Release Notes
KNOX™
Premium SDK
Version 2.5
September 2015
Copyright Notice
Copyright © 2015 Samsung Electronics Co. Ltd. All rights reserved. Samsung is a registered trademark of Samsung Electronics Co. Ltd.
Samsung KNOX is a trademark of Samsung Electronics, Co., Ltd. in the United States and other countries. Specifications and designs are subject to change without notice. Non-metric weights and measurements are approximate. All data were deemed correct at time of creation.
Samsung is not liable for errors or omissions. Android and Google Play are trademarks of Google Inc. ARM and TrustZone are registered trademarks of ARM Limited (or its subsidiaries) in the EU and/or elsewhere. Bluetooth is a registered trademark of Bluetooth SIG, Inc. worldwide. Cisco AnyConnect is a registered trademark of Cisco Systems, Inc. and/or its affiliates in the United States and certain other countries. F5 Big IP-Edge Client is a registered trademark of F5 Networks, Inc. in the U.S. and in certain other countries. iOS is a trademark of Apple Inc., registered in the U.S. and other countries. Junos Pulse is a trademark of Pulse Secure, LLC. KeyVPN Client is a trademark of Mocana Corporation. Microsoft Azure and Microsoft Active Directory are either registered trademarks or trademarks of Microsoft Corporation in the United States and/or other countries. NFC Forum and the NFC Forum logo are trademarks of the Near Field Communication Forum. OpenVPN is a registered trademark of OpenVPN Technologies Inc. Oracle and Java are registered trademarks of Oracle and/or its affiliates. Other names may be trademarks of their respective owners. strongSwan is an open source software under General Public License as published by the Free Software Foundation. Wi-Fi is a registered trademark of the Wi-Fi Alliance. All brands, products, service names and logos are trademarks and/or registered trademarks of their respective owners and are hereby recognized and acknowledged.
Samsung KNOX Premium SDK Information
Version: 2.5
Supported Target Platform: Android 5.0 (Lollipop)
Document History

| Date | SDK Version | Doc Version | Description of changes |
| --- | --- | --- | --- |
| 12/27/12 | 1.0 | 1.0.0 | Base document version |
| 7/10/13 | 1.0.1 | 1.0.1 | Added new KNOX 1.0.1 policies. Removed KNOX Takeover APIs |
| 10/21/13 | 1.1.0 | 1.1.0 | Added new KNOX 1.1.0 and 1.0.2 |
| 3/4/14 | 2.0 | 2.0.0 | Added new KNOX 2.0 (includes KNOX 1.2 APIs). Separated Smart Card (SC) SDK |
| 7/8/14 | 2.1 | 2.1.0 | Added new KNOX 2.1 policies. Update on released KNOX 2.0 policies. |
| 9/25/14 | 2.2 | 2.2.0 | Updated all existing policies & features till KNOX 2.1. Added new KNOX 2.2 policies. |
| 12/5/14 | 2.3 | 2.3.0 | Updated all existing policies & features till KNOX 2.2. Added new KNOX 2.3 policies. |
| 3/4/15 | 2.4 | 2.4.0 | Updated all existing policies & features till KNOX 2.3. Added new KNOX 2.4 policies. |
| 9/3/15 | 2.5 | 2.5.0 | Added new KNOX 2.5 policies. Note: No changes in KNOX 2.4.1. |
Contact Information
Samsung Electronics Co., Ltd
416, Maetan-3dong, Yeongtong-gu Suwon-City Gyeonggi-do, 443-742
Samsung Research America, Ltd
665 Clyde Avenue, Mountain View, CA 94043 United States of America
Contents
1 Introduction
Additional documentation
2 Installation and configuration
3 Supported features
Previous version KNOX 2.4 Release history
Previous version KNOX 2.3 Release history
Policies implemented up to KNOX 2.2
4 New features and enhancements
New KNOX 2.5 feature descriptions
New KNOX 2.5 feature enhancement descriptions
New KNOX 2.5 policies
5 Issues fixed
6 Known issues
1 Introduction
This release contains the policies released as part of the Enterprise Device Management KNOX Project.
The Enterprise Device Management project is part of a broader ongoing effort to make Samsung Android smartphones and tablets enterprise friendly.
