Since: API level 6
public class

CertificatePolicy

extends Object
java.lang.Object
   ↳ com.samsung.android.knox.keystore.CertificatePolicy

Class Overview

This class provides APIs to control certificate security. It is possible to disable certificates, restrict installation of user certificates, notify the user about certificate information and issues, and enable certificate revocation status check in the system library.

Since
API level 6
KNOX 1.0

Summary

Constants
String ACTION_CERTIFICATE_FAILURE Broadcast intent action sent to notify the administrator about a digital signature failure that occurred during certificate transactions on the device.
String ACTION_CERTIFICATE_REMOVED Broadcast intent action sent to notify the administrator about a certificate removal on the device.
String EXTRA_CERTIFICATE_FAILURE_MESSAGE Used as an intent extra field with ACTION_CERTIFICATE_FAILURE.
String EXTRA_CERTIFICATE_FAILURE_MODULE Used as an intent extra field with ACTION_CERTIFICATE_FAILURE.
String EXTRA_CERTIFICATE_REMOVED_SUBJECT Used as an intent extra field with ACTION_CERTIFICATE_REMOVED.
String EXTRA_USER_ID Used as an intent extra field with ACTION_CERTIFICATE_REMOVED and ACTION_CERTIFICATE_FAILURE.
Public Methods
boolean addPermissionApplicationPrivateKey(PermissionApplicationPrivateKey permission)
API to give the permission of reading private keys to an application.
boolean addTrustedCaCertificateList(List<X509Certificate> certificates)
API to add a list of trusted CA certificates.
boolean addUntrustedCertificateList(List<X509Certificate> certificates)
API to add a list of untrusted certificates.
boolean allowUserRemoveCertificates(boolean allow)
API to allow or block the user of removing certificates or resetting the keystores.
boolean clearPermissionApplicationPrivateKey()
API to revoke permissions of reading private keys of any application.
boolean clearTrustedCaCertificateList()
API to clear the list of trusted CAs certificates.
boolean clearUntrustedCertificateList()
API to clear the list of untrusted certificates.
boolean enableCertificateFailureNotification(boolean enable)
API to enable notifying the user whenever a certificate digital signature failure occurs.
boolean enableCertificateValidationAtInstall(boolean enable)
API to enable validation of certificates when installing them into device's Certificate Store.
boolean enableOcspCheck(String pkgName, boolean enable)
API to enable OCSP when using revocation check for certificates used by applications.
boolean enableRevocationCheck(String pkgName, boolean enable)
API to enable revocation check for certificates used by applications.
List<PermissionApplicationPrivateKey> getListPermissionApplicationPrivateKey()
API to list all permissions of reading private keys.
List<CertificateControlInfo> getTrustedCaCertificateList()
API to retrieve the list of trusted CA certificates.
List<CertificateControlInfo> getUntrustedCertificateList()
API to retrieve the list of untrusted certificates.
boolean isCertificateFailureNotificationEnabled()
API to check whether the user will be notified when certificate digital signature failure occurs.
boolean isCertificateValidationAtInstallEnabled()
API to verify if validation of certificates at install time is enabled.
boolean isNonTrustedAppInstallBlocked()
API to check whether the installation of applications signed with a non-trusted CA certificate is allowed or not.
boolean isOcspCheckEnabled(String pkgName)
API to verify if revocation check via OCSP is enabled.
boolean isRevocationCheckEnabled(String pkgName)
API to verify if revocation check is enabled.
boolean isUserRemoveCertificatesAllowed()
API to verify if removal of certificates and resetting the keystores is allowed.
boolean removePermissionApplicationPrivateKey(PermissionApplicationPrivateKey permission)
API to revoke the permission of reading private keys to an application.
boolean removeTrustedCaCertificateList(List<X509Certificate> certificates)
API to remove a list of certificates from the trusted CA list.
boolean removeUntrustedCertificateList(List<X509Certificate> certificates)
API to remove a list of certificates from the untrusted certificate list.
boolean setNonTrustedAppInstallBlock(boolean enable)
API to allow or block the installation of applications signed with a non-trusted CA certificate.
[Expand]
Inherited Methods
From class java.lang.Object

Constants

public static final String ACTION_CERTIFICATE_FAILURE

Since: API level 6

Broadcast intent action sent to notify the administrator about a digital signature failure that occurred during certificate transactions on the device. The intent contains three extras. One extra reports the module where the failure occurred; to obtain it, use EXTRA_CERTIFICATE_FAILURE_MODULE. Other extra is a message describing the failure; to obtain it, use EXTRA_CERTIFICATE_FAILURE_MESSAGE. The other extra is the id of the user where a certificate failure happened; to obtain it use EXTRA_USER_ID. Receiver must hold "com.samsung.android.knox.permission.KNOX_CERTIFICATE" to receive this broadcast.

NOTE: Since KNOX 2.6, this intent is no longer supported by Chrome.

Since
API level 6
KNOX 1.0
Constant Value: "com.samsung.android.knox.intent.action.CERTIFICATE_FAILURE"

public static final String ACTION_CERTIFICATE_REMOVED

Since: API level 19

Broadcast intent action sent to notify the administrator about a certificate removal on the device. The intent contains two extras. One extra is the subject of the removed certificate; to obtain it use EXTRA_CERTIFICATE_REMOVED_SUBJECT. The other extra is the id of the user that performed the removal of the certificate; to obtain it use EXTRA_USER_ID. Receiver must hold "com.samsung.android.knox.permission.KNOX_CERTIFICATE" to receive this broadcast.

Since
API level 19
KNOX 2.6
Constant Value: "com.samsung.android.knox.intent.action.CERTIFICATE_REMOVED"

public static final String EXTRA_CERTIFICATE_FAILURE_MESSAGE

Since: API level 6

Used as an intent extra field with ACTION_CERTIFICATE_FAILURE. Contains the message describing the digital signature failure that occurred during certificate transactions on the device (use getStringExtra(String) to retrieve the extra value).

Since
API level 6
KNOX 1.0
Constant Value: "com.samsung.android.knox.intent.extra.CERTIFICATE_FAILURE_MESSAGE"

public static final String EXTRA_CERTIFICATE_FAILURE_MODULE

Since: API level 6

Used as an intent extra field with ACTION_CERTIFICATE_FAILURE. Contains the module where a digital signature failure occurred during certificate transactions on the device (use getStringExtra(String) to retrieve the extra value).

Since
API level 6
KNOX 1.0
Constant Value: "com.samsung.android.knox.intent.extra.CERTIFICATE_FAILURE_MODULE"

public static final String EXTRA_CERTIFICATE_REMOVED_SUBJECT

Since: API level 19

Used as an intent extra field with ACTION_CERTIFICATE_REMOVED. Contains the subject of removed certificate (use getStringExtra(String) to retrieve the extra value).

Since
API level 19
KNOX 2.6
Constant Value: "com.samsung.android.knox.intent.extra.CERTIFICATE_REMOVED_SUBJECT"

public static final String EXTRA_USER_ID

Since: API level 19

Used as an intent extra field with ACTION_CERTIFICATE_REMOVED and ACTION_CERTIFICATE_FAILURE. Contains the id of the user which removed a certificate or where a certificate failure happened (use getIntExtra(String, int) to retrieve the extra value).

