Since: API level 2
public class

PasswordPolicy

extends Object
java.lang.Object
   ↳ com.samsung.android.knox.devicesecurity.PasswordPolicy

Class Overview

This class provides APIs to control settings related to the device password. Most clients of this class must have published a DeviceAdminReceiver that the user has currently enabled, as it makes use of the DevicePolicyManager.

Since
API level 2
MDM 2.0

Summary

Constants
int BIOMETRIC_AUTHENTICATION_FACE Lockscreen FACE biometric authentication option
int BIOMETRIC_AUTHENTICATION_FINGERPRINT Lockscreen Fingerprint biometric authentication option
int BIOMETRIC_AUTHENTICATION_IRIS Lockscreen IRIS biometric authentication option
Public Methods
boolean deleteAllRestrictions()
API to remove all patterns set by a specific administrator.
boolean enforcePwdChange()
API to enforce password change.
boolean excludeExternalStorageForFailedPasswordsWipe(boolean enable)
API to include or exclude external storage when device is wiped due to exceeding maximum number of failed password attempts.
AuthenticationConfig getEnterpriseIdentityAuthentication()
API to get current Enterprise Identity authentication configuration.
List<String> getForbiddenStrings(boolean allAdmins)
API to retrieve the forbidden strings that cannot be used in the device password.
int getMaximumCharacterOccurences()
API to get the maximum number of times a character can occur in the device password.
int getMaximumCharacterSequenceLength()
API to get the maximum alphabetic sequence length allowed in the device password.
int getMaximumFailedPasswordsForDeviceDisable()
API to get the maximum number of failed password attempts after which the device is disabled.
int getMaximumNumericSequenceLength()
API to get the maximum numeric sequence length allowed in the device password.
int getMinPasswordComplexChars(ComponentName admin)
API to get the minimum number of complex characters required in the password.
int getMinimumCharacterChangeLength()
API to get the minimum number of changed characters a password string may have compared to the previous one.
int getPasswordChangeTimeout()
API to get the time value after which password must be changed if the user cancels the first password change enforcement.
int getPasswordExpires(ComponentName admin)
API to get the password age (number of days after which the password expires) in days for the current password.
int getPasswordHistory(ComponentName admin)
API to get the number of previous passwords that are stored in history.
int getPasswordLockDelay()
API to get the idle time after which the key guard lock (lock screen) is enabled.
String getRequiredPwdPatternRestrictions(boolean allAdmins)
API to retrieve the restricted password string patterns.
Map<IntegerString> getSupportedBiometricAuthentications()
API to get the supported biometric authentication methods on the device.
boolean isBiometricAuthenticationEnabled(int bioAuth)
API to check whether the biometric authentication option on the list of lockscreen password options is enabled or not.
boolean isExternalStorageForFailedPasswordsWipeExcluded()
API to check whether the external storage is included when device is wiped due to exceeding maximum number of failed password attempts.
boolean isMultifactorAuthenticationEnabled()
API to check whether multi-factor authentication is enabled or not.
boolean isPasswordVisibilityEnabled()
API to check whether the make password visible setting is enabled.
boolean isScreenLockPatternVisibilityEnabled()
API to check whether screen lock pattern visibility is enabled.
boolean lock()
API to lock the user.
void reboot(String reason)
API to reboot the device immediately,
boolean setBiometricAuthenticationEnabled(int bioAuth, boolean enable)
API to enable or disable the biometric authentication option on the list of lockscreen password options.
int setEnterpriseIdentityAuthentication(AuthenticationConfig config)
API to configure and enforce Enterprise Identity authentication.
boolean setForbiddenStrings(List<String> forbiddenStrings)
API to set strings that are forbidden in the device password.
boolean setMaximumCharacterOccurrences(int count)
API to set the maximum number of times a character can occur in the device password.
boolean setMaximumCharacterSequenceLength(int length)
API to set the maximum length of an alphabetic sequence that is allowed in the device password.
boolean setMaximumFailedPasswordsForDeviceDisable(int num)
API to set the maximum number of failed password attempts after which device is disabled
boolean setMaximumNumericSequenceLength(int length)
API to set the maximum length of the numeric sequence that is allowed in the device password.
void setMinPasswordComplexChars(ComponentName admin, int size)
API to set the password character length required when setting a new password.
boolean setMinimumCharacterChangeLength(int length)
API to set the minimum number of changed characters a password string may have when compared to the previous one.
void setMultifactorAuthenticationEnabled(boolean enable)
API to enable or disable multi-factor authentication.
boolean setPasswordChangeTimeout(int timeout)
API to set time value after which the password must be changed after the user cancels the first password change enforcement.
void setPasswordExpires(ComponentName admin, int value)
API to set password expiry days for a particular administrator.
void setPasswordHistory(ComponentName admin, int value)
API to set the number of previous passwords that the user cannot use when prompted to change the password.
boolean setPasswordLockDelay(int time)
API to set idle time after which key guard lock (lock screen) is enabled.
boolean setPasswordVisibilityEnabled(boolean allow)
API to enable or disable making the password visible while typing.
boolean setRequiredPasswordPattern(String regex)
API to set or override a pattern for password match.
boolean setScreenLockPatternVisibilityEnabled(boolean enable)
API to enable or disable screen lock pattern visibility.
boolean unlock()
API to unlock the user.
[Expand]
Inherited Methods
From class java.lang.Object

Constants

public static final int BIOMETRIC_AUTHENTICATION_FACE

Since: API level 29

Lockscreen FACE biometric authentication option

Since
MDM 5.9
MDM 5.9
Constant Value: 4 (0x00000004)

public static final int BIOMETRIC_AUTHENTICATION_FINGERPRINT

Since: API level 12

Lockscreen Fingerprint biometric authentication option

Since
API level 12
MDM 5.1
Constant Value: 1 (0x00000001)

public static final int BIOMETRIC_AUTHENTICATION_IRIS

Since: API level 13

Lockscreen IRIS biometric authentication option

Since
API level 13
MDM 5.2
Constant Value: 2 (0x00000002)

Public Methods

public boolean deleteAllRestrictions ()

Since: API level 2

API to remove all patterns set by a specific administrator.

Returns
  • true if successful, else false.
Throws
SecurityException If caller does not have required permissions
Usage
When the current password pattern owner deletes his patterns, a new owner is elected, normally the one who set the pattern before the current owner. If the new owner is not available then the next is chosen from the stack.

 EnterpriseDeviceManager edm = EnterpriseDeviceManager.getInstance(context);
 PasswordPolicy passwordPolicy = edm.getPasswordPolicy();
 try {
     boolean result = passwordPolicy.deleteAllRestrictions();
     if (true == result) {
         // all password restriction has been deleted
     }
 } catch (SecurityException e) {
     Log.w(TAG, "SecurityException: " + e);
 }
 
For Container:
 // When you create container successfully, containerID will be returned via intent.
 // Use this containerID in below API.
 EnterpriseKnoxManager ekm = EnterpriseKnoxManager.getInstance(context);
 KnoxContainerManager kcm = ekm.getKnoxContainerManager(containerID);
 PasswordPolicy passwordPolicy = kcm.getPasswordPolicy();
 try {
     boolean result = passwordPolicy.deleteAllRestrictions();
     if (true == result) {
         // all password restriction has been deleted
     }
 } catch (SecurityException e) {
     Log.w(TAG, "SecurityException: " + e);
 }
 

Permission
The use of this API requires the caller to have the "com.samsung.android.knox.permission.KNOX_SECURITY" permission which has a protection level of signature.
Since
API level 2
MDM 2.0
Multiuser Environment
User Scope

public boolean enforcePwdChange ()

Since: API level 2

API to enforce password change.

Returns
  • true if password change enforcement has started, false if password change enforcement has not started.
Throws
SecurityException If caller does not have required permissions
Usage
This API is called by an application that is managing the device. The API enforces changing an existing password (or enforces creating a password if the device has none). An administrator can use this API to present to the user a password dialog to change a password or set up a new password. If a password is already set in the device, and the administrator wants to allow the user to cancel the password dialog for a period of time, he can use setPasswordChangeTimeout(int) to set the period (in minutes) that the user can keep using the device before changing the existing password (default value is 0 - no option to cancel). If device has no password set, the user is required to change the password and is given no option to cancel. In this case, the password change timeout is ignored. This API will always enforce a PIN or Password, even if user has a pattern set.


Note: In order to confirm that password was succesfully changed, listen to ACTION_PASSWORD_CHANGE.