These policies are intended to be used by any Device Management client to enforce organization-specific policies on employee devices. MDM clients developed by Samsung Partners are intended to make use of these policies to satisfy their own and their customers' requirements.
Additional documentation
The following documentation is also available for additional information regarding the Samsung KNOX Standard and KNOX Premium SDKs:
Samsung KNOX™ Premium SDK Developer Guide—Describes the Samsung KNOX Premium and Standard SDK APIs and explains how to use them to develop Android™ app containers and other mobile enterprise features that can be implemented in Enterprise-managed Samsung KNOX-enabled mobile devices. This guide includes Java device and container use case examples.
You should consult this guide if you want to implement an agent APK that calls KNOX SDK APIs and communicates with the partner’s management server. The partner agent APK must be installed on the device by the user or IT admin, typically through Google Play or sideloading. The advantage of this approach is that this is the traditional model that supports pre-KNOX 2.0 versions of the SDK.
Samsung KNOX™ Quality Criteria for MDM Solutions—Describes the quality criteria for Samsung KNOX that each MDM partner should implement with their mobile device management solution.
2 Installation and configuration
The KNOX Premium SDK policies are currently developed on Android Lollipop.
The required MDM client should be installed on an Android Lollipop device, after which the new policies can be exercised.
3 Supported features
Previous version KNOX 2.4 Release history
The following table includes the policies which have been developed in KNOX 2.4:
| Policy Group | Policy | KNOX Version |
| --- | --- | --- |
| Advanced Restriction Policy Group | CC Mode State: AdvancedRestrictionPolicy.getCCModeState() | KNOX 2.4 |
| KNOX Container Configuration Policy group | Container Configuration: KNOXConfigurationType.setEnterpriseIdentityAuthentication(); KNOXConfigurationType.getEnterpriseIdentityAuthentication(); KNOXConfigurationType.setGenericSSOConfig(); KNOXConfigurationType.getGenericSSOConfig(); KNOXConfigurationType.setKeyguardDisabledFeatures(); KNOXConfigurationType.getKeyguardDisabledFeatures() | KNOX 2.4 |
| KNOX Container Management | Container Management: ContainerConfigurationPolicy.enableBluetooth(); ContainerConfigurationPolicy.isBluetoothEnabled(); ContainerConfigurationPolicy.enableNFC(); ContainerConfigurationPolicy.isNFCEnabled() | KNOX 2.4 |
The following table lists helper classes which have been developed in KNOX 2.4:
| Class | Comments | MDM Version |
| --- | --- | --- |
| KnoxVpnErrorValues | New error code class | KNOX 2.4 |
The following table includes the constants which have been developed in KNOX 2.4:
| Class | Constant | KNOX Version |
| --- | --- | --- |
| AdvancedRestrictionPolicy | CCMODE_STATE_NOT_SUPPORTED, CCMODE_STATE_NONE, CCMODE_STATE_DISABLED, CCMODE_STATE_READY, CCMODE_STATE_ENFORCING, CCMODE_STATE_ENABLED | KNOX 2.4 |
The following table includes the list of policies which have been deprecated in KNOX 2.4:
| Policy Group | Policy | KNOX Version |
| --- | --- | --- |
| Advanced Restriction Policy Group | AdvancedRestrictionPolicy.isCCModeEnabled(boolean showMsg) | KNOX 2.0 |
The following table lists the constants which have been deprecated in KNOX 2.4:

| Class | Member | KNOX Version |
| --- | --- | --- |
| EnterpriseSSOPolicy | SSO_SAMSUNG_SERVICE_PACKAGE_PATH | KNOX 2.0 |
The following table lists the constants which have been deprecated and not supported since KNOX 2.4:

| Class | Member | KNOX Version |
| --- | --- | --- |
