Summary: Constants | Methods | Inherited Methods | [Expand All]
Since: API level 11
public class

AdvancedRestrictionPolicy

extends Object
java.lang.Object
   ↳ com.samsung.android.knox.restriction.AdvancedRestrictionPolicy

Class Overview

This class provides APIs to restrict advanced features.

Since
API level 11
KNOX 2.0

Summary

Constants
int CCMODE_STATE_DISABLED This state is returned by getCCModeState() API specifying the device has failed to enable CC mode.
int CCMODE_STATE_ENABLED This state is returned by getCCModeState() API specifying CC mode is enabled on device.
int CCMODE_STATE_ENFORCING Deprecated in API level 27
int CCMODE_STATE_NONE This state is returned by getCCModeState() API specifying the device needs factory reset for Ready State (CCMODE_STATE_READY).
int CCMODE_STATE_NOT_SUPPORTED This state is returned by getCCModeState() API specifying the device doesn't support CC mode.
int CCMODE_STATE_READY This state is returned by getCCModeState() API specifying the device is ready to enable CC mode.
Public Methods
boolean allowBLE(boolean allow)
API to allow or disallow Bluetooth scanning and Bluetooth access.
boolean allowFirmwareAutoUpdate(boolean enable)
API to enforce checking for Firmware Update automatically (Auto update) in the Device Settings.
boolean allowIntelligenceOnlineProcessing(boolean allow)
API to disallow online processing of Advanced intelligence features provided by Samsung native applications on the device.
boolean allowLocalContactStorage(boolean allow)
API to allow or disallow local contact storage.
boolean allowOnlySecureConnections(boolean enable)
API to allow only IPsec or SSL/TLS VPN connections.
boolean allowRemoteControl(boolean allow)
Deprecated in API level 35
boolean allowUserSetAlwaysOn(boolean allow)
API to prevent the user from changing Always ON configuration.
boolean allowWifiScanning(boolean allow)
API to allow or disallow Wifi scanning.
boolean enableODETrustedBootVerification(boolean enable)
Deprecated in API level 27
int getCCModeState()
Deprecated in API level 35
boolean isBLEAllowed()
API to check whether Bluetooth scanning and Bluetooth are allowed or disallowed.
boolean isFirmwareAutoUpdateAllowed(boolean showMsg)
API to check whether or not option for checking Firmware Update automatically (Auto update) is enforced in Device Settings.
boolean isIntelligenceOnlineProcessingAllowed()
API to check whether online processing of Advanced intelligence features provided by Samsung is allowed or disallowed.
boolean isLocalContactStorageAllowed()
API to check local contact storage is allowed or disallowed.
boolean isODETrustedBootVerificationEnabled()
Deprecated in API level 27
boolean isOnlySecureConnectionsAllowed()
API to check whether only IPSec or SSL/TLS VPN connections are allowed.
boolean isRemoteControlAllowed()
Deprecated in API level 35
boolean isUserSetAlwaysOnAllowed()
API to verify whether the user is allowed to change VPN Always ON mode configuration or not.
boolean isWifiScanningAllowed()
API to check whether Wifi scanning is allowed or disallowed.
boolean setCCMode(boolean enable)
Deprecated in API level 35
[Expand]
Inherited Methods
From class java.lang.Object

Constants

public static final int CCMODE_STATE_DISABLED

Since: API level 15

This state is returned by getCCModeState() API specifying the device has failed to enable CC mode. This Device blocked by Lockscreen and need factory-reset for restore.

Since
API level 15
KNOX 2.4
Constant Value: 1 (0x00000001)

public static final int CCMODE_STATE_ENABLED

Since: API level 15

This state is returned by getCCModeState() API specifying CC mode is enabled on device.

Since
API level 15
KNOX 2.4
Constant Value: 4 (0x00000004)

public static final int CCMODE_STATE_ENFORCING

Since: API level 15

Deprecated in API level 27

This state is returned by getCCModeState() API specifying the device is enforced and wait for meeting all prerequisites. (setCCMode(boolean)).

