Between Samsung Knox and the upcoming Android for Work advancements, phones with built-in separation for work and personal apps are getting a lot of attention right now. Graphite Software is one of several other companies that are also working on multi-persona phones, and recently I spent a few weeks testing their solution, called Secure Spaces.
Graphite Secure Spaces has some unique features, but before we get to the actual review, we have to take a step back and look at the whole Android enterprise phone market in general. Let’s go!
If you want to manage corporate apps and data separately from personal apps and data, essentially there are two ways to go about it: You can build management hooks into special apps, or you can use a device that has features to separate work and personal apps built into the operating system. For an in-depth look at these concepts, read Win any argument about enterprise mobility management with these two points.
Since Android can be freely modified, many different parties have been working on special versions that include these types of work and personal management features. Sometimes it’s the phone makers themselves, like with Samsung Knox, and sometimes it’s third-party software vendors like Graphite, VMware, Cellrox, and others. This can all get pretty complicated—the third-party vendors have to figure out how to partner with manufacturers and carriers in order to get their products to market, and in general the enterprise Android space ends up being fragmented. For more on all this, read The complete guide to dual persona work/personal Android devices.
This mess has been the status quo for years, but all that will change with the next version of Android, which includes vastly-improved management and work/personal separation capabilities. As a result, the role of third-party modifications to Android will change significantly. For a deeper look at this, check out How will Android’s new “Work” features affect enterprise mobility management?
Even though Android will have work and personal features built in, there will still be space for third-party vendors to differentiate by building even more functionality on top. And with that, we’re finally back to talking about Graphite.
Graphite takes the work and personal separation concept and runs with it. Besides having a user environment for work and a user environment for all your personal stuff, you can add more environments for guests, to isolate apps, or for marketing purposes. The easiest way to explain this is to just take you on a tour.
(By the way, you might be aware that Android has actually had multi-user capabilities since version 4.2. Currently Google will only certify it for usage on tablets, since tablets are more likely to be multi-user anyway. There’s also a lot that has to be done to make it work smoothly on phones, and that’s where companies like Graphite come in—Secure Spaces is actually based on Android’s multi-user framework. Other companies working on multi-persona Android have used different technologies like hypervisors or other Linux-based techniques.)
The hardware for this trial was a Google Nexus 5, since you need a Developer Edition phone to install different versions of Android.
This is a screenshot of the owner space, which you can set up just like any other phone and use to administer the other spaces. For my trial I installed a few apps, changed the wallpaper, synced the space to my Gmail account, set a passcode, and was ready to go.
Next is the work space. For my trial it was set up and managed by the folks at Graphite, but ordinarily this would be done by your corporate IT. They installed some apps, set a passcode, and set the wallpaper. (Don't worry, I don’t usually have pictures of myself for my wallpaper :) They also configured some management policies for the environment, too: Google Play was disabled, I couldn’t sideload apps, and I couldn’t disable their agent. This space was synced to my work Exchange account.
From the owner space I created and managed a separate, open space. The idea is that you can use this for guests, for your kids, or as a way to quarantine questionable apps or keep apps away from accessing personal data in the owner space.
This screenshot is an example: even though I had been browsing in Chrome in the owner space, my history doesn’t show up in the open space, since I wasn't signed in in that space, and the device doesn’t sync the history over, either. This is a good thing when you’re concerned about privacy.
Another option is have workspaces that are managed by third-party organizations, with the intent that they can be used for marketing purposes. For my trial Graphite pre-loaded a BriForum-themed mockup. It had all sorts of social media widgets following BriForum content, the conference schedule, and some other BriForum-related apps. I actually think it was pretty fun—it was like instead of just downloading an app (which incidentally BriForum didn’t have a conference app this year), you get a full immersive experience.
Switching between spaces
There are a few ways to get around between the spaces. First, you can just tap the appropriate icon on the lockscreen (shown in this screenshot). You can also use the Spaces Navigator app or the notification menu (next screenshot below), which both have the set of navigation icons.
If you’re switching to a space that required password, you’ll be taken to the lockscreen of that space first. (Your password timeout policy could affect this, too.)
You’ll notice that all the icons for the spaces have number badges on them—those represent the number of notifications in that space. Unfortunately, to actually read the content of the notifications, you have to go to the space. You also only get sound notifications for the space that you were in most recently. Fortunately, Graphite has more notification options on their product road map.
As the device owner, you have the ability to remove any space from the device at any time. IT can only inventory or remote wipe the workspace—not the whole device. For the spaces that you personally provision and manage, you can control which apps are available in which spaces. For example, I installed Facebook in the owner space, but I could chose to not make it available in the open space.
The value of devices with built-in work and personal separation is widely recognized, but the trend seems to be that people want a more converged, simpler experience. Even after writing about these devices for years, I found that I still wasn’t completely smooth in navigating around the spaces. I think it would help to at least have the spaces arranged in a more hierarchical way, rather than a mostly flat navigation experience like on this device. Another major problem for me was the lack of real cross-space notifications.
But remember, all of this is getting taken care of in the next version of Android—it'll have the work and personal separation capabilities, but with just one home screen and a much more converged experience. (Also note that iOS’s built-in work/personal features are completely converged, too.) So this means that we can really just consider Graphite in terms of what else it adds on top of Android.
Having a separate workspace for privacy, to quarantine apps, or to keep sketchy apps out of personal data may seem extreme to some, but really that this exists is a sign that privacy controls in Android are still defective (especially compared to the fine-grained, per-app privacy settings in iOS). In other words, it’s too bad that it’s come to this, but it’s good to have Graphite to solve the problem. On the lighter side, having a dedicated space for your kids makes a lot of sense.
Then there’s the marketing space feature. Like I said, I think this could be pretty useful and fun. Think about other efforts to take over the whole phone and home screen experience, like Facebook Home. It flopped, but if you could do things like that just part of the time (in their own space, provided by Graphite), and not have then take over all of the phone, that could be a winning combination. (For this part remember I’m just talking as a consumer, responding to consumer-oriented features.)
The caveat is that these features will most likely rely on manufacturer and carrier partnerships. That’s always a big hurdle, but Graphite hinted that they have announcements about that coming in the next couple of months.
Ultimately, it turns out that once the dust settles around the next version of Android, most of what Graphite does will be more consumer-oriented—we’ll be getting the enterprise Android management features no matter what.