Since
API level 19
KNOX 2.6
Constant Value: "com.samsung.android.knox.intent.extra.USER_ID"

Public Methods

public boolean addPermissionApplicationPrivateKey (PermissionApplicationPrivateKey permission)

Since: API level 11

API to give the permission of reading private keys to an application.

Returns
  • true if successful, else false
Throws
SecurityException If caller does not have required permissions.
Usage

An application that wants to read a installed private key will use the KeyChain . It will ask the user to allow the application to read a private key, showing a list of currently available private keys. By using this policy, the administrator will bypass the interaction with the user, selecting the correct private key automatically. This policy will verify if the application package name and the host:port (which is provided by the application) matches an entry made by an administrator, and then grant access to a installed private key. During the validation, the pair host:port is provided by the application, therefore, one must trust the application before using this policy.

Please note: this policy must be used carefully, since it will allow an application to read private keys without alerting the user.

 String pkgName = "com.example.app";
 String host = "myserver.com";
 int port = 80;
 String alias = "mykey";
 PermissionApplicationPrivateKey pkey = new PermissionApplicationPrivateKey(pkgName, host, port,
         alias);
 EnterpriseDeviceManager edm = EnterpriseDeviceManager.getInstance(context);
 CertificatePolicy certPolicy = edm.getCertificatePolicy();

 try {
     boolean result = certPolicy.addPermissionApplicationPrivateKey(pkey);
     if (true == result) {
         // application will receive permission to access private key, when it
         // ask for it.
     } else {
         // failure to set policy
     }
 } catch (SecurityException e) {
     Log.w(TAG, "SecurityException: " + e);
 }
 
For Container:
 // When you create container successfully, containerID will be returned via intent.
 // Use this containerID in below API.
 EnterpriseKnoxManager ekm = EnterpriseKnoxManager.getInstance(context);
 KnoxContainerManager kcm = ekm.getKnoxContainerManager(containerID);
 CertificatePolicy certPolicy = kcm.getCertificatePolicy();

 String pkgName = "com.example.app";
 String host = "myserver.com";
 int port = 80;
 String alias = "mykey";
 PermissionApplicationPrivateKey pkey = new PermissionApplicationPrivateKey(pkgName, host, port,
         alias);

 try {
     boolean result = certPolicy.addPermissionApplicationPrivateKey(pkey);
     if (true == result) {
         // application will receive permission to access private key, when it
         // ask for it.
     } else {
         // failure to set policy
     }
 } catch (SecurityException e) {
     Log.w(TAG, "SecurityException: " + e);
 }
 
Permission
The use of this API requires the caller to have the "com.samsung.android.knox.permission.KNOX_CERTIFICATE" permission which has a protection level of signature.

From MDM 5.6 on, depending on the Credential Storage type identified by storageName parameter used in PermissionApplicationPrivateKey(String, String, int, String, String) , a new permission will also be enforced. System Credential Storages will check for "com.samsung.android.knox.permission.KNOX_UCM_ESE_MGMT" permission, while non-system ones check for "com.samsung.android.knox.permission.KNOX_UCM_OTHER_MGMT" permission. Please refer to Universal Credential Manager (UCM) DEV guide in order to have more details of how to get these new permissions.
Since
API level 11
KNOX 2.0
Multiuser Environment
User Scope

public boolean addTrustedCaCertificateList (List<X509Certificate> certificates)

Since: API level 6

API to add a list of trusted CA certificates.

Parameters
certificates The list of CA certificates to add to trust list.
Returns
  • true when the certificates are successfully added to the trusted CAs certificate list, false if operation failed.
Throws
SecurityException If caller does not have required permissions.
Usage

Use this API to add a list of trusted CA certificates. After a CA is added, this policy is activated, and only certificates that are signed by a trusted CA can be installed. Also, the certificates previously installed by user which are not trusted will be removed from the system. They will be quarantined, and if in the future they become trusted again (if administrator adds this certificate CA to the list or; disables the policy cleaning the trusted CA list), they will be re-installed. During this period, user cannot see or use any of them. Adding a certificate to the list of trusted CA does not install the certificate on the system. Preloaded CA certificates, named System Credentials in Settings Application are not modified. To disable preloaded CA certificates please use untrusted certificates policy addUntrustedCertificateList(List). Please note that a certificate with an unknown issuer is treated as not trusted, like the concept of a whitelist. And this happens even when a root CA is trusted, but an intermediate certificate is not present in the system. This policy interacts with untrusted certificates policy addUntrustedCertificateList(List). For security reasons, untrusted list will take precedence over trusted list. When a certificate is added to untrusted list, it will be removed from the system even if it is part of a trusted certificate chain. If administrator tries to add a list with at least one certificate that is not from a certificate authority, no certificate from the list will be added and it will return false.

NOTE: Before KNOX 2.6 this API was Global Scope. Since KNOX 2.6, as API was changed to User Scope and to keep backward compatibility, calling it from owner (User 0) will affect all users, and containers owned by administrator. If called from a specific user or container, this API will affect only the specific user or container.

       EnterpriseDeviceManager edm = EnterpriseDeviceManager.getInstance(context);
       CertificatePolicy certPolicy = edm.getCertificatePolicy();
       List<X509Certificate> list = new ArrayList<X509Certificate>();
       // add the certificates to be inserted on the trusted list
       try {
           boolean result = certPolicy.addTrustedCaCertificateList(list);
           if (true == result) {
               // trusted certificates were successfully added
           } else {
               // fail to add trusted certificates
           }
       } catch (SecurityException e) {
           Log.w(TAG, "SecurityException: " + e);
       }
       
For Container:
       // When you create container successfully, containerID will be returned via intent.
       // Use this containerID in below API.
       EnterpriseKnoxManager ekm = EnterpriseKnoxManager.getInstance(context);
       KnoxContainerManager kcm = ekm.getKnoxContainerManager(containerID);
       CertificatePolicy certPolicy = kcm.getCertificatePolicy();
       List<X509Certificate> list = new ArrayList<X509Certificate>();
       // add the certificates to be inserted on the trusted list
       try {
           boolean result = certPolicy.addTrustedCaCertificateList(list);
           if (true == result) {
               // trusted certificates were successfully added
           } else {
               // fail to add trusted certificates
           }
       } catch (SecurityException e) {
           Log.w(TAG, "SecurityException: " + e);
       }
       
Permission
The use of this API requires the caller to have the "com.samsung.android.knox.permission.KNOX_CERTIFICATE" permission which has a protection level of signature.
Since
API level 6
KNOX 1.0
Multiuser Environment
User Scope

public boolean addUntrustedCertificateList (List<X509Certificate> certificates)

Since: API level 6

API to add a list of untrusted certificates.

Parameters
certificates The list of untrusted certificates.
Returns
  • true when the certificates are successfully added to the untrusted certificate list, false if operation failed.
Throws
SecurityException If caller does not have required permissions.
Usage

Use this API to add a list of untrusted certificates. After a certificate is added, this policy is activated, and untrusted certificates won't be installed (nor certificates signed by an untrusted certificate). Also, untrusted certificates previously installed will be removed from the system. They will be quarantined, and if in the future they become trusted again (when administrator removes this certificate from the untrusted list), they will be re-installed. During this period, user cannot see or use any of them. Certificates that were preloaded in the device cannot be removed, and are disabled (user is not able to re-enable them). Please note that a certificate with an unknown issuer is treated as trusted, like the concept of a blacklist. And this happens even when a root CA is untrusted, but an intermediate certificate is not present in the system. This policy interacts with trusted CAs policy addTrustedCaCertificateList(List) . For security reasons, untrusted list will take precedence over trusted list. When a certificate is added to untrusted list, it will be removed from the system even if it is part of a trusted certificate chain.

