Knox Tizen Wearable SDK
Security policy group

Security policy group provides policies for security control.

Data Structures

struct security_name_fld_data
 Certificate name field data.
 
struct security_information_fields
 Certificate field data.
 

Enumerations

Functions

mdm_result_t mdm_lock_now (void)
 API to immediately lock the device screen.

mdm_result_t mdm_wipe_data (mdm_wipe_t type)
 API to erase the device's external or internal storage.

mdm_result_t mdm_reboot (void)
 API to reboot the device immediately.

mdm_result_t mdm_install_certificate (mdm_certificate_t type, const char *file_path, const char *name, const char *password)
 API to install certificates on a device.

mdm_result_t mdm_set_internal_storage_encryption (mdm_status_t value)
 API to encrypt / decrypt internal storage.

mdm_status_t mdm_get_internal_storage_encryption_status (void)
 API checks the status of internal storage encryption on device.

mdm_data_t * mdm_get_installed_certificate_names (mdm_certificate_t type)
 API returns a list of certificate names currently installed on a device. The names included in the list will all be under the same specified certificate type.

mdm_data_t * mdm_get_installed_certificates (mdm_certificate_t type)
 API returns a list of user certificates currently installed on a device.

mdm_result_t mdm_remove_certificate (mdm_certificate_t type, const char *name)
 API to remove certificate authority (CA) or user certificates on a device.

mdm_result_t mdm_clear_installed_certificates (mdm_certificate_t type)
 API to remove all installed certificates from the device.

mdm_result_t mdm_power_off_device (void)
 API to power off the device.

mdm_status_t mdm_get_lock_state (void)
 API to get the current status of lock screen. Checks if lock screen is locked, or unlocked.

mdm_result_t knox_mdm_set_allow_lockscreen_type_change (mdm_status_t status)
 API to allow or restrict changes to the lock screen type.

mdm_status_t knox_mdm_get_allow_lockscreen_type_change (void)
 API to check if changing the lock screen type is allowed.
 

Detailed Description

Security policy group provides policies for security control.

Required Header

#include <mdm.h>

Overview

This group provides APIs to control security-related functionality on the device, such as certificate installation and wipe.

Enumeration Type Documentation

enum mdm_certificate_t

Certificate type.

Since (Knox_wearable):
2.2.0
Since (Tizen):
3.0.0.1
See also
mdm_install_certificate, mdm_get_installed_certificate_names
Enumerator
MDM_VPN_CERTIFICATE

User certificate in the VPN certificate store.

MDM_WIFI_CERTIFICATE

User certificate in the Wi-Fi certificate store.

MDM_EMAIL_CERTIFICATE

User certificate in the email certificate store.

MDM_SYSTEM_CERTIFICATE

CA certificate.

Definition at line 59 of file security.h.

enum mdm_wipe_t

Device wipe type.

Since (Knox_wearable):
1.0.0
Since (Tizen):
2.3.1.5
See also
mdm_wipe_data
Enumerator
MDM_WIPE_INTERNAL_MEMORY 

Wipe internal memory.

MDM_WIPE_EXTERNAL_MEMORY 

Wipe external memory.

Definition at line 39 of file security.h.

Function Documentation

mdm_status_t knox_mdm_get_allow_lockscreen_type_change ( void  )

API to check if changing the lock screen type is allowed.

Since (Knox_wearable):
2.3.0
Since (Tizen):
4.0.0.0
Feature:
http://developer.samsung.com/tizen/feature/mdm
Usage:
Use this API to check if the end user is allowed to change the lock screen type, and take the appropriate action based on the enterprise policy.
    mdm_status_t result = knox_mdm_get_allow_lockscreen_type_change();
    if (result == MDM_RESTRICTED) {
        // Changes are blocked
    } else if (result == MDM_ALLOWED) {
        // Changes are allowed
    } else {
        // ERROR (MDM_STATUS_ERROR)
    }
Returns
mdm_status_t : The current prevention status.
Return values
MDM_RESTRICTED: The end user is restricted from changing the lock screen type.
MDM_ALLOWED: The end user is allowed to change the lock screen type.
MDM_STATUS_ERROR: On any error.
See also
knox_mdm_set_allow_lockscreen_type_change

mdm_result_t knox_mdm_set_allow_lockscreen_type_change ( mdm_status_t status)

API to allow or restrict changes to the lock screen type.

Since (Knox_wearable):
2.3.0
Since (Tizen):
4.0.0.0
Feature:
http://developer.samsung.com/tizen/feature/mdm
Usage:
The admin can use this API to allow or restrict the end user from changing the lock screen type. Restricting changes via this API prevents the user from modifying the lock screen type using the UI settings on the device.
Remarks
The lock screen type restriction (mdm_status_t) is written to the MDM_POLICY_ON_LOCKSCREEN_TYPE_CHANGE notification file. You can register a callback for this event using mdm_register_policy_receiver.
    mdm_result_t result = knox_mdm_set_allow_lockscreen_type_change(MDM_RESTRICTED);
    if (result == MDM_RESULT_SUCCESS) {
        // Success
    } else {
        // Error
    }
Parameters
[in] status
MDM_RESTRICTED: The end user is restricted from changing the lock screen type on the device.
MDM_ALLOWED: The end user is allowed to change the lock screen type on the device.
Privilege Level:
public
Privilege:
http://developer.samsung.com/tizen/privilege/mdm.security
Returns
mdm_result_t : MDM_RESULT_SUCCESS on success, an error code on error
Return values
MDM_RESULT_SUCCESS: Successful
MDM_RESULT_FAIL: General failure
MDM_RESULT_NOT_SUPPORTED: Not supported
MDM_RESULT_INVALID_PARAM: Invalid parameter
MDM_RESULT_ACCESS_DENIED: The application does not have the privilege to call this function.
See also
knox_mdm_get_allow_lockscreen_type_change

mdm_result_t mdm_clear_installed_certificates ( mdm_certificate_t type)

API to remove all installed certificates from the device.

Since (Knox_wearable):
2.2.0
Since (Tizen):
3.0.0.1
Feature:
http://developer.samsung.com/tizen/feature/mdm
Usage:
Use this API to remove all installed certificates in a specified store from a device on behalf of the end user, without needing any user interaction.
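    mdm_result_t ret = 0;
    // Clear every certificate in the Wi-Fi store
    ret = mdm_clear_installed_certificates(MDM_WIFI_CERTIFICATE);
    if (ret == MDM_RESULT_SUCCESS) {
        // clear policy success
    } else {
        // clear policy fail
    }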
Privilege Level:
public
Privilege:
http://developer.samsung.com/tizen/privilege/mdm.security
Parameters
[in] type: Type of certificate store to remove all certificates from.
Returns
mdm_result_t : MDM_RESULT_SUCCESS upon successful removal of all installed certificates from a device, or an error code from the values listed below upon failure.
Return values
MDM_RESULT_SUCCESS: Successful
MDM_RESULT_FAIL: General failure
MDM_RESULT_NOT_SUPPORTED: Not supported
MDM_RESULT_INVALID_PARAM: Invalid parameter
MDM_RESULT_ACCESS_DENIED: The application does not have the privilege to call this function.
Permission:
Usage of this API is restricted to registered clients only.
See also
mdm_remove_certificate

mdm_data_t* mdm_get_installed_certificate_names ( mdm_certificate_t type)

API returns a list of certificate names currently installed on a device. The names included in the list will all be under the same specified certificate type.

Since (Knox_wearable):
2.2.0
Since (Tizen):
3.0.0.1
Feature:
http://developer.samsung.com/tizen/feature/mdm
Usage:
Use this API to get a list of certificate names currently installed on a device. A certificate type must be provided.
NOTE — You can combine different types using the OR operator e.g. MDM_WIFI_CERTIFICATE|MDM_EMAIL_CERTIFICATE
    mdm_data_t *lp_data = mdm_get_installed_certificate_names(MDM_WIFI_CERTIFICATE);
    if (lp_data) {
        GList *lp_list = (GList *)lp_data->data;
        if (lp_list) {
            lp_list = g_list_first(lp_list);
            while (lp_list && lp_list->data) {
                printf("Name : %s\n", (char *)lp_list->data);
                lp_list = g_list_next(lp_list);
            }
        }
        mdm_free_data(lp_data);
    } else {
        // NULL: failed to get the certificate name list
    }
Parameters
[in] type: Certificate type for which the certificate list is to be obtained.
Returns
mdm_data_t * on success, NULL on error
See also
mdm_get_installed_certificates

mdm_data_t* mdm_get_installed_certificates ( mdm_certificate_t type)

API returns a list of user certificates currently installed on a device.

Since (Knox_wearable):
2.2.0
Since (Tizen):
3.0.0.1
Feature:
http://developer.samsung.com/tizen/feature/mdm
Usage:
Use this API to get a list of certificates currently installed on a device under a specified store. The API returns the following information: certificate type. Cast each list entry to security_information_fields to read it in detail.
    mdm_data_t *lp_data = mdm_get_installed_certificates(MDM_WIFI_CERTIFICATE);
    if (lp_data) {
        GList *lp_list = (GList *)lp_data->data;
        if (lp_list) {
            lp_list = g_list_first(lp_list);
            while (lp_list && lp_list->data) {
                security_information_fields *lp_certi_data = (security_information_fields *)lp_list->data;
                if (lp_certi_data) {
                    printf("[Certi data: %d,%d,%s,%s,%s,%s,%s,%s,%s,%s "
                           "(Issuer data: %s,%s,%s,%s,%s,%s,%s) "
                           "(Subject data: %s,%s,%s,%s,%s,%s,%s)]\n",
                           lp_certi_data->version,
                           lp_certi_data->serialNumber,
                           lp_certi_data->sigAlgo,
                           lp_certi_data->issuerStr,
                           lp_certi_data->subjectStr,
                           lp_certi_data->pubKeyAlgo,
                           lp_certi_data->pubKey,
                           lp_certi_data->issuerUID,
                           lp_certi_data->subjectUID,
                           lp_certi_data->filePath,
                           lp_certi_data->issuer.countryName,
                           lp_certi_data->issuer.stateOrProvinceName,
                           lp_certi_data->issuer.localityName,
                           lp_certi_data->issuer.organizationName,
                           lp_certi_data->issuer.organizationUnitName,
                           lp_certi_data->issuer.commonName,
                           lp_certi_data->issuer.emailAddress,
                           lp_certi_data->subject.countryName,
                           lp_certi_data->subject.stateOrProvinceName,
                           lp_certi_data->subject.localityName,
                           lp_certi_data->subject.organizationName,
                           lp_certi_data->subject.organizationUnitName,
                           lp_certi_data->subject.commonName,
                           lp_certi_data->subject.emailAddress);
                }
                lp_list = g_list_next(lp_list);
            }
        }
        mdm_free_data(lp_data);
    } else {
        // NULL: failed to get the certificate list
    }
Parameters
[in] type: Type of certificate repository to get the certificates from.
NOTE — You can combine different types using the OR operator.
Returns
mdm_data_t * on success, NULL on error
See also
mdm_get_installed_certificate_names

mdm_status_t mdm_get_internal_storage_encryption_status ( void )

API checks the status of internal storage encryption on device.

Since (Knox_wearable):
1.0.0
Since (Tizen):
2.3.1.5
Feature:
http://developer.samsung.com/tizen/feature/mdm
Usage:
Admin can check whether internal storage is encrypted or not. It returns the value set by mdm_set_internal_storage_encryption.
    mdm_status_t status = mdm_get_internal_storage_encryption_status();
    if (status == MDM_TRUE || status == MDM_FALSE) {
        // function success
    } else {
        // function error
    }
Returns
mdm_status_t : The current prevention status.
Return values
MDM_TRUE: If internal storage is encrypted.
MDM_FALSE: If decrypted.
MDM_STATUS_ERROR: If an error occurred.
See also
mdm_set_internal_storage_encryption

mdm_status_t mdm_get_lock_state ( void )

API to get the current status of lock screen. Checks if lock screen is locked, or unlocked.

Since (Tizen):
3.0.0.1
Since (Knox_wearable):
2.2.0
Feature:
http://developer.samsung.com/tizen/feature/mdm
Usage:
Use this API to check if the screen is locked or unlocked.
    mdm_status_t status = mdm_get_lock_state();
    if (status == MDM_STATUS_ERROR) {
        // function error
    } else {
        if (status == MDM_TRUE) {
            // screen is locked
        } else {
            // screen is unlocked
        }
    }
Returns
mdm_status_t : Current lock status, one of MDM_TRUE or MDM_FALSE. In case of error, returns MDM_STATUS_ERROR.
See also
mdm_lock_now

mdm_result_t mdm_install_certificate ( mdm_certificate_t type, const char * file_path, const char * name, const char * password )

API to install certificates on a device.

Since (Knox_wearable):
2.2.0
Since (Tizen):
3.0.0.1
Feature:
http://developer.samsung.com/tizen/feature/mdm
Usage:
Use this API to install certificates on behalf of the end user, without needing any user interaction.
    mdm_result_t ret = 0;
    ret = mdm_install_certificate(MDM_WIFI_CERTIFICATE, "/tmp/mdm_cert.crt", "mdm_security_cert", "password");
    if (ret == MDM_RESULT_SUCCESS) {
        // setting success
    } else {
        // setting fail
    }
Privilege Level:
public
Privilege:
http://developer.samsung.com/tizen/privilege/mdm.security
Parameters
[in] type: Set key store to install certificate in. You can pass more than one store using OR. Certificate installation in system store is not supported due to system limitations.
[in] file_path: Path of certificate file to install
[in] name: Name of certificate in a store
[in] password: Password, if certificate/container is encrypted (i.e. .p12). For instance, in the case of .pem, .crt and .cer files, the password is ignored.
Returns
mdm_result_t : MDM_RESULT_SUCCESS upon successful installation of certificates, or an error code from the values listed below upon failure.
Return values
MDM_RESULT_SUCCESS: Successful
MDM_RESULT_FAIL: General failure
MDM_RESULT_NOT_SUPPORTED: Not supported
MDM_RESULT_INVALID_PARAM: Invalid parameter
MDM_RESULT_ACCESS_DENIED: The application does not have the privilege to call this function.
Permission:
Usage of this API is restricted to registered clients only.
See also
mdm_remove_certificate

mdm_result_t mdm_lock_now ( void )

API to immediately lock the device screen.

Since (Knox_wearable):
1.0.0
Since (Tizen):
2.3.2.3
Feature:
http://developer.samsung.com/tizen/feature/mdm
Usage:
Admin can lock the device immediately, as if the lock screen time-out duration has expired at this point. Currently supported lock types are: pattern, PIN, password.
Remarks
A locked screen is signalled by the MDM_POLICY_ON_DEVICE_LOCK notification. You can register a callback for this event using mdm_register_policy_receiver.
    mdm_result_t ret = mdm_lock_now();
    if (ret == MDM_RESULT_SUCCESS) {
        // success to lock device screen
    } else {
        // fails to lock device screen
    }
Privilege Level:
public
Privilege:
http://developer.samsung.com/tizen/privilege/mdm.security
Returns
mdm_result_t : MDM_RESULT_SUCCESS on success, an error code on error
Return values
MDM_RESULT_SUCCESS: Successful
MDM_RESULT_FAIL: General failure
MDM_RESULT_NOT_SUPPORTED: Not supported
MDM_RESULT_INVALID_PARAM: Invalid parameter
MDM_RESULT_ACCESS_DENIED: The application does not have the privilege to call this function.
Permission:
Usage of this API is restricted to registered clients only.
See also
mdm_is_device_locked, mdm_get_lock_state

mdm_result_t mdm_power_off_device ( void )

API to power off the device.

Since (Knox_wearable):
1.0.0
Since (Tizen):
2.3.2.3
Feature:
http://developer.samsung.com/tizen/feature/mdm
Usage:
Admin can switch off the device without user interaction.
    mdm_result_t ret = 0;
    ret = mdm_power_off_device();
    if (ret == MDM_RESULT_SUCCESS) {
        // set policy success
    } else {
        // set policy failed
    }
Privilege Level:
public
Privilege:
http://developer.samsung.com/tizen/privilege/mdm.security
Returns
mdm_result_t : MDM_RESULT_SUCCESS on success, an error code on error
Return values
MDM_RESULT_SUCCESS: Successful
MDM_RESULT_FAIL: General failure
MDM_RESULT_NOT_SUPPORTED: Not supported
MDM_RESULT_INVALID_PARAM: Invalid parameter
MDM_RESULT_ACCESS_DENIED: The application does not have the privilege to call this function.
Permission:
Usage of this API is restricted to registered clients only.
See also
mdm_reboot

mdm_result_t mdm_reboot ( void )

API to reboot the device immediately.

Since (Knox_wearable):
1.0.0
Since (Tizen):
2.3.2.3
Feature:
http://developer.samsung.com/tizen/feature/mdm
Usage:
Admin can silently reboot the device.
    mdm_result_t ret = mdm_reboot();
    if (ret == MDM_RESULT_SUCCESS) {
        // success to reboot
    } else {
        // fail to reboot
    }
Privilege Level:
public
Privilege:
http://developer.samsung.com/tizen/privilege/mdm.security
Returns
mdm_result_t : MDM_RESULT_SUCCESS on success, an error code on error
Return values
MDM_RESULT_SUCCESS: Successful
MDM_RESULT_FAIL: General failure
MDM_RESULT_NOT_SUPPORTED: Not supported
MDM_RESULT_INVALID_PARAM: Invalid parameter
MDM_RESULT_ACCESS_DENIED: The application does not have the privilege to call this function.
Permission:
Usage of this API is restricted to registered clients only.
See also
mdm_power_off_device

mdm_result_t mdm_remove_certificate ( mdm_certificate_t type, const char * name )

API to remove certificate authority (CA) or user certificates on a device.

Since (Knox_wearable):
2.2.0
Since (Tizen):
3.0.0.1
Feature:
http://developer.samsung.com/tizen/feature/mdm
Usage:
Use this API to uninstall certificates on behalf of the end user, without needing any user interaction.
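    mdm_result_t ret = 0;
    // Look up the names installed in the Wi-Fi store, then remove each one by name
    mdm_data_t *lp_data = mdm_get_installed_certificate_names(MDM_WIFI_CERTIFICATE);
    if (lp_data) {
        GList *lp_list = (GList *)lp_data->data;
        if (lp_list) {
            lp_list = g_list_first(lp_list);
            while (lp_list && lp_list->data) {
                ret = mdm_remove_certificate(MDM_WIFI_CERTIFICATE, (const char *)lp_list->data);
                if (ret == MDM_RESULT_SUCCESS) {
                    // remove certificate success
                } else {
                    // remove certificate fail
                }
                lp_list = g_list_next(lp_list);
            }
        }
        mdm_free_data(lp_data);
    } else {
        // NULL: failed to get the certificate name list
    }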
Privilege Level:
public
Privilege:
http://developer.samsung.com/tizen/privilege/mdm.security
Parameters
[in] type: The type of certificate store to remove the specified certificate from.
[in] name: The assigned name of a certificate given at the time of installation.
Returns
mdm_result_t : MDM_RESULT_SUCCESS upon successful uninstallation of certificates, or an error code from the values listed below upon failure.
Return values
MDM_RESULT_SUCCESS: Successful
MDM_RESULT_FAIL: General failure
MDM_RESULT_NOT_SUPPORTED: Not supported
MDM_RESULT_INVALID_PARAM: Invalid parameter
MDM_RESULT_ACCESS_DENIED: The application does not have the privilege to call this function.
Permission:
Usage of this API is restricted to registered clients only.
See also
mdm_install_certificate, mdm_clear_installed_certificates

mdm_result_t mdm_set_internal_storage_encryption ( mdm_status_t value)

API to encrypt / decrypt internal storage.

Since (Knox_wearable):
1.0.0
Since (Tizen):
2.3.2.3
Feature:
http://developer.samsung.com/tizen/feature/mdm
Usage:
Admin can use this API to force internal storage encryption / decryption on the user's device. The function launches com.samsung.clocksetting.encryption, a Tizen UI application dedicated to encryption settings. Internal storage encryption policy must be set to MDM_TRUE in order to call this application properly.
    mdm_result_t ret = 0;
    mdm_status_t stat = mdm_get_require_device_encryption();
    if (stat == MDM_FALSE || stat == MDM_TRUE) {
        if (stat == MDM_TRUE) {
            ret = mdm_set_internal_storage_encryption(MDM_TRUE);
            if (ret == MDM_RESULT_SUCCESS) {
                // function success
            } else {
                // function error
            }
        } else {
            // Internal storage encryption is restricted.
        }
    } else {
        // function error
    }
Privilege Level:
public
Privilege:
http://developer.samsung.com/tizen/privilege/mdm.security
Parameters
[in] value
MDM_FALSE: Decrypt internal storage.
MDM_TRUE: Encrypt internal storage.
Returns
mdm_result_t : MDM_RESULT_SUCCESS on success, an error code on error
Return values
MDM_RESULT_SUCCESS: Successful
MDM_RESULT_FAIL: General failure
MDM_RESULT_NOT_SUPPORTED: Not supported
MDM_RESULT_INVALID_PARAM: Invalid parameter
MDM_RESULT_ACCESS_DENIED: The application does not have the privilege to call this function.
Permission:
Usage of this API is restricted to registered clients only.
See also
mdm_get_internal_storage_encryption_status
mdm_get_require_device_encryption

mdm_result_t mdm_wipe_data ( mdm_wipe_t type)

API to erase the device's external or internal storage.

Since (Knox_wearable):
1.0.0
Since (Tizen):
2.3.2.3
Feature:
http://developer.samsung.com/tizen/feature/mdm
Usage:
Admin can use this to wipe both SD card data and application data. Internal formatting may require rebooting the device.
    mdm_result_t ret = mdm_wipe_data(MDM_WIPE_EXTERNAL_MEMORY);
    if (ret == MDM_RESULT_SUCCESS) {
        // success to wipe external storage
    } else {
        // fail to wipe external storage
    }
Privilege Level:
public
Privilege:
http://developer.samsung.com/tizen/privilege/mdm.security
Parameters
[in] type
MDM_WIPE_INTERNAL_MEMORY: Phone memory (Factory reset).
MDM_WIPE_EXTERNAL_MEMORY: MMC memory
Returns
mdm_result_t : MDM_RESULT_SUCCESS on success, an error code on error
Return values
MDM_RESULT_SUCCESS: Successful
MDM_RESULT_FAIL: General failure
MDM_RESULT_NOT_SUPPORTED: Not supported
MDM_RESULT_INVALID_PARAM: Invalid parameter
MDM_RESULT_ACCESS_DENIED: The application does not have the privilege to call this function.
Permission:
Usage of this API is restricted to registered clients only.
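
A lost-device response sequenced from mdm_lock_now, mdm_get_lock_state and mdm_wipe_data, as an added example that is not part of the SDK documentation. The external wipe is issued first because the internal wipe is documented above as a factory reset that may reboot the device. The device_ops wrapper, the FAIL_* bits, the fake device and the stand-in enum values are assumptions made so the sequence can run off-device.

```c
/* Stand-ins so this builds without the Knox SDK; on a device define
 * HAVE_MDM_H instead. The numeric values below are assumptions. */
#ifdef HAVE_MDM_H
#include <mdm.h>
#else
typedef enum { MDM_RESULT_SUCCESS, MDM_RESULT_FAIL, MDM_RESULT_NOT_SUPPORTED,
               MDM_RESULT_INVALID_PARAM, MDM_RESULT_ACCESS_DENIED } mdm_result_t;
typedef enum { MDM_STATUS_ERROR = -1, MDM_FALSE, MDM_TRUE } mdm_status_t;
typedef enum { MDM_WIPE_INTERNAL_MEMORY, MDM_WIPE_EXTERNAL_MEMORY } mdm_wipe_t;
#endif

/* Hypothetical wrapper; on a device: { mdm_lock_now, mdm_get_lock_state, mdm_wipe_data }. */
typedef struct {
    mdm_result_t (*lock_now)(void);
    mdm_status_t (*get_lock_state)(void);
    mdm_result_t (*wipe_data)(mdm_wipe_t type);
} device_ops;

/* Bits in the return value name the steps that failed; 0 means all done. */
enum { FAIL_PRIVILEGE = 1, FAIL_LOCK = 2, FAIL_WIPE_EXTERNAL = 4, FAIL_WIPE_INTERNAL = 8 };

int respond_to_lost_device(const device_ops *ops)
{
    int failed = 0;
    mdm_result_t ret = ops->lock_now();
    /* The wipe calls need the same privilege as the lock: stop early. */
    if (ret == MDM_RESULT_ACCESS_DENIED)
        return FAIL_PRIVILEGE;
    /* mdm_status_t is tri-state, so only MDM_TRUE counts as locked. */
    if (ret != MDM_RESULT_SUCCESS || ops->get_lock_state() != MDM_TRUE)
        failed |= FAIL_LOCK;
    /* External first: the internal wipe is a factory reset and may reboot. */
    if (ops->wipe_data(MDM_WIPE_EXTERNAL_MEMORY) != MDM_RESULT_SUCCESS)
        failed |= FAIL_WIPE_EXTERNAL;
    if (ops->wipe_data(MDM_WIPE_INTERNAL_MEMORY) != MDM_RESULT_SUCCESS)
        failed |= FAIL_WIPE_INTERNAL;
    return failed;
}

/* Constructed fake device: records wipe order, can fail the lock on demand. */
static int fake_lock_works = 1, fake_locked, fake_wipes[8], fake_wipe_count;
static mdm_result_t fake_lock(void)
{
    fake_locked = fake_lock_works;
    return fake_lock_works ? MDM_RESULT_SUCCESS : MDM_RESULT_FAIL;
}
static mdm_status_t fake_state(void) { return fake_locked ? MDM_TRUE : MDM_FALSE; }
static mdm_result_t fake_wipe(mdm_wipe_t type)
{
    if (fake_wipe_count < 8) fake_wipes[fake_wipe_count++] = (int)type;
    return MDM_RESULT_SUCCESS;
}
static const device_ops fake_ops = { fake_lock, fake_state, fake_wipe };

int main(void)
{
    return respond_to_lost_device(&fake_ops);   /* exit status 0: every step succeeded */
}
```

A failed lock does not stop the wipes; it is reported in the returned mask so the caller can log it.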