While Samsung has been working on Knox -- an enterprise-grade mobile security platform that's built into its Galaxy phones and tablets -- the mobile device landscape has changed. The forces of BYOD and consumerization mean that many companies no longer standardize on a single device model or brand. Nevertheless, emerging uses mean that the market for enterprise mobile devices is still growing.
Today, Knox supports a wide variety of features and uses. But to understand Knox security, it helps to look at the underlying Android landscape in the enterprise.
Google's Android operating system was always intended to be a flexible starting point that other parties could modify to suit their needs. For years, it had only basic device management capabilities, and many device manufacturers added custom management APIs. Samsung's original effort in this area was called Samsung For Enterprise. In 2013, Samsung launched Knox, which added a new framework for separating work and personal data.
In 2014, Google finally enhanced Android's core enterprise capabilities with Android for Work. There is now less of a need for individual device manufacturers to create custom management APIs.
What does Knox include?
Still, manufacturers such as Samsung can differentiate their products by adding even more specialized management APIs -- and more importantly, their own hardware-based security features.
In this area, Knox provides a hardware root of trust, secure boot, trusted boot and ARM TrustZone. These are all hardware-based security checks that Knox performs at the point of login to ensure the integrity of the device and the OS. Knox devices also support remote attestation, a capability that allows administrators to check on a device at any time and to get notifications when users make changes. Plus, they include a fuse-like mechanism that ensures that no one can use a hacked or rooted device.
Knox has its own mobile device management (MDM) APIs as well as work and personal profile separation features called Knox Workspace. But Knox devices also support the Android for Work management frameworks, and Android for Work can take advantage of Knox security for hardware.
Other Knox programs include the following:
- Customization, for companies that want to modify devices used as kiosks or for other specialized uses;
- Mobile Enrollment for bulk deployment and MDM configuration;
- Shared Device, which enables a multi-user mode; and
- Enabled Apps for developers to create individual apps that take advantage of all the Knox security features without enrolling a device in MDM.
The Knox brand also encompasses several services, including cloud-based cross-platform MDM, identity management and consumer security that puts users in the driver's seat.
Why use Knox?
Samsung first marketed the persona separation features in Knox as a solution to BYOD. True BYOD, however, means dealing with Apple iOS, other Android devices and whatever else comes in the door. Therefore, the uses for Knox are more specialized and generally involve only corporate-owned devices.
For companies that issue corporate phones to employees, Knox Workspace can ensure that employees can safely personalize their devices without compromising business data. Organizations that support field workers, public kiosks or point-of-sale terminals make for other strong use cases.
Knox devices have competition in these areas, but Samsung has some advantages.
Knox can be expensive, and there are cheaper devices that use Android for Work. Samsung Galaxy phones and tablets are upmarket flagship devices, and Knox Workspace requires a $3.60 license fee per user per month. Still, Knox has the advantage of its hardware-based security and multiple government certifications, including Common Criteria, Federal Information Processing Standard 140-2 and approval from the U.S. Department of Defense.
In addition, Knox faces competition from iOS devices, which also have support for a degree of dual work and personal profiles, a kiosk mode and management features tailored to corporate-owned devices. Here, Knox has the advantage of having more management options and greater customization capabilities.
This article originally appeared in the October issue of the Modern Mobility e-zine.