March 2, 2016

Android for Work on Knox devices

Samsung Knox News

Android for Work is a device management solution for enterprises. When it's deployed on Samsung Knox devices, it benefits from a number of platform and hardware-level security features.

To enhance the security of Android for Work Manage profiles, Samsung has modified the default behavior for a number of device features.

Security benefits

Device Integrity

Users can only access the AfW Managed Profile if the device is uncompromised. AfW won’t open if the Warranty Bit of the device has been burned.

Sensitive Data Protection (SDP)

SDP allows data to remain encrypted until the device powers on and the user has unlocked the AfW Managed Profile. As of Knox 2.6, the default Email app inside the AfW Managed Profile supports SDP. Developers for AfW apps can enable this feature through integrating their app with the Knox ISV SDK.

Data remains encrypted and protected when the AfW profile is locked.


Knox devices use a TrustZone-based keystore as their default certificate storage location.


Real-time Kernel Protection (RKP) and Periodic Kernel Measurements (PKM)

RKP actively prevents code modifications during the operation of the kernel.  PKM periodically measures the kernel to ensure that no malicious software can compromise the kernel.


DM (Device Mapper)-Verity checks the device for malware that can launch after the device has been restarted. DM-Verity uses a hash tree to check if the underlying storage layer of the file system is configured as expected. For more information, see Verified Boot.

Trusted Boot

Trusted Boot secures the boot loader process by telling the OS everything that has run prior to start up.


Use cases

Here are two examples of how enterprises can benefit from using a combination of Knox Workspace and Android for Work.

Financial institutions and banks: Deploying Knox to employees, Android for Work to contractors

Enterprises may adopt both Bring Your Own Device (BYOD) and Corporate Owned, Personally Enabled (COPE) device management models. For example, employees may have COPE devices while contractors use BYOD devices. For COPE deployments, enterprises supply the devices, so they can ensure that these devices are Knox-enabled. Contractors may bring in a wide range of devices, some of which may not support Knox.

To support both COPE and BYOD devices, an enterprise can deploy Knox to employees to benefit from the Knox platform and Samsung's hardware-based security features, and manage contractors’ devices with AfW, which is supported on non-Knox devices.

Hospital: Knox to doctors, Android for Work to patients

In addition to use cases where employees could be using different device models, Knox and AfW could also be deployed to users with different access permission requirements.

For example, doctors who work in a hospital may be issued devices to access patient records and other information. Patients may also need to access their health records on their personal mobile devices.

Doctors may require more robust device security features to comply with patient privacy concerns. Hospitals can issue Knox devices and deploy Knox Workspace to those devices to ensure that patient records are secured.

Since patients use their own devices to access their medical records, it's likely that some of these devices may not support Knox. In this case, the hospital can allow patients to access their own information using an Android for Work Managed Profile.

For more information