 EnterpriseDeviceManager edm = EnterpriseDeviceManager.getInstance(context);
 PasswordPolicy passwordPolicy = edm.getPasswordPolicy();
 try {
     // if Device has no password and password change timeout is 0.
     boolean result = passwordPolicy.enforcePwdChange();
     if (true == result) {
         // if successful user required to create a password with no
         // option to cancel dialog.
     }

     // if device already has a password and password change timeout is 0 .
     boolean result = passwordPolicy.enforcePwdChange();
     if (true == result) {
         // if successful user is required to change existing password with no option
         // to cancel dialog.
     }

     // if device has no password and we set password change timeout to some
     // positive value.
     passwordPolicy.setPasswordChangeTimeout(10);
     boolean result = passwordPolicy.enforcePwdChange();
     if (true == result) {
         // if successful user is required to create a password with no
         // option to cancel dialog because password change timeout is only used
         // for password changes, not new passwords.
     }

     // if device already has password and we set password change timeout to some
     // positive value.
     passwordPolicy.setPasswordChangeTimeout(10);
     boolean result = passwordPolicy.enforcePwdChange();
     if (true == result) {
         // if successful user is required to change existing password with the
         // option to cancel it for the first time. After 10 minutes the user is prompted again with no option to cancel.
 } catch (SecurityException e) {
     Log.w(TAG, "SecurityException: " + e);
 }
 
For Container:
Besides PIN and Password, Container also has support for pattern change enforcement.
 // When you create container successfully, containerID will be returned via intent.
 // Use this containerID in below API.
 EnterpriseKnoxManager ekm = EnterpriseKnoxManager.getInstance(context);
 KnoxContainerManager kcm = ekm.getKnoxContainerManager(containerID);
 PasswordPolicy passwordPolicy = kcm.getPasswordPolicy();
 try {
     // if Device has no password and password change timeout is 0.
     boolean result = passwordPolicy.enforcePwdChange();
     if (true == result) {
         // if successful user required to create a password with no
         // option to cancel dialog.
     }

     // if device already has a password and password change timeout is 0 .
     boolean result = passwordPolicy.enforcePwdChange();
     if (true == result) {
         // if successful user is required to change existing password with no option
         // to cancel dialog.
     }

     // if device has no password and we set password change timeout to some
     // positive value.
     passwordPolicy.setPasswordChangeTimeout(10);
     boolean result = passwordPolicy.enforcePwdChange();
     if (true == result) {
         // if successful user is required to create a password with no
         // option to cancel dialog because password change timeout is only used
         // for password changes, not new passwords.
     }

     // if device already has password and we set password change timeout to some
     // positive value.
     passwordPolicy.setPasswordChangeTimeout(10);
     boolean result = passwordPolicy.enforcePwdChange();
     if (true == result) {
         // if successful user is required to change existing password with the
         // option to cancel it for the first time. After 10 minutes the user is prompted again with no option to cancel.
 } catch (SecurityException e) {
     Log.w(TAG, "SecurityException: " + e);
 }
 

Permission
The use of this API requires the caller to have the "com.samsung.android.knox.permission.KNOX_SECURITY" permission which has a protection level of signature.
Since
API level 2
MDM 2.0
Multiuser Environment
User Scope

public boolean excludeExternalStorageForFailedPasswordsWipe (boolean enable)

Since: API level 6

API to include or exclude external storage when device is wiped due to exceeding maximum number of failed password attempts.

Parameters
enable true to exclude external storage during device wipe, false to include external storage during device wipe
Returns
  • true if successful, else false
Throws
SecurityException If caller does not have required permissions
Usage
An administrator can include or exclude external storage when the device is wiped due to exceeding the maximum number of failed password attempts without user interaction.

 EnterpriseDeviceManager edm = EnterpriseDeviceManager.getInstance(context);
 PasswordPolicy passwordPolicy = edm.getPasswordPolicy();
 try {
     boolean excludeExternalStorageWipe = true;
     // disable expernal storage wipe
     passwordPolicy.excludeExternalStorageForFailedPasswordsWipe(excludeExternalStorageWipe);
 } catch (SecurityException e) {
     Log.w(TAG, "SecurityException: " + e);
 }
 
Permission
The use of this API requires the caller to have the "com.samsung.android.knox.permission.KNOX_SECURITY" permission with a protection level of signature.
Since
API level 6
MDM 4.0
Multiuser Environment
Global Scope

public AuthenticationConfig getEnterpriseIdentityAuthentication ()

Since: API level 15

API to get current Enterprise Identity authentication configuration.
Note: Due to Android security limitations, the enterprise identity authentication feature will not work when Device Owner is enabled on the device.

Returns
  • Enterprise Identity config object
Usage
Admin can use this api to get current Enterprise Identity authentication configurations.

Note: Currently Enterprise Identity is supported only on Container.
For Container:
 // When you create container successfully, containerID will be returned via intent.
 // Use this containerID in below API.
 EnterpriseKnoxManager ekm = EnterpriseKnoxManager.getInstance(context);
 KnoxContainerManager kcm = ekm.getKnoxContainerManager(containerID);
 PasswordPolicy mPasswordPolicy = kcm.getPasswordPolicy();
 try {
     AuthenticationConfig authConfig = mPasswordPolicy.getEnterpriseIdentityAuthentication();
     if(authConfig != null ) {
         //successfully retrieved authentication config 
     } else {
        //unable to get authentication config
     }
 }catch (SecurityException e) {
     Log.e(TAG, "SecurityException: " + e);
 }
 
Permission
The use of this API requires the caller to add the "com.samsung.android.knox.permission.KNOX_SECURITY" permission with a protection level of signature.
Since
API level 15
MDM 5.4
Multiuser Environment
User Scope

public List<String> getForbiddenStrings (boolean allAdmins)

Since: API level 4

API to retrieve the forbidden strings that cannot be used in the device password.

Parameters
allAdmins If set to true, returns the concatenated list of forbidden strings of all administrators. If set to false, returns the forbidden string list for the calling administrator only.
Returns
  • All forbidden strings or null if there are no forbidden strings
Throws
SecurityException If caller does not have required permissions
Usage
An administrator can retrieve the strings that are forbidden in the device password. Personal data (variations on the user's name, email address, or X400 address) are examples of data that can be forbidden. If more than one administrator has set this value, the effective forbidden string list is the concatenation of forbidden strings specified by all administrators.
Permission
The use of this API requires the caller to have the "com.samsung.android.knox.permission.KNOX_SECURITY" permission which has a protection level of signature.
Since
API level 4
MDM 2.2
Multiuser Environment
User Scope

public int getMaximumCharacterOccurences ()

Since: API level 4

API to get the maximum number of times a character can occur in the device password.

Returns
  • Maximum number of times a character can occur in the device password. A value of '0' means that no restrictions are applied.
Usage
An administrator can retrieve the maximum number of times a character can occur in the device password. If more than one administrator has set this value then the least value takes priority.
Since
API level 4
MDM 2.2
Multiuser Environment
User Scope

public int getMaximumCharacterSequenceLength ()

Since: API level 6

API to get the maximum alphabetic sequence length allowed in the device password.

Returns
  • The maximum allowed alphabetic sequence length. A value of '0' specifies that no alphabetic sequence restrictions are applied.
Usage
An administrator can use this API to retrieve the length of alphabetic sequences that are allowed in the device password. For example, if the return value is '3' then "abc", "tsr", or "aaa" are alphabetic sequences of length '3' that are allowed in the device password. If more than one administrator has set this value, the minimum value takes priority.

Since
API level 6
MDM 4.0
Multiuser Environment
User Scope

public int getMaximumFailedPasswordsForDeviceDisable ()

Since: API level 2

API to get the maximum number of failed password attempts after which the device is disabled.

Returns
  • Number of failed password attempts after which device is disabled if successful, else 0.
Usage
An administrator can use this API to retrieve the maximum number of failed password attempts after which the device is disabled. For a device managed by multiple administrators, the lowest value that has been set applies.
Since
API level 2
MDM 2.0
Multiuser Environment
User Scope

public int getMaximumNumericSequenceLength ()

Since: API level 4

API to get the maximum numeric sequence length allowed in the device password.

Returns
  • The maximum allowed numeric sequence length. A value of '0' specifies that no numeric sequence restrictions are applied.
Usage
An administrator can use this API to retrieve the numeric sequence length allowed in the device password. For example, if the return value is '3' then "123" or "987" are allowed in the device password. For a device managed by multiple administrators, the minimum numeric sequence length is enforced.
Since
API level 4
MDM 2.2
Multiuser Environment
User Scope

public int getMinPasswordComplexChars (ComponentName admin)

Since: API level 2

API to get the minimum number of complex characters required in the password.

Returns
  • The number of complex characters in the password if successful, else 0.
Throws
SecurityException If caller does not have required permissions
Usage
An administrator can use this API to get the minimum number of complex characters required in the password and take appropriate action. According to protocol, complex characters can be digit or symbol that contribute to making stricter passwords. If MinPasswordComplexChars = 1, then at least one digit is required. If MinPasswordComplexChars > 1, then at least one digit and at least one symbol are required, and the count of complex characters >= MinPasswordComplexChars

Note: Since MDM 5.2 if MinPasswordComplexChars >= 4, then at least one lowercase character and one uppercase character are required.

Permission
The use of this API requires the caller to have the "com.samsung.android.knox.permission.KNOX_SECURITY" permission which has a protection level of signature.

