Mayo 16, 2022

Enhancing data separation with Android and Samsung Knox

Valentine Igbokwe

samsung s22 ultra

Android smartphones and tablets have always been ahead of the curve when it comes to using the same device for both work and personal functions. It’s far easier to just carry one device (as opposed to both a work, and personal one), and Android developers have long provided a secure way to partition a single device to maintain privacy and keep enterprise data safe.

 Android’s work/home model has changed over time, both as device capabilities have increased and as Android’s active user community has refined its view of what features are needed. With Android 11 and 12, “Work Profile” is the latest idea in how to separate home and work on the same device.


Using ‘Work Profile’ on Android

"Work Profile” provides a full separation between the work side of the device and the personal side. In general, when a work profile is created and linked to an enterprise mobile device management (MDM/EMM/UEM) tool, the company has full and complete control over what’s inside of the work profile — but cannot touch anything on the personal side. Exactly how this works varies, depending on who owns the smartphone or tablet. If it’s an employee-owned device, what we call a BYOD (Bring Your Own Device) configuration, then the organization can only see data and control settings within the Work Profile part of the device. However, if it’s an organization-owned device, what we call a COPE (Company Owned, Personally Enabled) configuration, the organization has considerably more control over the non-Work Profile part of the device.

Both the BYOD and COPE configurations allow the end user to have a true dual-use device: one with a private and isolated work space and a separate private personal space, and some technological guarantees that the company can’t invade the personal space. However, not every organization is compatible with BYOD or COPE models — sometimes it’s just too risky to go for the dual-use case because of the type of organization, the sensitivity of the data or the regulatory environment.

For these types of organizations that don’t want private use of the company smartphone, the standard Android answer is to go for a “COBO” configuration: Company Owned, Business Only. With COBO, the device isn’t partitioned; it’s fully dedicated to company applications and the organization’s MDM/EMM/UEM has full control of every part of the device.


Managing untrusted apps

But there’s still another issue: what about work applications that are not really trusted? Let’s look at a healthcare organization which has super-strict privacy requirements for patient data. Employees will want to take their company smartphone during a business trip, and they might need to use the Delta Airlines app, the Intercontinental hotels app, and the Uber ride sharing app, all as part of their official travel. Those are work applications, but that doesn’t mean that the healthcare organization can really trust the apps or the app developers, and they may not want those apps on their company-owned smartphone. With standard Android, the only option is to ask the user to bring in a second smartphone.

Or, our healthcare organization could choose Samsung smartphones, and take advantage of Separated Apps, a Samsung-exclusive feature. With Separated Apps, the IT team can select applications that are allowed to be installed on company-owned business-only phones, but place those third-party apps into a sandboxed folder. The apps cannot see any confidential work data or communicate to other work apps outside the sandbox. These aren’t private — the company MDM/EMM/UEM has full visibility and control of these applications and the data in them. But they are separated from the rest of the operating system, delivering a user experience somewhere between the COBO (business only) and COPE (personally enabled) styles.

Separated Apps are automatically available in all major MDM/EMM/UEM tools thanks to the Knox Service Plugin (KSP), a part of Samsung Knox Platform for Enterprise. KSP is Samsung’s OEMConfig plugin that delivers constantly updated device-specific configuration and control without requiring the MDM/EMM/UEM vendor to make any changes to their product. Knox Platform for Enterprises licenses are available to all customers without charge.

This potent combination of Android’s standard separation modes, combined with the extra capabilities of Knox Platform for Enterprise provides IT managers with the tools they need to address virtually every mobile usage policy. All that’s left for you to do is decide exactly what’s right for your team, and to implement everything accordingly.

Browse Samsung’s versatile range of business devices built on the Samsung Knox security and management platform.


[Ícono] cerrar

Comenzar con Samsung Knox

[Ícono] maletín
¿Es un distribuidor, un proveedor de soluciones o un proveedor de servicios?

Conviértase en socio de Knox y haga crecer su empresa hoy mismo.

[Ícono] información

Seleccione un producto Knox para comenzar:

Paquete todo en uno
Knox Suite
Cambios de marca y personalización
Knox Configure
Protección contra el fraude y el robo
Knox Guard
Plan de protección de dispositivos
Samsung Care+ for Business
Otros productos y servicios

Comience con

[Imagen] Knox Suite

Paquete de soluciones todo en uno para ofrecer movilidad empresarial.

  • Obtenga una prueba gratuita de 90 días para hasta 30 dispositivos.
  • Un conjunto completo de herramientas para proteger, implementar, administrar y analizar los dispositivos corporativos.
  • Pruebe funciones potentes incluidas en el paquete de Knox Suite.

Knox Suite incluye lo siguiente:

Knox Mobile Enrollment Gratuita
Knox Manage
Knox Asset Intelligence
Knox Platform for Enterprise Gratuita
Soporte remoto de Knox
Knox Capture
Knox Authentication Manager

Comience con

[Imagen] Logotipo de Knox Configure

Personalice sus dispositivos Samsung y cámbieles la marca.

  • Obtenga una prueba gratuita de 90 días para hasta 30 dispositivos.
  • Configure de forma remota los dispositivos Samsung en masa y personalícelos según las necesidades específicas, desde el primer momento.
  • Configure sus dispositivos para una implementación de una sola vez o actualícelos cuantas veces quiera.

Comience con

[Ícono] Logotipo de Knox Guard

Protección contra el fraude y el robo para dispositivos Samsung.

  • Obtenga una prueba gratuita de 90 días para hasta 30 dispositivos.
  • Reduzca los riesgos financieros y proteja los activos mediante el control remoto de dispositivos Samsung.
  • Pruebe todas las funciones de Knox Guard, incluidos el control de SIM y el bloqueo de dispositivos.

Comience con

[Imagen] Logotipo de Samsung Care Plus For Business

Planes de protección de dispositivos para dispositivos Samsung.

  • Limite las interrupciones empresariales con reparaciones y reemplazos de dispositivos rápidos. Comuníquese con el equipo de ventas de Samsung para comenzar.
  • Vea toda la cobertura para dispositivos e información de reclamaciones en un solo lugar.
  • ¿Ya compró Samsung Care+ for Business? Cree una cuenta y active su plan en la consola Samsung Care+ for Business.

Otros productos y servicios

[Imagen] Otros logotipos

Soluciones modernas para abordar sus necesidades únicas.

  • Obtenga soporte técnico eficiente de un administrador de cuentas dedicado con el Soporte técnico empresarial.
  • Cree dispositivos a medida para su empresa mediante Samsung Software Customization Service.