Since
API level 15
KNOX 2.4
Constant Value: 3 (0x00000003)

public static final int CCMODE_STATE_NONE

Since: API level 15

This state is returned by getCCModeState() API specifying the device needs factory reset for Ready State (CCMODE_STATE_READY).

Since
API level 15
KNOX 2.4
Constant Value: 0 (0x00000000)

public static final int CCMODE_STATE_NOT_SUPPORTED

Since: API level 15

This state is returned by getCCModeState() API specifying the device doesn't support CC mode.

Since
API level 15
KNOX 2.4
Constant Value: -1 (0xffffffff)

public static final int CCMODE_STATE_READY

Since: API level 15

This state is returned by getCCModeState() API specifying the device is ready to enable CC mode. (setCCMode(boolean))

Since
API level 15
KNOX 2.4
Constant Value: 2 (0x00000002)

Public Methods

public boolean allowBLE (boolean allow)

Since: API level 26

API to allow or disallow Bluetooth scanning and Bluetooth access.

Parameters
allow true to allow, false to disallow.
Returns
  • true if operation is successful, else false.
Throws
SecurityException If caller does not have required permissions
Usage
An administrator can use this API to disable Bluetooth scanning and Bluetooth access without user interaction.

NOTE: If disabled, all Bluetooth functionality is disabled. If Bluetooth scanning is disabled, the device declines location accuracy and does not allow apps and services to scan for and connect to nearby devices automatically via Bluetooth. 

 EnterpriseKnoxManager ekm = EnterpriseKnoxManager.getInstance(context);
 try {
     boolean allow = false; // disallow Bluetooth scanning and Bluetooth access
     if (ekm.getAdvancedRestrictionPolicy().allowBLE(allow)) {
         Log.w(TAG, "Bluetooth scanning and Bluetooth access are not allowed");
     } else {
         Log.w(TAG, "Failed to set the policy.");
     }
 } catch (SecurityException e) {
     Log.w(TAG, "Exception" + e);
 }

Permission
The use of this API requires the caller to have the "com.samsung.android.knox.permission.KNOX_ADVANCED_RESTRICTION" permission with a protection level of signature.
Since
API level 26
KNOX 3.2
Multiuser Environment
Global Scope
See Also

public boolean allowFirmwareAutoUpdate (boolean enable)

Since: API level 11

API to enforce checking for Firmware Update automatically (Auto update) in the Device Settings.

Returns
  • true if operation is successful, else false.
Throws
SecurityException If caller does not have required permissions
Usage
An administrator can use this API to enforce checking for Firmware Update automatically option in the device Settings. 

 EnterpriseKnoxManager ekm = EnterpriseKnoxManager.getInstance(context);
 try {
     boolean allow = false; // disallow firmware auto update
     if (ekm.getAdvancedRestrictionPolicy().allowFirmwareAutoUpdate(allow)) {
         Log.w(TAG, "firmware auto update not allowed");
     } else {
         Log.w(TAG, "Failed to set the policy.");
     }
 } catch (SecurityException e) {
     Log.w(TAG, "Exception" + e);
 }

Permission
The use of this API requires the caller to have the "com.samsung.android.knox.permission.KNOX_ADVANCED_RESTRICTION" permission with a protection level of signature.
Since
API level 11
KNOX 2.0
Multiuser Environment
Global Scope

public boolean allowIntelligenceOnlineProcessing (boolean allow)

Since: API level 37

API to disallow online processing of Advanced intelligence features provided by Samsung native applications on the device.

Parameters
allow true to allow, false to disallow online processing of Advanced intelligence features
Returns
  • true If online processing of Advanced intelligence features provided by Samsung is allowed or disallowed successfully
Throws
SecurityException If caller does not have required permissions.
Usage
An administrator can use this API to disallow online processing of Advanced intelligence features provided by Samsung native applications on the device.

Note:
  • It is strongly recommended to handle NoSuchMethodError when invoking this function as certain Knox SDK 3.10 devices may not support the Advanced intelligence features and the associated API. If NoSuchMethodError occurs, there are no security concerns since the Advanced intelligence features are unsupported in such cases.
  • For devices that do not support Advanced intelligence features provided by Samsung, the policy will have no effect.