Since
API level 2
MDM 2.0
Multiuser Environment
User Scope

public int getMinimumCharacterChangeLength ()

Since: API level 6

API to get the minimum number of changed characters a password string may have compared to the previous one.

Returns
  • Minimum number of changed characters (i.e., string distance) that the new password string contains compared to the previous one. A value of '0' specifies that no restrictions are applied.
Usage
An administrator can use this API to retrieve the minimum number of changed characters that a password string can have compared to the previous one. If more than one administrator has set this value, the maximum value takes priority.
Since
API level 6
MDM 4.0
Multiuser Environment
User Scope

public int getPasswordChangeTimeout ()

Since: API level 2

API to get the time value after which password must be changed if the user cancels the first password change enforcement.

Returns
  • The password timeout value in minutes if successful, else 0.
Usage
This API is called by an application that is managing the device. The API gets the timeout in minutes after which the password must be changed after the administrator uses enforcePwdChange() and the user cancels the first password change enforcement. If a password is already set in the device and the administrator calls enforcePwdChange(), the user can cancel the password change dialog; the password change is then definitely enforced again after the timeout set (default value is 0 - no option to cancel). If no password is set in the device and the administrator calls enforcePwdChange(), the user cannot cancel the change, so, in this case, the password change timeout is ignored.

Since
API level 2
MDM 2.0
Multiuser Environment
User Scope

public int getPasswordExpires (ComponentName admin)

Since: API level 2

API to get the password age (number of days after which the password expires) in days for the current password.

Parameters
admin Which DeviceAdminReceiver this request is associated with.
Returns
  • The number of days after which the password expires starting from when it was first set if successful, else 0.
Throws
SecurityException If caller does not have required permissions
Permission
The use of this API requires the caller to have the "com.samsung.android.knox.permission.KNOX_SECURITY" permission which has a protection level of signature.

Since
API level 2
MDM 2.0
Multiuser Environment
User Scope

public int getPasswordHistory (ComponentName admin)

Since: API level 2

API to get the number of previous passwords that are stored in history.

Returns
  • The number of previous passwords that cannot be used when setting a new password if successful, else 0.
Throws
SecurityException If caller does not have required permissions
Usage
An administrator can use this API to get the password history value in days and take appropriate action. An administrator can compel a device to store the specified number of previous passwords. The history supports the device in verifying that the user is not entering a previous password when prompted for a new one.
Permission
The use of this API requires the caller to have the "com.samsung.android.knox.permission.KNOX_SECURITY" permission which has a protection level of signature.

Since
API level 2
MDM 2.0
Multiuser Environment
User Scope

public int getPasswordLockDelay ()

Since: API level 2

API to get the idle time after which the key guard lock (lock screen) is enabled.

Returns
  • Time between screen time out and device is locked, -1 if none is set or administrator does not care.
Usage
Specifies how soon the device can be unlocked again after use without re-prompting for the passcode.

Since
API level 2
MDM 2.0
Multiuser Environment
Global Scope

public String getRequiredPwdPatternRestrictions (boolean allAdmins)

Since: API level 2

API to retrieve the restricted password string patterns.

Parameters
allAdmins If set to true, the restricted password string pattern for all administrators is retrieved. If set to false, only the restricted password string pattern for the calling administrator is retrieved.
Returns
  • All concatenated pattern string if success, else null.
Throws
SecurityException If caller does not have required permissions
Usage
If more than one pattern is restricted, this API concatenates all patterns and returns the concatenated list. The API can be used to apply complexity to a new password value.

Permission
The use of this API requires the caller to have the "com.samsung.android.knox.permission.KNOX_SECURITY" permission which has a protection level of signature.
Since
API level 2
MDM 2.0
Multiuser Environment
User Scope

public Map<IntegerString> getSupportedBiometricAuthentications ()

Since: API level 13

API to get the supported biometric authentication methods on the device.

Returns
  • Map object containing the unique integer key and the name of the supported biometric authentication methods.
Usage
Admin can get the unique integer key and the name of the supported biometric authentication methods on the device, and enable or disable it by using setBiometricAuthenticationEnabled(int, boolean).
 EnterpriseDeviceManager edm = EnterpriseDeviceManager.getInstance(context);
 PasswordPolicy passwordPolicy = edm.getPasswordPolicy();
 try {
     // get the unique integer key and the name of the supported biometric authentication methods on the device (1, "Fingerprint")
     Map<Integer,String> map = passwordPolicy.getSupportedBiometricAuthentications();
 } catch (SecurityException e) {
     Log.w(TAG, "SecurityException: " + e);
 }
 
For Container:
 // When you create container successfully, containerID will be returned via intent.
 // Use this containerID in below API.
 EnterpriseKnoxManager ekm = EnterpriseKnoxManager.getInstance(context);
 KnoxContainerManager kcm = ekm.getKnoxContainerManager(containerID);
 PasswordPolicy passwordPolicy = kcm.getPasswordPolicy();
 try {
     // get the unique integer key and the name of the supported biometric authentication methods on the device (1, "Fingerprint")
     Map<Integer,String> map = passwordPolicy.getSupportedBiometricAuthentications();
 } catch (SecurityException e) {
     Log.w(TAG, "SecurityException: " + e);
 }
 
Since
API level 13
MDM 5.2
Multiuser Environment
User Scope

public boolean isBiometricAuthenticationEnabled (int bioAuth)

Since: API level 12

API to check whether the biometric authentication option on the list of lockscreen password options is enabled or not.

Parameters
bioAuth lockscreen biometric authentication option
Returns
  • true if the biometric authentication option is enabled and false if it is disabled.
Usage
Admin can check whether the biometric authentication option on the list of lockscreen password options is enabled or not, and take appropriate action based on enterprise policy.
 EnterpriseDeviceManager edm = EnterpriseDeviceManager.getInstance(context);
 PasswordPolicy passwordPolicy = edm.getPasswordPolicy();
 try {
     // check whether the fingerprint option is enabled
     passwordPolicy.isBiometricAuthenticationEnabled(BIOMETRIC_AUTHENTICATION_FINGERPRINT);
 } catch (SecurityException e) {
     Log.w(TAG, "SecurityException: " + e);
 }
 
For Container:
When CC Mode (setCCMode(boolean)) is enabled on device, Administrator cannot enable Fingerprint option in lock screen. If Multi factor authentication (enforceMultifactorAuthentication(boolean)) is enforced, user can use Fingerprint as one of Multi factor authentication even if Administrator disables Fingerprint.

 // When you create container successfully, containerID will be returned via intent.
 // Use this containerID in below API.
 EnterpriseKnoxManager ekm = EnterpriseKnoxManager.getInstance(context);
 KnoxContainerManager kcm = ekm.getKnoxContainerManager(containerID);
 PasswordPolicy passwordPolicy = kcm.getPasswordPolicy();
 try {
     // check whether the fingerprint option is enabled
     passwordPolicy.isBiometricAuthenticationEnabled(BIOMETRIC_AUTHENTICATION_FINGERPRINT);
 } catch (SecurityException e) {
     Log.w(TAG, "SecurityException: " + e);
 }
 
Since
API level 12
MDM 5.1
Multiuser Environment
User Scope

public boolean isExternalStorageForFailedPasswordsWipeExcluded ()

Since: API level 6

API to check whether the external storage is included when device is wiped due to exceeding maximum number of failed password attempts.

Returns
  • true if external storage is excluded and false if it is included in device wipe.
Usage
An administrator can check whether the external storage is included when device is wiped due to exceeding maximum number of failed password attempts. The administrator can then take appropriate action based on enterprise policy.
Since
API level 6
MDM 4.0
Multiuser Environment
Global Scope

public boolean isMultifactorAuthenticationEnabled ()

Since: API level 24

API to check whether multi-factor authentication is enabled or not.

Throws
SecurityException If caller does not have required permissions
Usage
An administrator can use this API to check whether multi-factor authentication is enabled for specific user space.

 EnterpriseDeviceManager edm = EnterpriseDeviceManager.getInstance(context);
 PasswordPolicy passwordPolicy = edm.getPasswordPolicy();
 try {
     boolean status = passwordPolicy.isMultifactorAuthenticationEnabled();
 } catch (SecurityException e) {
     Log.w(TAG, "SecurityException: " + e);
 }
 
For Container:
 // When you create container successfully, containerID will be returned via intent.
 // Use this containerID in below API.
 EnterpriseKnoxManager ekm = EnterpriseKnoxManager.getInstance(context);
 KnoxContainerManager kcm = ekm.getKnoxContainerManager(containerID);
 PasswordPolicy passwordPolicy = kcm.getPasswordPolicy();
 try {
     boolean status = passwordPolicy.isMultifactorAuthenticationEnabled();
 } catch (SecurityException e) {
     Log.w(TAG, "SecurityException: " + e);
 }
 
Since
API level 24
KNOX 3.0
Multiuser Environment
User Scope

public boolean isPasswordVisibilityEnabled ()

Since: API level 6

API to check whether the make password visible setting is enabled.

