Last week at Mobile World Congress in Barcelona, Samsung made news in the enterprise mobility management space by announcing KNOX, a dual-persona framework for Android devices. And by now you’ve probably noticed all of the ads for Samsung SAFE (Samsung Approved for Enterprise), Samsung’s custom Android mobile device management APIs. Today we’re going to take a look at SAFE and KNOX and see how they fit in the mobile device management landscape. First, we need to step back and look at Android MDM in general.
Understanding Android MDM
Mobile device management for Android is not as simple as it is for iOS. While iOS provides configuration profiles as a fixed and well-defined method for interacting with management APIs, there are no MDM profiles in Android. Instead, vendors have to build their own apps to interact with the device.
The problem is that management APIs in Android vary widely from one device to another. When Android was created, it was intended to be just a basic starting point that mobile device OEMs could easily customise. At first, the core version of Android didn’t have any management APIs—it was assumed that OEMs would add them. Version 2.2 brought basic management features to the core version of Android, including password policy, remote lock, and remote wiping; version 3.0 added encryption, and 4.0 included the ability to turn off the camera. These are known as the Device Administration APIs.
But the Device Administration APIs only cover the basics. If you build an Android MDM app that only interacts with the core version of Android, it will actually be fairly limited in what it can do. To get more advanced management features, you have to interact with APIs that are added by the device OEM.
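To make the version-by-version limits concrete, here is a sketch of how an MDM agent restricted to the core Device Administration APIs might apply a baseline and report what the OS version cannot enforce. It is an added example, not code from any vendor mentioned here; the class name `BaselinePolicy`, its `apply` method, and the sample password length are hypothetical, and it assumes the agent's `DeviceAdminReceiver` is already declared in the manifest and the app targets Android 2.2 (API 8) or later.

```java
import android.app.admin.DevicePolicyManager;
import android.content.ComponentName;
import android.content.Context;
import android.os.Build;

import java.util.ArrayList;
import java.util.List;

/** Hypothetical MDM-agent helper; class and method names are illustrative. */
public final class BaselinePolicy {

    /**
     * Applies the core policies and returns the names of those this device
     * cannot enforce, so the management server can flag it as non-compliant.
     */
    public static List<String> apply(Context context, ComponentName admin) {
        DevicePolicyManager dpm = (DevicePolicyManager)
                context.getSystemService(Context.DEVICE_POLICY_SERVICE);
        // Nothing can be enforced until the user has activated the admin app.
        if (dpm == null || !dpm.isAdminActive(admin)) {
            throw new IllegalStateException("device admin is not active");
        }
        List<String> unsupported = new ArrayList<String>();

        // Android 2.2 (API 8): password policy. Remote lock and remote wipe
        // (dpm.lockNow(), dpm.wipeData(0)) are available from this level too.
        dpm.setPasswordQuality(admin,
                DevicePolicyManager.PASSWORD_QUALITY_ALPHANUMERIC);
        dpm.setPasswordMinimumLength(admin, 8); // constructed sample value

        // Android 3.0 (API 11): storage encryption. Hardware may still
        // refuse, so check the returned status as well as the OS version.
        if (Build.VERSION.SDK_INT >= Build.VERSION_CODES.HONEYCOMB) {
            int status = dpm.setStorageEncryption(admin, true);
            if (status == DevicePolicyManager.ENCRYPTION_STATUS_UNSUPPORTED) {
                unsupported.add("encryption");
            }
        } else {
            unsupported.add("encryption");
        }

        // Android 4.0 (API 14): camera restriction.
        if (Build.VERSION.SDK_INT >= Build.VERSION_CODES.ICE_CREAM_SANDWICH) {
            dpm.setCameraDisabled(admin, true);
        } else {
            unsupported.add("camera");
        }
        return unsupported;
    }
}
```

Anything beyond these calls, such as the SAFE features listed further down, has to go through OEM-specific APIs rather than `DevicePolicyManager`.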
So of course Samsung, Motorola, HTC, and others all have slightly different MDM capabilities despite the fact that they all run the same OS—and here you can see why Android fragmentation exists, and why it’s unlikely to ever go away. It’s the challenge of MDM vendors to be able to make their apps work as consistently as possible across all these different devices. That’s a tall order, and it also goes to show why Android MDM is much more difficult than iOS MDM.
Where does Samsung SAFE fit in? Among the various sets of OEM MDM APIs (sorry about the alphabet soup) Samsung is special for a few reasons: they’re the world’s largest mobile phone maker with the most popular phones, they have been doing a ton of advertising for SAFE recently, and SAFE has more MDM features than any manufacturer’s version of Android.
Samsung doesn’t publicly disclose everything that’s in SAFE, but remember that to use any of the features, you need an MDM app and service that’s written to the APIs. So it really doesn’t matter what all is in there; what matters is the features supported by MDM vendors. I took a quick look at the websites of Zenprise, AirWatch, MobileIron, SOTI, and MaaS360 to get an overview of the top features supported. This list is just the most common ones:
- Restrict roaming, data usage
- Silent app removal and installation
- AES 256 encryption on device and external storage
- Certificates for wifi, VPN, and email
- Configure Exchange credentials
- Restrict calls, SMS, MMS
- Restrict use of built-in apps like Google Play, YouTube, browser
- Restrict camera, NFC, wifi, microphone, clipboard, screenshot, tethering
- Kiosk mode
- Remote control screen sharing
Some of these controls are pretty interesting, and they definitely match and surpass the amount of control you get on iOS. However, there’s not really anything in there around separating corporate and personal apps and data the way that mobile app management vendors have been talking about—but all that changed last week with the KNOX announcement.
Last Monday at Mobile World Congress in Barcelona, Samsung announced KNOX, which includes app-level controls built into the operating system, creating separate environments for work and personal applications. Samsung also said “KNOX enables existing Android eco-system applications to automatically gain enterprise integration and validated, robust security with zero change to the application source code.”
This also sounds pretty exciting, but when I reached out to Samsung for confirmation they told me that apps have to be specially modified to be installed in the KNOX environment, and public apps from Google Play can’t be installed. I’m still waiting for additional information about how this all works, but so what if it requires specially modified apps? I’m okay with that—it’s the same as any other MAM product.
In that case, what we have here is something like any other dual-persona mobile app management solution, except that it’s implemented in the operating system, instead of by a third-party vendor. But KNOX is still special for two reasons: first, there’s potential for tighter integration between the OS and applications, and second, instead of a third-party EMM vendor pushing a dual-persona solution, we have Samsung pushing it. KNOX and the idea of dual-persona devices in general got a lot of coverage in more mainstream press.
So what’s the potential here? If KNOX were to become widely popular, there’s a chance that it could turn into a de-facto standard for Android mobile app management. Or it could remain in a smaller niche as a high-security product as a replacement for BlackBerrys. That would be a huge win for Samsung and users that want to use Android.
There are still a lot of details to be uncovered on how KNOX works and will be implemented. I’m still waiting to hear back on some more questions from Samsung, and AirWatch announced that they’ll be supporting KNOX, so I’ll be getting more information from them soon, too. Stay tuned!