 EnterpriseKnoxManager ekm = EnterpriseKnoxManager.getInstance(context);
 try {
     if (ekm.getAdvancedRestrictionPolicy().allowIntelligenceOnlineProcessing(false)) {
         Log.w(TAG, "Online processing of Advanced intelligence features by Samsung is disallowed successfully.");
     } else {
         Log.w(TAG, "Online processing of Advanced intelligence features by Samsung is not disallowed.");
     }
 } catch (SecurityException e) {
     Log.w(TAG, "SecurityException: " + e);
 } catch (NoSuchMethodError ne) {
     Log.w(TAG, "NoSuchMethodError: " + ne);
 }
Permission
The use of this API requires the caller to have the "com.samsung.android.knox.permission.KNOX_ADVANCED_RESTRICTION" permission which has a protection level of signature.
Since
API level 37
KNOX 3.10
Multiuser Environment
User Scope
See Also

public boolean allowLocalContactStorage (boolean allow)

Since: API level 28

API to allow or disallow local contact storage.

Parameters
allow true to allow, false to disallow.
Returns
  • true if operation is successful, else false.
Throws
SecurityException If caller does not have required permissions
Usage
An administrator can use this API to allow or disallow loacal contact storage. 
 EnterpriseKnoxManager ekm = EnterpriseKnoxManager.getInstance(context);
 try {
     boolean allow = false; // disallow local contact storage
     if (ekm.getAdvancedRestrictionPolicy().allowLocalContactStorage(allow)) {
         Log.w(TAG, "Local contact storage is not allowed");
     } else {
         Log.w(TAG, "Failed to set the policy.");
     }
 } catch (SecurityException e) {
     Log.w(TAG, "Exception" + e);
 }
Permission
The use of this API requires the caller to have the "com.samsung.android.knox.permission.KNOX_ADVANCED_RESTRICTION" permission with a protection level of signature.
Since
API level 28
KNOX 3.3
Multiuser Environment
User Scope
See Also
  • #isLocalContactStorageAllowed(boolean)

public boolean allowOnlySecureConnections (boolean enable)

Since: API level 30

API to allow only IPsec or SSL/TLS VPN connections.

Parameters
enable true to force the use of only secure connections, false to allow all connections.
Returns
  • true if setting allow/disallow only secure connections was successful, else false.
Throws
SecurityException If caller does not have required permissions
Usage
An administrator can use this API to force the Android system VPN client to use either IPSec or SSL/TLS when connecting to networks.

 EnterpriseKnoxManager ekm = EnterpriseKnoxManager.getInstance(context);
 try {
     boolean enable = true;
     if (ekm.getAdvancedRestrictionPolicy().allowOnlySecureConnections(enable)) {
         Log.w(TAG, "Policy successfully set. Only VPN connections using IPSec or SSL/TLS are allowed.");
     } else {
         Log.w(TAG, "Policy not successfully set.");
     }
 } catch (SecurityException e) {
     Log.w(TAG, "Exception" + e);
 }

Permission
The use of this API requires the caller to have the "com.samsung.android.knox.permission.KNOX_ADVANCED_RESTRICTION" permission with a protection level of signature.
Since
API level 30
KNOX 3.4.1
Multiuser Environment
Global Scope
See Also

public boolean allowRemoteControl (boolean allow)

Since: API level 24

Deprecated in API level 35

API to enable or disable Knox Remote Control feature on device.

Parameters
allow true or false to Enable/Disable Remote Control
Returns
  • true If Remote Control is enabled or disabled successfully
Throws
SecurityException If caller does not have required permissions.
Usage
An administrator can use this API to enable or disable remote control feature on device


Note: This API can be called only by Device owner or Profile owner.

