Michael Cheung
Feb 09, 2018
3:03 am

Sample App: java.lang.SecurityException

Hi,

When I run the sample app, I get this exception when pressing the "GRANT PERMISSIONS" button and the "TOGGLE CAMERA" button.

"ACTIVATE ADMIN", "DEACTIVATE ADMIN", and "ACTIVATE LICENSE" all work without issue.

 

For "GRANT PERMISSIONS", the full text is:

"java.lang.SecurityException: Admin does not have android.permission.sec.MDM_APP_MGMT OR com.samsung.android.knox.permission.KNOX_APP_MGMT"

 

For "TOGGLE CAMERA", the full text is:

"java.lang.SecurityException: Admin does not have android.permission.sec.MDM_HW_CONTROL OR com.samsung.android.knox.permission.KNOX_HW_CONTROL"

Samuel Goldwax
Feb 09, 2018
5:37 pm

Hi Michael,

Edit: The sample application for the Knox SDK is currently outdated as it does not properly support SKL license keys. An update with this app should be pushed soon.

Thanks,

Sam

Michael Cheung
Feb 14, 2018
2:45 am

When using the SKL license key with this app, IIRC it gave an error like "invalid license key" or something.  This java.lang.SecurityException only showed up when I switched it to use the ELM key.

I poked around looking for an older version of the sample app, and picked up one that downloads as "sSDK_Demo_2.zip" package com.samsung.business.sdk.standard.demo1, which compiles to an app titled "sSDK Sample1".  This app explicitly asks for an ELM key, as the demoELMKey.  When compiled, it only has the "Activate Admin" and "Toggle Camera" buttons.  "Activate Admin" runs fine, but "Toggle Camera" still prints the java.lang.SecurityException to the log view, asking again about android.permission.sec.MDM_HW_CONTROL OR com.samsung.android.knox.permission.KNOX_HW_CONTROL.

For reference, I'm running this on a device with Knox 2.7.1, standard SDK 5.7.1

Samuel Goldwax
Feb 14, 2018
6:06 pm

Hi Michael,

If you want to use the new Knox SDK on a device running Knox versions below 2.8, you have to implement the license activation slightly differently, which I outline in this thread. As I mention there, sample code for this functionality will be uploaded to the site in the near future.

The legacy 'getting started' app is quite weird in that it only attempts license activation after a failed call to a Knox API. So in this case, the license activation should start after you get the SecurityException when pressing the toggle camera button. I would actually recommend this sample app more if you're just looking for an implementation of license activation for the legacy SDK.

Please let me know if you have more questions!

Thanks,

Sam

Michael Cheung
Feb 16, 2018
11:08 pm

Hi Sam,

When I use that sample app the ELM activation, etc., is fine as usual, but the device admin activation prompt doesn't include the "Set hardware restrictions" permission.

 

I added

 

<uses-permission android:name="android.permission.sec.MDM_HW_CONTROL"/>

 

to the manifest, which gets "Set hardware restrictions" to show up in the device admin activation prompt.

 

I then use this code to try and toggle the camera enabled/disabled, however, it doesn't work - I still get the same old error:

java.lang.SecurityException: Admin does not have android.permission.sec.MDM_HW_CONTROL OR com.samsung.android.knox.permission.KNOX_HW_CONTROL

 

Code:

 

// Runs inside the sample app's Activity ("this" is the Activity context).
EnterpriseDeviceManager enterpriseDeviceManager = new EnterpriseDeviceManager(this);
RestrictionPolicy restrictionPolicy = enterpriseDeviceManager.getRestrictionPolicy();

// Read the current camera state, then try to set the opposite state.
boolean cameraEnabled = restrictionPolicy.isCameraEnabled(false);

try {
    restrictionPolicy.setCameraState(!cameraEnabled);
    SAUtils.showAlert(this, "Toggle", "Camera state set to: " + !cameraEnabled, getResources().getString(R.string.ok));
} catch (SecurityException e) {
    // Thrown when the admin does not hold the hardware-control permission.
    SAUtils.showAlert(this, "Security Exception", e.toString(), getResources().getString(R.string.ok));
} catch (Exception e) {
    SAUtils.showAlert(this, "Generic Exception", e.toString(), getResources().getString(R.string.ok));
}

Comments

Just to clarify, is this code extending the Standard License Activation app I linked earlier? Also are you using a legacy ELM key for the license activation? Thanks!

Samuel Goldwax, Feb 19, 2018 at 6:26 pm

Yes, the code is extending the app you linked.  The key I am using is an ELM key, not sure if you mean legacy as in there were older versions of ELM (in which case I can say that this key was generated around the start of February), or legacy as in SKL vs ELM, where I can confirm that I am using the ELM key and not the SKL key.