NOTE: Before KNOX 2.6 this API was Global Scope. Since KNOX 2.6, as API was changed to User Scope and to keep backward compatibility, calling it from owner (User 0) will affect all users, and containers owned by administrator. If called from a specific user or container, this API will affect only the specific user or container.

       EnterpriseDeviceManager edm = EnterpriseDeviceManager.getInstance(context);
       CertificatePolicy certPolicy = edm.getCertificatePolicy();
       List<X509Certificate> list = new ArrayList<X509Certificate>();
       // add the certificates to be inserted on the untrusted list
       try {
           boolean result = certPolicy.addUntrustedCertificateList(list);
           if (true == result) {
               // untrusted certificates were successfully added
           } else {
               // fail to add untrusted certificates
           }
       } catch (SecurityException e) {
           Log.w(TAG, "SecurityException: " + e);
       }
       
For Container:
       // When you create container successfully, containerID will be returned via intent.
       // Use this containerID in below API.
       EnterpriseKnoxManager ekm = EnterpriseKnoxManager.getInstance(context);
       KnoxContainerManager kcm = ekm.getKnoxContainerManager(containerID);
       CertificatePolicy certPolicy = kcm.getCertificatePolicy();
       List<X509Certificate> list = new ArrayList<X509Certificate>();
       // add the certificates to be inserted on the untrusted list
       try {
           boolean result = certPolicy.addUntrustedCertificateList(list);
           if (true == result) {
               // untrusted certificates were successfully added
           } else {
               // fail to add untrusted certificates
           }
       } catch (SecurityException e) {
           Log.w(TAG, "SecurityException: " + e);
       }
       
Permission
The use of this API requires the caller to have the "com.samsung.android.knox.permission.KNOX_CERTIFICATE" permission which has a protection level of signature.
Since
API level 6
KNOX 1.0
Multiuser Environment
User Scope

public boolean allowUserRemoveCertificates (boolean allow)

Since: API level 11

API to allow or block the user of removing certificates or resetting the keystores.

Returns
  • true if successful, else false
Throws
SecurityException If caller does not have required permissions.
Usage

Use this API to block the user of removing any certificate. It will also block the user of resetting the keystores (that clears all installed credentials, certificates and private keys).

The APIs to remove certificates and reset the keystores will take priority over this API, and it will work regardless of its state.

NOTE: Before KNOX 2.6 this API was Global Scope. Since KNOX 2.6, as API was changed to User Scope and to keep backward compatibility, calling it from owner (User 0) will affect all users, and containers owned by administrator. If called from a specific user or container, this API will affect only the specific user or container.

       EnterpriseDeviceManager edm = EnterpriseDeviceManager.getInstance(context);
       CertificatePolicy certPolicy = edm.getCertificatePolicy();
       try {
           boolean result = certPolicy.allowUserRemoveCertificates(true);
           if (true == result) {
               // user can't remove certificates or reset the keystores.
           } else {
               // failure to set policy
           }
       } catch (SecurityException e) {
           Log.w(TAG, "SecurityException: " + e);
       }
       
For Container:
       // When you create container successfully, containerID will be returned via intent.
       // Use this containerID in below API.
       EnterpriseKnoxManager ekm = EnterpriseKnoxManager.getInstance(context);
       KnoxContainerManager kcm = ekm.getKnoxContainerManager(containerID);
       CertificatePolicy certPolicy = kcm.getCertificatePolicy();
       try {
           boolean result = certPolicy.allowUserRemoveCertificates(true);
           if (true == result) {
               // user can't remove certificates or reset the keystores.
           } else {
               // failure to set policy
           }
       } catch (SecurityException e) {
           Log.w(TAG, "SecurityException: " + e);
       }
       
Permission
The use of this API requires the caller to have the "com.samsung.android.knox.permission.KNOX_CERTIFICATE" permission which has a protection level of signature.
Since
API level 11
KNOX 2.0
Multiuser Environment
User Scope

public boolean clearPermissionApplicationPrivateKey ()

Since: API level 11

API to revoke permissions of reading private keys of any application.

Returns
  • true if successful, else false
Throws
SecurityException If caller does not have required permissions.
Usage

After allowing some applications to read the installed private keys bypassing the interaction with the user, administrator may revoke all permissions. After revoking the permissions, the user may be prompted again to select a private key and give permission to each application.

 EnterpriseDeviceManager edm = EnterpriseDeviceManager.getInstance(context);
 CertificatePolicy certPolicy = edm.getCertificatePolicy();

 try {
     boolean result = certPolicy.clearPermissionApplicationPrivateKey();
     if (true == result) {
         // applications will not receive automatic permission
         // to access private key, when they ask for it.
     } else {
         // failure to set policy
     }
 } catch (SecurityException e) {
     Log.w(TAG, "SecurityException: " + e);
 }
 
For Container:
 // When you create container successfully, containerID will be returned via intent.
 // Use this containerID in below API.
 EnterpriseKnoxManager ekm = EnterpriseKnoxManager.getInstance(context);
 KnoxContainerManager kcm = ekm.getKnoxContainerManager(containerID);
 CertificatePolicy certPolicy = kcm.getCertificatePolicy();

 try {
     boolean result = certPolicy.clearPermissionApplicationPrivateKey();
     if (true == result) {
         // applications will not receive automatic permission
         // to access private key, when they ask for it.
     } else {
         // failure to set policy
     }
 } catch (SecurityException e) {
     Log.w(TAG, "SecurityException: " + e);
 }
 
Permission
The use of this API requires the caller to have the "com.samsung.android.knox.permission.KNOX_CERTIFICATE" permission which has a protection level of signature.
Since
API level 11
KNOX 2.0
Multiuser Environment
User Scope

public boolean clearTrustedCaCertificateList ()

Since: API level 6

API to clear the list of trusted CAs certificates.

Returns
  • true if the list was successfully cleared, else false.
Throws
SecurityException If caller does not have required permissions.
Usage

Use this API to clear the list of trusted CA certificates. Certificates that were not signed by a trusted CA and had been quarantined will be reviewed, and if they became trusted, they will be re-installed.

NOTE: Before KNOX 2.6 this API was Global Scope. Since KNOX 2.6, as API was changed to User Scope and to keep backward compatibility, calling it from owner (User 0) will affect all users, and containers owned by administrator. If called from a specific user or container, this API will affect only the specific user or container.

       EnterpriseDeviceManager edm = EnterpriseDeviceManager.getInstance(context);
       CertificatePolicy certPolicy = edm.getCertificatePolicy();
       try {
           boolean status = certPolicy.clearTrustedCaCertificateList();
       } catch (SecurityException e) {
           Log.w(TAG, "SecurityException: " + e);
       }
       
For Container:
       // When you create container successfully, containerID will be returned via intent.
       // Use this containerID in below API.
       EnterpriseKnoxManager ekm = EnterpriseKnoxManager.getInstance(context);
       KnoxContainerManager kcm = ekm.getKnoxContainerManager(containerID);
       CertificatePolicy certPolicy = kcm.getCertificatePolicy();
       try {
           boolean status = certPolicy.clearTrustedCaCertificateList();
       } catch (SecurityException e) {
           Log.w(TAG, "SecurityException: " + e);
       }
       
Permission
The use of this API requires the caller to have the "com.samsung.android.knox.permission.KNOX_CERTIFICATE" permission which has a protection level of signature.
Since
API level 6
KNOX 1.0
Multiuser Environment
User Scope

public boolean clearUntrustedCertificateList ()

Since: API level 6

API to clear the list of untrusted certificates.