 
 
 EnterpriseKnoxManager ekm = EnterpriseKnoxManager.getInstance(context);
 try {
     if (ekm.getAdvancedRestrictionPolicy().allowRemoteControl(false)) {
         Log.w(TAG, "Remote Control is disabled successfully.");
     } else {
         Log.w(TAG, "Remote Control is not disabled.");
     }
 } catch (SecurityException e) {
     Log.w(TAG, "SecurityException: " + e);
 }
For Container:
 // When you create container successfully, containerID will be returned via intent.
 // Use this containerID in below API.
 EnterpriseKnoxManager ekm = EnterpriseKnoxManager.getInstance(context);
 KnoxContainerManager kcm = ekm.getKnoxContainerManager(containerID);
 AdvancedRestrictionPolicy advancedRestrictionPolicy = kcm.getAdvancedRestrictionPolicy();
 try {
     if (advancedRestrictionPolicy.allowRemoteControl(false)) {
         Log.w(TAG, "Remote Control is disabled successfully.");
     } else {
         Log.w(TAG, "Remote Control is not disabled.");
     }
 } catch (SecurityException e) {
     Log.w(TAG, "Exception" + e);
 }
Permission
The use of this API requires the caller to have the "com.samsung.android.knox.permission.KNOX_ADVANCED_RESTRICTION" permission which has a protection level of signature.

Since
API level 24
KNOX 3.0
Multiuser Environment
User Scope
See Also

public boolean allowUserSetAlwaysOn (boolean allow)

Since: API level 30

API to prevent the user from changing Always ON configuration.

Parameters
allow true to permit user changes on VPN Always ON configuration, false to block it.
Returns
  • true if the policy was successfully applied, false otherwise
Throws
SecurityException If caller does not have required permissions
Usage
An administrator can use this API to block user changes on VPN Always ON mode. The menu item for that configuration is disabled. 
 EnterpriseKnoxManager ekm = EnterpriseKnoxManager.getInstance(context);
 try {
     boolean allow = false;
     if (ekm.getAdvancedRestrictionPolicy().allowUserSetAlwaysOn(allow)) {
         Log.w(TAG, "Policy was applied successfully and user changes on Always ON settings are blocked.");
     } else {
         Log.w(TAG, "Some error occured and the policy was not applied properly.");
     }
 } catch (SecurityException e) {
     Log.w(TAG, "Exception" + e);
 }

Permission
The use of this API requires the caller to have the "com.samsung.android.knox.permission.KNOX_ADVANCED_RESTRICTION" permission with a protection level of signature.
Since
API level 30
KNOX 3.4.1
Multiuser Environment
Global Scope
See Also

public boolean allowWifiScanning (boolean allow)

Since: API level 26

API to allow or disallow Wifi scanning.

Parameters
allow true to allow, false to disallow.
Returns
  • true if operation is successful, else false.
Throws
SecurityException If caller does not have required permissions
Usage
An administrator can use this API to disable Wifi scanning without user interaction.

NOTE: If Wi-Fi scanning is disabled, the device declines location accuracy and does not allow apps and services to scan for and connect to nearby devices automatically via Wi-Fi. 

 EnterpriseKnoxManager ekm = EnterpriseKnoxManager.getInstance(context);
 try {
     boolean allow = false; // disallow Wifi scanning
     if (ekm.getAdvancedRestrictionPolicy().allowWifiScanning(allow)) {
         Log.w(TAG, "Wifi scanning is not allowed");
     } else {
         Log.w(TAG, "Failed to set the policy.");
     }
 } catch (SecurityException e) {
     Log.w(TAG, "Exception" + e);
 }

Permission
The use of this API requires the caller to have the "com.samsung.android.knox.permission.KNOX_ADVANCED_RESTRICTION" permission with a protection level of signature.
Since
API level 26
KNOX 3.2
Multiuser Environment
Global Scope
See Also

public boolean enableODETrustedBootVerification (boolean enable)

Since: API level 11

Deprecated in API level 27

API to enable or disable ODE Trusted Boot verification.

Parameters
enable true to enable, false to disable.
Returns
  • true if operation is successful, else false.
Usage
When enabled, device decrypts the data partition only when the binary and kernel is official. 