Michael Cheung, Feb 20, 2018 at 6:48 pm

Samuel Goldwax
Feb 22, 2018
6:01 pm

Hi Michael,

Thanks for the information so far!

Just to clarify, in general 'legacy' refers to pre-Knox SDK, so I just mean using an ELM key rather than an SKL key.

It looks like this is going to require a bit more investigation. Could you reproduce the error then send me a dumpstate of the device over at s.goldwax@partner.samsung.com?

Also just as a quick aside, the sample code for backwards compatibility is now available! Check out this sample app to see how to use the Knox SDK on Knox 2.7.1 and below.

Thanks,

Sam

Michael Cheung
Feb 22, 2018
7:25 pm

OK, email has been sent.  Will take a look at that other sample app.

Michael Cheung
Feb 22, 2018
9:39 pm

Hey Sam,

I tried out that other app, but no joy there either.  The results I got were almost identical to my first/initial post, all the way at the top.  Activate/Deactivate admin works fine, activate ELM works fine, grant permissions/toggle camera give me "...Admin does not have..." exceptions.  Adding the permissions to the manifest with uses-permission, like before, makes additional permissions show up in the device administrator activation dialog, but does not stop the grant permissions/toggle camera from throwing exceptions.

Greg Hata
Apr 05, 2018
6:58 pm

I'm having the same issue with the sample apps (including the backwards-compatibility app).  Has there been any resolution?

Michael Cheung
Apr 13, 2018
9:24 pm

No, I haven't heard anything from Samuel or anyone else since my last post.  Actually, I didn't even get an e-mail notification that you posted here... I coincidentally decided to take another look at this today.

Samuel Goldwax
Apr 13, 2018
10:29 pm

Hi Michael,

Sorry for the long wait. We've actually now introduced SKL support for our Knox SDK sample apps, so you should now be able to use the SKL key (and backward-compatible key for that sample app) with the sample code available on SEAP. I've looked through the dumpstate you provided, and it looks like the license activated fine but did not provide any permissions, hence the SecurityExceptions. Were you using the Knox SDK backward-compatible key as the ELM key in the legacy sample apps?

Thanks,

Sam

Michael Cheung
Apr 14, 2018
1:15 am

Yes, I am using the "Backwards-compatible key" in the list of Knox SDK keys.

The devices I am targeting include devices with Knox version 2.7 and earlier - am I still able to use the SKL key?

Alexey Ozerov
Apr 14, 2018
10:32 am

I'm at the same point now. Activating the ELM license works ok, but the app throws SecurityException: Admin does not have android.permission.sec.MDM_HW_CONTROL OR com.samsung.android.knox.permission.KNOX_HW_CONTROL when using RestrictionPolicy features. Using Knox SDK seems to be a nightmare for developers; it takes a lot of time and needs a lot of luck to make it work.

Samuel Goldwax
Selected Answer
Apr 16, 2018
4:38 pm

Hi all,

The key here is to use the correct license key(s) based on the Knox version and SDK. To clarify, activating the backwards-compatible key does not grant any Knox permissions, and thus cannot be used in place of a legacy ELM key for the older sample apps. This is why SecurityExceptions are thrown when you activate this license: it activates successfully but no permissions are granted. The backwards-compatible key should only be used when using the Knox SDK on devices with Knox version < 2.8, since these Knox versions require an ELM activation of some sort. Even in this scenario, however, all Knox permissions are granted based on the SKL license. 

@Michael, yes you're able to use the Knox SDK on these versions, like I mentioned. You just have to make sure you activate both the SKL and backwards-compatible key, rather than just the SKL key.

Let me know if anything else needs clarification.

Thanks,

Sam 

 

Alexey Ozerov
Apr 16, 2018
5:34 pm

This is what I understood and what is kind of working: We have to activate both SKL and ELM license in order to get the Knox SDK to work.

Comments

This is the intended use case. For devices with Knox version 2.8 and above, you only need the SKL activation. For lower versions, you need both the SKL activation and the backwards-compatible activation.

Edit: spelling

Samuel Goldwax, Apr 16, 2018 at 8:45 pm

Thank you. I wish the documentation and the sample apps were this clear.

Alexey Ozerov, Apr 17, 2018 at 7:56 am

Michael Cheung
Apr 20, 2018
9:16 pm

I see, thank you for sticking with this, Sam.  I was able to use the backwards compatibility app that you linked, with the SKL key as the KLM key - grant permissions/toggle camera works now.

Thank you for all your help.