Returns
  • true if the list was successfully cleared, else false.
Throws
SecurityException If caller does not have required permissions.
Usage

Use this API to clear the list of untrusted certificates. Certificates that were untrusted and had been quarantined will be reviewed, and if they became trusted, they will be re-installed.

NOTE: Before KNOX 2.6 this API was Global Scope. Since KNOX 2.6, as API was changed to User Scope and to keep backward compatibility, calling it from owner (User 0) will affect all users, and containers owned by administrator. If called from a specific user or container, this API will affect only the specific user or container.

       EnterpriseDeviceManager edm = EnterpriseDeviceManager.getInstance(context);
       CertificatePolicy certPolicy = edm.getCertificatePolicy();
       try {
           boolean status = certPolicy.clearUntrustedCertificateList();
       } catch (SecurityException e) {
           Log.w(TAG, "SecurityException: " + e);
       }
       
For Container:
       // When you create container successfully, containerID will be returned via intent.
       // Use this containerID in below API.
       EnterpriseKnoxManager ekm = EnterpriseKnoxManager.getInstance(context);
       KnoxContainerManager kcm = ekm.getKnoxContainerManager(containerID);
       CertificatePolicy certPolicy = kcm.getCertificatePolicy();
       try {
           boolean status = certPolicy.clearUntrustedCertificateList();
       } catch (SecurityException e) {
           Log.w(TAG, "SecurityException: " + e);
       }
       
Permission
The use of this API requires the caller to have the "com.samsung.android.knox.permission.KNOX_CERTIFICATE" permission which has a protection level of signature.
Since
API level 6
KNOX 1.0
Multiuser Environment
User Scope

public boolean enableCertificateFailureNotification (boolean enable)

Since: API level 6

API to enable notifying the user whenever a certificate digital signature failure occurs.

Parameters
enable true to enable,false to disable
Returns
  • true if successful, else false
Throws
SecurityException If caller does not have required permissions.
Usage

Use this API to notify the user whenever a certificate digital signature failure occurs. User will be notified with a toast containing the message "Digital signature failure occurred in: " and the name of the module that found the failure. This policy does not apply to third party or Google applications since we can not change their implementation.

NOTE 1: Before KNOX 2.6 this API was Global Scope. Since KNOX 2.6, as API was changed to User Scope and to keep backward compatibility, calling it from owner (User 0) will affect all users, and containers owned by administrator. If called from a specific user or container, this API will affect only the specific user or container.

NOTE 2: Since KNOX 2.6, this policy is no longer supported by Chrome.

       EnterpriseDeviceManager edm = EnterpriseDeviceManager.getInstance(context);
       CertificatePolicy certPolicy = edm.getCertificatePolicy();
       try {
           boolean result = certPolicy.enableCertificateFailureNotification(true);
           if (true == result) {
               // user will be notified whenever occurs a certificate related fail
           } else {
               // user will not be notified whenever occurs a certificate related fail
           }
       } catch (SecurityException e) {
           Log.w(TAG, "SecurityException: " + e);
       }
       
For Container:
       // When you create container successfully, containerID will be returned via intent.
       // Use this containerID in below API.
       EnterpriseKnoxManager ekm = EnterpriseKnoxManager.getInstance(context);
       KnoxContainerManager kcm = ekm.getKnoxContainerManager(containerID);
       CertificatePolicy certPolicy = kcm.getCertificatePolicy();
       try {
           boolean result = certPolicy.enableCertificateFailureNotification(true);
           if (true == result) {
               // user will be notified whenever occurs a certificate related fail
           } else {
               // user will not be notified whenever occurs a certificate related fail
           }
       } catch (SecurityException e) {
           Log.w(TAG, "SecurityException: " + e);
       }
       
Permission
The use of this API requires the caller to have the "com.samsung.android.knox.permission.KNOX_CERTIFICATE" permission which has a protection level of signature.
Since
API level 6
KNOX 1.0
Multiuser Environment
User Scope

public boolean enableCertificateValidationAtInstall (boolean enable)

Since: API level 6

API to enable validation of certificates when installing them into device's Certificate Store.

Parameters
enable true to enable, false to disable
Returns
  • true if successful, else false
Throws
SecurityException If caller does not have required permissions.
Usage

Use this API to block the installation of invalid certificates. This will enable a multiple-step check of certificates before installing them. Some of the criteria used to validate a certificate are: certification path, expiration date, revocation status, etc.

The Certification Path, also called certificate chain, is an important part of validation process. A certificate with a issuer CA (Certificate Authority) that is not present in the device's certificate store is deemed unknown, and its installation is blocked. All certificates in a chain (Root CA and intermediate CAs) must be previously stored in the certificate store. Self-signed CAs are also validated, although they don't need any chain.

Please note that the validation process needs Internet access to check the revocation status of the certificate. If the certificate does not contain revocation information, or the revocation server could not be reached, the validation fails.

When the validation process fails, user may be warned of its cause using the policy enableCertificateFailureNotification(boolean). If this API is not enabled, user will NOT receive detailed information of the certificate validation error. The validation failures are also sent to administrator through the intent ACTION_CERTIFICATE_FAILURE.

The device's certificate store may not be the only place containing certificates in the device. Many applications that use network connection may use their own store (e.g.: Email, Social Network, etc). The certificates installed to these stores are not validated by this policy.

Certificates previously installed to device's certificate store will not be validated after enabling this policy.

When this policy is enabled, the policy to install certificates also verifies for validation of its certificates during installation.

For information regarding the certificate validation process please check the following standard documents:

Certification Path Validation: RFC 3280
OCSP (Revocation): RFC 2560

NOTE: Before KNOX 2.6 this API was Global Scope. Since KNOX 2.6, as API was changed to User Scope and to keep backward compatibility, calling it from owner (User 0) will affect all users, and containers owned by administrator. If called from a specific user or container, this API will affect only the specific user or container.

       EnterpriseDeviceManager edm = EnterpriseDeviceManager.getInstance(context);
       CertificatePolicy certPolicy = edm.getCertificatePolicy();
       try {
           boolean result = certPolicy.enableCertificateValidationAtInstall(true);
           if (true == result) {
               // certificates will be validate before installing
           } else {
               // failure to set policy
           }
       } catch (SecurityException e) {
           Log.w(TAG, "SecurityException: " + e);
       }
       
For Container:
       // When you create container successfully, containerID will be returned via intent.
       // Use this containerID in below API.
       EnterpriseKnoxManager ekm = EnterpriseKnoxManager.getInstance(context);
       KnoxContainerManager kcm = ekm.getKnoxContainerManager(containerID);
       CertificatePolicy certPolicy = kcm.getCertificatePolicy();
       try {
           boolean result = certPolicy.enableCertificateValidationAtInstall(true);
           if (true == result) {
               // certificates will be validate before installing
           } else {
               // failure to set policy
           }
       } catch (SecurityException e) {
           Log.w(TAG, "SecurityException: " + e);
       }
       
Permission
The use of this API requires the caller to have the "com.samsung.android.knox.permission.KNOX_CERTIFICATE" permission which has a protection level of signature.
Since
API level 6
KNOX 1.0
Multiuser Environment
User Scope

public boolean enableOcspCheck (String pkgName, boolean enable)

Since: API level 6

API to enable OCSP when using revocation check for certificates used by applications.