 EnterpriseKnoxManager ekm = EnterpriseKnoxManager.getInstance(context);
 try {
     boolean enable = false;
     if (ekm.getAdvancedRestrictionPolicy().enableODETrustedBootVerification(enable)) {
         Log.w(TAG, " Enable ODE Trusted Boot verification not allowed");
     } else {
         Log.w(TAG, "Failed to set the policy.");
     }
 } catch (SecurityException e) {
     Log.w(TAG, "Exception" + e);
 }

Permission
The use of this API requires the caller to have the "com.samsung.android.knox.permission.KNOX_ADVANCED_RESTRICTION" permission with a protection level of signature.
Since
API level 11
KNOX 2.0
Multiuser Environment
Global Scope
See Also

public int getCCModeState ()

Since: API level 15

Deprecated in API level 35

API to check state for CC (Common Criteria) mode.

Returns
Since
API level 15
KNOX 2.4
Multiuser Environment
Global Scope
See Also

public boolean isBLEAllowed ()

Since: API level 26

API to check whether Bluetooth scanning and Bluetooth are allowed or disallowed.

Returns
  • true if Bluetooth scanning and Bluetooth are allowed, false if disallowed.
Since
API level 26
KNOX 3.2
Multiuser Environment
Global Scope
See Also

public boolean isFirmwareAutoUpdateAllowed (boolean showMsg)

Since: API level 11

API to check whether or not option for checking Firmware Update automatically (Auto update) is enforced in Device Settings.

Returns
  • true if firmware is allowed to auto update, false if disallowed.
Usage
An administrator can use this API to check whether checking for Firmware Update automatically is enforced or not.
Since
API level 11
KNOX 2.0
Multiuser Environment
Global Scope
See Also

public boolean isIntelligenceOnlineProcessingAllowed ()

Since: API level 37

API to check whether online processing of Advanced intelligence features provided by Samsung is allowed or disallowed.

Returns
  • true if online processing of Advanced intelligence features provided by Samsung is allowed, false if disallowed.

    Note: It is strongly recommended to handle NoSuchMethodError when invoking this function as certain Knox SDK 3.10 devices may not support the Advanced intelligence features and the associated API. If NoSuchMethodError occurs, there are no security concerns since the Advanced intelligence features are unsupported in such cases.
Since
API level 37
KNOX 3.10
Multiuser Environment
User Scope
See Also

public boolean isLocalContactStorageAllowed ()

Since: API level 28

API to check local contact storage is allowed or disallowed.

Returns
  • true allow local contact storage, falsedisallow local contact storage
Since
API level 28
KNOX 3.3
Multiuser Environment
User Scope
See Also

public boolean isODETrustedBootVerificationEnabled ()

Since: API level 11

Deprecated in API level 27

API to check whether ODE Trusted Boot verification is enabled or not.

Returns
  • true if ODE Trusted Boot verification is enabled, false if disabled.
Since
API level 11
KNOX 2.0
Permission
The use of this API requires the caller to have the "com.samsung.android.knox.permission.KNOX_ADVANCED_RESTRICTION" permission with a protection level of signature.
Multiuser Environment
Global Scope
See Also

public boolean isOnlySecureConnectionsAllowed ()

Since: API level 30

API to check whether only IPSec or SSL/TLS VPN connections are allowed.

Returns
  • true if only IPSec or SSL/TLS VPN connections are allowed, false otherwise
Throws
SecurityException If caller does not have required permissions
Usage
An administrator can use this API to check if Android system VPN must use either IPSec or SSL/TLS when connecting to networks. 

 EnterpriseKnoxManager ekm = EnterpriseKnoxManager.getInstance(context);
 try {
     boolean result = ekm.getAdvancedRestrictionPolicy().isOnlySecureConnectionsAllowed();
     if (result) {
         Log.w(TAG, "Only IPSec or SSL/TLS VPN connections are allowed.");
     } else {
         Log.w(TAG, "Any VPN connection is allowed.");
     }
 } catch (SecurityException e) {
     Log.w(TAG, "Exception" + e);
 }

Permission
The use of this API requires the caller to have the "com.samsung.android.knox.permission.KNOX_ADVANCED_RESTRICTION" permission which has the protection level of signature.