Returns
  • True if make password visible is enabled, else false
Usage
An administrator can use this API to check whether the password visible setting is enabled and take appropriate action based on enterprise policy.
Since
API level 6
MDM 4.0
Multiuser Environment
User Scope

public boolean isScreenLockPatternVisibilityEnabled ()

Since: API level 5

API to check whether screen lock pattern visibility is enabled.

Returns
  • true if screen lock pattern visibility is enabled, else false
Usage
An administrator can use this API to check whether screen lock pattern visibility is enabled and take appropriate action based on enterprise policy.
Since
API level 5
MDM 3.0
Multiuser Environment
User Scope

public boolean lock ()

Since: API level 24

API to lock the user.

Throws
SecurityException If caller does not have required permissions
Usage
Use this API to lock the user. It will return true if the user is successfully locked.


Note: This API can be called only by Device owner or Profile owner.

 EnterpriseDeviceManager edm = EnterpriseDeviceManager.getInstance(context);
 PasswordPolicy passwordPolicy = edm.getPasswordPolicy();
 try {
     boolean status = passwordPolicy.lock();
 } catch (SecurityException e) {
     Log.w(TAG, "SecurityException: " + e);
 }
 
For Container:
 // When you create container successfully, containerID will be returned via intent.
 // Use this containerID in below API.
 EnterpriseKnoxManager ekm = EnterpriseKnoxManager.getInstance(context);
 KnoxContainerManager kcm = ekm.getKnoxContainerManager(containerID);
 PasswordPolicy passwordPolicy = kcm.getPasswordPolicy();
 try {
     boolean status = passwordPolicy.lock();
 } catch (SecurityException e) {
     Log.w(TAG, "SecurityException: " + e);
 }
 
Permission
The use of this API requires the caller to have the "com.samsung.android.knox.permission.KNOX_ADVANCED_SECURITY" permission which has a protection level of signature.
Since
API level 24
KNOX 3.0
Multiuser Environment
User Scope
See Also

public void reboot (String reason)

Since: API level 2

API to reboot the device immediately,

Parameters
reason Reason for rebooting (any string; may be null)
Throws
SecurityException If caller does not have required permissions
Usage
An administrator can use this API to silently reboot the device. The administrator can call this functionality after updating system level data. The operation passes 'reason' (may be null) to the underlying __reboot system call. The API call should not return a reply.

 EnterpriseDeviceManager edm = EnterpriseDeviceManager.getInstance(context);
 PasswordPolicy passwordPolicy = edm.getPasswordPolicy();
 try {
     passwordPolicy.reboot("admin");
 } catch (SecurityException e) {
     Log.w(TAG, "SecurityException: " + e);
 }
 
For Container:
 // When you create container successfully, containerID will be returned via intent.
 // Use this containerID in below API.
 EnterpriseKnoxManager ekm = EnterpriseKnoxManager.getInstance(context);
 KnoxContainerManager kcm = ekm.getKnoxContainerManager(containerID);
 PasswordPolicy passwordPolicy = kcm.getPasswordPolicy();
 try {
     passwordPolicy.reboot("admin");
 } catch (SecurityException e) {
     Log.w(TAG, "SecurityException: " + e);
 }
 
Permission
The use of this API requires the caller to have the "com.samsung.android.knox.permission.KNOX_SECURITY" permission which has a protection level of signature.
Since
API level 2
MDM 2.0
Multiuser Environment
User Scope

public boolean setBiometricAuthenticationEnabled (int bioAuth, boolean enable)

Since: API level 12

API to enable or disable the biometric authentication option on the list of lockscreen password options.
For specific biometric authentication options see,
BIOMETRIC_AUTHENTICATION_FINGERPRINT
BIOMETRIC_AUTHENTICATION_IRIS
BIOMETRIC_AUTHENTICATION_FACE

Parameters
bioAuth lockscreen biometric authentication option
enable true to enable the biometric authentication option, false to disable it.
Returns
  • true if successful, else false
Throws
SecurityException If caller does not have required permissions
Usage
Admin can enable or disable the biometric authentication option without user interaction. The user and 3rd party applications cannot enable the biometric authentication option setting once it is disabled.
Since Knox 3.0, in case if Biometric is used by Device Lock Screen and that Biometric got disabled then user will not be able to authenticate Lock Screen using it. Also user is free to add/delete biometric data , so third party apps can use biometric provided Keyguard is secure.
 EnterpriseDeviceManager edm = EnterpriseDeviceManager.getInstance(context);
 PasswordPolicy passwordPolicy = edm.getPasswordPolicy();
 try {
     // enable the fingerprint option
     passwordPolicy.setBiometricAuthenticationEnabled(BIOMETRIC_AUTHENTICATION_FINGERPRINT |
             BIOMETRIC_AUTHENTICATION_IRIS | BIOMETRIC_AUTHENTICATION_FACE, true);
 } catch (SecurityException e) {
     Log.w(TAG, "SecurityException: " + e);
 }
 
For Container:
When CC Mode (setCCMode(boolean)) is enabled on device, Administrator cannot enable Fingerprint option in lock screen. If Multi factor authentication (enforceMultifactorAuthentication(boolean)) is enforced, user can use Fingerprint as one of Multi factor authentication even if Administrator disables Fingerprint.

 // When you create container successfully, containerID will be returned via intent.
 // Use this containerID in below API.
 EnterpriseKnoxManager ekm = EnterpriseKnoxManager.getInstance(context);
 KnoxContainerManager kcm = ekm.getKnoxContainerManager(containerID);
 PasswordPolicy passwordPolicy = kcm.getPasswordPolicy();
 try {
     // enable the fingerprint option
     passwordPolicy.setBiometricAuthenticationEnabled(BIOMETRIC_AUTHENTICATION_FINGERPRINT |
             BIOMETRIC_AUTHENTICATION_IRIS | BIOMETRIC_AUTHENTICATION_FACE, true);
 } catch (SecurityException e) {
     Log.w(TAG, "SecurityException: " + e);
 }
 

NOTE: From MDM 5.2, in case of MDFPP(Mobile Device Fundamentals Protection Profile) SDP enabled container, fingerprint will be disabled.

Permission
The use of this API requires the caller to add the "com.samsung.android.knox.permission.KNOX_SECURITY" permission with a protection level of signature.
Since
API level 12
MDM 5.1
Multiuser Environment
User Scope

public int setEnterpriseIdentityAuthentication (AuthenticationConfig config)

Since: API level 15

API to configure and enforce Enterprise Identity authentication. The Enterprise Identity authentication is another type of lock type (similar to PIN/Password/Pattern)which allows user to use their enterprise credential as device unlock method.
Note: Due to Android security limitations, the enterprise identity authentication feature will not work when Device Owner is enabled on the device.

Returns
Usage
An administrator can use this api to change user's current lock type (PIN/Password/Fingerprint/etc) to Enterprise Identity. The admin can either configure Enterprise Identity and let user to choose lock type or the admin can enforce user to choose Enterprise Identity. Enterprise Identity lock will enforce password quality and all password complexity rules set on the device. So the admin is responsible for setting up proper password quality and complexity rules which matches the Enterprise Identity server(e.g Active Directory). If device password complexity rules do not match with Enterprise Identity rules, the user will not be able to successfully set up enterprise identity as an unlock type even if the user uses valid credentials. Also it is the adminstrator's responsiblity to install authenticator application before calling this api. It is also recommended to disable uninstallation and clearing data of the authenticator package in the case where user tries to uninstall the application or clear its data. Administrator must understand the various fields on the configuration object and their significance before using this api.

Note: Currently Enterprise Identity is supported only for container. ERROR_USER_NOT_AUTHORIZED will be return when it called from device level.
For Container:


Note:
Currently Enterprise Identity is not supported for MDFPP SDP enabled container.

 // Assume container already created and lock type set as PIN/Password and Admin wants to migrate to Enterprise Identity lock. 
 // The Following steps MUST followed for successful Enterprise Identity migration.
 
