7 things you need to know about Samsung KNOX dual-persona Android

It's been a few weeks since Samsung KNOX was announced at Mobile World Congress, and during this time I've had a chance to talk to several KNOX partners and get a few questions answered by Samsung. Since they're in the news with last week's Galaxy S 4 announcement, this is a good time to go over everything that we know about KNOX.

If you’re not familiar with KNOX and the Android mobile app management space, you can read more about the background in my previous article. (If you are familiar, you can skip down to the list.) For now, here are the basics: KNOX is a modification to Samsung Android devices that allows corporate applications to be isolated from users' personal applications. Many vendors offer ways to do this at the app level, but building a dual-persona framework into the operating system offers deeper integration with the device and a better chance for interoperability between EMM vendors.

1. Samsung is setting up its own app store, and all the “work” apps have to be signed by Samsung.

All of the Android apps that run in the secure “work” persona will come from an app store that’s curated by Samsung. To distribute enterprise apps, you’ll have to give them to Samsung to be signed. Here’s the word on that process, directly from Samsung: “There is no need for use of an SDK to develop an APP for deploying into KNOX. We use a proprietary tool to make minor modification to the existing app to make it run inside the container. There is no modification of the source code and no loss/change of functionality as long as the app does not violate any security policy. This can be achieved by submitting the app to KNOX app store and then making it available for download into KNOX.” That’s pretty much all we know about the process right now. (Users will still be free to install any apps they want in the personal part of the phone.)

2. Using KNOX means that you don’t have to worry about MAM vendor compatibility.

Since all of the apps come from the same source and the management is implemented in the operating system, we don’t have to worry about interoperability between different mobile app management vendors. All EMM vendors that support KNOX will interface with the same management APIs, and there are no vendor-specific mobile app management hooks to worry about.

3. This won’t do anything to ease fragmentation woes or help with BYOD...

  • First, we still have to deal with all the different management capabilities in Motorola, HTC, and all the others.
  • Like SAFE, KNOX is just going to be in a few devices to begin with, so there’s fragmentation even within Samsung.
  • ISVs who want to market enterprise-ready mobile apps now have to worry about submitting to the Samsung app store, as well as Google Play and Apple, not to mention worrying about management SDKs from individual MAM vendors.
  • Even if you issue all of your employees Samsung KNOX devices (kind of like back in the BlackBerry days), your employees are still going to have iPads and iPhones and a ton of other devices that they’ll invariably want to use for work.

4. ...but considering Samsung’s dominance, maybe this doesn’t matter quite as much.

If your “work” phone is an awesome, top-of-the-line Samsung with great hardware and full access to all the Android apps you could want in the personal environment, then maybe you don’t care as much about trying to do work on any other devices? Still, if the last couple of years have taught us anything, it’s that the ship has sailed for any hopes of managing an environment of homogenous endpoints.

5. KNOX has nothing to do with mobile virtualization

During Mobile World Congress, Red Bend and General Dynamics both made announcements about partnering with Samsung to create Android phones that use virtual machines to create separate work and personal environments. While these are in some ways similar to what KNOX does, they’re unrelated. KNOX was built entirely by Samsung, and does not use virtualization.

6. Hopefully this will spur Apple to add more enterprise features in iOS 7.

In case you haven’t noticed (and it’s hard not to, at least here in SF) Samsung has been doing huge amounts of advertising for SAFE. There’s a chance this could spur Apple to add better app management features to iOS—but really I don’t want to even pretend to know what Apple will do, and I’m not holding my breath. If anything happens, I’ll just be pleasantly surprised.

7. BlackBerry should be very, very scared.

One of the major features of the new BlackBerry 10 devices is BlackBerry Balance, a built-in framework to separate work and personal apps. (This has been around for a while, and BlackBerry deserves a lot of credit for it.) But then less than a month later Samsung introduced KNOX, and now you can get platform-enabled dual-persona on Android.

Without a doubt, Samsung is targeting the high-security market that was the last refuge for BlackBerry, and Samsung has the advantage of popular hardware and a popular operating system. This is where KNOX could have the biggest impact, and BlackBerry should be very, very scared.

The bottom line

There are two ways of looking at KNOX: the first is to assume that it will be a niche player, replacing BlackBerrys in high-security and regulated environments. For most environments, especially those that have to support a wide variety of devices (and thanks to BYOD and the consumerization of IT, that’s just about all of them), the EMM industry will have to continue to provide app-level solutions to isolate and secure corporate resources.

On the other hand, considering Samsung's dominance, KNOX devices could become a de facto corporate standard, and then using dual-persona mobile app management for all the other devices would become the niche. The problem here—and this goes for any solution that relies on a single device platform—is that it will take some time for KNOX devices to filter into the enterprise. Until that happens, and even after that happens, IT still has to support all the other platforms and versions of Android out there.

Either way, KNOX is the most interesting enterprise mobility management news so far this year.


Man great article! I have two further questions:

For the apps that Samsung wraps with KNOX, those are the original source apps, not the downloaded apps from Google Play, right? Like it's the ISV who has to submit their app to Samsung, not the end customer?

Second, what do you think this means for VMware Horizon Mobile (the dual VM version) for Android on Samsung devices? I know VMware claims that it's "shipped" though you can't actually get it anywhere, but I think VMware's launch partner for that was Samsung, right? Do you see Samsung supporting both of these? Is there even an advantage to the dual-VM Horizon approach anymore or will KNOX be enough? (Actually maybe that's a whole separate article?)


