Environment 

• Knox Platform for Enterprise (KPE)

• Device administrator (DA)-based devices running Android O and later

Overview

Due to some changes to how password implementation is handled in Android O, IT administrators may be prevented from resetting device passwords from the UEM console. A factory reset may be required for previously activated devices to restore this functionality.

Cause

The DevicePolicyManager.resetPassword API was deprecated in Android O, preventing apps running as a DA from resetting the lock screen password. If a user forgets the password after upgrading to Android P, an app using the deprecated DA management model cannot activate the token, requiring a factory reset of the device.

As a workaround, the Knox SDK provides the wrapper BasePasswordPolicy.resetPasswordWithToken(). MDM providers must implement this API method call to ensure that the reset password token is set correctly.

Resolution

The fix for the password implementation issue requires both a device firmware update and support from the UEM:

Device firmware update

Firmware updates have been released for the following device models:

If your impacted device is with another carrier not mentioned in the above table, please log in to Samsung Knox to create a support ticket from your dashboard, referencing this article ID.

UEM support

Please consult with your UEM provider to confirm that the appropriate changes were made as per the Knox SDK guidelines.

To restore password reset functionality for previously activated devices, a factory reset may be required if the user previously set a screen lock password, then locked and unlocked the device before device enrollment. The unlocking process causes a loss of escrow data, which cannot be recovered upon enrollment into a UEM.