Parameters
pkgName package for which OCSP check should be enabled or disabled. To enable OCSP check on all packages, use the string: "*" (asterisk).
enable true to enable, false to disable
Returns
  • true if successful, else false
Throws
SecurityException If caller does not have required permissions.
Usage

Use this API to enable OCSP when checking for certificate revocation for the applications using SSL connections or SMIME encryption/signing. This has no effect if revocation policy enableRevocationCheck(String, boolean) is not enabled. This will enable the use of OCSP during revocation check. OCSP check is used prior to CRL. If OCSP could not get a decisive response about a certificate, it will try to use CRL. The OCSP response server must be listed in the certificate information under Authority Info Access.

For information regarding certificate revocation please check the following standards documents:

CRL: RFC 3280
OCSP: RFC 2560

NOTE: Since KNOX 2.6, this policy is no longer supported by Chrome.

 EnterpriseDeviceManager edm = EnterpriseDeviceManager.getInstance(context);
 CertificatePolicy certPolicy = edm.getCertificatePolicy();
 try {
     String packageName = "com.android.browser";
     boolean result = certPolicy.enableRevocationCheck(packageName, true);
     if (true == result) {
         // revocation will be checked for this app
         boolean resultOcsp = certPolicy.enableOcspCheck(packageName, true);
         if (true == resultOcsp) {
             // revocation will be checked for this app using OCSP
         } else {
             // failure to set policy OCSP
         }
     } else {
         // failure to set policy
     }
 } catch (SecurityException e) {
     Log.w(TAG, "SecurityException: " + e);
 }
 
For Container:
 // When you create container successfully, containerID will be returned via intent.
 // Use this containerID in below API.
 EnterpriseKnoxManager ekm = EnterpriseKnoxManager.getInstance(context);
 KnoxContainerManager kcm = ekm.getKnoxContainerManager(containerID);
 CertificatePolicy certPolicy = kcm.getCertificatePolicy();
 try {
     String packageName = "com.android.browser";
     boolean result = certPolicy.enableRevocationCheck(packageName, true);
     if (true == result) {
         // revocation will be checked for this app
         boolean resultOcsp = certPolicy.enableOcspCheck(packageName, true);
         if (true == resultOcsp) {
             // revocation will be checked for this app using OCSP
         } else {
             // failure to set policy OCSP
         }
     } else {
         // failure to set policy
     }
 } catch (SecurityException e) {
     Log.w(TAG, "SecurityException: " + e);
 }
 
Permission
The use of this API requires the caller to have the "com.samsung.android.knox.permission.KNOX_CERTIFICATE" permission which has a protection level of signature.
Since
API level 6
KNOX 1.0
Dependency
It will check OCSP only when revocation check is enabled, using enableRevocationCheck(String, boolean)
Multiuser Environment
User Scope

public boolean enableRevocationCheck (String pkgName, boolean enable)

Since: API level 6

API to enable revocation check for certificates used by applications.

Parameters
pkgName package for which revocation check should be enabled or disabled. To enable revocation check on all packages, use the string: "*" (asterisk).
enable true to enable, false to disable
Returns
  • true if successful, else false
Throws
SecurityException If caller does not have required permissions.
Usage

Use this API to check for certificate revocation for the applications using SSL connections or SMIME encryption/signing. This will enable the check for revocation of the server certificate chain during SSL mutual authentication process.This policy only applies to the application if it uses standard TrustManager implementation, this includes most of the native applications, but it does not include third party browsers. Revocation check is primarily done using certificate revocation lists (CRL) that can be downloaded using a CRL distribution point listed in the certificate. If the policy enableOcspCheck(String, boolean) is active then the check will first be done through OCSP method and if it fails a standard check using CRLs will be performed.

The CRL check basically downloads a file from the specified server that contains a list of revoked IDs that is maintained by the CA of the certificate being checked. If the certificate ID is in the list then it is revoked and the SSL/SMIME verification will fail, otherwise it will proceed.

For information regarding certificate revocation please check the following standards documents:

CRL: RFC 3280
OCSP: RFC 2560

 EnterpriseDeviceManager edm = EnterpriseDeviceManager.getInstance(context);
 CertificatePolicy certPolicy = edm.getCertificatePolicy();
 try {
     String packageName = "com.android.browser";
     boolean result = certPolicy.enableRevocationCheck(packageName, true);
     if (true == result) {
         // revocation will be checked for this app
     } else {
         // failure to set policy
     }
 } catch (SecurityException e) {
     Log.w(TAG, "SecurityException: " + e);
 }
 
For Container:
 // When you create container successfully, containerID will be returned via intent.
 // Use this containerID in below API.
 EnterpriseKnoxManager ekm = EnterpriseKnoxManager.getInstance(context);
 KnoxContainerManager kcm = ekm.getKnoxContainerManager(containerID);
 CertificatePolicy certPolicy = kcm.getCertificatePolicy();
 try {
     String packageName = "com.android.browser";
     boolean result = certPolicy.enableRevocationCheck(packageName, true);
     if (true == result) {
         // revocation will be checked for this app
     } else {
         // failure to set policy
     }
 } catch (SecurityException e) {
     Log.w(TAG, "SecurityException: " + e);
 }
 
Permission
The use of this API requires the caller to have the "com.samsung.android.knox.permission.KNOX_CERTIFICATE" permission which has a protection level of signature.
Since
API level 6
KNOX 1.0
Multiuser Environment
User Scope

public List<PermissionApplicationPrivateKey> getListPermissionApplicationPrivateKey ()

Since: API level 11

API to list all permissions of reading private keys.

Returns
  • List of permissions given, each containing the administrator package name.
Throws
SecurityException If caller does not have required permissions.
Usage

After allowing some applications to read the installed private keys bypassing the interaction with the user, administrator may list all permissions.

 EnterpriseDeviceManager edm = EnterpriseDeviceManager.getInstance(context);
 CertificatePolicy certPolicy = edm.getCertificatePolicy();

 try {
     List<PermissionApplicationPrivateKey> list = certPolicy
             .getListPermissionApplicationPrivateKey();
     Iterator it = list.iterator();
     while (it.hasNext()) {
         PermissionApplicationPrivateKey pkey = it.next();
         String adminPkgName = pkey.getAdminPkgName();
         String pkgName = pkey.getPackageName();
         String host = pkey.getHost();
         int port = pkey.getPort();
         String alias = pkey.getAlias();
         // do something with the values
     }
 } catch (SecurityException e) {
     Log.w(TAG, "SecurityException: " + e);
 }
 
For Container:
 // When you create container successfully, containerID will be returned via intent.
 // Use this containerID in below API.
 EnterpriseKnoxManager ekm = EnterpriseKnoxManager.getInstance(context);
 KnoxContainerManager kcm = ekm.getKnoxContainerManager(containerID);
 CertificatePolicy certPolicy = kcm.getCertificatePolicy();

 try {
     List<PermissionApplicationPrivateKey> list = certPolicy
             .getListPermissionApplicationPrivateKey();
     Iterator it = list.iterator();
     while (it.hasNext()) {
         PermissionApplicationPrivateKey pkey = it.next();
         String adminPkgName = pkey.getAdminPkgName();
         String pkgName = pkey.getPackageName();
         String host = pkey.getHost();
         int port = pkey.getPort();
         String alias = pkey.getAlias();
         // do something with the values
     }
 } catch (SecurityException e) {
     Log.w(TAG, "SecurityException: " + e);
 }
 
Permission
The use of this API requires the caller to have the "com.samsung.android.knox.permission.KNOX_CERTIFICATE" permission which has a protection level of signature.
Since
API level 11
KNOX 2.0
Multiuser Environment
User Scope

public List<CertificateControlInfo> getTrustedCaCertificateList ()

Since: API level 6

API to retrieve the list of trusted CA certificates.