 // When you create container successfully, containerID will be returned via intent.
 // Use this containerID in below API.
 EnterpriseKnoxManager ekm = EnterpriseKnoxManager.getInstance(context);
 KnoxContainerManager kcm = ekm.getKnoxContainerManager(containerID);
 PasswordPolicy mPasswordPolicy = kcm.getPasswordPolicy();
 BasePasswordPolicy mBasePasswordPolicy = kcm.getBasePasswordPolicy();
 String AUTHENTICATOR_PKGNAME = AuthenticationConfig.SAMSUNG_KERBEROS_AUTHENTICATOR;
 String AUTHENTICATOR_PKGPATH = "/mnt/sdcard/authenticator.apk";
 
 //Step 1: Install authenticator application inside the container
 ApplicationPolicy appPolicy = kcm.getApplicationPolicy();
 boolean result = appPolicy.installApplication(AUTHENTICATOR_PKGPATH, false);
 //make sure user should not able to uninstall this authenticator apk
 appPolicy.setApplicationUninstallationDisabled (AUTHENTICATOR_PKGNAME);
 //make sure user should not able to clear data of this authenticator apk
 List list = new ArrayList();
 list.add(AUTHENTICATOR_PKGNAME);
 appPolicy.addPackagesToClearDataBlackList(list);
 
 //Step 2: Set up proper password quality and complexity rules. It should reflect current password quality and complexity rules 
 //set on Enterprise Identity server(e.g Active directory) otherwise error will be reported.
 mBasePasswordPolicy.setPasswordQuality( DevicePolicManager.PASSWORD_QUALITY_ALPHABETIC);
 mBasePasswordPolicy.setPasswordMinimumLength(8);
 mBasePasswordPolicy.setPasswordMinimumUpperCase(1);
 mBasePasswordPolicy.setPasswordMinimumLowerCase(1);
 mBasePasswordPolicy.setPasswordMinimumSymbols(0);
 mBasePasswordPolicy.setPasswordMinimumNumeric (1);    
  
 //Step 3: Set Enterprise Identity config 
 AuthenticationConfig  authConfig = new AuthenticationConfig();

 //Set the authenticator package name .Make sure given package already installed on the device
 authConfig.setAuthenticatorPkgName (AUTHENTICATOR_PKGNAME);

 //Set authenticator signature (optional);
 authConfig.setAuthenticatorPkgSignature(null);
 
 //Show Enterprise Identity option on available lock types.
 authConfig.setHideEnterpriseIdentityLock(true);

 //Enforce Enterprise Identity
 authConfig.setForceEnterpriseIdentityLock(true);

 //configure authenticator params
 Bundle authBundle  = new Bundle();
 authBundle.putString ("LIBDEFAULTS_DEFAULT_REALM", "SISOIDP.IN");
 authBundle.putString ("FEDERATION_SERVER_URL", "idpsrv.sisoidp.in");
 authConfig.setAuthenticatorConfig(authBundle);
 int ret = mPasswordPolicy.setEnterpriseIdentityAuthentication(authConfig);
 //success 
 // Step 4: Trigger password change flow 
 if ( ret == 0 ){
     mPasswordPolicy.enforcePwdChange();
 } else {
     // fail cases
     switch (ret) {
        case AuthenticationConfig.ERROR_INTERNAL_FAIL:
            Log.d ( TAG, " Error:unable to configure due to some internal error");
            break;
        case AuthenticationConfig.ERROR_USER_NOT_AUTHORIZED:
            Log.d ( TAG, " Error:Not authorized to do this operation");
            break;
        case AuthenticationConfig.ERROR_INVALID_INPUT:
            Log.d ( TAG, " Error:Invalid input");
            break;
        case AuthenticationConfig.ERROR_AUTHENTICATOR_PACKAGE_NOT_INSTALLED:
            Log.d ( TAG, " Authenticator package not installed");
            break;
        case AuthenticationConfig.ERROR_AUTHENTICATOR_SIGNATURE_MISMATCH:
            Log.d ( TAG, " Authenticator signature not matching");
            break;
     }     
 }
 
Permission
The use of this API requires the caller to add the "com.samsung.android.knox.permission.KNOX_SECURITY" permission with a protection level of signature.
Since
API level 15
MDM 5.4
Multiuser Environment
User Scope

public boolean setForbiddenStrings (List<String> forbiddenStrings)

Since: API level 4

API to set strings that are forbidden in the device password.

Parameters
forbiddenStrings List of strings forbidden in the device password. Pass null or a empty entry in list to remove all strings.
Returns
  • true - on success
    false - on failure
Throws
SecurityException If caller does not have required permissions
Usage
An administrator can use this API to set strings that are forbidden in the device password. Forbidden strings may include personal data (variations on the user's name, email address, or X400 address) or any other strings.
 EnterpriseDeviceManager edm = EnterpriseDeviceManager.getInstance(context);
 PasswordPolicy passwordPolicy = edm.getPasswordPolicy();
 try {
     List<String> forbiddenStrings = new ArrayList<String>();
     forbiddenStrings.add("user123");
     forbiddenStrings.add("12345");
     forbiddenStrings.add("user123@company.com");
     boolean result = passwordPolicy.setForbiddenStrings(forbiddenStrings);
     if (true == result) {
         // policy successfully set
     }
 } catch (SecurityException e) {
     Log.w(TAG, "SecurityException: " + e);
 }

 // Reset forbidden strings
 // Option 1:
 try {
     List<String> forbiddenStrings = null;
     boolean result = passwordPolicy.setForbiddenStrings(forbiddenStrings)
 } catch (SecurityException e) {
     Log.w(TAG, SecurityException: + e);
 }

 // Option 2:
 try {
     List<String> forbiddenStrings = new ArrayList<String>();
     forbiddenStrings.add("");
     boolean result = passwordPolicy.setForbiddenStrings(forbiddenStrings)
 } catch (SecurityException e) {
     Log.w(TAG, SecurityException: + e);
 }
 
For Container:
 // When you create container successfully, containerID will be returned via intent.
 // Use this containerID in below API.
 EnterpriseKnoxManager ekm = EnterpriseKnoxManager.getInstance(context);
 KnoxContainerManager kcm = ekm.getKnoxContainerManager(containerID);
 PasswordPolicy passwordPolicy = kcm.getPasswordPolicy();
 try {
     List<String> forbiddenStrings = new ArrayList<String>();
     forbiddenStrings.add("user123");
     forbiddenStrings.add("12345");
     forbiddenStrings.add("user123@company.com");
     boolean result = passwordPolicy.setForbiddenStrings(forbiddenStrings);
     if (true == result) {
         // policy successfully set
     }
 } catch (SecurityException e) {
     Log.w(TAG, "SecurityException: " + e);
 }

 // Reset forbidden strings
 // Option 1:
 try {
     List<String> forbiddenStrings = null;
     boolean result = passwordPolicy.setForbiddenStrings(forbiddenStrings)
 } catch (SecurityException e) {
     Log.w(TAG, SecurityException: + e);
 }

 // Option 2:
 try {
     List<String> forbiddenStrings = new ArrayList<String>();
     forbiddenStrings.add("");
     boolean result = passwordPolicy.setForbiddenStrings(forbiddenStrings)
 } catch (SecurityException e) {
     Log.w(TAG, SecurityException: + e);
 }
 
Permission
The use of this API requires the caller to have the "com.samsung.android.knox.permission.KNOX_SECURITY" permission which has a protection level of signature.
Since
API level 4
MDM 2.2
Multiuser Environment
User Scope

public boolean setMaximumCharacterOccurrences (int count)

Since: API level 4

API to set the maximum number of times a character can occur in the device password.

Parameters
count Maximum number of times a character can occur in the device password. A value of '0' specifies that no restrictions are applied.
Returns
  • true - on successful setting of this restriction
    false - on failure to set this restriction
Throws
SecurityException If caller does not have required permissions
Usage
An administrator can use this API to specify the maximum number of occurrences of a character in the device password. Characters can be numeric, alphabetic, or symbolic. For example, "aaabcde" has three occurrences of an 'a', "1b1c1de" has three occurrences of a '1', and "a@b@c@" has three occurrences of a '@'. A value of '0' specifies that no restrictions are applied.
 EnterpriseDeviceManager edm = EnterpriseDeviceManager.getInstance(context);
 PasswordPolicy passwordPolicy = edm.getPasswordPolicy();
 try {
     int maxCharOccur = 3;
     boolean result = passwordPolicy.setMaximumCharacterOccurrences(maxCharOccur);
     if (true == result) {
         // policy successfully set
     }
 } catch (SecurityException e) {
     Log.w(TAG, "SecurityException: " + e);
 }
 
For Container:
 // When you create container successfully, containerID will be returned via intent.
 // Use this containerID in below API.
 EnterpriseKnoxManager ekm = EnterpriseKnoxManager.getInstance(context);
 KnoxContainerManager kcm = ekm.getKnoxContainerManager(containerID);
 PasswordPolicy passwordPolicy = kcm.getPasswordPolicy();
 try {
     int maxCharOccur = 3;
     boolean result = passwordPolicy.setMaximumCharacterOccurrences(maxCharOccur);
     if (true == result) {
         // policy successfully set
     }
 } catch (SecurityException e) {
     Log.w(TAG, "SecurityException: " + e);
 }
 
Permission
The use of this API requires the caller to have the "com.samsung.android.knox.permission.KNOX_SECURITY" permission which has a protection level of signature.
Since
API level 4
MDM 2.2
Multiuser Environment
User Scope

public boolean setMaximumCharacterSequenceLength (int length)

Since: API level 6

API to set the maximum length of an alphabetic sequence that is allowed in the device password.

