It’s been a few weeks since Samsung KNOX was announced at Mobile World Congress, and during this time I’ve had a chance to talk to several KNOX partners and get a few questions answered by Samsung. Since they’re in the news with last week’s Galaxy S 4 announcement, this is a good time to go over everything that we know about KNOX.
If you’re not familiar with KNOX and the Android mobile app management space, you can read more about the background in my previous article. (If you are familiar, you can skip down to the list.) For now, here are the basics: KNOX is a modification to Samsung Android devices that allows corporate applications to be isolated from users' personal applications. Many vendors offer ways to do this at the app level, but building a dual-persona framework into the operating system offers deeper integration with the device and a better chance for interoperability between EMM vendors.
1. Samsung is setting up its own app store, and all the “work” apps have to be signed by Samsung.
All of the Android apps that run in the secure “work” persona will come from an app store that’s curated by Samsung. To distribute enterprise apps, you’ll have to give them to Samsung to be signed. Here’s the word on that process, directly from Samsung: “There is no need for use of an SDK to develop an APP for deploying into KNOX. We use a proprietary tool to make minor modification to the existing app to make it run inside the container. There is no modification of the source code and no loss/change of functionality as long as the app does not violate any security policy. This can be achieved by submitting the app to KNOX app store and then making it available for download into KNOX.” That’s pretty much all we know about the process right now. (Users will still be free to install any apps they want in the personal part of the phone.)
2. Using KNOX means that you don’t have to worry about MAM vendor compatibility.
Since all of the apps come from the same source and the management is implemented in the operating system, we don’t have to worry about interoperability between different mobile app management vendors. All EMM vendors that support KNOX will interface with the same management APIs, and there are no vendor-specific mobile app management hooks to worry about.
3. This won’t do anything to ease fragmentation woes or help with BYOD...
- First, we still have to deal with all the different management capabilities in Motorola, HTC, and all the others.
- Like SAFE, KNOX is just going to be in a few devices to begin with, so there’s fragmentation even within Samsung.
- ISVs who want to market enterprise-ready mobile apps now have to worry about submitting to the Samsung app store, as well as Google Play and Apple, not to mention worrying about management SDKs from individual MAM vendors.
- Even if you issue all of your employees Samsung KNOX devices (kind of like back in the BlackBerry days), your employees are still going to have iPads and iPhones and a ton of other devices that they’ll invariably want to use for work.
4. ...but considering Samsung’s dominance, maybe this doesn’t matter quite as much.
If your “work” phone is an awesome, top-of-the-line Samsung with great hardware and full access to all the Android apps you could want in the personal environment, then maybe you don’t care as much about trying to do work on any other devices? Still, if the last couple of years have taught us anything, it’s that the ship has sailed for any hopes of managing an environment of homogenous endpoints.
5. KNOX has nothing to do with mobile virtualization
During Mobile World Congress, Red Bend and General Dynamics both made announcements about partnering with Samsung to create Android phones that use virtual machines to create separate work and personal approaches. While these are in some ways similar to what KNOX does, they’re unrelated. KNOX was built entirely by Samsung, and does not use virtualization.
6. Hopefully this will spur Apple to add more enterprise features in iOS 7.
In case you haven’t noticed (and it’s hard not to, at least here in SF) Samsung has been doing huge amounts of advertising for SAFE. There’s a chance this could spur Apple to add better app management features to iOS—but really I don’t want to even pretend to know what Apple will do, and I’m not holding my breath. If anything happens, I’ll just be pleasantly surprised.
7. BlackBerry should be very, very scared.
One of the major features of the new BlackBerry 10 devices is BlackBerry Balance, a built-in framework to separate work and personal apps. (This has been around for a while, and BlackBerry deserves a lot of credit for it.) But then less than a month later Samsung introduced KNOX, and now you can get platform-enabled dual-persona on Android.
Without a doubt, Samsung is targeting the high-security market that was the last refuge for BlackBerry, and Samsung has the advantage of popular hardware and operating system. This is where KNOX could have the biggest impact, and BlackBerry should be very, very scared.
The bottom line
There are two ways of looking at KNOX: the first is to assume that it will be a niche player, replacing BlackBerrys in high-security and regulated environments. For most environments, especially those that have to support a wide variety of devices (and thanks to BYOD and the consumerization of IT, that’s just about all of them), the EMM industry will have to continue to provide app-level solutions to isolate and secure corporate resources.
On the other hand, considering Samsung's dominance, KNOX devices could become a de facto corporate standard, and then using dual-persona mobile app management for all the other devices would become the niche. The problem here—and this goes for any solution that relies on a single device platform—is that it will take some time for KNOX devices to filter into the enterprise. Until that happens, and even after that happens, IT still has to support all the other platforms and versions of Android out there.
Either way, KNOX is the most interesting enterprise mobility management news so far this year.