Returns
  • List of certificate control info containing the administrator package name and its list of trusted certificates.
Throws
SecurityException If caller does not have required permissions
Usage

Administrator can use this API to get the list of trusted CA certificates from all administrators.

       EnterpriseDeviceManager edm = EnterpriseDeviceManager.getInstance(context);
       CertificatePolicy certPolicy = edm.getCertificatePolicy();
       try {
           List<CertificateControlInfo> certList = certPolicy.getTrustedCaCertificateList();
           Iterator it = certList.iterator();
           while (it.hasNext()) {
               CertificateControlInfo certCtrInfo = it.next();
               String adminPkgName = certCtrInfo.adminPackageName;
               List<X509Certificate> x509certList = certCtrInfo.entries;
               // do something with the certificates
           }
       } catch (SecurityException e) {
           Log.w(TAG, "SecurityException: " + e);
       }
       
For Container:
       // When you create container successfully, containerID will be returned via intent.
       // Use this containerID in below API.
       EnterpriseKnoxManager ekm = EnterpriseKnoxManager.getInstance(context);
       KnoxContainerManager kcm = ekm.getKnoxContainerManager(containerID);
       CertificatePolicy certPolicy = kcm.getCertificatePolicy();
       try {
           List<CertificateControlInfo> certList = certPolicy.getTrustedCaCertificateList();
           Iterator it = certList.iterator();
           while (it.hasNext()) {
               CertificateControlInfo certCtrInfo = it.next();
               String adminPkgName = certCtrInfo.adminPackageName;
               List<X509Certificate> x509certList = certCtrInfo.entries;
               // do something with the certificates
           }
       } catch (SecurityException e) {
           Log.w(TAG, "SecurityException: " + e);
       }
       
Permission
The use of this API requires the caller to have the "com.samsung.android.knox.permission.KNOX_CERTIFICATE" permission which has a protection level of signature.
Since
API level 6
KNOX 1.0
Multiuser Environment
User Scope

public List<CertificateControlInfo> getUntrustedCertificateList ()

Since: API level 6

API to retrieve the list of untrusted certificates.

Returns
  • List of certificate control info containing the administrator package name and its list of untrusted certificates.
Throws
SecurityException If caller does not have required permissions
Usage

Administrator can use this API to get the list of untrusted certificates from all administrators.

       EnterpriseDeviceManager edm = EnterpriseDeviceManager.getInstance(context);
       CertificatePolicy certPolicy = edm.getCertificatePolicy();
       try {
           List<CertificateControlInfo> certList = certPolicy.getUntrustedCertificateList();
           Iterator it = certList.iterator();
           while (it.hasNext()) {
               CertificateControlInfo certCtrInfo = it.next();
               String adminPkgName = certCtrInfo.adminPackageName;
               List<X509Certificate> x509certList = certCtrInfo.entries;
               // do something with the certificates
           }
       } catch (SecurityException e) {
           Log.w(TAG, "SecurityException: " + e);
       }
       
For Container:
       // When you create container successfully, containerID will be returned via intent.
       // Use this containerID in below API.
       EnterpriseKnoxManager ekm = EnterpriseKnoxManager.getInstance(context);
       KnoxContainerManager kcm = ekm.getKnoxContainerManager(containerID);
       CertificatePolicy certPolicy = kcm.getCertificatePolicy();
       try {
           List<CertificateControlInfo> certList = certPolicy.getUntrustedCertificateList();
           Iterator it = certList.iterator();
           while (it.hasNext()) {
               CertificateControlInfo certCtrInfo = it.next();
               String adminPkgName = certCtrInfo.adminPackageName;
               List<X509Certificate> x509certList = certCtrInfo.entries;
               // do something with the certificates
           }
       } catch (SecurityException e) {
           Log.w(TAG, "SecurityException: " + e);
       }
       
Permission
The use of this API requires the caller to have the "com.samsung.android.knox.permission.KNOX_CERTIFICATE" permission which has a protection level of signature.
Since
API level 6
KNOX 1.0
Multiuser Environment
User Scope

public boolean isCertificateFailureNotificationEnabled ()

Since: API level 6

API to check whether the user will be notified when certificate digital signature failure occurs.

Returns
  • true if user will be notified, else false
Throws
SecurityException If caller does not have required permissions
Usage

Administrator can check whether the user is being notified when certificate digital signature failure occurs. The default value will be false.

       EnterpriseDeviceManager edm = EnterpriseDeviceManager.getInstance(context);
       CertificatePolicy certPolicy = edm.getCertificatePolicy();
       try {
           boolean result = certPolicy.isCertificateFailureNotificationEnabled();
           if (true == result) {
               // user will be notified if the failure occur
           } else {
               // user will not be notified if the failure occur
           }
       } catch (SecurityException e) {
           Log.w(TAG, "SecurityException: " + e);
       }
       
For Container:
       // When you create container successfully, containerID will be returned via intent.
       // Use this containerID in below API.
       EnterpriseKnoxManager ekm = EnterpriseKnoxManager.getInstance(context);
       KnoxContainerManager kcm = ekm.getKnoxContainerManager(containerID);
       CertificatePolicy certPolicy = kcm.getCertificatePolicy();
       try {
           boolean result = certPolicy.isCertificateFailureNotificationEnabled();
           if (true == result) {
               // user will be notified if the failure occur
           } else {
               // user will not be notified if the failure occur
           }
       } catch (SecurityException e) {
           Log.w(TAG, "SecurityException: " + e);
       }
       
Permission
The use of this API requires the caller to have the "com.samsung.android.knox.permission.KNOX_CERTIFICATE" permission which has a protection level of signature.
Since
API level 6
KNOX 1.0
Multiuser Environment
User Scope

public boolean isCertificateValidationAtInstallEnabled ()

Since: API level 6

API to verify if validation of certificates at install time is enabled.

Returns
  • true if enabled, false if disabled
Usage

Use this API to verify if certificates will be validated prior of installing them to the device's certificate store.

       EnterpriseDeviceManager edm = EnterpriseDeviceManager.getInstance(context);
       CertificatePolicy certPolicy = edm.getCertificatePolicy();
       boolean result = certPolicy.isCertificateValidationAtInstallEnabled();
       if (true == result) {
           // will validate certificates at install time
       } else {
           // won't validate certificates at install time
       }
       
For Container:
       // When you create container successfully, containerID will be returned via intent.
       // Use this containerID in below API.
       EnterpriseKnoxManager ekm = EnterpriseKnoxManager.getInstance(context);
       KnoxContainerManager kcm = ekm.getKnoxContainerManager(containerID);
       CertificatePolicy certPolicy = kcm.getCertificatePolicy();
       boolean result = certPolicy.isCertificateValidationAtInstallEnabled();
       if (true == result) {
           // will validate certificates at install time
       } else {
           // won't validate certificates at install time
       }
       
Since
API level 6
KNOX 1.0
Multiuser Environment
User Scope

public boolean isNonTrustedAppInstallBlocked ()

Since: API level 13

API to check whether the installation of applications signed with a non-trusted CA certificate is allowed or not.

