Jason Ver Linden
Aug 06, 2018
7:25 pm

Knox 2.x -> 3.0 Container Password

Hi there, we have an mdm app that creates a container. Part of the process in creating the container is to set a password and various password restrictions on the container. This has worked for us in all versions of 2.x using the KnoxConfigurationType class and attaching it to the KnoxContainerManager class using something along the lines of:

KnoxConfigurationType newConfig = null;
KnoxConfigurationType predefinedConfiguration = KnoxContainerManager.getConfigurationTypeByName("knox-b2b");
newConfig = predefinedConfiguration.clone("kast_custom_configuration"); // Clones and assigns a new name
newConfig.setContainerLayout(KnoxContainerManager.CONTAINER_LAYOUT_TYPE_CLASSIC);
newConfig.allowLayoutSwitching(false);
newConfig.setPasswordMinimumLength(6);
newConfig.setMaximumFailedPasswordsForWipe(10);
newConfig.setMaximumCharacterSequenceLength(2);
newConfig.setMaximumNumericSequenceLength(2);
KnoxContainerManager.addConfigurationType(this.getApplicationContext(), newConfig);

When creating the container, we would get prompted to enter a password for the container. Now with Knox 3.0, we don't get prompted for a password and the workspace is created without one. How can we achieve the same using Knox 3.0?

Edit 1

I do see the post here https://seap.samsung.com/html-docs/android/Content/knox-password.htm#h2_1 about how passwords on the workspace work now. I followed the example listed by adding the following code to my admin receiver class when admin is activated:

EnterpriseDeviceManager edm = EnterpriseDeviceManager.getInstance(context);
PasswordPolicy pp = edm.getPasswordPolicy();
pp.enforcePwdChange();

However, when I open the workspace created, I do not get prompted to set a password for the workspace.

Edit 2

So it would appear the code example listed on the above link is incorrect. Instead of using EnterpriseDeviceManager, we should be using the KnoxContainerManager. I put the following code in my ContainerReceiver class

EnterpriseKnoxManager ekm = EnterpriseKnoxManager.getInstance(context);
KnoxContainerManager kmcm = ekm.getKnoxContainerManager(statusCode);
PasswordPolicy passwordPolicy = kmcm.getPasswordPolicy();
passwordPolicy.enforcePwdChange();

This will prompt to set a password when I open the workspace. However, I am still facing an issue getting it to recognize the password settings that should be applied to the workspace. If I try to specify the KnoxConfigurationType like the above example and then reference it when creating a container, I get an "Internal Error Has Occurred" when creating the container:

KnoxConfigurationType newConfig = null;
KnoxConfigurationType predefinedConfiguration = KnoxContainerManager.getConfigurationTypeByName("knox-b2b");
newConfig = predefinedConfiguration.clone("kast_custom_configuration"); // Clones and assigns a new name
newConfig.setContainerLayout(KnoxContainerManager.CONTAINER_LAYOUT_TYPE_CLASSIC);
newConfig.allowLayoutSwitching(false);
newConfig.setPasswordMinimumLength(16);
newConfig.setMaximumFailedPasswordsForWipe(10);
newConfig.setMaximumCharacterSequenceLength(2);
newConfig.setMaximumNumericSequenceLength(2);

KnoxContainerManager.addConfigurationType(this.getApplicationContext(), newConfig);
int requestID = KnoxContainerManager.createContainer("kast_custom_configuration");

 

Edit 3

It's almost working. It appears one of the settings is causing the internal error (setMaximumFailedPasswordsForWipe()). So along with the code in the container receiver to enforce the password change, the following code works to configure the password settings with the exception of the above mentioned method:

KnoxConfigurationType newConfig = null;
KnoxConfigurationType predefinedConfiguration = KnoxContainerManager.getConfigurationTypeByName("knox-b2b");
newConfig = predefinedConfiguration.clone("kast_custom_configuration"); // Clones and assigns a new name
newConfig.setMaximumCharacterSequenceLength(2);
newConfig.setMaximumNumericSequenceLength(2);
newConfig.setPasswordMinimumLength(16);
newConfig.setContainerLayout(KnoxContainerManager.CONTAINER_LAYOUT_TYPE_CLASSIC);
newConfig.allowLayoutSwitching(false);
//newConfig.setMaximumFailedPasswordsForWipe(10); <-- Causes internal error

KnoxContainerManager.addConfigurationType(this.getApplicationContext(), newConfig);
int requestID = KnoxContainerManager.createContainer("kast_custom_configuration");

Any way to get this setting to work?

Edit 4

Actually this approach does not work when copying over the mdm to the workspace as by the time the container reciever is executed, it no longer is the admin of the workspace, and thus cannot set the password policy for the workspace. So how can I enforce password settings on the workspace if:

1. I need the container id of the workspace in order to get the Knox Container Manager for that workspace to get the password policy

2. By the time I get the container id of the workspace on the device side, the device side mdm is no longer the admin of the receiver and thus I can't update the password policy. It has to be done from the mdm inside the workspace.

How can I get the following code to work:

KnoxConfigurationType newConfig = null;
KnoxConfigurationType predefinedConfiguration = KnoxContainerManager.getConfigurationTypeByName("knox-b2b");
newConfig = predefinedConfiguration.clone("kast_custom_configuration"); // Clones and assigns a new name
newConfig.setMaximumCharacterSequenceLength(2);
newConfig.setMaximumNumericSequenceLength(2);
newConfig.setPasswordMinimumLength(16);
newConfig.setContainerLayout(KnoxContainerManager.CONTAINER_LAYOUT_TYPE_CLASSIC);
newConfig.allowLayoutSwitching(false);
//newConfig.setMaximumFailedPasswordsForWipe(10); <-- Causes internal error

KnoxContainerManager.addConfigurationType(this.getApplicationContext(), newConfig);
int requestID = KnoxContainerManager.createContainer("kast_custom_configuration", "com.samsung.knox.example.container");

Where do I put the code to enforce password change?

EnterpriseKnoxManager ekm = EnterpriseKnoxManager.getInstance(context);
KnoxContainerManager kmcm = ekm.getKnoxContainerManager(statusCode);
PasswordPolicy passwordPolicy = kmcm.getPasswordPolicy();
passwordPolicy.enforcePwdChange();

That does not work in the container receiver when copying the mdm to the workspace.

Jenna S.Samsung SEAP Moderator
Aug 16, 2018
12:23 am

Hello Jason,

Keep the code as it was orginally

   EnterpriseDeviceManager edm = EnterpriseDeviceManager.getInstance(context);
   PasswordPolicy pp = edm.getPasswordPolicy();
   pp.enforcePwdChange();

Make sure to include this line in your code as well:

newConfig.setPasswordQuality(DevicePolicyManager.PASSWORD_QUALITY_SOMETHING);

This should work, let me know if you are still encountering issues.

Best regards,

Jenna