For submitting apps to Samsung, I don't think you could submit a Google Play app--it would have to come from the ISV, or customers could submit their in-house apps to be signed.

As for the relationship with Horizon Mobile and other virtualization products, this is a bit more unclear. Red Bend and General Dynamics (which also use virtualization for dual persona) both made announcements around Samsung devices... so apparently Samsung is open to both approaches. And remember that KNOX isn't going to be in all of their devices, so...pick the flavor that you want?

One big difference is that none of the mobile virtualization vendors have special requirements for signing or distributing apps into the work environment. Since IT is managing it, they can still prevent the user from installing random crap, but IT could install any apps they want—no dealing with Samsung's third-party app store.


IMO KNOX is a security container in the OS and management is still performed by others. I find it hard to imagine a large amount of enterprises any time soon using a KNOX store for their in-house signed apps. Lots of walls to be broken down with in-house development teams.

I see nothing material that would suggest that KNOX is going to offer enterprise management capabilities beyond signing. Even if KNOX became very popular and third party apps developed versions that were KNOX signed etc. the management is still a separate issue. I think it's therefore foolish to lump security and EMM into the same bucket. See how to hack MDM solutions Blackhat notes: www.corelan.be/.../blackhateu2013-day1-practical-attacks-against-mdm-solutions

More core OS security is therefore helpful, but plenty to do on the management side. However I am still not convinced that there are a compelling number of ISV apps that are useful for work (hoping @gabe will put up a place where people can register their wish list), and hence MDM/MAM for many is still very tactical. Many of the enterprise people I talk to about their enterprise mobile strategy are starting to form small mobile development teams that are trying to determine which apps they will update to become mobile friendly. As @bmkatz puts it, they don't want "crapplications" managed, they want better mobile apps that are relevant to their business and user productivity. As they do that, they are thinking about security and management as separate but related problems.


From what I've heard, or deduced, Samsung's mobile strategy is to make their devices thought of as Samsung only without any connection to Android, etc. It's why they made no mention of Google or Android in their Galaxy S4 launch last week. I've also heard the company will try anything and everything to see what sticks -- whether that's offering five virtual phones, a consumer phone, and an enterprise-friendly version of said phone, a Tizen powered device, et al.

I suspect KNOX will become one of those cool things that gets enterprises talking about Samsung devices but it won't see much traction because unless Samsung is selling these KNOX devices directly to organizations, I can't fathom a normal person walking into the Verizon store and saying they need to buy a KNOX-enabled device to use at work. They'll just buy the Galaxy and tell IT to figure it out.

This is also the reason why I suspect BlackBerry -- easily mocked for being late to the party -- might have a chance to become that viable third platform. Most organizations already have BB deployments and would be willing to give the new platform a shot if decision makers think line of business will use them.

A lot of orgs have issues with Android because of perceived security problems and fragmentation. So, they support iOS for BYOD and then offer BB for corporate issued or something like that.

TL;DR: KNOX sounds great but is it even necessary at this point?



Few thoughts:

1) Anyone thinking of using Android as a "secure" solution clearly hasn't spent any time looking at mobile malware trends or they'd quickly slap themselves upside the head and reconsider their delirium.  

2) Yea!  YAMMP - Yet another mobile management platform.

3) Mobile App Wrapping - Great idea, horrible execution for a majority of the vendors.  The minute I need unsigned IPA/APKs I have two problems on my hands:

a) Many vendors won't play ball.  Go ahead and try to get Microsoft to give you an IPA for Lync for iOS.  Yeah, let me know how that goes.

b) If I go the SDK route, how many of these YAMMP SDKs do you really expect the average ISV to embrace?   Seriously!  The clear leaders in this space are going to be those who strike while the iron is hot.  Sad to say it but Good has a substantial lead in this space with Dynamics.  Everyone else is playing catch up and many of them are being quite slow at it....Lookin' at you Citrix!

c) Some of the vendors don't get it that publishing enterprise (self developed apps) is one angle for MAM, wrapping commercial off the shelf apps is another angle.  Then simply pushing public apps is a third angle.  Very few are doing all three.

My 1.5 cents.




Totally agree about YAMMP...

Do you have any thoughts on the NSA Secure Edition Android that KNOX uses? Will that make a difference at all?


@Jack -  There's absolutely nothing wrong with the NSA Secure Edition solution if your need is a custom Android, restricted app store and zero ability to be a consumer motivated BYOD device.  However, that is the exact opposite of the ongoing BYOD/consumerization trend.  Will Gov/Mil use a secure Android offering that is completely locked down and will it maintain a level of security they are comfortable with (at least in meeting a written specification for sure)? Sure.  Will it be a BYOD user device that will satisfy an end user's desire to chock their device full of meaningless games to play? Probably not.  I am very excited to see a growing desire to implement TrustZone as it (along with Intel's counterparts) is one of the few ways to provide a real trusted platform through hardware attestation and secure execution enforcement.



Maybe I'm missing something but I do not get this containerisation stuff. As I understand it, it is largely a device level control. Say I have authorisation to use my company's email via Exchange ActiveSync. Yes, I can set this up in a container based email app, but what is stopping me also setting up a non-containerised EAS client app to get to my email? Likewise, say someone uses a note taking app like Evernote both for work and home, or something like a Box containerised version of the app to store some company data, and some personal data. What stops me setting up these apps outside the container, or on another device downloading a version of these apps and syncing all that content to another device?  Humans will use services as they want to, either those 'approved' or FUIT - 'separation' of data cannot be forced just by the use of a containerised device level control.