Parameters
length Maximum allowed length of alphabetic sequences. A value of '0' specifies that no alphabetic sequence restrictions are applied.
Returns
  • true - on successful setting of this restriction
    false - on failure to set this restriction
Throws
SecurityException If caller does not have required permissions
Usage
An administrator can use this API to set the maximum alphabetic sequence length. This setting specifies that the device password must not contain alphabetic sequences greater than the given length. For example, if the alphabetic sequence length is set to 5, the alphabetic sequence "abcde" is allowed but the sequence "abcdef" is prohibited. A value of '0' specifies that no alphabetic sequence restrictions are applied.
 EnterpriseDeviceManager edm = EnterpriseDeviceManager.getInstance(context);
 PasswordPolicy passwordPolicy = edm.getPasswordPolicy();
 try {
     int maxAlphabeticSequenceLength = 3;
     boolean result = passwordPolicy.setMaximumCharacterSequenceLength(maxAlphabeticSequenceLength);
     if (true == result) {
         // policy successfully set
     }
 } catch (SecurityException e) {
     Log.w(TAG, "SecurityException: " + e);
 }
 
For Container:
 // When you create container successfully, containerID will be returned via intent.
 // Use this containerID in below API.
 EnterpriseKnoxManager ekm = EnterpriseKnoxManager.getInstance(context);
 KnoxContainerManager kcm = ekm.getKnoxContainerManager(containerID);
 PasswordPolicy passwordPolicy = kcm.getPasswordPolicy();
 try {
     int maxAlphabeticSequenceLength = 3;
     boolean result = passwordPolicy.setMaximumCharacterSequenceLength(maxAlphabeticSequenceLength);
     if (true == result) {
         // policy successfully set
     }
 } catch (SecurityException e) {
     Log.w(TAG, "SecurityException: " + e);
 }
 
Permission
The use of this API requires the caller to have the "com.samsung.android.knox.permission.KNOX_SECURITY" permission which has a protection level of signature.
Since
API level 6
MDM 4.0
Multiuser Environment
User Scope

public boolean setMaximumFailedPasswordsForDeviceDisable (int num)

Since: API level 2

API to set the maximum number of failed password attempts after which device is disabled

Parameters
num Number of failed password attempts after which device is disabled. A value of zero (0) specifies that no such restrictions are applied.
Returns
  • true if successful, else false.
Throws
SecurityException If caller does not have required permissions
Usage
An administrator who is managing the device can call this API to set the maximum number of failed password attempts after which the device is disabled. When the device is disabled, the user cannot enter a password. The only way to re-enable the device is for the administrator to set the value to "0" again.

 EnterpriseDeviceManager edm = EnterpriseDeviceManager.getInstance(context);
 PasswordPolicy passwordPolicy = edm.getPasswordPolicy();
 try {
     // setting 10 as max number of attempts.
     int numberofFailedAttempts = 10;
     boolean result = passwordPolicy
             .setMaximumFailedPasswordsForDeviceDisable(numberofFailedAttempts);
     if (true == result) {
         // device will be disabled after 10 wrong attempts of
         // password
     }
 } catch (SecurityException e) {
     Log.w(TAG, "SecurityException: " + e);
 }
 
For Container:
 // When you create container successfully, containerID will be returned via intent.
 // Use this containerID in below API.
 EnterpriseKnoxManager ekm = EnterpriseKnoxManager.getInstance(context);
 KnoxContainerManager kcm = ekm.getKnoxContainerManager(containerID);
 PasswordPolicy passwordPolicy = kcm.getPasswordPolicy();
 try {
     // setting 10 as max number of attempts.
     int numberofFailedAttempts = 10;
     boolean result = passwordPolicy
             .setMaximumFailedPasswordsForDeviceDisable(numberofFailedAttempts);
     if (true == result) {
         // device will be disabled after 10 wrong attempts of
         // password
     }
 } catch (SecurityException e) {
     Log.w(TAG, "SecurityException: " + e);
 }
 
Permission
The use of this API requires the caller to have the "com.samsung.android.knox.permission.KNOX_SECURITY" permission with a protection level of signature.
Since
API level 2
MDM 2.0
Multiuser Environment
User Scope

public boolean setMaximumNumericSequenceLength (int length)

Since: API level 4

API to set the maximum length of the numeric sequence that is allowed in the device password.

Parameters
length Maximum allowed length of numeric sequences. A value of '0' specifies that no numeric sequence restrictions are applied.
Returns
  • true - on successful setting of this restriction
    false - on failure to set this restriction
Throws
SecurityException If caller does not have required permissions
Usage
An administrator can call this API to set the maximum numeric sequence length allowed in the device password. This API specifies that the device password must not contain a numeric sequences greater than the given length. For example, if the maximum numeric sequence length is set to 5, the numeric sequence "12345" is allowed but "123456" is prohibited. A value of '0' specifies that no numeric sequence restrictions are applied.
 EnterpriseDeviceManager edm = EnterpriseDeviceManager.getInstance(context);
 PasswordPolicy passwordPolicy = edm.getPasswordPolicy();
 try {
     int maxNumericSequenceLength = 3;
     boolean result = passwordPolicy.setMaximumNumericSequenceLength(maxNumericSequenceLength);
     if (true == result) {
         // policy successfully set
     }
 } catch (SecurityException e) {
     Log.w(TAG, "SecurityException: " + e);
 }
 
For Container:
 // When you create container successfully, containerID will be returned via intent.
 // Use this containerID in below API.
 EnterpriseKnoxManager ekm = EnterpriseKnoxManager.getInstance(context);
 KnoxContainerManager kcm = ekm.getKnoxContainerManager(containerID);
 PasswordPolicy passwordPolicy = kcm.getPasswordPolicy();
 try {
     int maxNumericSequenceLength = 3;
     boolean result = passwordPolicy.setMaximumNumericSequenceLength(maxNumericSequenceLength);
     if (true == result) {
         // policy successfully set
     }
 } catch (SecurityException e) {
     Log.w(TAG, "SecurityException: " + e);
 }
 
Permission
The use of this API requires the caller to have the "com.samsung.android.knox.permission.KNOX_SECURITY" permission which has a protection level of signature.
Since
API level 4
MDM 2.2
Multiuser Environment
User Scope

public void setMinPasswordComplexChars (ComponentName admin, int size)

Since: API level 2

API to set the password character length required when setting a new password. According to protocol, complex characters are digits or symbols that contribute to making stricter passwords. If MinPasswordComplexChars = 1, then at least one digit is required. If MinPasswordComplexChars > 1, then at least one digit and at least one symbol are required, and the count of complex characters >= MinPasswordComplexChars.

Note: Since MDM 5.2 if MinPasswordComplexChars >= 4, then at least one lowercase character and one uppercase character are required.

Parameters
size Number of complex characters that must be present in the password.
Throws
SecurityException If caller does not have required permissions
Usage
This API is called by an application that manages the device to set the minimum complex characters in the password.
 EnterpriseDeviceManager edm = EnterpriseDeviceManager.getInstance(context);
 DevicePolicyManager dpm = (DevicePolicyManager) getSystemService(Context.DEVICE_POLICY_SERVICE);
 PasswordPolicy passwordPolicy = edm.getPasswordPolicy();
 try {
     ComponentName enterpriseDeviceAdmin = new ComponentName(context, EDMTestsAdmin.class);
     // enforcing complex character as 2, i.e., user needs to enter
     // at least one digit and one symbol in new password.
     int complexChar = 2;

     dpm.setPasswordQuality(enterpriseDeviceAdmin, DevicePolicyManager.PASSWORD_QUALITY_COMPLEX);// For HC

     passwordPolicy.setMinPasswordComplexChars(enterpriseDeviceAdmin, complexChar);
 } catch (SecurityException e) {
     Log.w(TAG, "SecurityException: " + e);
 }
 
For Container:
 // When you create container successfully, containerID will be returned via intent.
 // Use this containerID in below API.
 EnterpriseKnoxManager ekm = EnterpriseKnoxManager.getInstance(context);
 KnoxContainerManager kcm = ekm.getKnoxContainerManager(containerID);
 PasswordPolicy passwordPolicy = kcm.getPasswordPolicy();
 DevicePolicyManager dpm = (DevicePolicyManager) getSystemService(Context.DEVICE_POLICY_SERVICE);
 try {
     ComponentName enterpriseDeviceAdmin = new ComponentName(context, EDMTestsAdmin.class);
     // enforcing complex character as 2, i.e., user needs to enter
     // at least one digit and one symbol in new password.
     int complexChar = 2;

     dpm.setPasswordQuality(enterpriseDeviceAdmin, DevicePolicyManager.PASSWORD_QUALITY_COMPLEX);// For HC

     passwordPolicy.setMinPasswordComplexChars(enterpriseDeviceAdmin, complexChar);
 } catch (SecurityException e) {
     Log.w(TAG, "SecurityException: " + e);
 }
 
Permission
The calling device administrator must have a "limit-password" tag for Android version 3.0 onward in the "uses-policies" section of its metadata so as to call this method; if the tag does not exist, a security exception is thrown.
The use of this API requires the caller to have the "com.samsung.android.knox.permission.KNOX_SECURITY" permission which has a protection level of signature.

Since
API level 2
MDM 2.0
Dependency
Password quality should be PASSWORD_QUALITY_COMPLEX.
Multiuser Environment
User Scope

public boolean setMinimumCharacterChangeLength (int length)

Since: API level 6

API to set the minimum number of changed characters a password string may have when compared to the previous one.

