On this page

Android apps are able to store digital credentials securely on Samsung Android devices using a hardware-backed keystore. Some use cases require external storage, such as a smartcard or micro SD card to store credentials. Unfortunately, each type of credential storage comes with its own proprietary APIs. Using these APIs as a direct interface complicates app development, debugging, and maintenance because the app must be customized for each vendor’s interface. This means that when a deployed app needs to access a new type of storage, or even the same type of storage but from a different vendor, the app needs a patch to call the new APIs.

The Universal Credential Management (UCM) framework reduces this complexity by enabling apps to access all credential storage devices through the same set of interfaces, regardless of the underlying storage type. The following sections explains the UCM framework, how apps use the UCM APIs to access credentials, and how storage providers can integrate their solutions with theUCM framework.

About the Knox UCM framework

Samsung’s Knox SDK provides a future-proof plug-and-play framework to ease the management of credentials across a variety of different possible storage media. The SDK uses a common set of APIs to manage credentials on many possible current and future storage options, hiding the implementation details of individual storage providers so that mobile app developers can write code once and not worry about continual app updates. In the simplest sense, the UCM framework provides the following piece to the puzzle of apps, interfaces, and storage types:

In a more complete sense, the Knox UCM framework presents a single interface to the independent parties who are sharing the mobile device environment and resources as shown below:

The UCM framework provides APIs for accessing the Smartcard facility, and supports calls with the Java Cryptography Extension(JCE) API to access each Smartcard. Ultimately, the streamlined interface of UCM helps independent parties accomplish their tasks while bypassing the complexity of custom APIs.

Who does UCM help?

Application developers:

  • No need to program with a specific implementations for each credential storage.
  • Take advantage of many different types of credential storages with minor or no code changes.

Storage providers:

  • Make credential storage solutions accessible to existing apps (including Samsung native apps).
  • Take advantage of extra functionality provided by UCM services layer.
  • Easily integrate the Samsung UCM plugin on top of your existing Android app service.

Enterprise customers:

  • Enterprise systems that are already issuing Smartcards and user credentials can increase the level of security for users wanting to use mobile services such as secure email, enterprise VPNs, and enterprise web sites.

Advanced UCM features


An app can access the UCM features through the UCM plugin and can add it using standard JCE APIs. The app can then obtain instances of the JCE classes (KeyStore, SecureRandom, KeyPairGenerator, and Cipher) to perform cryptographic operation based on a Smartcard. The UCM framework routes JCE calls to the correct UCM provider and credential storage of the plugin. The UCM framework is also integrated into the Android KeyChain, so the app can view and choose the certificate stored on the Smartcard.


Android keyguard authenticates users based on their pattern, PIN, and password. The UCM framework is integrated into Keyguard, so users can use smartcard as an option for authentication. UCM keyguard is based on PIN authentication. If PIN authentication is successful, the UCM framework will retrieve the password that is generated inside smartcard, and use it as the device password.

With Knox 3.3, Knox UCM Keyguard policy enhancements now include:

  1. Support for work profiles on fully managed devices
  2. Bug fixes
  3. Custom Settings to:
    • Prevent the user from changing the lock type to Knox Workspace
    • Disable the One Lock option
    • Disable the Biometric authentication option
    • Disable the Auto factory reset option
    • Disable the Secure Start up option
    • Prevent access Knox workspace when Personal Unlocking Key (PUK) PIN input limit is exceeded
    • Note: Disabled options will have the icon dimmed from the settings and will not be searchable on the search bar.

Note that upon removing the UCM Keyguard policy from a profile, users will be able to access disabled options and will be able to change the lock type from their device.

On Device Encryption (ODE)

When ODE is enabled, the entire data partition is encrypted using the DEK (Device Encryption Key), which is generated on the device. Using UCM ODE, devices can be encrypted with a Smartcard-generated DEK as well.