Returns
  • true - Installation of non-trusted applications is blocked, false - any application can be installed.
Usage

Use this API to verify if application's signature will be checked within the trusted/untrusted list upon its installation.

 EnterpriseDeviceManager edm = EnterpriseDeviceManager.getInstance(context);
 CertificatePolicy certPolicy = edm.getCertificatePolicy();
 try {
     if (certificatePolicy.isNonTrustedAppInstallBlocked()) {
         Log.w(TAG, "only trusted apps can be installed");
     } else {
         Log.w(TAG, "any app can be installed regardless who have signed it.");
     }
 } catch (SecurityException e) {
     Log.w(TAG, "SecurityException: " + e);
 }
 
For Container:
 // When you create container successfully, containerID will be returned via intent.
 // Use this containerID in below API.
 EnterpriseKnoxManager ekm = EnterpriseKnoxManager.getInstance(context);
 KnoxContainerManager kcm = ekm.getKnoxContainerManager(containerID);
 CertificatePolicy certificatePolicy = kcm.getCertificatePolicy();
 try {
     if(certificatePolicy.isNonTrustedAppInstallBlocked()) {
        Log.w(TAG, "only trusted apps can be installed");
     } else {
        Log.w(TAG, "any app can be installed regardless who have signed it.");
     }
 } catch (SecurityException e) {
     Log.w(TAG, "SecurityException: " + e);
 }
 

Since
API level 13
KNOX 2.2
Multiuser Environment
User Scope

public boolean isOcspCheckEnabled (String pkgName)

Since: API level 6

API to verify if revocation check via OCSP is enabled.

Parameters
pkgName the package whose revocation status via OCSP is to be checked
Returns
  • true if enabled, false if disabled
Usage

Use this API to verify if certificates will be checked for revocation using OCSP.

 EnterpriseDeviceManager edm = EnterpriseDeviceManager.getInstance(context);
 CertificatePolicy certPolicy = edm.getCertificatePolicy();
 String packageName = "com.android.browser";
 boolean result = certPolicy.isOcspCheckEnabled(packageName);
 if (true == result) {
     // will use OCSP to check revocation for this app
 } else {
     // won't use OCSP to check revocation for this app
 }
 
For Container:
 // When you create container successfully, containerID will be returned via intent.
 // Use this containerID in below API.
 EnterpriseKnoxManager ekm = EnterpriseKnoxManager.getInstance(context);
 KnoxContainerManager kcm = ekm.getKnoxContainerManager(containerID);
 CertificatePolicy certPolicy = kcm.getCertificatePolicy();
 String packageName = "com.android.browser";
 boolean result = certPolicy.isOcspCheckEnabled(packageName);
 if (true == result) {
     // will use OCSP to check revocation for this app
 } else {
     // won't use OCSP to check revocation for this app
 }
 
Since
API level 6
KNOX 1.0
Multiuser Environment
User Scope

public boolean isRevocationCheckEnabled (String pkgName)

Since: API level 6

API to verify if revocation check is enabled.

Parameters
pkgName the package whose revocation status is to be checked
Returns
  • true if enabled, false if disabled
Usage

Use this API to verify if certificates will be checked for revocation.

 EnterpriseDeviceManager edm = EnterpriseDeviceManager.getInstance(context);
 CertificatePolicy certPolicy = edm.getCertificatePolicy();
 String packageName = "com.android.browser";
 boolean result = certPolicy.isRevocationCheckEnabled(packageName);
 if (true == result) {
     // revocation will be checked for this app
 } else {
     // revocation won't be checked for this app
 }
 
For Container:
 // When you create container successfully, containerID will be returned via intent.
 // Use this containerID in below API.
 EnterpriseKnoxManager ekm = EnterpriseKnoxManager.getInstance(context);
 KnoxContainerManager kcm = ekm.getKnoxContainerManager(containerID);
 CertificatePolicy certPolicy = kcm.getCertificatePolicy();
 String packageName = "com.android.browser";
 boolean result = certPolicy.isRevocationCheckEnabled(packageName);
 if (true == result) {
     // revocation will be checked for this app
 } else {
     // revocation won't be checked for this app
 }
 
Since
API level 6
KNOX 1.0
Multiuser Environment
User Scope

public boolean isUserRemoveCertificatesAllowed ()

Since: API level 11

API to verify if removal of certificates and resetting the keystores is allowed.

Returns
  • true if allowed, false if blocked.
Usage

Use this API to verify if user is allowed to remove certificates and reset the keystores.

       EnterpriseDeviceManager edm = EnterpriseDeviceManager.getInstance(context);
       CertificatePolicy certPolicy = edm.getCertificatePolicy();
       boolean result = certPolicy.isUserRemoveCertificatesAllowed();
       if (true == result) {
           // user is allowed to remove certificates and reset the keystores.
       } else {
           // user is blocked of removing certificates and resetting the keystores.
       }
       
For Container:
       // When you create container successfully, containerID will be returned via intent.
       // Use this containerID in below API.
       EnterpriseKnoxManager ekm = EnterpriseKnoxManager.getInstance(context);
       KnoxContainerManager kcm = ekm.getKnoxContainerManager(containerID);
       CertificatePolicy certPolicy = kcm.getCertificatePolicy();
       boolean result = certPolicy.isUserRemoveCertificatesAllowed();
       if (true == result) {
           // user is allowed to remove certificates and reset the keystores.
       } else {
           // user is blocked of removing certificates and resetting the keystores.
       }
       
Since
API level 11
KNOX 2.0
Multiuser Environment
User Scope

public boolean removePermissionApplicationPrivateKey (PermissionApplicationPrivateKey permission)

Since: API level 11

API to revoke the permission of reading private keys to an application.

Returns
  • true if successful, else false
Throws
SecurityException If caller does not have required permissions.
Usage

After allowing an application to read a installed private key bypassing the interaction with the user, administrator may revoke such permission. After revoking the permission, the user may be prompted again to select a private key and give permission to the application.

 String pkgName = "com.example.app";
 String host = "myserver.com";
 int port = 80;
 String alias = "mykey";
 PermissionApplicationPrivateKey pkey = new PermissionApplicationPrivateKey(pkgName, host, port,
         alias);
 EnterpriseDeviceManager edm = EnterpriseDeviceManager.getInstance(context);
 CertificatePolicy certPolicy = edm.getCertificatePolicy();

 try {
     boolean result = certPolicy.removePermissionApplicationPrivateKey(pkey);
     if (true == result) {
         // application will not receive automatic permission
         // to access private key, when it ask for it.
     } else {
         // failure to set policy
     }
 } catch (SecurityException e) {
     Log.w(TAG, "SecurityException: " + e);
 }
 
For Container:
 // When you create container successfully, containerID will be returned via intent.
 // Use this containerID in below API.
 EnterpriseKnoxManager ekm = EnterpriseKnoxManager.getInstance(context);
 KnoxContainerManager kcm = ekm.getKnoxContainerManager(containerID);
 CertificatePolicy certPolicy = kcm.getCertificatePolicy();

 String pkgName = "com.example.app";
 String host = "myserver.com";
 int port = 80;
 String alias = "mykey";
 PermissionApplicationPrivateKey pkey = new PermissionApplicationPrivateKey(pkgName, host, port,
         alias);

 try {
     boolean result = certPolicy.removePermissionApplicationPrivateKey(pkey);
     if (true == result) {
         // application will not receive automatic permission
         // to access private key, when it ask for it.
     } else {
         // failure to set policy
     }
 } catch (SecurityException e) {
     Log.w(TAG, "SecurityException: " + e);
 }
 
Permission
The use of this API requires the caller to have the "com.samsung.android.knox.permission.KNOX_CERTIFICATE" permission which has a protection level of signature.
Since
API level 11
KNOX 2.0
Multiuser Environment
User Scope

public boolean removeTrustedCaCertificateList (List<X509Certificate> certificates)

Since: API level 6

API to remove a list of certificates from the trusted CA list.