Returns
  • true - on successful setting of this restriction
    false - on failure to set this restriction
Throws
SecurityException If caller does not have required permissions
Usage
An administrator can use this API to specify that a new password must have a minimum number of changed characters. The difference between both strings shall be calculated using the Levenshtein algorithm. Characters can be numeric, alphabetic, or symbolic. According to the Levenshtein method, strings like "test" and "best" differ from each other by 1 unit. "test" and "toad" differ from each other by 3 units. "test" and "est" differ from each other by 1 unit. A value of '0' specifies that no restrictions are applied.
 EnterpriseDeviceManager edm = EnterpriseDeviceManager.getInstance(context);
 PasswordPolicy passwordPolicy = edm.getPasswordPolicy();
 try {
     int minChangedChars = 3;
     boolean result = passwordPolicy.setMinimumCharacterChangeLength(minChangedChars);
     if (true == result) {
         // policy successfully set
     }
 } catch (SecurityException e) {
     Log.w(TAG, "SecurityException: " + e);
 }
 
For Container:
 // When you create container successfully, containerID will be returned via intent.
 // Use this containerID in below API.
 EnterpriseKnoxManager ekm = EnterpriseKnoxManager.getInstance(context);
 KnoxContainerManager kcm = ekm.getKnoxContainerManager(containerID);
 PasswordPolicy passwordPolicy = kcm.getPasswordPolicy();
 try {
     int minChangedChars = 3;
     boolean result = passwordPolicy.setMinimumCharacterChangeLength(minChangedChars);
     if (true == result) {
         // policy successfully set
     }
 } catch (SecurityException e) {
     Log.w(TAG, "SecurityException: " + e);
 }
 
Permission
The use of this API requires the caller to have the "com.samsung.android.knox.permission.KNOX_SECURITY" permission which has a protection level of signature.
Since
API level 6
MDM 4.0
Multiuser Environment
User Scope

public void setMultifactorAuthenticationEnabled (boolean enable)

Since: API level 24

API to enable or disable multi-factor authentication.

Throws
SecurityException If caller does not have required permissions
Usage
When this policy is enforced more than one form of authentication is required to unlock keyguard for specific user space. As an example, user is required to authenticate finger print and also required to authenticate one of the device unlock methods chosen among pattern/pin/password. By default this policy is disabled, unless administrator chooses to enable it.

If administrator disables biometric authentication then multi-factor cannot be enforced, unless user already has multi-factor setup prior to biometric being disabled.


Note: This API can be called only by Device owner or Profile owner.

 EnterpriseDeviceManager edm = EnterpriseDeviceManager.getInstance(context);
 PasswordPolicy passwordPolicy = edm.getPasswordPolicy();
 try {
     passwordPolicy.setMultifactorAuthenticationEnabled(true);
 } catch (SecurityException e) {
     Log.w(TAG, "SecurityException: " + e);
 }
 
For Container:
 // When you create container successfully, containerID will be returned via intent.
 // Use this containerID in below API.
 EnterpriseKnoxManager ekm = EnterpriseKnoxManager.getInstance(context);
 KnoxContainerManager kcm = ekm.getKnoxContainerManager(containerID);
 PasswordPolicy passwordPolicy = kcm.getPasswordPolicy();
 try {
     passwordPolicy.setMultifactorAuthenticationEnabled(true);
 } catch (SecurityException e) {
     Log.w(TAG, "SecurityException: " + e);
 }
 
Permission
The use of this API requires the caller to have the "com.samsung.android.knox.permission.KNOX_ADVANCED_SECURITY" permission which has a protection level of signature.
Since
API level 24
KNOX 3.0
Multiuser Environment
User Scope

public boolean setPasswordChangeTimeout (int timeout)

Since: API level 2

API to set time value after which the password must be changed after the user cancels the first password change enforcement.

Parameters
timeout The password change timeout value in minutes.
Returns
  • true if the value was set successfully, else false
Throws
SecurityException If caller does not have required permissions
Usage
This API is called by an application that is managing the device. The API sets the timeout in minutes after which the password must be changed after the administrator uses enforcePwdChange() and the user cancels the first password change enforcement. If a password is already set in the device and the administrator calls enforcePwdChange(), the user can cancel the password change dialog; the password change is definitely enforced again after the timeout set (default value is 0 - no option to cancel). If no password is set in the device and the administrator calls enforcePwdChange(), the user cannot cancel it, so, in this case, the password change timeout is ignored.

 EnterpriseDeviceManager edm = EnterpriseDeviceManager.getInstance(context);
 PasswordPolicy passwordPolicy = edm.getPasswordPolicy();
 int timeout = 10;
 try {
     boolean result = passwordPolicy.setPasswordChangeTimeout(timeout);
     if (true == result) {
         // password change timeout value set
     }
 } catch (SecurityException e) {
     Log.w(TAG, "SecurityException: " + e);
 }
 
For Container:
 // When you create container successfully, containerID will be returned via intent.
 // Use this containerID in below API.
 EnterpriseKnoxManager ekm = EnterpriseKnoxManager.getInstance(context);
 KnoxContainerManager kcm = ekm.getKnoxContainerManager(containerID);
 PasswordPolicy passwordPolicy = kcm.getPasswordPolicy();
 int timeout = 10;
 try {
     boolean result = passwordPolicy.setPasswordChangeTimeout(timeout);
     if (true == result) {
         // password change timeout value set
     }
 } catch (SecurityException e) {
     Log.w(TAG, "SecurityException: " + e);
 }
 

Permission
The use of this API requires the caller to have the "com.samsung.android.knox.permission.KNOX_SECURITY" permission which has a protection level of signature.

Since
API level 2
MDM 2.0
Multiuser Environment
User Scope

public void setPasswordExpires (ComponentName admin, int value)

Since: API level 2

API to set password expiry days for a particular administrator.

Parameters
admin Which DeviceAdminReceiver this request is associated with.
value Number of days after which the password expires.
Throws
SecurityException If caller does not have required permissions
Usage
This API is called by an application that is managing the device to set the maximum password age in days after which the password has to be changed. Value 0 will reset this policy and no expiry will be applied.

 EnterpriseDeviceManager edm = EnterpriseDeviceManager.getInstance(context);
 PasswordPolicy passwordPolicy = edm.getPasswordPolicy();
 try {
     ComponentName enterpriseDeviceAdmin = new ComponentName(context, EDMTestsAdmin.class);
     int passwordExpiryDays = 10;
     passwordPolicy.setPasswordExpires(enterpriseDeviceAdmin, passwordExpiryDays);
 } catch (SecurityException e) {
     Log.w(TAG, "SecurityException: " + e);
 }
 
For Container:
 // When you create container successfully, containerID will be returned via intent.
 // Use this containerID in below API.
 EnterpriseKnoxManager ekm = EnterpriseKnoxManager.getInstance(context);
 KnoxContainerManager kcm = ekm.getKnoxContainerManager(containerID);
 PasswordPolicy passwordPolicy = kcm.getPasswordPolicy();
 try {
     ComponentName enterpriseDeviceAdmin = new ComponentName(context, EDMTestsAdmin.class);
     int passwordExpiryDays = 10;
     passwordPolicy.setPasswordExpires(enterpriseDeviceAdmin, passwordExpiryDays);
 } catch (SecurityException e) {
     Log.w(TAG, "SecurityException: " + e);
 }
 
Permission
The device administrator must have a "expire-password" tag in the "uses-policies" section of its metadata so as to call this method; if the tag does not exist, a SecurityException is thrown.
The use of this API requires the caller to have the "com.samsung.android.knox.permission.KNOX_SECURITY" permission which has a protection level of signature.
Since
API level 2
MDM 2.0
Multiuser Environment
User Scope

public void setPasswordHistory (ComponentName admin, int value)

Since: API level 2

API to set the number of previous passwords that the user cannot use when prompted to change the password.

Parameters
value Number of previous passwords that cannot be used when setting a new password.
Throws
SecurityException If caller does not have required permissions
Usage
This API is called by an application that is managing the device to set the maximum password history (the number of previous passwords that cannot be used when setting a new password). Value 0 will reset this policy and no history will be checked.
 EnterpriseDeviceManager edm = EnterpriseDeviceManager.getInstance(context);
 PasswordPolicy passwordPolicy = edm.getPasswordPolicy();
 try {
     ComponentName enterpriseDeviceAdmin = new ComponentName(context, EDMTestsAdmin.class);

     passwordPolicy.setPasswordHistory(enterpriseDeviceAdmin, 5);
 } catch (SecurityException e) {
     Log.w(TAG, "SecurityException: " + e);
 }
 
For Container:
 // When you create container successfully, containerID will be returned via intent.
 // Use this containerID in below API.
 EnterpriseKnoxManager ekm = EnterpriseKnoxManager.getInstance(context);
 KnoxContainerManager kcm = ekm.getKnoxContainerManager(containerID);
 PasswordPolicy passwordPolicy = kcm.getPasswordPolicy();
 try {
     ComponentName enterpriseDeviceAdmin = new ComponentName(context, EDMTestsAdmin.class);

     passwordPolicy.setPasswordHistory(enterpriseDeviceAdmin, 5);
 } catch (SecurityException e) {
     Log.w(TAG, "SecurityException: " + e);
 }
 
Permission
The calling device administrator must have a "limit-password" tag for Android version 3.0 onward in the "uses-policies" section of its metadata so as to call this method;if the tag does not exist, a SecurityException is thrown.
The use of this API requires the caller to have the "com.samsung.android.knox.permission.KNOX_SECURITY" permission which has a protection level of signature.