| SmartCardAccessPolicy | BT_SECURE_MODE_DISABLED | KNOX 2.0 |
The following table lists the policies which have not been supported since KNOX 2.4:
| Policy Group | Policy | KNOX Version |
| --- | --- | --- |
| Enterprise ISL Group | EnterpriseISLPolicy class; IntegrityResultSubscriber class | KNOX 1.0 |
Previous version KNOX 2.3 Release history
The following table lists the policies which were developed in KNOX 2.3:
| Policy Group | Policy | KNOX Version |
| --- | --- | --- |
| KNOX Container Configuration Policy group | Container Configuration: KNOXConfigurationType.setBiometricAuthenticationEnabled(int bioAuth, boolean enable); KNOXConfigurationType.isBiometricAuthenticationEnabled(int bioAuth) | KNOX 2.3 |
| KNOX Container Management | Container Management: ContainerConfigurationPolicy.setSettingsOptionEnabled(String option, boolean enable); ContainerConfigurationPolicy.isSettingsOptionEnabled(String option) | KNOX 2.3 |
The following table lists the constants which were developed in KNOX 2.3:
| Class | Constant | KNOX Version |
| --- | --- | --- |
| ContainerConfigurationPolicy | OPTION_CALLER_INFO | KNOX 2.3 |
The following table lists the policies which have been deprecated in KNOX 2.3:
| Policy Group | Policy | KNOX Version |
| --- | --- | --- |
| Enterprise ISL Group | EnterpriseISLPolicy class; IntegrityResultSubscriber class; EnterpriseKNOXManager.getEnterpriseISLPolicy() | KNOX 1.0 |
Policies implemented up to KNOX 2.2
The following table includes the list of policies which have been developed up to KNOX 2.2:
| Policy Group | Policy | KNOX Version |
| --- | --- | --- |
| Audit Log | Enable/Disable Audit Log Service | KNOX 1.0 |
| Audit Log | Manage/Monitor Audit Log Feature Parameters | KNOX 1.0 |
| Audit Log | Dump Audit Log Information | KNOX 1.0 |
| Audit Log | Additional Audit Log Features | KNOX 1.0 |
| Container Application Policy group | Container Package management | KNOX 1.0 |
| Container Application Policy group | Start/Stop an Application | KNOX 1.0 |
| Container Application Policy group | Enable/Disable Application | KNOX 1.0 |
| Container Application Policy group | Write data in application home directory. | KNOX 1.0 |
| Container Application Policy group | Add/Get/Check/Remove the packages in the install white list. | KNOX 1.0 |
| Container Application Policy group | Home shortcut | KNOX 1.0 |
| Container Application Policy group | Prevent user from clearing data of certain applications | KNOX 1.0 |
| Container Application Policy group | Prevent user from clearing cache of certain applications | KNOX 1.0 |
| Container Firewall Policy group | Application inside container based Firewall | KNOX 1.0 |
| Container Firewall Policy group | Get active IPTABLES rules | KNOX 1.0 |
| Container Firewall Policy group | Web Filtering / Reporting | KNOX 1.0 |
| Container Firewall Policy group | Redirect Exceptions | KNOX 1.0 |
| Container Firewall Policy group | Kernel routing table information | KNOX 1.0 |
| Container Restriction Policy Group | Allow/Disallow Camera | KNOX 1.0 |
| Container Restriction Policy Group | Allow/Disallow Share List | KNOX 1.0 |
| Container Restriction Policy Group | Allow/Disallow Use Secure Keyboard | KNOX 1.0 |
| Certificate Management | Manage trusted CA restriction list | KNOX 1.0 |
| Certificate Management | Notify MDM admin of certificate failure events | KNOX 1.0 |
| Certificate Management | Notify user of certificate failure events | KNOX 1.0 |
| Certificate Management | Display to the user the identity of the entity that signed an application upon user request | KNOX 1.0 |
| Certificate Management | Manage untrusted certificate restriction list | KNOX 1.0 |
| Certificate Management | Certificates Revocation Status Check | KNOX 1.0 |
