On this page

The page contains critical information about how the Knox 3.2 framework handles passwords.

Enforcing password overview

The Knox framework will not enforce a password requirement by default for new Workspaces created under Knox 3.x.

Certain items depend on password being created. For example Android Key Store (AKS) cannot be initialized unless a password is created. Thus EMM agents cannot provision certificates unless user has setup a password. Similarly cert enrollment via SCEP or other mechanism also requires password to be setup.

EMMs must wait until a password is created before proceeding with items that require password. IT admin MUST specify password policy prior to container creation. Following Knox mechanisms to allow specifying password policy:

  1. KnoxConfigurationType
  2. PasswordPolicy

Note – Users are prompted to set password after the Workspace launches Workspace.

After user has changed the device or profile password onPasswordChanged() method is called as a result of receiving ACTION_PASSWORD_CHANGED. EMMs can implement this method to know when password has been set. Following sample code to get the userId of the user that changed the password.

Public void onPasswordChanged(Context context, Intent intent, UserHandle user) {
 int containerId = intent.getExtras().getInt(“android.intent.extra.USER_ID”);

After receiving notification of password change and determining the user that changed the password EMMs can proceed to configure/provision items that require password. For example after this notification EMMs can start provisioning certificates.

See following flows for Knox 2.X vs Knox 3.0.

Knox 2.X

Knox 3.0

In Knox 3.0 password is not enforced during creation. IT admins can set a password policy for the user to set the password after Workspace is launched for the first time.

Note – Starting with Knox 3.0, EMM’s DeviceAdminReceiverfor CL and COM containers, located in user 0, will get all the callbacks that a DPC that is running inside the managed profile would get. For example: onPasswordChanged or onEnabled.


Enforcing password in Workspace

Knox SDK v3.0 password rules have been modified to extend the functionality of upgrading from an Android PO to a Knox Workspace. As a result, the Workspace password flow has changed and passwords are not enabled by default. This also allows developers to customize their own authentication solution. To ensure a user sets a password on their container, insert the code below in the AdminReciever class.

public void onProfileProvisioningComplete(Context context, Intent intent) {	
   EnterpriseDeviceManager edm = EnterpriseDeviceManager.getInstance(context);
   PasswordPolicy pp = edm.getPasswordPolicy();

Now a user will be prompted to create a password prior to entering the container when a PO is upgraded to a Knox container, with the license activation method.

Note - If you are using Knox SDK v3.0 or below, password is enabled by default. Follow the steps below.

Set Password in Workspace

To set a password for a Knox Workspace, ensure that the container is configured properly prior to being created. This example clones a knox-b2b container.

KnoxConfigurationType predefinedConfiguration = KnoxContainerManager.getConfigurationTypeByName("knox-b2b");
KnoxConfigurationType newConfig = predefinedConfiguration.clone("custom"); //Clones and assigns a new name

Change Password on device side

The following configurations must be enforced by the IT admin:

  • Set password change timeout
  • Set password expired date
  • Enforce password change

Perform the following procedure:

  1. Create the EnterpriseDeviceManager object.
  2. Get the PasswordPolicy object.
  3. Use setPasswordChangeTimeout and pass in the amount in minutes.
  4. Get the enterpriseDeviceAdmin
  5. Set the password expiration date with setPasswordExpires. Pass in the amount in days.
  6. Enforce a password change with enforcePwdChange.
EnterpriseDeviceManager edm = EnterpriseDeviceManager.getInstance(context);
PasswordPolicy passwordPolicy = edm.getPasswordPolicy();


//EDMTestsAdmin extends DeviceAdminReceiver and is notified when password expires
ComponentName enterpriseDeviceAdmin = new ComponentName(context, EDMTestsAdmin.class); 

passwordPolicy.setPasswordExpires(enterpriseDeviceAdmin, 10);