Since
API level 2
MDM 2.0
Multiuser Environment
User Scope

public boolean setPasswordLockDelay (int time)

Since: API level 2

API to set idle time after which key guard lock (lock screen) is enabled.

Parameters
time Time to wait in seconds for passcode prompt after lock screen.
Returns
  • true if successful, else false.
Throws
SecurityException If caller does not have required permissions
Usage
An administrator can use this API to set the duration of idle time before the key guard lock (lock screen) is enabled. Device settings provide to the user a way to set time values to lock the device automatically or instantly by pressing power key. Considering the conflict between these functionalities and this API, the strictest value (shorter time) is the one that will be applied, no matter if it was defined by administrator or by user via device settings. When the functionality of 'lock instantly with power key' is enabled and the power key is pressed, the screen will be locked instantly regardless of the time set by either the administrator or the user. If the device is managed by multiple administrators, the lowest value is used as the lock time. If the password is set, the user is prompted for the password while unlocking the device. If administrator does not care about the idle time he can set -1. If set to 0 then device is locked immediately after screen time out.

 EnterpriseDeviceManager edm = EnterpriseDeviceManager.getInstance(context);
 PasswordPolicy passwordPolicy = edm.getPasswordPolicy();
 try {
     // enforcing 10 second timeout
     int time = 10;
     boolean result = passwordPolicy.setPasswordLockDelay(time);
     if (true == result) {
         // screen gets locked after 10 seconds of idle time
     }
 } catch (SecurityException e) {
     Log.w(TAG, "SecurityException: " + e);
 }
 

Permission
The use of this API requires the caller to have the "com.samsung.android.knox.permission.KNOX_SECURITY" permission which has a protection level of signature.

Since
API level 2
MDM 2.0
Multiuser Environment
Global Scope

public boolean setPasswordVisibilityEnabled (boolean allow)

Since: API level 6

API to enable or disable making the password visible while typing.

Parameters
allow true to enable, false to disable
Returns
  • true if successful, else false
Throws
SecurityException If caller does not have required permissions
Usage
An administrator can enable or disable making the password visible without user interaction. The user and third-party applications cannot enable the visibility setting once it is disabled.


Note: Since Knox 3.0, this API will also disable the eye icon during password configuration and lockscreen.

 EnterpriseDeviceManager edm = EnterpriseDeviceManager.getInstance(context);
 PasswordPolicy passwordPolicy = edm.getPasswordPolicy();
 try {
     boolean enableMakePwdVisible = true;
     // disable visible pattern
     passwordPolicy.setPasswordVisibilityEnabled(enableMakePwdVisible);
 } catch (SecurityException e) {
     Log.w(TAG, "SecurityException: " + e);
 }
 
For Container:

Note : This API is not applicable for container. Container will follow owner's behavior.

Permission
The use of this API requires the caller to have the "com.samsung.android.knox.permission.KNOX_SECURITY" permission with a protection level of signature.
Since
API level 6
MDM 4.0
Multiuser Environment
User Scope for multi-user scenario only

public boolean setRequiredPasswordPattern (String regex)

Since: API level 2

API to set or override a pattern for password match.

Parameters
regex The required pattern to be matched.
Returns
  • true if successful, else false.
Throws
SecurityException If caller does not have required permissions
Usage
The administrator that last set the password pattern becomes the password pattern owner, meaning that only the owner's patterns are used to match new passwords. An administrator can force the user to enter a password based on a regular expression. For example, if the regular expression is [a-zA-Z]{4}[0-9]{4}, the administrator forces the user to enter an 8-character password with first 4 characters alphabetic and next 4 characters numeric. The administrator must be careful when setting this pattern. Android requires a minimum password length of 4 characters and a maximum length of 16 characters. The pattern set must always allow passwords following these constraints.
 EnterpriseDeviceManager edm = EnterpriseDeviceManager.getInstance(context);
 PasswordPolicy passwordPolicy = edm.getPasswordPolicy();
 String regex = "[a-zA-Z]{4}[0-9]{4}";
 try {
     // forced to enter 8 characters containing 4 alphabetic characters and 4 digits.
     boolean result = passwordPolicy.setRequiredPasswordPattern(regex);
     if (true == result) {
         // password pattern set
     }
 } catch (SecurityException e) {
     Log.w(TAG, "SecurityException: " + e);
 }
 
For Container:
 // When you create container successfully, containerID will be returned via intent.
 // Use this containerID in below API.
 EnterpriseKnoxManager ekm = EnterpriseKnoxManager.getInstance(context);
 KnoxContainerManager kcm = ekm.getKnoxContainerManager(containerID);
 PasswordPolicy passwordPolicy = kcm.getPasswordPolicy();
 String regex = "[a-zA-Z]{4}[0-9]{4}";
 try {
     // forced to enter 8 characters containing 4 alphabetic characters and 4 digits.
     boolean result = passwordPolicy.setRequiredPasswordPattern(regex);
     if (true == result) {
         // password pattern set
     }
 } catch (SecurityException e) {
     Log.w(TAG, "SecurityException: " + e);
 }
 

Permission
The use of this API requires the caller to have the "com.samsung.android.knox.permission.KNOX_SECURITY" permission which has a protection level of signature.

Since
API level 2
MDM 2.0
Multiuser Environment
User Scope

public boolean setScreenLockPatternVisibilityEnabled (boolean enable)

Since: API level 5

API to enable or disable screen lock pattern visibility.

Parameters
enable true to enable screen lock pattern visibility, false to disable it
Returns
  • true if successful, else false.
Throws
SecurityException If caller does not have required permissions
Usage
An administrator can use this API to enable or disable the screen lock pattern visibility without user interaction. The user or third-party applications cannot enable the visibility if it has been disabled.
 EnterpriseDeviceManager edm = EnterpriseDeviceManager.getInstance(context);
 PasswordPolicy passwordPolicy = edm.getPasswordPolicy();
 try {
     boolean disableVisiblePattern = true;
     // disable visible pattern
     passwordPolicy.setScreenLockPatternVisibilityEnabled(disableVisiblePattern);
 } catch (SecurityException e) {
     Log.w(TAG, "SecurityException: " + e);
 }
 
For Container:
 // When you create container successfully, containerID will be returned via intent.
 // Use this containerID in below API.
 EnterpriseKnoxManager ekm = EnterpriseKnoxManager.getInstance(context);
 KnoxContainerManager kcm = ekm.getKnoxContainerManager(containerID);
 PasswordPolicy passwordPolicy = kcm.getPasswordPolicy();
 try {
     boolean disableVisiblePattern = true;
     // disable visible pattern
     passwordPolicy.setScreenLockPatternVisibilityEnabled(disableVisiblePattern);
 } catch (SecurityException e) {
     Log.w(TAG, "SecurityException: " + e);
 }
 
Permission
The use of this API requires the caller to have the "com.samsung.android.knox.permission.KNOX_SECURITY" permission with a protection level of signature.
Since
API level 5
MDM 3.0
Multiuser Environment
User Scope

public boolean unlock ()

Since: API level 24

API to unlock the user.

Throws
SecurityException If caller does not have required permissions
Usage
Calling this API will unlock the user. It will return true if user is successfully unlocked.


Note: This API can be called only by Device owner or Profile owner.

 EnterpriseDeviceManager edm = EnterpriseDeviceManager.getInstance(context);
 PasswordPolicy passwordPolicy = edm.getPasswordPolicy();
 try {
     boolean status = passwordPolicy.unlock();
 } catch (SecurityException e) {
     Log.w(TAG, "SecurityException: " + e);
 }
 
For Container:
 // When you create container successfully, containerID will be returned via intent.
 // Use this containerID in below API.
 EnterpriseKnoxManager ekm = EnterpriseKnoxManager.getInstance(context);
 KnoxContainerManager kcm = ekm.getKnoxContainerManager(containerID);
 PasswordPolicy passwordPolicy = kcm.getPasswordPolicy();
 try {
     boolean status = passwordPolicy.unlock();
 } catch (SecurityException e) {
     Log.w(TAG, "SecurityException: " + e);
 }
 
Permission
The use of this API requires the caller to have the "com.samsung.android.knox.permission.KNOX_ADVANCED_SECURITY" permission which has a protection level of signature.
Since
API level 24
KNOX 3.0
Multiuser Environment
User Scope
See Also