| Certificate Management | Certificate Validation at install time | KNOX 1.0 |
| Container VPN Policy group | Add/Remove Per App VPN in Container | KNOX 1.0 |
| Container VPN Policy group | List packages with VPN profile | KNOX 1.0 |
| Container VPN Policy group | Add/Remove VPN profile in Container | KNOX 1.0 |
| Enterprise Container Management Policy group | Container Creation policy | KNOX 1.0 |
| Enterprise Container Management Policy group | Container removal policy | KNOX 1.0 |
| Enterprise Container Management Policy group | Container Information Policy | KNOX 1.0 |
| Enterprise Container Management Policy group | Container Activation/Deactivation policy | KNOX 1.0 |
| Enterprise Container Management Policy group | Container Activation/Deactivation policy | KNOX 1.0 |
| Container Password Policy Group | Password Age IT policy rule | KNOX 1.0 |
| Container Password Policy Group | Maximum Password History IT policy rule | KNOX 1.0 |
| Container Password Policy Group | Minimum number of complex characters | KNOX 1.0 |
| Container Password Policy Group | Password Policy Delay | KNOX 1.0 |
| Container Password Policy Group | Password Change enforcement | KNOX 1.0 |
| Container Password Policy Group | Maximum password attempts for Container disable | KNOX 1.0 |
| Container Password Policy Group | Password Maximum Repeated Characters | KNOX 1.0 |
| Container Password Policy Group | Password Maximum Repeated Numerics | KNOX 1.0 |
| Container Password Policy Group | Password Forbidden Personal Data | KNOX 1.0 |
| Container Password Policy Group | Maximum Sequence of Characters | KNOX 1.0 |
| Container Password Policy Group | Minimum change in Password Characters | KNOX 1.0 |
| Container Password Policy Group | Enable / Disable Make password visible option | KNOX 1.0 |
| Container Password Policy Group | Password sufficient. | KNOX 1.0 |
| Enterprise Single-Sign-On (Added late binding support) | Get SSO error code | KNOX 1.0.1 |
| Enterprise Single-Sign-On (Added late binding support) | Get EnterpriseSSOPolicy object | KNOX 1.0.1 |
| Enterprise ISL Group | Perform Prebaseline scan | KNOX 1.0 |
| Enterprise ISL Group | First time device approval using MDM | KNOX 1.0 |
| Enterprise ISL Group | Perform Integrity scan | KNOX 1.0 |
| Enterprise ISL Group | Clear integrity baseline | KNOX 1.0 |
| Enterprise ISL Group | Add 3rd party package to baseline | KNOX 1.0 |
| Enterprise ISL Group | Remove 3rd party package from baseline | KNOX 1.0 |
| Enterprise ISL Group | Update the current baseline | KNOX 1.0 |
| Enterprise ISL Group | Register callback with integrity service | KNOX 1.0 |
| Enterprise ISL Group | Request binding to integrity service agent | KNOX 1.0 |
| Enterprise ISL Group | Check if integrity service agent is ready | KNOX 1.0 |
| Enterprise ISL Group | Start the runtime Integrity monitoring | KNOX 1.0 |
| Enterprise ISL Group | Stop the runtime Integrity monitoring | KNOX 1.0 |
| Enterprise ISL Group | Get the List of ISA | KNOX 2.0 |
| Attestation | Start attestation | KNOX 1.0.1 |
| Attestation | Start attestation with nonce | KNOX 1.0.1 |
| Attestation | Set the attestation server URL | KNOX 1.0.1 |
| Attestation | Get device KNOX id | KNOX 1.0.1 |
| KNOX Enterprise License Management | Activate KNOX Enterprise License | KNOX 1.0.1 |
| Enterprise Premium VPN Policy Group | Connect/Disconnect Per app VPN | KNOX 1.0 |
| Enterprise Premium VPN Policy Group | Set/Get certificates for authentication | KNOX 1.0 |
| Enterprise Premium VPN Policy Group | Set/Get VPN Connections | KNOX 1.0 |
| Enterprise Premium VPN Policy Group | Set/Get VPN mode | KNOX 1.0 |
