This API will not take effect on tethered connections. In other words, it will not associate domains with Firewall rules set to direction FORWARD.
 EnterpriseDeviceManager edm = EnterpriseDeviceManager.getInstance(context);
 Firewall firewall = edm.getFirewall();

 try {
     FirewallResponse responseForEnable = firewall.enableDomainFilterOnIptables(true); // Enable DomainFilterOnIptables
     FirewallResponse responseForDisable = firewall.enableDomainFilterOnIptables(false); // Disable DomainFilterOnIptables
 } catch (SecurityException ex) {
     // missing required permission
 }
For Container:
 KnoxContainerManager kcm =
 EnterpriseKnoxManager.getInstance(context).getKnoxContainerManager(containerID);
 Firewall firewall = kcm.getFirewall();

 try {
     FirewallResponse responseForEnable = firewall.enableDomainFilterOnIptables(true); // Enable DomainFilterOnIptables
     FirewallResponse responseForDisable = firewall.enableDomainFilterOnIptables(false); // Disable DomainFilterOnIptables
 } catch (SecurityException ex) {
     // missing required permission
 }
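The following is an added example, not code from the Knox SDK documentation, of the allowlist-only configuration this section describes: all outbound traffic of one application is denied by IP rules for both IPv4 and IPv6 (as the IP Address rules section requires, one rule per address family), the application's domain rules deny "*" and allow only the named domains, and the association is enabled so the domain rules are evaluated before the IP rules. The package name and domains are placeholders, and the three-argument DomainFilterRule constructor is assumed (it is not shown on this page).

```java
import java.util.ArrayList;
import java.util.Arrays;
import java.util.List;

import android.content.Context;

import com.samsung.android.knox.AppIdentity;
import com.samsung.android.knox.EnterpriseDeviceManager;
import com.samsung.android.knox.net.firewall.DomainFilterRule;
import com.samsung.android.knox.net.firewall.Firewall;
import com.samsung.android.knox.net.firewall.FirewallResponse;
import com.samsung.android.knox.net.firewall.FirewallRule;

public class AllowlistOnlyEgress {

    /** Restricts packageName to the allowed domains; everything else is denied. */
    public static boolean apply(Context context, String packageName, List<String> allowedDomains) {
        Firewall firewall = EnterpriseDeviceManager.getInstance(context).getFirewall();
        AppIdentity app = new AppIdentity(packageName, null); // name-only match, no signature check

        // 1. Domain rules: deny every name, allow only the listed ones.
        List<DomainFilterRule> domainRules = new ArrayList<DomainFilterRule>();
        domainRules.add(new DomainFilterRule(app, Arrays.asList("*"),
                new ArrayList<String>(allowedDomains))); // 3-arg constructor: assumed
        if (!ok(firewall.addDomainFilterRules(domainRules))) return false;

        // 2. IP rules: deny all outbound traffic for the app, once per address family,
        //    because IPv4 rules never match IPv6 traffic and vice versa.
        FirewallRule[] ipRules = new FirewallRule[2];
        ipRules[0] = denyAll(app, Firewall.AddressType.IPV4);
        ipRules[1] = denyAll(app, Firewall.AddressType.IPV6);
        if (!ok(firewall.addRules(ipRules))) return false;

        // 3. Evaluate domain rules before IP rules, then switch enforcement on.
        if (!ok(firewall.enableDomainFilterOnIptables(true))) return false;
        return ok(firewall.enableFirewall(true)) && verify(firewall);
    }

    private static FirewallRule denyAll(AppIdentity app, Firewall.AddressType type) {
        FirewallRule r = new FirewallRule(FirewallRule.RuleType.DENY, type);
        r.setIpAddress("*");
        r.setPortNumber("*");
        r.setApplication(app);
        r.setDirection(Firewall.Direction.OUTPUT); // FORWARD is not covered by the association
        return r;
    }

    /** Confirms both switches really took effect before reporting success. */
    static boolean verify(Firewall firewall) {
        return firewall.isFirewallEnabled() && firewall.isDomainFilterOnIptablesEnabled();
    }

    private static boolean ok(FirewallResponse r) {
        return r != null && r.getResult() == FirewallResponse.Result.SUCCESS;
    }

    private static boolean ok(FirewallResponse[] rs) {
        if (rs == null) return false;
        for (FirewallResponse r : rs) {
            if (!ok(r)) return false;
        }
        return true;
    }

    // Usage (placeholder values):
    // AllowlistOnlyEgress.apply(context, "com.example.lob", Arrays.asList("api.example.com"));
}
```

Because the association does not cover FORWARD rules, tethered traffic is out of scope for this policy; if tethering must also be restricted, add a separate FORWARD deny rule as shown in the addRules(FirewallRule[]) examples.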
Permission
The use of this API requires the caller to have the "com.samsung.android.knox.permission.KNOX_FIREWALL" permission which has a protection level of signature.
Since
API level 28
KNOX 3.3
Multiuser Environment
User Scope

public FirewallResponse enableDomainFilterReport (boolean enabled)

Since: API level 19

API to enable report of URLs blocked by domain filter rules.

Parameters
enabled true to enable and false to disable report.
Returns
  • true if succeeded, false otherwise.
Throws
SecurityException If caller does not have required permissions
Usage
Administrator can use this API to enable/disable the recording of user attempts to access blocked URLs by the domain filter rules. The report is disabled by default. The limit of reports that will be stored is 10000. When this limit is exceeded, the oldest report will be replaced by the newest and so on, as in a circular buffer.

This API supports multiple administrators, so if one administrator enables it, the blocked URLs will be reported regardless of who is managing domain rules at that time. When all administrators disable the report, the blocked URLs will no longer be reported.

Please note that IP logs are collected by the Audit Log policy of the KNOX Premium SDK.

NOTE: In MDM 5.6 and previous versions, the limit of reports was 1000.
 EnterpriseDeviceManager edm = EnterpriseDeviceManager.getInstance(context);
 Firewall firewall = edm.getFirewall();

 // enabling report
 try {
     FirewallResponse response = firewall.enableDomainFilterReport(true);
     if (FirewallResponse.Result.SUCCESS == response.getResult()) {
         // success
     } else {
         // failed
     }
 } catch (SecurityException ex) {
     // missing required permission
 }
For Container:
 KnoxContainerManager kcm = EnterpriseKnoxManager.getInstance(context)
         .getKnoxContainerManager(containerID);
 Firewall firewall = kcm.getFirewall();

 // enabling report
 try {
     FirewallResponse response = firewall.enableDomainFilterReport(true);
     if (FirewallResponse.Result.SUCCESS == response.getResult()) {
         // success
     } else {
         // failed
     }
 } catch (SecurityException ex) {
     // missing required permission
 }
Permission
The use of this API requires the caller to have the "com.samsung.android.knox.permission.KNOX_FIREWALL" permission which has a protection level of signature.
Since
API level 19
MDM 5.6
Multiuser Environment
User Scope
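The following is an added example, not code from the Knox SDK documentation, of the workflow described under addRules(FirewallRule[]) and above: enable the report if it is not already on, read the stored entries for one package with getDomainFilterReport(List), and rank the blocked hosts by frequency so that an administrator can decide which domains to add to a deny list. It assumes DomainFilterReport exposes the blocked URL through a getDomainUrl() getter (the getter name is an assumption; this page documents only the report's contents, not its accessors).

```java
import java.util.ArrayList;
import java.util.Collections;
import java.util.Comparator;
import java.util.HashMap;
import java.util.List;
import java.util.Map;

import android.content.Context;

import com.samsung.android.knox.EnterpriseDeviceManager;
import com.samsung.android.knox.net.firewall.DomainFilterReport;
import com.samsung.android.knox.net.firewall.Firewall;
import com.samsung.android.knox.net.firewall.FirewallResponse;

public class BlockedDomainDigest {

    /**
     * Enables reporting once, then reads the buffer for one package. Call this on a
     * schedule: the buffer holds 10000 entries and silently overwrites the oldest.
     */
    public static List<Map.Entry<String, Integer>> collect(Context context, String packageName) {
        Firewall firewall = EnterpriseDeviceManager.getInstance(context).getFirewall();
        if (!firewall.isDomainFilterReportEnabled()) {
            FirewallResponse r = firewall.enableDomainFilterReport(true);
            if (r == null || r.getResult() != FirewallResponse.Result.SUCCESS) {
                return Collections.emptyList();
            }
        }
        List<String> pkgs = new ArrayList<String>();
        pkgs.add(packageName);
        return summarize(firewall.getDomainFilterReport(pkgs));
    }

    /** Turns report entries into per-host hit counts, most frequent first. */
    public static List<Map.Entry<String, Integer>> summarize(List<DomainFilterReport> reports) {
        Map<String, Integer> counts = new HashMap<String, Integer>();
        if (reports != null) {
            for (DomainFilterReport report : reports) {
                String host = hostOf(report.getDomainUrl()); // getDomainUrl(): assumed name
                Integer n = counts.get(host);
                counts.put(host, n == null ? 1 : n + 1);
            }
        }
        List<Map.Entry<String, Integer>> ranked =
                new ArrayList<Map.Entry<String, Integer>>(counts.entrySet());
        Collections.sort(ranked, new Comparator<Map.Entry<String, Integer>>() {
            @Override
            public int compare(Map.Entry<String, Integer> a, Map.Entry<String, Integer> b) {
                return b.getValue().compareTo(a.getValue()); // descending by count
            }
        });
        return ranked;
    }

    /** Reduces a reported URL to its host so paths and query strings do not split counts. */
    static String hostOf(String url) {
        if (url == null) return "unknown";
        String s = url;
        int scheme = s.indexOf("://");
        if (scheme >= 0) s = s.substring(scheme + 3);
        int slash = s.indexOf('/');
        if (slash >= 0) s = s.substring(0, slash);
        if (s.startsWith("[")) {                    // bracketed IPv6 literal, e.g. [2001:db8::1]:443
            int close = s.indexOf(']');
            return close > 0 ? s.substring(1, close).toLowerCase() : s.toLowerCase();
        }
        int colon = s.indexOf(':');                 // strip an explicit port
        if (colon >= 0) s = s.substring(0, colon);
        return s.toLowerCase();
    }
}
```

The ranked list is a review aid, not an automatic deny list: hosts that appear only while a browser is in data saver mode are the candidates the addRules(FirewallRule[]) note has in mind, and an administrator confirms them before adding domain filter rules.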

public FirewallResponse enableFirewall (boolean enabled)

Since: API level 17

API to turn on/off IP rules enforcement.

Parameters
enabled true to enable and false to disable IP rules enforcement.
Returns
Throws
SecurityException If caller does not have required permissions
Usage
An administrator can use this API to turn on/off the enforcement of IP rules. Upon enabling it, all IP rules previously added by this administrator will be activated. If the administrator disables it passing false, IP rules will not be enforced anymore.

Multiple Administrator Scenarios
When a device is managed by multiple administrators, IP rules behave as follows:
- All administrators can add IP rules.
- Only one administrator can enforce IP rules at a time.

Example:
Administrator 1 enforces IP rules.
Administrator 2 will be able to configure rules but will not be able to enforce IP rules.
Administrator 3 will be able to configure rules but will not be able to enforce IP rules.

As soon as administrator 1 turns off IP rules enforcement, the other administrators will be able to enable it.
 EnterpriseDeviceManager edm = EnterpriseDeviceManager.getInstance(context);
 Firewall firewall = edm.getFirewall();
 
 FirewallResponse responseForEnable = firewall.enableFirewall(true); // Enable the Firewall
 FirewallResponse responseForDisable = firewall.enableFirewall(false); // Disable the Firewall
 
For Container:
 KnoxContainerManager kcm = EnterpriseKnoxManager.getInstance(context).getKnoxContainerManager(containerID);
 Firewall firewall = kcm.getFirewall();
 
 FirewallResponse responseForEnable = firewall.enableFirewall(true); // Enable the Firewall
 FirewallResponse responseForDisable = firewall.enableFirewall(false); // Disable the Firewall
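Because only one administrator can enforce IP rules at a time, a bare enableFirewall(true) call can fail for a reason the caller should distinguish from an ordinary error: another administrator already holds enforcement, so this administrator's rules stay inactive. The helper below is an added example, not code from the Knox documentation or SDK; it assumes the same `context` as the samples above, a caller that holds KNOX_FIREWALL, and that FirewallResponse.getMessage() returns the descriptive text of a failed response (this page shows only getResult()).

```java
import android.content.Context;
import android.util.Log;

import com.samsung.android.knox.EnterpriseDeviceManager;
import com.samsung.android.knox.net.firewall.Firewall;
import com.samsung.android.knox.net.firewall.FirewallResponse;

/** Turns on IP rule enforcement and reports why it could not be turned on. */
public final class FirewallEnforcement {
    private static final String TAG = "FirewallEnforcement";

    public enum Outcome { ENFORCED, HELD_BY_ANOTHER_ADMIN, FAILED, NO_PERMISSION }

    private FirewallEnforcement() {}

    public static Outcome enforceIpRules(Context context) {
        Firewall firewall = EnterpriseDeviceManager.getInstance(context).getFirewall();
        try {
            FirewallResponse response = firewall.enableFirewall(true);
            if (response != null && response.getResult() == FirewallResponse.Result.SUCCESS) {
                return Outcome.ENFORCED;
            }
            // Assumption: getMessage() carries the descriptive text of a failed response.
            String message = (response == null) ? "no response" : response.getMessage();
            // Only one administrator can enforce at a time. If enforcement is on even
            // though our call failed, another administrator holds it, and the rules this
            // administrator added stay inactive until that administrator turns it off.
            if (firewall.isFirewallEnabled()) {
                Log.w(TAG, "IP rule enforcement held by another administrator: " + message);
                return Outcome.HELD_BY_ANOTHER_ADMIN;
            }
            Log.e(TAG, "enableFirewall(true) failed: " + message);
            return Outcome.FAILED;
        } catch (SecurityException ex) {
            // Caller was not granted com.samsung.android.knox.permission.KNOX_FIREWALL
            Log.e(TAG, "missing KNOX_FIREWALL permission", ex);
            return Outcome.NO_PERMISSION;
        }
    }
}
```

The HELD_BY_ANOTHER_ADMIN outcome is the one worth surfacing to the operator: the device looks protected (isFirewallEnabled() is true), but the rule set this administrator intended is not the one being enforced.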
 
Permission
The use of this API requires the caller to have the "com.samsung.android.knox.permission.KNOX_FIREWALL" permission which has a protection level of signature.
Since
API level 17
MDM 5.5
Multiuser Environment
User Scope

public List<DomainFilterReport> getDomainFilterReport (List<String> packageNameList)

Since: API level 19

API to get domain filter reports.

Parameters
packageNameList List of package names the reports must be retrieved for. Pass NULL to indicate all reports from all packages must be retrieved.
Returns
  • List of DomainFilterReport matching the provided package names or all reports if NULL was provided as parameter.
Throws
SecurityException If caller does not have required permissions
Usage
An administrator can use this API to retrieve a list of domain filter reports, either for a specific application (package name) or for all applications at once (by passing NULL). For additional information about the reports, please refer to DomainFilterReport.

This API supports multiple administrators, so any administrator is allowed to retrieve the list of stored reports any time.
 EnterpriseDeviceManager edm = EnterpriseDeviceManager.getInstance(context);
 Firewall firewall = edm.getFirewall();

 // retrieve reports for the chrome application
 List<String> packageNameList = new ArrayList<String>();
 packageNameList.add("com.android.chrome");
 try {
     List<DomainFilterReport> reports = firewall.getDomainFilterReport(packageNameList);
     // print reports
 } catch (SecurityException ex) {
     // missing required permissions
 }
For Container:
 KnoxContainerManager kcm = EnterpriseKnoxManager.getInstance(context)
         .getKnoxContainerManager(containerID);
 Firewall firewall = kcm.getFirewall();

 // retrieve reports for the chrome application
 List<String> packageNameList = new ArrayList<String>();
 packageNameList.add("com.android.chrome");
 try {
     List<DomainFilterReport> reports = firewall.getDomainFilterReport(packageNameList);
     // print reports
 } catch (SecurityException ex) {
     // missing required permissions
 }
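The report list is the firewall's log of denied domain lookups, so the useful next step after retrieving it is to aggregate it per application and flag the outliers rather than just print it. The class below is an added example, not part of the Knox SDK or this documentation; it assumes DomainFilterReport exposes getPackageName() and getDomainUrl() (this page does not list that class's methods) and a `context` as in the samples above.

```java
import android.content.Context;
import android.util.Log;

import java.util.ArrayList;
import java.util.List;
import java.util.Map;
import java.util.TreeMap;

import com.samsung.android.knox.EnterpriseDeviceManager;
import com.samsung.android.knox.net.firewall.DomainFilterReport;
import com.samsung.android.knox.net.firewall.Firewall;

/** Summarises denied-domain reports per application for review or alerting. */
public final class DeniedDomainSummary {
    private static final String TAG = "DeniedDomainSummary";

    private DeniedDomainSummary() {}

    /** package name -> (denied domain -> number of report entries). */
    public static Map<String, Map<String, Integer>> summarize(List<DomainFilterReport> reports) {
        Map<String, Map<String, Integer>> byPackage = new TreeMap<>();
        if (reports == null) {
            return byPackage;
        }
        for (DomainFilterReport report : reports) {
            // Assumption: getPackageName() and getDomainUrl() are the report accessors;
            // this page does not list DomainFilterReport's methods.
            String pkg = report.getPackageName() == null ? "<unknown>" : report.getPackageName();
            String domain = report.getDomainUrl() == null ? "<unknown>" : report.getDomainUrl();
            Map<String, Integer> byDomain = byPackage.get(pkg);
            if (byDomain == null) {
                byDomain = new TreeMap<>();
                byPackage.put(pkg, byDomain);
            }
            Integer count = byDomain.get(domain);
            byDomain.put(domain, count == null ? 1 : count + 1);
        }
        return byPackage;
    }

    /** Packages with at least threshold denied lookups in total: candidates for follow-up. */
    public static List<String> packagesAtOrAbove(Map<String, Map<String, Integer>> summary,
                                                 int threshold) {
        List<String> flagged = new ArrayList<>();
        for (Map.Entry<String, Map<String, Integer>> e : summary.entrySet()) {
            int total = 0;
            for (int n : e.getValue().values()) {
                total += n;
            }
            if (total >= threshold) {
                flagged.add(e.getKey() + " (" + total + " denied lookups)");
            }
        }
        return flagged;
    }

    /** Fetches reports for the given packages (null = all packages) and summarises them. */
    public static Map<String, Map<String, Integer>> fetch(Context context,
                                                          List<String> packageNames) {
        Firewall firewall = EnterpriseDeviceManager.getInstance(context).getFirewall();
        try {
            return summarize(firewall.getDomainFilterReport(packageNames));
        } catch (SecurityException ex) {
            Log.e(TAG, "missing KNOX_FIREWALL permission", ex);
            return new TreeMap<>();
        }
    }
}
```

Since any administrator may read the reports, this summary can be produced by a monitoring agent that does not itself manage the rules; a repeated burst of denied lookups from one package is the kind of signal that merits a closer look at that application.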
Permission
The use of this API requires the caller to have the "com.samsung.android.knox.permission.KNOX_FIREWALL" permission which has a protection level of signature.
Since
API level 19
MDM 5.6
Multiuser Environment
User Scope

public List<DomainFilterRule> getDomainFilterRules (List<String> packageNameList)

Since: API level 19

API to get domain filter rules.

Parameters
packageNameList List of package names the rules must be retrieved for. Pass NULL to indicate all rules from all packages must be retrieved.
Returns
  • List of DomainFilterRule matching the provided package names or all rules if NULL was provided as parameter.
Throws
SecurityException If caller does not have required permissions
Usage
An administrator can use this API to retrieve the list of domain filter rules previously added to the firewall database, either for a specific application (package name) or for all applications at once (by passing NULL).

This API does not support multiple administrators, so only the administrator currently managing domain filter rules in the database can retrieve the applied rules.
 EnterpriseDeviceManager edm = EnterpriseDeviceManager.getInstance(context);
 Firewall firewall = edm.getFirewall();

 // retrieve rules added for the chrome application
 List<String> packageNameList = new ArrayList<String>();
 packageNameList.add("com.android.chrome");
 try {
     List<DomainFilterRule> rules = firewall.getDomainFilterRules(packageNameList);
     // print rules
 } catch (SecurityException ex) {
     // missing required permissions
 }
For Container:
 KnoxContainerManager kcm = EnterpriseKnoxManager.getInstance(context)
         .getKnoxContainerManager(containerID);
 Firewall firewall = kcm.getFirewall();

 // retrieve rules added for the chrome application
 List<String> packageNameList = new ArrayList<String>();
 packageNameList.add("com.android.chrome");
 try {
     List<DomainFilterRule> rules = firewall.getDomainFilterRules(packageNameList);
     // print rules
 } catch (SecurityException ex) {
     // missing required permissions
 }
Permission
The use of this API requires the caller to have the "com.samsung.android.knox.permission.KNOX_FIREWALL" permission which has a protection level of signature.
Since
API level 19
MDM 5.6
Multiuser Environment
User Scope

public FirewallRule[] getRules (int bitmask, FirewallRule.Status status)

Since: API level 17

API to get IP rules.

Parameters
bitmask Rule type(s) to retrieve. Possible values are FIREWALL_ALLOW_RULE, FIREWALL_DENY_RULE, FIREWALL_REDIRECT_RULE, FIREWALL_REDIRECT_EXCEPTION_RULE and FIREWALL_ALL_RULES. These are bit flags and can be combined with bitwise OR.
status Status of the rules to retrieve. Possible values are ENABLED, DISABLED, PENDING, or null to retrieve the rules regardless of status.
Returns
  • A FirewallRule array containing the rules that match the given type(s) and status.
Throws
SecurityException If caller does not have required permissions
Usage
An administrator can use this API to get IP rules previously added, specifying the FirewallRule.RuleType and the FirewallRule.Status of the required rules. IP rules added by other administrators will not be retrieved.
 EnterpriseDeviceManager edm = EnterpriseDeviceManager.getInstance(context);
 Firewall firewall = edm.getFirewall();
 
 // Administrator wants all the allow Rules regardless the status
 FirewallRule[] allowRules = firewall.getRules(Firewall.FIREWALL_ALLOW_RULE,
         null);
 
 // Administrator wants all the allow and deny rules that are enabled
 int bitmask = (Firewall.FIREWALL_ALLOW_RULE | Firewall.FIREWALL_DENY_RULE);
 
 FirewallRule[] allowAndDenyRules = firewall.getRules(bitmask,
         FirewallRule.Status.ENABLED);
 
 // Administrator wants rules of all types that are disabled
 FirewallRule[] disabledRules = firewall.getRules(Firewall.FIREWALL_ALL_RULES,
         FirewallRule.Status.DISABLED);
 
For Container:
 KnoxContainerManager kcm = EnterpriseKnoxManager.getInstance(context)
         .getKnoxContainerManager(containerID);
 Firewall firewall = kcm.getFirewall();
 
 // Administrator wants all the allow Rules regardless the status
 FirewallRule[] allowRules = firewall.getRules(Firewall.FIREWALL_ALLOW_RULE,
         null);
 
 // Administrator wants all the allow and deny rules that are enabled
 int bitmask = (Firewall.FIREWALL_ALLOW_RULE | Firewall.FIREWALL_DENY_RULE);
 
 FirewallRule[] allowAndDenyRules = firewall.getRules(bitmask,
         FirewallRule.Status.ENABLED);
 
 // Administrator wants rules of all types that are disabled
 FirewallRule[] disabledRules = firewall.getRules(Firewall.FIREWALL_ALL_RULES,
         FirewallRule.Status.DISABLED);
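Reading rules back is most useful as an audit: the samples above fetch rules by type and status, and the natural thing to do with the result is to check the rule set for shapes that contradict the intended policy. The class below is an added example, not code from the Knox documentation; it flags enabled ALLOW rules that match any host, which are worth a second look in an allow-list design. It assumes the FirewallRule getters (getRuleType(), getIpAddress(), getPortNumber(), getApplication(), getAddressType()) mirror the setters shown on this page, that an unset or "*" value means "any", and a `context` as in the samples above.

```java
import android.content.Context;
import android.util.Log;

import java.util.ArrayList;
import java.util.List;

import com.samsung.android.knox.AppIdentity;
import com.samsung.android.knox.EnterpriseDeviceManager;
import com.samsung.android.knox.net.firewall.Firewall;
import com.samsung.android.knox.net.firewall.FirewallRule;

/** Flags enabled ALLOW rules broad enough to deserve review in an allow-list design. */
public final class FirewallRuleAudit {
    private static final String TAG = "FirewallRuleAudit";

    private FirewallRuleAudit() {}

    private static boolean isAny(String value) {
        // Assumption: an unset or "*" address/port means "any" (the page's own
        // removeRules sample uses setIpAddress("*") for all hosts).
        return value == null || value.trim().isEmpty() || "*".equals(value.trim());
    }

    /** One finding per ALLOW rule whose address matches every host. */
    public static List<String> findBroadAllowRules(FirewallRule[] rules) {
        List<String> findings = new ArrayList<>();
        if (rules == null) {
            return findings;
        }
        for (FirewallRule rule : rules) {
            // Assumption: the getters mirror the setters shown in the page's samples.
            if (rule == null || rule.getRuleType() != FirewallRule.RuleType.ALLOW) {
                continue;
            }
            if (!isAny(rule.getIpAddress())) {
                continue;   // host-scoped ALLOW rules are the intended shape
            }
            AppIdentity app = rule.getApplication();
            String scope = (app == null || isAny(app.getPackageName()))
                    ? "device-wide" : app.getPackageName();
            String port = isAny(rule.getPortNumber()) ? "any port" : "port " + rule.getPortNumber();
            findings.add(scope + ": ALLOW " + rule.getAddressType() + " any host, " + port);
        }
        return findings;
    }

    /** Audits only this administrator's ALLOW rules that are currently enabled. */
    public static List<String> auditEnabledAllowRules(Context context) {
        Firewall firewall = EnterpriseDeviceManager.getInstance(context).getFirewall();
        try {
            FirewallRule[] allowRules =
                    firewall.getRules(Firewall.FIREWALL_ALLOW_RULE, FirewallRule.Status.ENABLED);
            List<String> findings = findBroadAllowRules(allowRules);
            for (String finding : findings) {
                Log.w(TAG, finding);
            }
            return findings;
        } catch (SecurityException ex) {
            Log.e(TAG, "missing KNOX_FIREWALL permission", ex);
            return new ArrayList<>();
        }
    }
}
```

Because getRules only returns the calling administrator's rules, this audit covers one administrator's rule set; a multi-administrator device needs the same check run by each of them.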
 
Permission
The use of this API requires the caller to have the "com.samsung.android.knox.permission.KNOX_FIREWALL" permission which has a protection level of signature.
Since
API level 17
MDM 5.5
Multiuser Environment
User Scope

public boolean isDomainFilterOnIptablesEnabled ()

Since: API level 28

API to check whether the association between domain and firewall rules is enabled.

Returns
  • true if IP association between domain and firewall rules is enabled, false otherwise.
Usage
An administrator can use this API to check whether the association between domain and firewall rules is enabled or not.
 EnterpriseDeviceManager edm = EnterpriseDeviceManager.getInstance(context);
 Firewall firewall = edm.getFirewall();

 try {
     boolean isDomainFilterOnIptablesEnabled = firewall.isDomainFilterOnIptablesEnabled();
     if (isDomainFilterOnIptablesEnabled) {
         // domain filter on iptables enabled
     } else {
         // domain filter on iptables disabled
     }
 } catch (SecurityException ex) {
     // missing required permission
 }

 
For Container:
 KnoxContainerManager kcm = EnterpriseKnoxManager.getInstance(context)
         .getKnoxContainerManager(containerID);
 Firewall firewall = kcm.getFirewall();

 try {
     boolean isDomainFilterOnIptablesEnabled = firewall.isDomainFilterOnIptablesEnabled();
     if (isDomainFilterOnIptablesEnabled) {
         // domain filter on iptables enabled
     } else {
         // domain filter on iptables disabled
     }
 } catch (SecurityException ex) {
     // missing required permission
 }

 
Since
API level 28
KNOX 3.3
Multiuser Environment
User Scope

public boolean isDomainFilterReportEnabled ()

Since: API level 19

API to check whether the domain filter report is enabled or disabled.

Returns
  • true if the report is enabled, false otherwise.
Usage
An administrator can use this API to check whether the domain filter report is enabled or disabled. If at least one administrator has enabled the report, the return value is true.
 EnterpriseDeviceManager edm = EnterpriseDeviceManager.getInstance(context);
 Firewall firewall = edm.getFirewall();

 try {
     boolean isReportEnabled = firewall.isDomainFilterReportEnabled();
     if (isReportEnabled) {
         // report enabled
     } else {
         // report disabled
     }
 } catch (SecurityException ex) {
     // missing required permission
 }

 
For Container:
 KnoxContainerManager kcm = EnterpriseKnoxManager.getInstance(context)
         .getKnoxContainerManager(containerID);
 Firewall firewall = kcm.getFirewall();

 try {
     boolean isReportEnabled = firewall.isDomainFilterReportEnabled();
     if (isReportEnabled) {
         // report enabled
     } else {
         // report disabled
     }
 } catch (SecurityException ex) {
     // missing required permission
 }

 
Since
API level 19
MDM 5.6
Multiuser Environment
User Scope

public boolean isFirewallEnabled ()

Since: API level 17

API to check if IP rules are enforced.

Returns
  • true if IP rules are enforced, false otherwise.
Usage
An administrator can use this API to check whether the enforcement of IP filter rules is enabled or not.
 EnterpriseDeviceManager edm = EnterpriseDeviceManager.getInstance(context);
 Firewall firewall = edm.getFirewall();
 
 boolean isFirewallEnabled = firewall.isFirewallEnabled();

 
For Container:
 KnoxContainerManager kcm = EnterpriseKnoxManager.getInstance(context)
         .getKnoxContainerManager(containerID);
 Firewall firewall = kcm.getFirewall();
 
 boolean isFirewallEnabled = firewall.isFirewallEnabled();
 
 
Since
API level 17
MDM 5.5
Multiuser Environment
User Scope

public String[] listIptablesRules ()

Since: API level 17

API to list rules on iptables.

Returns
  • The concatenated output of the commands "iptables -t filter -L -n --line-numbers -v", "iptables -t nat -L -n --line-numbers -v", "iptables -t mangle -L -n --line-numbers -v" and "iptables -t raw -L -n --line-numbers -v" if successful; null on failure.
Throws
SecurityException If caller does not have required permissions
Usage
An administrator can use this API to list the rules from iptables. This method concatenates the output of the following iptables commands and returns the result:
"iptables -t filter -L -n --line-numbers -v"
"iptables -t nat -L -n --line-numbers -v"
"iptables -t mangle -L -n --line-numbers -v"
"iptables -t raw -L -n --line-numbers -v"

// Sample Output

// ************ FILTER TABLE ************
// Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
// num pkts bytes target prot opt in out source destination
// 1 0 0 all -- !lo+ * 0.0.0.0/0 0.0.0.0/0 ! quota globalAlert: 2097152 bytes
//
// Chain FORWARD (policy DROP 0 packets, 0 bytes)
// num pkts bytes target prot opt in out source destination
//
// Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
// num pkts bytes target prot opt in out source destination
// 1 0 0 all -- * !lo+ 0.0.0.0/0 0.0.0.0/0 ! quota globalAlert: 2097152 bytes
//
// Chain costly_shared (0 references)
// num pkts bytes target prot opt in out source destination
// 1 0 0 penalty_box all -- * * 0.0.0.0/0 0.0.0.0/0
//
// Chain penalty_box (1 references)
// num pkts bytes target prot opt in out source destination
//
// ************ NAT TABLE ************
// Chain PREROUTING (policy ACCEPT 0 packets, 0 bytes)
// num pkts bytes target prot opt in out source destination
//
// Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
// num pkts bytes target prot opt in out source destination
//
// Chain OUTPUT (policy ACCEPT 165 packets, 9584 bytes)
// num pkts bytes target prot opt in out source destination
//
// Chain POSTROUTING (policy ACCEPT 165 packets, 9584 bytes)
// num pkts bytes target prot opt in out source destination
//
// ************ MANGLE TABLE ************
// Chain PREROUTING (policy ACCEPT 5842 packets, 4615K bytes)
// num pkts bytes target prot opt in out source destination
//
// Chain INPUT (policy ACCEPT 5842 packets, 4615K bytes)
// num pkts bytes target prot opt in out source destination
//
// Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
// num pkts bytes target prot opt in out source destination
//
// Chain OUTPUT (policy ACCEPT 5842 packets, 4615K bytes)
// num pkts bytes target prot opt in out source destination
//
// Chain POSTROUTING (policy ACCEPT 5842 packets, 4615K bytes)
// num pkts bytes target prot opt in out source destination
//
// ************ RAW TABLE ************
// Chain PREROUTING (policy ACCEPT 5842 packets, 4615K bytes)
// num pkts bytes target prot opt in out source destination
//
// Chain INPUT (policy ACCEPT 5842 packets, 4615K bytes)
// num pkts bytes target prot opt in out source destination
//
// Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
// num pkts bytes target prot opt in out source destination
//
// Chain OUTPUT (policy ACCEPT 5842 packets, 4615K bytes)
// num pkts bytes target prot opt in out source destination
//
// Chain POSTROUTING (policy ACCEPT 5842 packets, 4615K bytes)
// num pkts bytes target prot opt in out source destination

Permission
The use of this API requires the caller to have the "com.samsung.android.knox.permission.KNOX_FIREWALL" permission which has a protection level of signature.

Since
API level 17
MDM 5.5
Multiuser Environment
User Scope

public FirewallResponse[] removeDomainFilterRules (List<DomainFilterRule> rules)

Since: API level 19

API to remove domain filter rules.

Parameters
rules List of DomainFilterRule to be removed.
Returns
  • A FirewallResponse array for the specified rules. The i-th element of the response array will be related to the i-th element of the specified rules array.
Throws
SecurityException If caller does not have required permissions
Usage
An administrator can use this API to remove rules previously added through the addDomainFilterRules(List) API. Once removed, a rule no longer takes effect: a rule that blocked a domain name no longer blocks it after removal.

To clear all rules in the database, pass CLEAR_ALL as the parameter to this API. To clear just one of the lists (allow/deny), pass null for the corresponding list parameter of the DomainFilterRule constructor, or call the corresponding set method of the same class. For additional information on how to properly create and use domain filter rules, please refer to the DomainFilterRule class.

This API allows only one administrator to manage rules at a time; if an administrator tries to remove rules added by another administrator, the operation returns FAILED with an error message describing that.

NOTE: Since MDM 5.7, DomainFilterRule can also be used to manage the DNS servers that resolve domain names for a given application. To remove DNS servers, pass an object with the same values to this API. For more details, refer to the DomainFilterRule class.
 EnterpriseDeviceManager edm = EnterpriseDeviceManager.getInstance(context);
 Firewall firewall = edm.getFirewall();

 List<DomainFilterRule> rules = new ArrayList<DomainFilterRule>();

 // Deny list, unblock domains
 List<String> denyList = new ArrayList<String>();
 denyList.add("www.google.com");
 denyList.add("*android.com");

 // Allow list, remove domain from allow list
 List<String> allowList = new ArrayList<String>();
 allowList.add("www.youtube.com");

 // In order to validate the application's signature related to the rule, fill this
 // variable with the desired signature.
 String signature = null;

 // DNS server 1
 String dns1 = "8.8.8.8";
 // DNS server 2
 String dns2 = "8.8.4.4";

 // remove rule for chrome application, assuming they were added like in
 // addDomainFilterRules examples
 rules.add(new DomainFilterRule(new AppIdentity("com.android.chrome", signature),
         denyList, allowList, dns1, dns2));
 try {
     FirewallResponse[] response = firewall.removeDomainFilterRules(rules);
     if (FirewallResponse.Result.SUCCESS == response[0].getResult()) {
         // success
     } else {
         // failed
     }
 } catch (SecurityException ex) {
     // missing required MDM permission
 }
 
For Container:
 KnoxContainerManager kcm = EnterpriseKnoxManager.getInstance(context)
         .getKnoxContainerManager(containerID);
 Firewall firewall = kcm.getFirewall();

 List<DomainFilterRule> rules = new ArrayList<DomainFilterRule>();

 // Deny list, unblock domains
 List<String> denyList = new ArrayList<String>();
 denyList.add("www.google.com");
 denyList.add("*android.com");

 // Allow list, remove domain from allow list
 List<String> allowList = new ArrayList<String>();
 allowList.add("www.youtube.com");

 // In order to validate the application's signature related to the rule, fill this
 // variable with the desired signature.
 String signature = null;

 // DNS server 1
 String dns1 = "8.8.8.8";
 // DNS server 2
 String dns2 = "8.8.4.4";

 // remove rule for chrome application, assuming they were added like in
 // addDomainFilterRules examples
 rules.add(new DomainFilterRule(new AppIdentity("com.android.chrome", signature),
         denyList, allowList, dns1, dns2));
 try {
     FirewallResponse[] response = firewall.removeDomainFilterRules(rules);
     if (FirewallResponse.Result.SUCCESS == response[0].getResult()) {
         // success
     } else {
         // failed
     }
 } catch (SecurityException ex) {
     // missing required MDM permission
 }
 
Permission
The use of this API requires the caller to have the "com.samsung.android.knox.permission.KNOX_FIREWALL" permission which has a protection level of signature.
Since
API level 19
MDM 5.6
Multiuser Environment
User Scope

public FirewallResponse[] removeRules (FirewallRule[] rules)

Since: API level 17

API to remove IP rules.

Parameters
rules array of FirewallRule to be removed from the firewall
Returns
  • A FirewallResponse array for the specified rules, or null if the rules parameter is null. The i-th element of the array corresponds to the i-th element of the specified rules array.
Throws
SecurityException If caller does not have required permissions
Usage
An administrator can use this API to remove rules previously added through the addRules(FirewallRule[]) API. Once removed, a rule no longer takes effect: a rule that allowed, blocked or redirected some IP address no longer applies after removal. Rules added by other administrators are not affected.

To clear all rules at once, please refer to clearRules(int) API.
 EnterpriseDeviceManager edm = EnterpriseDeviceManager.getInstance(context);
 Firewall firewall = edm.getFirewall();

 // In order to validate the application's signature related to the rule, fill this
 // variable with the desired signature.
 String signature = null;

 int numRules = 3;
 FirewallRule[] rules = new FirewallRule[numRules];
 
 rules[0] = new FirewallRule(RuleType.DENY, AddressType.IPV4);
 rules[0].setIpAddress("*");
 rules[0].setPortNumber("80");
 rules[0].setApplication(new AppIdentity("com.android.chrome", signature));
 
 rules[1] = new FirewallRule(RuleType.ALLOW, AddressType.IPV4);
 rules[1].setIpAddress("192.168.1.2");
 rules[1].setPortNumber("80");
 rules[1].setPortLocation(PortLocation.LOCAL);
 rules[1].setApplication(new AppIdentity("com.android.chrome", signature));
 rules[1].setNetworkInterface(NetworkInterface.WIFI_DATA_ONLY);
 rules[1].setDirection(Direction.OUTPUT);
 rules[1].setProtocol(Protocol.TCP);
 
 rules[2] = new FirewallRule(RuleType.ALLOW, AddressType.IPV4);
 rules[2].setIpAddress("192.168.1.3");
 rules[2].setPortNumber("80");
 rules[2].setPortLocation(PortLocation.REMOTE);
 rules[2].setApplication(new AppIdentity("com.android.chrome", signature));
 rules[2].setNetworkInterface(NetworkInterface.MOBILE_DATA_ONLY);
 rules[2].setProtocol(Protocol.UDP);
 
 FirewallResponse[] response = firewall.removeRules(rules);
 
For Container:
 KnoxContainerManager kcm = EnterpriseKnoxManager.getInstance(context)
         .getKnoxContainerManager(containerID);
 Firewall firewall = kcm.getFirewall();

 // In order to validate the application's signature related to the rule, fill this
 // variable with the desired signature.
 String signature = null;

 int numRules = 3;
 FirewallRule[] rules = new FirewallRule[numRules];
 
 rules[0] = new FirewallRule(RuleType.DENY, AddressType.IPV4);
 rules[0].setIpAddress("*");
 rules[0].setPortNumber("80");
 rules[0].setApplication(new AppIdentity("com.android.chrome", signature));
 
 rules[1] = new FirewallRule(RuleType.ALLOW, AddressType.IPV4);
 rules[1].setIpAddress("192.168.1.2");
 rules[1].setPortNumber("80");
 rules[1].setPortLocation(PortLocation.LOCAL);
 rules[1].setApplication(new AppIdentity("com.android.chrome", signature));
 rules[1].setNetworkInterface(NetworkInterface.WIFI_DATA_ONLY);
 rules[1].setDirection(Direction.OUTPUT);
 rules[1].setProtocol(Protocol.TCP);
 
 rules[2] = new FirewallRule(RuleType.ALLOW, AddressType.IPV4);
 rules[2].setIpAddress("192.168.1.3");
 rules[2].setPortNumber("80");
 rules[2].setPortLocation(PortLocation.REMOTE);
 rules[2].setApplication(new AppIdentity("com.android.chrome", signature));
 rules[2].setNetworkInterface(NetworkInterface.MOBILE_DATA_ONLY);
 rules[2].setProtocol(Protocol.UDP);
 
 FirewallResponse[] response = firewall.removeRules(rules);
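The samples above rebuild the rules to remove by hand and ignore the returned array. Because the i-th response corresponds to the i-th rule, a removal routine can instead fetch the rules it wants gone with getRules and report exactly which ones failed. The class below is an added example, not code from the Knox documentation; it removes this administrator's DISABLED rules and assumes that rules returned by getRules() can be passed back to removeRules() unchanged, that FirewallResponse.getMessage() returns the descriptive text of a failed response, that the FirewallRule getters mirror the setters shown on this page, and a `context` as in the samples above.

```java
import android.content.Context;
import android.util.Log;

import java.util.ArrayList;
import java.util.List;

import com.samsung.android.knox.EnterpriseDeviceManager;
import com.samsung.android.knox.net.firewall.Firewall;
import com.samsung.android.knox.net.firewall.FirewallResponse;
import com.samsung.android.knox.net.firewall.FirewallRule;

/** Removes this administrator's DISABLED IP rules and reports, per rule, what failed. */
public final class DisabledRuleCleanup {
    private static final String TAG = "DisabledRuleCleanup";

    private DisabledRuleCleanup() {}

    /** Returns one description per rule that could not be removed (empty on full success). */
    public static List<String> removeDisabledRules(Context context) {
        List<String> failures = new ArrayList<>();
        Firewall firewall = EnterpriseDeviceManager.getInstance(context).getFirewall();
        try {
            // Assumption: rules returned by getRules() can be handed back to removeRules().
            FirewallRule[] disabled =
                    firewall.getRules(Firewall.FIREWALL_ALL_RULES, FirewallRule.Status.DISABLED);
            if (disabled == null || disabled.length == 0) {
                return failures;
            }
            FirewallResponse[] responses = firewall.removeRules(disabled);
            // The i-th response belongs to the i-th rule, so walk both arrays together.
            for (int i = 0; i < disabled.length; i++) {
                FirewallResponse r =
                        (responses != null && i < responses.length) ? responses[i] : null;
                if (r == null || r.getResult() != FirewallResponse.Result.SUCCESS) {
                    // Assumption: getMessage() carries the descriptive text of a failed response.
                    String why = (r == null) ? "no response" : r.getMessage();
                    failures.add(describe(disabled[i]) + ": " + why);
                }
            }
        } catch (SecurityException ex) {
            Log.e(TAG, "missing KNOX_FIREWALL permission", ex);
            failures.add("SecurityException: missing KNOX_FIREWALL permission");
        }
        for (String failure : failures) {
            Log.w(TAG, failure);
        }
        return failures;
    }

    private static String describe(FirewallRule rule) {
        // Assumption: the getters mirror the setters shown in the page's samples.
        return rule.getRuleType() + " " + rule.getAddressType() + " "
                + rule.getIpAddress() + ":" + rule.getPortNumber();
    }
}
```

Checking every element of the response array, rather than only response[0] as the domain-filter samples do, matters when several rules are submitted at once: a partial failure leaves some rules in place, and the per-index mapping is the only way to tell which.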
 
Permission
The use of this API requires the caller to have the "com.samsung.android.knox.permission.KNOX_FIREWALL" permission which has a protection level of signature.
Since
API level 17
MDM 5.5
Multiuser Environment
User Scope