Parameters
certificates The list of certificates to be removed from the trusted CA certificates list.
Returns
  • true if the list was successfully removed, else false.
Throws
SecurityException If caller does not have required permissions.
Usage

Use this API to remove a list of CA certificates from the trusted list. After calling this API, all installed certificates will be verified, and the untrusted ones will be removed. All quarantined certificates will also be verified and any one that becomes trusted again will be re-installed.

NOTE: Before KNOX 2.6 this API was Global Scope. Since KNOX 2.6, as API was changed to User Scope and to keep backward compatibility, calling it from owner (User 0) will affect all users, and containers owned by administrator. If called from a specific user or container, this API will affect only the specific user or container.

       EnterpriseDeviceManager edm = EnterpriseDeviceManager.getInstance(context);
       CertificatePolicy certPolicy = edm.getCertificatePolicy();
       try {
           List<X509Certificate> certList = new ArrayList<X509Certificate>();
           // add the certificates to be removed from the trusted list on the certList list
           boolean status = certPolicy.removeTrustedCaCertificateList(certList);
       } catch (SecurityException e) {
           Log.w(TAG, "SecurityException: " + e);
       }
       
For Container:
       // When you create container successfully, containerID will be returned via intent.
       // Use this containerID in below API.
       EnterpriseKnoxManager ekm = EnterpriseKnoxManager.getInstance(context);
       KnoxContainerManager kcm = ekm.getKnoxContainerManager(containerID);
       CertificatePolicy certPolicy = kcm.getCertificatePolicy();
       try {
           List<X509Certificate> certList = new ArrayList<X509Certificate>();
           // add the certificates to be removed from the trusted list on the certList list
           boolean status = certPolicy.removeTrustedCaCertificateList(certList);
       } catch (SecurityException e) {
           Log.w(TAG, "SecurityException: " + e);
       }
       
Permission
The use of this API requires the caller to have the "com.samsung.android.knox.permission.KNOX_CERTIFICATE" permission which has a protection level of signature.
Since
API level 6
KNOX 1.0
Multiuser Environment
User Scope

public boolean removeUntrustedCertificateList (List<X509Certificate> certificates)

Since: API level 6

API to remove a list of certificates from the untrusted certificate list.

Parameters
certificates The list of certificates to be removed from the untrusted CA certificates list.
Returns
  • true if the list was successfully removed, else false.
Throws
SecurityException If caller does not have required permissions.
Usage

Use this API to remove a list of certificates from the untrusted list. After calling this API, all installed certificates will be verified, and the untrusted ones will be removed. All quarantined certificates will also be verified and any one that becomes trusted again will be re-installed.

NOTE: Before KNOX 2.6 this API was Global Scope. Since KNOX 2.6, as API was changed to User Scope and to keep backward compatibility, calling it from owner (User 0) will affect all users, and containers owned by administrator. If called from a specific user or container, this API will affect only the specific user or container.

       EnterpriseDeviceManager edm = EnterpriseDeviceManager.getInstance(context);
       CertificatePolicy certPolicy = edm.getCertificatePolicy();
       try {
           List<X509Certificate> certList = new ArrayList<X509Certificate>();
           // add the certificates to be removed from the untrusted list on the certList list
           boolean status = certPolicy.removeUntrustedCertificateList(certList);
       } catch (SecurityException e) {
           Log.w(TAG, "SecurityException: " + e);
       }
       
For Container:
       // When you create container successfully, containerID will be returned via intent.
       // Use this containerID in below API.
       EnterpriseKnoxManager ekm = EnterpriseKnoxManager.getInstance(context);
       KnoxContainerManager kcm = ekm.getKnoxContainerManager(containerID);
       CertificatePolicy certPolicy = kcm.getCertificatePolicy();
       try {
           List<X509Certificate> certList = new ArrayList<X509Certificate>();
           // add the certificates to be removed from the untrusted list on the certList list
           boolean status = certPolicy.removeUntrustedCertificateList(certList);
       } catch (SecurityException e) {
           Log.w(TAG, "SecurityException: " + e);
       }
       
Permission
The use of this API requires the caller to have the "com.samsung.android.knox.permission.KNOX_CERTIFICATE" permission which has a protection level of signature.
Since
API level 6
KNOX 1.0
Multiuser Environment
User Scope

public boolean setNonTrustedAppInstallBlock (boolean enable)

Since: API level 13

API to allow or block the installation of applications signed with a non-trusted CA certificate.

Returns
  • true if operation is successful, else false.
Throws
SecurityException If caller does not have required permissions
Usage
An administrator can use this API to block the user to install applications signed with a non-trusted CA certificate. In order to this API take effect, the admin shall add a CA certificate to the trusted/untrusted list. This is because, by default, Android lets the user to install any application on the device regardless it is signed by a trusted CA or not.

Please note: this policy must be used carefully, since it directly depends on modifying trusted/untrusted keystores, which impacts all users in the device.

Installing via ADB installs package to all users by default in multi user enabled devices. So if administrator has blocked non trusted application installation for any user, then ADB installation will not work for any user.

 EnterpriseDeviceManager edm = EnterpriseDeviceManager.getInstance(context);
 CertificatePolicy certPolicy = edm.getCertificatePolicy();
 try {
     if (certificatePolicy.setNonTrustedAppInstallBlock(true)) {
         Log.w(TAG, "only trusted apps can be installed");
     } else {
         Log.w(TAG, "Failed to enable the policy.");
     }
 } catch (SecurityException e) {
     Log.w(TAG, "SecurityException: " + e);
 }
 
For Container:
 // When you create container successfully, containerID will be returned via intent.
 // Use this containerID in below API.
 EnterpriseKnoxManager ekm = EnterpriseKnoxManager.getInstance(context);
 KnoxContainerManager kcm = ekm.getKnoxContainerManager(containerID);
 CertificatePolicy certificatePolicy = kcm.getCertificatePolicy();
 try {
     if(certificatePolicy.setNonTrustedAppInstallBlock(enable)) {
        Log.w(TAG, "only trusted apps can be installed");
     } else {
        Log.w(TAG, "Failed to enable the policy.");
     }
 } catch (SecurityException e) {
     Log.w(TAG, "SecurityException: " + e);
 }
 

Permission
The use of this API requires the caller to have the "com.samsung.android.knox.permission.KNOX_CERTIFICATE" permission with a protection level of signature.
Since
API level 13
KNOX 2.2
Multiuser Environment
User Scope