| Enterprise Premium VPN Policy Group | Enable/Disable Route and setting. | KNOX 1.0 |
| Enterprise Premium VPN Policy Group | Remove VPN Connection | KNOX 1.0 |
| SEAndroid Policy Enforcement | Update SEAndroid Policy | KNOX 1.0 |
| SEAndroid Policy Enforcement | Update Mapping of File Paths to Security Labels | KNOX 1.0 |
| SEAndroid Policy Enforcement | Update Mapping of Android Properties to Security Labels | KNOX 1.0 |
| SEAndroid Policy Enforcement | Update Mapping of Java Applications to Security Contexts | KNOX 1.0 |
| SEAndroid Policy Enforcement | Revoke SEAndroid policies | KNOX 1.0 |
| SEAndroid Policy Enforcement | Get the SEAndroid Agent owner | KNOX 1.0 |
| SEAndroid Policy Enforcement | Get the status of the SELinux property | KNOX 1.0 |
| SEAndroid Policy Enforcement | Get AMS Enforce State | KNOX 1.0 |
| SEAndroid Policy Enforcement | Get AMS Log Level | KNOX 1.0 |
| SEAndroid Policy Enforcement | Set SELinux Enforcing | KNOX 1.0 |
| SmartCard Policy group | Enable/Disable SmartCard credentials for Email | KNOX 1.0 |
| SmartCard Policy group | Enable/Disable SmartCard Authentication for Browser | KNOX 1.0 |
| Enterprise Single-Sign-On | Set/get customer ID | KNOX 1.0 |
| Enterprise Single-Sign-On | Set Application whitelist | KNOX 1.0 |
| Enterprise Single-Sign-On | Delete Application whitelist | KNOX 1.0 |
| Enterprise Single-Sign-On | Delete Application whitelist state | KNOX 1.0 |
| Enterprise Single-Sign-On | Set Customer Information | KNOX 1.0 |
| Enterprise Single-Sign-On | Force user to re-authenticate | KNOX 1.0 |
| Enterprise Single-Sign-On | Unenroll user from SSO service | KNOX 1.0 |
| Enterprise KNOX Manager | Get KNOX Version | KNOX 1.0 |
| Enterprise KNOX Manager | Get KNOXified State | KNOX 1.0 |
| Enterprise Container Management Policy group | Container Activation/Deactivation Policy | KNOX 1.0.2 |
| Enterprise Container Management Policy group | Container Activation/Deactivation Policy | KNOX 1.0.2 |
| Generic VPN Policy Group | Connect/Disconnect Per app VPN | KNOX 1.1.0 |
| Generic VPN Policy Group | Set/Get Certificates for authentication | KNOX 1.1.0 |
| Generic VPN Policy Group | Set/Get VPN Connections | KNOX 1.1.0 |
| Generic VPN Policy Group | Set/Get VPN mode | KNOX 1.1.0 |
| Generic VPN Policy Group | Enhanced VPN Functionality | KNOX 1.1.0 |
| Generic VPN Policy Group | Remove VPN Connection | KNOX 1.1.0 |
| Generic VPN Policy Group | Get state/Error-status of the profile | KNOX 1.1.0 |
| SEAndroid Policy Enforcement | Get SELinux Mode | KNOX 1.0.2 |
| SEAndroid Policy Enforcement | Get the SEInfo from PackageName | KNOX 1.0.2 |
| SEAndroid Policy Enforcement | Get the SEInfo from Certificate | KNOX 1.0.2 |
| SEAndroid Policy Enforcement | Get Domain from PackageName | KNOX 1.0.2 |
| SEAndroid Policy Enforcement | Get Domain from SEInfo, PackageName | KNOX 1.0.2 |
| SEAndroid Policy Enforcement | Get DataType from PackageName | KNOX 1.0.2 |
| SEAndroid Policy Enforcement | Get DataType from SEInfo, PackageName | KNOX 1.0.2 |
| SEAndroid Policy Enforcement | Update MAC Permission | KNOX 1.0.2 |
| KNOX Enterprise License Manager | De-Activate license | KNOX 1.2 |
| Container Remote content provider policy group | Data sync management policy | KNOX 2.0 |
| Container Remote content provider policy group | File moving policy | KNOX 2.0 |
| Container Remote content provider policy group | Application moving policy | KNOX 2.0 |
| Certificate Management | Prevent removal of certificates / resetting keystore | KNOX 2.0 |
| Certificate Management | Permit an application to read private keys | KNOX 2.0 |
| KNOX Container Management Policy group | Container Creation policy | KNOX 2.0 |
| KNOX Container Management Policy group | Container removal policy | KNOX 2.0 |