Since
API level 30
KNOX 3.4.1
Multiuser Environment
Global Scope
See Also

public boolean isRemoteControlAllowed ()

Since: API level 24

Deprecated in API level 35

API to check whether Knox Remote Control feature is enabled.

Returns
  • true If Remote Control is enabled or false otherwise
Usage
An administrator can use this API to check if remote control feature is enabled.

 
 EnterpriseKnoxManager ekm = EnterpriseKnoxManager.getInstance(context);
 try {
     if (ekm.getAdvancedRestrictionPolicy().isRemoteControlAllowed()) {
         Log.d(TAG, "Remote Control is enabled");
     } else {
         Log.d(TAG, "Remote Control is disabled");
     }
 } catch (SecurityException e) {
     Log.w(TAG, "SecurityException: " + e);
 }
For Container:
 // When you create container successfully, containerID will be returned via intent.
 // Use this containerID in below API.
 EnterpriseKnoxManager ekm = EnterpriseKnoxManager.getInstance(context);
 KnoxContainerManager kcm = ekm.getKnoxContainerManager(containerID);
 AdvancedRestrictionPolicy advancedRestrictionPolicy = kcm.getAdvancedRestrictionPolicy();
 try {
     if (advancedRestrictionPolicy.isRemoteControlAllowed()) {
         Log.w(TAG, "Remote Control is enabled.");
     } else {
         Log.w(TAG, "Remote Control is disabled.");
     }
 } catch (SecurityException e) {
     Log.w(TAG, "Exception" + e);
 }

Since
API level 24
KNOX 3.0
Multiuser Environment
User Scope
See Also

public boolean isUserSetAlwaysOnAllowed ()

Since: API level 30

API to verify whether the user is allowed to change VPN Always ON mode configuration or not.

Returns
  • true if users are allowed to modify Always ON settings, false otherwise
Usage
An administrator can use this API to check if user changes on VPN Always ON mode are allowed or not. 
 EnterpriseKnoxManager ekm = EnterpriseKnoxManager.getInstance(context);
 try {
     boolean result = ekm.getAdvancedRestrictionPolicy().isUserSetAlwaysOnAllowed();
     if (result) {
         Log.w(TAG, "Users are allowed to change Always ON configuration..");
     } else {
         Log.w(TAG, "Users are not permitted to change Always ON mode.");
     }
 } catch (SecurityException e) {
     Log.w(TAG, "Exception" + e);
 }

Since
API level 30
KNOX 3.4.1
Multiuser Environment
Global Scope
See Also

public boolean isWifiScanningAllowed ()

Since: API level 26

API to check whether Wifi scanning is allowed or disallowed.

Returns
  • true if Wifi scanning is allowed, false if disallowed.
Since
API level 26
KNOX 3.2
Multiuser Environment
Global Scope
See Also

public boolean setCCMode (boolean enable)

Since: API level 11

Deprecated in API level 35

API to enable or disable CC (Common Criteria) mode.

Parameters
enable true to enable, false to disable.
Returns
  • true if operation is successful, else false.
Throws
SecurityException If caller does not have required permissions
Usage
 EnterpriseKnoxManager ekm = EnterpriseKnoxManager.getInstance(context);
 try {
     boolean enable = false;
     ekm.getAdvancedRestrictionPolicy().setCCMode(enable);
     Log.w(TAG, "Set CCMode is called.");
 } catch (SecurityException e) {
     Log.w(TAG, "Exception" + e);
 }

Permission
The use of this API requires the caller to have the "com.samsung.android.knox.permission.KNOX_ADVANCED_RESTRICTION" permission with a protection level of signature.
Since
API level 11
KNOX 2.0
Multiuser Environment
Global Scope
See Also
  • com.samsung.android.knox.restriction.RestrictionPolicy.isFastEncryptionAllowed(boolean)
  • getCCModeState()