Maggio 16, 2022

Enhancing data separation with Android and Samsung Knox

Valentine Igbokwe

samsung s22 ultra

Android smartphones and tablets have always been ahead of the curve when it comes to using the same device for both work and personal functions. It’s far easier to just carry one device (as opposed to both a work, and personal one), and Android developers have long provided a secure way to partition a single device to maintain privacy and keep enterprise data safe.

 Android’s work/home model has changed over time, both as device capabilities have increased and as Android’s active user community has refined its view of what features are needed. With Android 11 and 12, “Work Profile” is the latest idea in how to separate home and work on the same device.


Using ‘Work Profile’ on Android

"Work Profile” provides a full separation between the work side of the device and the personal side. In general, when a work profile is created and linked to an enterprise mobile device management (MDM/EMM/UEM) tool, the company has full and complete control over what’s inside of the work profile — but cannot touch anything on the personal side. Exactly how this works varies, depending on who owns the smartphone or tablet. If it’s an employee-owned device, what we call a BYOD (Bring Your Own Device) configuration, then the organization can only see data and control settings within the Work Profile part of the device. However, if it’s an organization-owned device, what we call a COPE (Company Owned, Personally Enabled) configuration, the organization has considerably more control over the non-Work Profile part of the device.

Both the BYOD and COPE configurations allow the end user to have a true dual-use device: one with a private and isolated work space and a separate private personal space, and some technological guarantees that the company can’t invade the personal space. However, not every organization is compatible with BYOD or COPE models — sometimes it’s just too risky to go for the dual-use case because of the type of organization, the sensitivity of the data or the regulatory environment.

For these types of organizations that don’t want private use of the company smartphone, the standard Android answer is to go for a “COBO” configuration: Company Owned, Business Only. With COBO, the device isn’t partitioned; it’s fully dedicated to company applications and the organization’s MDM/EMM/UEM has full control of every part of the device.


Managing untrusted apps

But there’s still another issue: what about work applications that are not really trusted? Let’s look at a healthcare organization which has super-strict privacy requirements for patient data. Employees will want to take their company smartphone during a business trip, and they might need to use the Delta Airlines app, the Intercontinental hotels app, and the Uber ride sharing app, all as part of their official travel. Those are work applications, but that doesn’t mean that the healthcare organization can really trust the apps or the app developers, and they may not want those apps on their company-owned smartphone. With standard Android, the only option is to ask the user to bring in a second smartphone.

Or, our healthcare organization could choose Samsung smartphones, and take advantage of Separated Apps, a Samsung-exclusive feature. With Separated Apps, the IT team can select applications that are allowed to be installed on company-owned business-only phones, but place those third-party apps into a sandboxed folder. The apps cannot see any confidential work data or communicate to other work apps outside the sandbox. These aren’t private — the company MDM/EMM/UEM has full visibility and control of these applications and the data in them. But they are separated from the rest of the operating system, delivering a user experience somewhere between the COBO (business only) and COPE (personally enabled) styles.

Separated Apps are automatically available in all major MDM/EMM/UEM tools thanks to the Knox Service Plugin (KSP), a part of Samsung Knox Platform for Enterprise. KSP is Samsung’s OEMConfig plugin that delivers constantly updated device-specific configuration and control without requiring the MDM/EMM/UEM vendor to make any changes to their product. Knox Platform for Enterprises licenses are available to all customers without charge.

This potent combination of Android’s standard separation modes, combined with the extra capabilities of Knox Platform for Enterprise provides IT managers with the tools they need to address virtually every mobile usage policy. All that’s left for you to do is decide exactly what’s right for your team, and to implement everything accordingly.

Browse Samsung’s versatile range of business devices built on the Samsung Knox security and management platform.


[Icon] chiudi

Comincia a utilizzare Samsung Knox

[Icona] valigia
Sei un rivenditore, un provider di soluzioni o un provider di servizi?

Diventa un partner Knox e fai crescere la tua azienda oggi.

[Icon] info

Seleziona un prodotto Knox per iniziare:

Soluzione completa
Knox Suite
Rebranding e personalizzazione
Knox Configure
Protezione da frodi e furti
Knox Guard
Piano di protezione dei dispositivi
Samsung Care+ for Business
Altri prodotti e servizi

Inizia a utilizzare

[Image] Knox Suite

Una soluzione completa in bundle, appositamente concepita per la mobilità aziendale.

  • Ottieni una prova gratuira di 90 giorni per un massimo di 30 dispositivi.
  • Un set di strumenti completo per proteggere, distribuire, gestire e analizzare i dispositivi della tua azienda.
  • Prova le straordinarie funzionalità di Knox Suite

Knox Suite comprende:

Knox Mobile Enrollment Gratuito
Knox Manage
Knox Asset Intelligence
Knox Platform for Enterprise Gratuito
Supporto remoto Knox
Knox Capture
Knox Authentication Manager

Inizia a utilizzare

[Image] Logo Knox Configure

Consenti il rebranding e la personalizzazione dei tuoi dispositivi Samsung.

  • Ottieni una prova gratuira di 90 giorni per un massimo di 30 dispositivi.
  • Configura da remoto i dispositivi Samsung in blocco e personalizzali in base alle tue esigenze specifiche per un uso immediato.
  • Configura i tuoi dispositivi per la singola distribuzione o aggiornali tutte le volte che vuoi.

Inizia a utilizzare

[Icon] Logo Knox Guard

Protezione da frodi e furti per i dispositivi Samsung.

  • Ottieni una prova gratuira di 90 giorni per un massimo di 30 dispositivi.
  • Riduci i rischi finanziari e proteggi gli asset controllando in remoto i dispositivi Samsung.
  • Prova tutte le funzionalità di Knox Guard, inclusi controllo della SIM e blocco del dispositivo.

Inizia a utilizzare

[Image] Logo Samsung Care Plus For Business

Piano di protezione per i dispositivi Samsung.

  • Limita le interruzioni delle attività con riparazioni e sostituzioni rapide dei dispositivi. Contatta l'ufficio vendite Samsung per iniziare.
  • Visualizza tutte le informazioni sulla copertura del tuo dispositivo e sul reclamo in un unico luogo.
  • Hai già acquistato Samsung Care+ for Business? Crea un account e attiva il piano nella console Samsung Care+ for Business.

Altri prodotti e servizi

[Image] Logo di altri prodotti

Soluzioni moderne per soddisfare le tue esigenze specifiche.

  • Ricevi supporto tecnico efficiente da parte di un account manager dedicato con Enterprise Tech Support.
  • Crea dispositivi su misura per la tua azienda utilizzando Samsung Software Customization Service.