| KNOX Container Management Policy group | Container Information Policy | KNOX 2.0 |
| KNOX Container Management Policy group | Container configuration policy | KNOX 2.0 |
| KNOX Container Management Policy group | Container Activation/Deactivation policy. | KNOX 2.0 |
| KNOX Container Management Policy group | Self Uninstall Policy | KNOX 2.0 |
| KNOX Enterprise License Manager | Activate license (non-admin) | KNOX 2.0 |
| KNOX Enterprise License Manager | De-Activate license (non-admin) | KNOX 2.0 |
| SmartCard Policy group | Enforce certificate alias name used for SmartCard credentials for S/MIME Email | KNOX 2.0 |
| SmartCard Policy group | Bluetooth Secure Access to Card reader | KNOX 2.0 |
| SmartCard Policy group | Select certificate alias name for SmartCard Authentication with Browser | KNOX 2.0 |
| KNOX VPN Management Group | Connect/Disconnect Per app Vpn. | KNOX 2.0 |
| Enterprise KNOX Client Certificate Manager Policy Group | Manage Client Certificates | KNOX 2.0 |
| Enterprise KNOX TIMA Keystore Policy Group | Manage TIMA Keystore | KNOX 2.0 |
| SEAMS | Manage SEAMs APIs | KNOX 2.0 |
| Advanced Restriction Policy | Manage Firmware Auto update | KNOX 2.0 |
| Advanced Restriction Policy | Manage CC Mode | KNOX 2.0 |
| Advanced Restriction Policy | Exclusive admin support | KNOX 2.0 |
| Advanced Restriction Policy | ODE Trusted Boot verification | KNOX 2.0 |
| Container Smartcard Access policy | Enable smartcard access policies inside container | KNOX 2.0 |
| Container Configuration policy | Add/Get/Check/Remove the packages in the install white list. | KNOX 2.0 |
| Container Configuration policy | Allow/Disallow secure keypad usage IT policy rule | KNOX 2.0 |
| Container Configuration policy | Container Activation/Deactivation policy | KNOX 2.0 |
| Container Configuration policy | Resetting container password | KNOX 2.0 |
| Enterprise Single-Sign-On | Push data to SSO service | KNOX 2.0 |
| Enterprise Single-Sign-On | Request setup SSO service | KNOX 2.0 |
| Enterprise Single-Sign-On | Check if EnterpriseSSOPolicy service is ready | KNOX 2.0 |
| Enterprise KNOX Client Certificate Manager Policy Group | Manage Client Certificates | KNOX 2.1 |
| Enterprise KNOX Certificate Enroll Policy Group | Certificate enrollment, renewal and deletion operations with different protocols like SCEP, CMC, CMP | KNOX 2.1 |
| SEAMs | Manage SEAMs APIs | KNOX 2.1 |
| Advanced Restriction Policy | API whether CC mode supported or not | KNOX 2.1 |
| Container Configuration policy | Reset container on reboot | KNOX 2.1 |
| Container Configuration Management Policy Group | Password pattern restriction | KNOX 2.1 |
| Container Configuration Management Policy Group | Light Weight Container (LWC) configuration | KNOX 2.1 |
| Container Configuration Management Policy Group | Container Only Mode (COM) configuration | KNOX 2.1 |
| Certificate Policy Group | Allow/Block installation of self signed applications | KNOX 2.2 |
| Enterprise Billing Policy Group | APN based Enterprise split billing | KNOX 2.2 |
| Container Management Policy Group | Remove Configuration Type | KNOX 2.2 |
| Container Management Policy Group | Create Container(Creation Param) | KNOX 2.2 |
| Container Configuration policy group. | Reset container password | KNOX 2.2 |
| Container Configuration Policy Group | Manage Hibernation Timeout | KNOX 2.2 |
| Container Configuration Policy Group | Manage Wi-Fi network SSID | KNOX 2.2 |
| Container Configuration Policy Group | Enable external sdcard. | KNOX 2.2 |
| Container Configuration Policy Group | Manage External Storage White and Black List | KNOX 2.2 |
| Container Configuration Policy Group | Manage Remote Control | KNOX 2.2 |
