Since: API level 2
public class

DeviceSecurityPolicy

extends Object
java.lang.Object
   ↳ com.samsung.android.knox.devicesecurity.DeviceSecurityPolicy

Class Overview

This class provides APIs to control device security settings.

Since
API level 2
MDM 2.0

Summary

Constants
int WIPE_EXTERNAL_MEMORY Flag to wipe external memory
int WIPE_INTERNAL_EXTERNAL_MEMORY Flag to wipe internal and external memory
int WIPE_INTERNAL_MEMORY Flag to wipe internal memory
Public Methods
boolean addClipboardTextData(String clip)
API to add text data to the device clipboard.
boolean clearClipboardData()
API to clear the device clipboard.
String getClipboardTextData()
API to read text data from the device clipboard.
boolean getRequireDeviceEncryption(ComponentName admin)
API to determine whether device encryption is required.
boolean getRequireStorageCardEncryption(ComponentName admin)
API to determine whether storage card encryption is required.
boolean isExternalStorageEncrypted()
API to check the state of external storage encryption.
boolean isInternalStorageEncrypted()
API to check the state of internal storage encryption.
void setExternalStorageEncryption(boolean isEncrypt)
API to encrypt external storage.
void setInternalStorageEncryption(boolean isEncrypt)
API to encrypt internal storage.
void setRequireDeviceEncryption(ComponentName admin, boolean value)
API to set whether device encryption is required.
void setRequireStorageCardEncryption(ComponentName admin, boolean value)
API to set whether storage card encryption is required.
boolean wipeDevice(int flags)
API to selectively wipe external memory, internal memory, or both.
Inherited Methods
From class java.lang.Object

Constants

public static final int WIPE_EXTERNAL_MEMORY

Since: API level 2

Flag to wipe external memory

Since
API level 2
MDM 2.0
Constant Value: 2 (0x00000002)

public static final int WIPE_INTERNAL_EXTERNAL_MEMORY

Since: API level 2

Flag to wipe internal and external memory

Since
API level 2
MDM 2.0
Constant Value: 3 (0x00000003)

public static final int WIPE_INTERNAL_MEMORY

Since: API level 2

Flag to wipe internal memory

Since
API level 2
MDM 2.0
Constant Value: 1 (0x00000001)

Public Methods

public boolean addClipboardTextData (String clip)

Since: API level 5

API to add text data to the device clipboard.

Parameters
clip text data to be added to the device clipboard
Returns
  • true if clipboard string was successfully added, else false.
Throws
SecurityException If caller does not have required permissions
Usage
An administrator can use this API to add new text data on the device clipboard.

Permission
The use of this API requires the caller to have the "com.samsung.android.knox.permission.KNOX_CLIPBOARD" permission which has a protection level of signature.
Since
API level 5
MDM 3.0
Multiuser Environment
Global Scope

public boolean clearClipboardData ()

Since: API level 5

API to clear the device clipboard.

Returns
  • Returns true if the clipboard was cleared successfully, else false.
Throws
SecurityException If caller does not have required permissions
Usage
An administrator can use this API to clear the data from the device clipboard. The return is true if the device clipboard is cleared or false if the clipboard is not cleared. This API clears all clipboard content from the device, including locked items.

Permission
The use of this API requires the caller to have the "com.samsung.android.knox.permission.KNOX_CLIPBOARD" permission which has a protection level of signature.
Since
API level 5
MDM 3.0
Multiuser Environment
Global Scope

public String getClipboardTextData ()

Since: API level 5

API to read text data from the device clipboard.

Returns
  • text data from the device clipboard.
Throws
SecurityException If caller does not have required permissions
Usage
An administrator can use this API to read text data from the device clipboard. The return is null if the device clipboard contains no data or the data cannot be read.

Permission
The use of this API requires the caller to have the "com.samsung.android.knox.permission.KNOX_CLIPBOARD" permission which has a protection level of signature.
Since
API level 5
MDM 3.0
Multiuser Environment
Global Scope

public boolean getRequireDeviceEncryption (ComponentName admin)

Since: API level 2

API to determine whether device encryption is required.

Parameters
admin The component name of the administrator
Returns
  • true if device encryption is enabled, false otherwise.
Throws
SecurityException If caller does not have required permissions
Usage
An administrator can use this API to check whether a given administrator has requested device encryption and take appropriate action based on applied policy.
Since
API level 2
MDM 2.0
Permission
The use of this API requires the caller to have the "com.samsung.android.knox.permission.KNOX_SECURITY" permission which has a protection level of signature.
Multiuser Environment
Global Scope

public boolean getRequireStorageCardEncryption (ComponentName admin)

Since: API level 2

API to determine whether storage card encryption is required.

Parameters
admin The component name of the administrator
Returns
  • true if device encryption is enabled, false otherwise.
Throws
SecurityException If caller does not have required permissions
Usage
An administrator can use this API to check whether a given administrator has requested SD card encryption and take appropriate action based on applied policy.
Since
API level 2
MDM 2.0
Permission
The use of this API requires the caller to have the "com.samsung.android.knox.permission.KNOX_SECURITY" permission which has a protection level of signature.
Multiuser Environment
Global Scope

public boolean isExternalStorageEncrypted ()

Since: API level 2

API to check the state of external storage encryption.

Returns
  • true if external storage is encrypted, else false
Throws
SecurityException If caller does not have required permissions
Usage
An administrator can use this API to check whether external storage encryption is enabled and take appropriate action based on applied policy.
Permission
The use of this API requires the caller to have the "com.samsung.android.knox.permission.KNOX_SECURITY" permission which has a protection level of signature.
Since
API level 2
MDM 2.0
Multiuser Environment
Global Scope

public boolean isInternalStorageEncrypted ()

Since: API level 2

API to check the state of internal storage encryption.

Returns
  • true if internal storage is encrypted, else false
Throws
SecurityException If caller does not have required permissions
Usage
An administrator can use this API to check whether internal storage encryption is enabled and take appropriate action based on applied policy. For devices with Android 3.0 onward, this API returns true only if encryption is completed.
Permission
The use of this API requires the caller to have the "com.samsung.android.knox.permission.KNOX_SECURITY" permission which has a protection level of signature.
Since
API level 2
MDM 2.0
Multiuser Environment
Global Scope
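
Added example (not part of the Knox SDK documentation): one way to combine the four query methods above into a compliance check that compares what a given administrator requires with the actual encryption state. The class name, the log tag, and the import path for EnterpriseDeviceManager are assumptions; the DeviceSecurityPolicy calls are the ones documented on this page.

```java
import android.content.ComponentName;
import android.content.Context;
import android.util.Log;

// Assumed package for EnterpriseDeviceManager; the page only gives the
// package of DeviceSecurityPolicy.
import com.samsung.android.knox.EnterpriseDeviceManager;
import com.samsung.android.knox.devicesecurity.DeviceSecurityPolicy;

import java.util.ArrayList;
import java.util.List;

/** Added example: reports where required encryption is not yet in effect. */
public final class EncryptionComplianceCheck {
    private static final String TAG = "EncryptionCompliance"; // hypothetical tag

    /** Pure decision logic, kept separate so it can be unit-tested off-device. */
    static List<String> findGaps(boolean deviceRequired, boolean internalEncrypted,
                                 boolean cardRequired, boolean externalEncrypted) {
        List<String> gaps = new ArrayList<>();
        // isInternalStorageEncrypted() is true only once encryption has completed,
        // so a device that is still encrypting is reported as a gap.
        if (deviceRequired && !internalEncrypted) {
            gaps.add("internal storage: encryption required but not completed");
        }
        if (cardRequired && !externalEncrypted) {
            gaps.add("storage card: encryption required but not enabled");
        }
        return gaps;
    }

    /** Returns the list of gaps, or null when the state could not be read. */
    public static List<String> check(Context context, ComponentName admin) {
        EnterpriseDeviceManager edm = EnterpriseDeviceManager.getInstance(context);
        DeviceSecurityPolicy policy = edm.getDeviceSecurityPolicy();
        try {
            return findGaps(
                    policy.getRequireDeviceEncryption(admin),
                    policy.isInternalStorageEncrypted(),
                    policy.getRequireStorageCardEncryption(admin),
                    policy.isExternalStorageEncrypted());
        } catch (SecurityException e) {
            // Missing KNOX_SECURITY permission: state is unknown, not compliant.
            Log.w(TAG, "SecurityException: " + e);
            return null;
        }
    }
}
```

A null result should be treated by the caller as "unknown", never as an empty list of gaps.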

public void setExternalStorageEncryption (boolean isEncrypt)

Since: API level 2

API to encrypt external storage.

Parameters
isEncrypt true if encryption is required, false if decryption is required
Throws
SecurityException If caller does not have required permissions
Usage
An administrator can use this API to enable external Secure Digital (SD) card encryption if available. Before calling this API, the administrator must ensure that the device password is set to alphanumeric quality. The administrator can set an alphanumeric quality password by using the Android API setPasswordQuality(ComponentName, int).


  1. The user is prompted to start/cancel encryption/decryption.
  2. If the user chooses to start encryption/decryption:
    1. The user is prompted to enter the device password, and encryption/decryption starts.
    2. Once completed, the SD card remounts.
  3. If the user chooses to cancel encryption/decryption:
    1. The administrator can configure device behavior (for example, unmount SD card).
    2. On the next SD card mount, the SD card is forced to start the encryption/decryption process.

 EnterpriseDeviceManager edm = EnterpriseDeviceManager.getInstance(context);
 DevicePolicyManager dpm = (DevicePolicyManager) getSystemService(
         Context.DEVICE_POLICY_SERVICE);
 DeviceSecurityPolicy deviceSecurityPolicy = edm.getDeviceSecurityPolicy();
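 try {
     // Administrator component the policy is applied for
     ComponentName enterpriseDeviceAdmin = new ComponentName(context, EDMTestsAdmin.class);
     // Check first if password is enabled with sufficient strength
     if (dpm.isActivePasswordSufficient()) {
         // First apply policy
         deviceSecurityPolicy.setRequireStorageCardEncryption(enterpriseDeviceAdmin, true);
         // Initiate encryption
         deviceSecurityPolicy.setExternalStorageEncryption(true);
     }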
 } catch (SecurityException e) {
     Log.w(TAG, "SecurityException: " + e);
 }
 
Permission
The use of this API requires the caller to have the "com.samsung.android.knox.permission.KNOX_SECURITY" permission which has a protection level of signature.
Since
API level 2
MDM 2.0
Multiuser Environment
Global Scope

public void setInternalStorageEncryption (boolean isEncrypt)

Since: API level 2

API to encrypt internal storage.

Parameters
isEncrypt true if encryption is required, false if decryption is required
Throws
SecurityException If caller does not have required permissions
Usage
An administrator can use this API to enable full device encryption, which includes device memory and an internal Secure Digital (SD) card. Before calling this API, the administrator must ensure that the device password is set to alphanumeric quality. The administrator can set an alphanumeric quality password by using the Android API setPasswordQuality(ComponentName, int).


  1. The user is prompted to start/cancel encryption/decryption; see ACTION_START_ENCRYPTION.
  2. Device must reboot.

 EnterpriseDeviceManager edm = EnterpriseDeviceManager.getInstance(context);
 DevicePolicyManager dpm = (DevicePolicyManager) getSystemService(
         Context.DEVICE_POLICY_SERVICE);
 DeviceSecurityPolicy deviceSecurityPolicy = edm.getDeviceSecurityPolicy();
 try {
     // Administrator component the policy is applied for
     ComponentName enterpriseDeviceAdmin = new ComponentName(context, EDMTestsAdmin.class);
     // Check first if password is enabled with sufficient strength
     if (dpm.isActivePasswordSufficient()) {
         // First apply policy
         deviceSecurityPolicy.setRequireDeviceEncryption(enterpriseDeviceAdmin, true);
         // Initiate encryption
         deviceSecurityPolicy.setInternalStorageEncryption(true);
     }
 } catch (SecurityException e) {
     Log.w(TAG, "SecurityException: " + e);
 }

Permission
The use of this API requires the caller to have the "com.samsung.android.knox.permission.KNOX_SECURITY" permission which has a protection level of signature.
Since
API level 2
MDM 2.0
Multiuser Environment
Global Scope

public void setRequireDeviceEncryption (ComponentName admin, boolean value)

Since: API level 2

API to set whether device encryption is required.

 EnterpriseDeviceManager edm = EnterpriseDeviceManager.getInstance(context);
 DeviceSecurityPolicy deviceSecurityPolicy = edm.getDeviceSecurityPolicy();
 try {
     ComponentName enterpriseDeviceAdmin = new ComponentName(context, EDMTestsAdmin.class);
     deviceSecurityPolicy.setRequireDeviceEncryption(enterpriseDeviceAdmin, true);
 } catch (SecurityException e) {
     Log.w(TAG, "SecurityException: " + e);
 }
 

Parameters
admin The component name of the administrator
value true to enable encryption, false to disable.
Throws
SecurityException If caller does not have required permissions
Permission
The use of this API requires the caller to have the "com.samsung.android.knox.permission.KNOX_SECURITY" permission which has a protection level of signature. Moreover, the device administrator must have an "encrypted-storage" tag for Android version 3.0 onward in the "uses-policies" section of its meta-data; if the tag does not exist, a security exception is thrown.
Since
API level 2
MDM 2.0
Multiuser Environment
Global Scope

public void setRequireStorageCardEncryption (ComponentName admin, boolean value)

Since: API level 2

API to set whether storage card encryption is required.

 EnterpriseDeviceManager edm = EnterpriseDeviceManager.getInstance(context);
 DeviceSecurityPolicy deviceSecurityPolicy = edm.getDeviceSecurityPolicy();
 try {
     ComponentName enterpriseDeviceAdmin = new ComponentName(context,
             EDMTestsAdmin.class);
     deviceSecurityPolicy.setRequireStorageCardEncryption(enterpriseDeviceAdmin, true);
 } catch (SecurityException e) {
     Log.w(TAG, "SecurityException: " + e);
 }
 

Parameters
admin The component name of the administrator
value true to enable encryption, false to disable.
Throws
SecurityException If caller does not have required permissions
Permission
The use of this API requires the caller to have the "com.samsung.android.knox.permission.KNOX_SECURITY" permission which has a protection level of signature. Moreover, the device administrator must have a "require-storagecard-encryption" tag in the "uses-policies" section of its meta-data.
Since
API level 2
MDM 2.0
Multiuser Environment
Global Scope

public boolean wipeDevice (int flags)

Since: API level 2

API to selectively wipe external memory, internal memory, or both.

Returns
  • For external memory wipe, returns true if successful, else false. For other cases, device reboots to complete wipe operation.
Throws
SecurityException If caller does not have required permissions
Usage
An administrator can use this API to wipe both SD card data and application data. Internal formatting may require rebooting the device.

 EnterpriseDeviceManager edm = EnterpriseDeviceManager.getInstance(context);
 DeviceSecurityPolicy deviceSecurityPolicy = edm.getDeviceSecurityPolicy();
 try {
     boolean result = deviceSecurityPolicy
             .wipeDevice(DeviceSecurityPolicy.WIPE_EXTERNAL_MEMORY);
     if (result) {
         // SD card memory successfully wiped
     }
 } catch (SecurityException e) {
     Log.w(TAG, "SecurityException: " + e);
 }
 
Permission
The use of this API requires the caller to have the "com.samsung.android.knox.permission.KNOX_SECURITY" permission which has a protection level of signature.
Since
API level 2
MDM 2.0
Multiuser Environment
Global Scope