Enhancing data separation with Android and Samsung Knox

Valentine Igbokwe
Maio 16, 2022

samsung s22 ultra

Android smartphones and tablets have always been ahead of the curve when it comes to using the same device for both work and personal functions. It’s far easier to just carry one device (as opposed to both a work, and personal one), and Android developers have long provided a secure way to partition a single device to maintain privacy and keep enterprise data safe.

 Android’s work/home model has changed over time, both as device capabilities have increased and as Android’s active user community has refined its view of what features are needed. With Android 11 and 12, “Work Profile” is the latest idea in how to separate home and work on the same device.

 

Using ‘Work Profile’ on Android

"Work Profile” provides a full separation between the work side of the device and the personal side. In general, when a work profile is created and linked to an enterprise mobile device management (MDM/EMM/UEM) tool, the company has full and complete control over what’s inside of the work profile — but cannot touch anything on the personal side. Exactly how this works varies, depending on who owns the smartphone or tablet. If it’s an employee-owned device, what we call a BYOD (Bring Your Own Device) configuration, then the organization can only see data and control settings within the Work Profile part of the device. However, if it’s an organization-owned device, what we call a COPE (Company Owned, Personally Enabled) configuration, the organization has considerably more control over the non-Work Profile part of the device.

Both the BYOD and COPE configurations allow the end user to have a true dual-use device: one with a private and isolated work space and a separate private personal space, and some technological guarantees that the company can’t invade the personal space. However, not every organization is compatible with BYOD or COPE models — sometimes it’s just too risky to go for the dual-use case because of the type of organization, the sensitivity of the data or the regulatory environment.

For these types of organizations that don’t want private use of the company smartphone, the standard Android answer is to go for a “COBO” configuration: Company Owned, Business Only. With COBO, the device isn’t partitioned; it’s fully dedicated to company applications and the organization’s MDM/EMM/UEM has full control of every part of the device.

 

Managing untrusted apps

But there’s still another issue: what about work applications that are not really trusted? Let’s look at a healthcare organization which has super-strict privacy requirements for patient data. Employees will want to take their company smartphone during a business trip, and they might need to use the Delta Airlines app, the Intercontinental hotels app, and the Uber ride sharing app, all as part of their official travel. Those are work applications, but that doesn’t mean that the healthcare organization can really trust the apps or the app developers, and they may not want those apps on their company-owned smartphone. With standard Android, the only option is to ask the user to bring in a second smartphone.

Or, our healthcare organization could choose Samsung smartphones, and take advantage of Separated Apps, a Samsung-exclusive feature. With Separated Apps, the IT team can select applications that are allowed to be installed on company-owned business-only phones, but place those third-party apps into a sandboxed folder. The apps cannot see any confidential work data or communicate to other work apps outside the sandbox. These aren’t private — the company MDM/EMM/UEM has full visibility and control of these applications and the data in them. But they are separated from the rest of the operating system, delivering a user experience somewhere between the COBO (business only) and COPE (personally enabled) styles.

Separated Apps are automatically available in all major MDM/EMM/UEM tools thanks to the Knox Service Plugin (KSP), a part of Samsung Knox Platform for Enterprise. KSP is Samsung’s OEMConfig plugin that delivers constantly updated device-specific configuration and control without requiring the MDM/EMM/UEM vendor to make any changes to their product. Knox Platform for Enterprises licenses are available to all customers without charge.

This potent combination of Android’s standard separation modes, combined with the extra capabilities of Knox Platform for Enterprise provides IT managers with the tools they need to address virtually every mobile usage policy. All that’s left for you to do is decide exactly what’s right for your team, and to implement everything accordingly.

Browse Samsung’s versatile range of business devices built on the Samsung Knox security and management platform.

 

Entre em contato com um especialista em vendas para empresas

Nossa equipe de vendas do Knox está pronta para colaborar com você para enfrentar seus maiores desafios de negócios. Forneça seus detalhes de contato para falar de um projeto com a nossa equipe de vendas.

Voltar ao início