| KNOX Configuration Type | MultiFactor Authentication | KNOX 2.2 |
4 New features and enhancements
This chapter details the new KNOX 2.5 features and enhancements in the following sections:
New feature descriptions
New feature enhancement descriptions
Policies
New KNOX 2.5 feature descriptions
The following table details the new features for KNOX 2.5:
| Feature | Description |
| --- | --- |
| KNOX Container Launch Layout | You can now set the container layout that users see when accessing a KNOX container: folder (as used by the lightweight container) or classic (with separate launcher). Folder type is set by default. |
| KNOX Container USB access | You can enable or disable USB access for apps inside the KNOX container. |
New KNOX 2.5 feature enhancement descriptions
The following table details the feature enhancements for KNOX 2.5:
| Feature | Description |
| --- | --- |
| Audit log | You can now specify the types of messages that get saved to the Audit Log to analyze device events and troubleshoot problems. You can select events based on their severity, success or fail status, module group (security, system, network, events, and application), and whether they originated from the kernel |
New KNOX 2.5 policies
The following table lists the policies which have been developed in KNOX 2.5:
| Policy Group | Policy | KNOX Version |
| --- | --- | --- |
| KNOX Container Configuration Policy group | Container Configuration: KNOXConfigurationType.setContainerLayout(); KNOXConfigurationType.getContainerLayout(); KNOXConfigurationType.allowLayoutSwitching(); KNOXConfigurationType.isLayoutSwitchingAllowed() | KNOX 2.5 |
| KNOX Container Management Policy group | Get policy instance: KnoxContainerManager.getFirewall() | KNOX 2.5 |
| KNOX Container Management Policy group | Container Management: ContainerConfigurationPolicy.enableUsbAccess(); ContainerConfigurationPolicy.isUsbAccessEnabled() | KNOX 2.5 |
| AuditLog Policy Group | AuditLog: AuditLog.setAuditLogRules(); AuditLog.getAuditLogRules(). Note: Changed multiuser scope for all APIs from “Global” to “User” | KNOX 2.5 |
| SEAMS | Manage SEAMs: SEAMS.activateDomain() | KNOX 2.5 |
The following table lists helper classes which have been developed in KNOX 2.5:
| Class | Comments | KNOX Version |
| --- | --- | --- |
| AuditLogRulesInfo | Configure AuditLog rules | KNOX 2.5 |
The following table includes the constants which have been developed in KNOX 2.5:
| Class | Constant | KNOX Version |
| --- | --- | --- |
| KnoxContainerManager | CONTAINER_LAYOUT_TYPE_FOLDER, CONTAINER_LAYOUT_TYPE_CLASSIC, CONTAINER_CREATION_FAILED_SPECIFIC_ERROR_TYPE, ERROR_CREATION_FAILED_INVALID_PARAM, ERROR_CREATION_FAILED_SUB_USER, ERROR_CREATION_FAILED_RESERVED_CONFIGURATION_TYPE_USED, ERROR_CREATION_FAILED_INVALID_PARAM_LIST, ERROR_CREATION_FAILED_INVALID_KNOX_CONFIGURATION_TYPE, ERROR_CREATION_FAILED_EMERGENCY_MODE, ERROR_CREATION_FAILED_INVALID_USER_INFO, ERROR_CREATION_FAILED_TIMA_PWD_KEY, ERROR_CREATION_FAILED_GENERATE_CMK | KNOX 2.5 |
| KnoxVpnErrorValues | ERROR_PROXY_FEATURE_NOT_SUPPORTED, ERROR_STORING_PROXY_USERNAME, ERROR_STORING_PROXY_PASSWORD | KNOX 2.5 |
| AuditLog | AUDIT_LOG_SEVERITY_ALERT, AUDIT_LOG_SEVERITY_CRITICAL, AUDIT_LOG_SEVERITY_ERROR, AUDIT_LOG_SEVERITY_WARNING, AUDIT_LOG_SEVERITY_NOTICE | KNOX 2.5 |
The following table lists the constants which have been deprecated since KNOX 2.5:

| Class | Member | KNOX Version |
| --- | --- | --- |
| CCMProfile | Enum AccessControlMethod.PASSWORD | KNOX 2.1 |
| CCMProfile | String accessControlPassword | KNOX 2.1 |
5 Issues fixed
Not applicable at time of release.
6 Known issues
Not applicable at time of release.