It’s been a while since I’ve delved specifically into Samsung Knox MDM, but these days it covers a wide variety of features, and Knox-enabled devices are popping up everywhere. Samsung is hosting a developer conference here in San Francisco next week, so now is a good time to catch up on Knox and see how its position in the EMM space has evolved.
We know how the buildup to Knox went: For the first several years, Android didn’t have the best management APIs, so it was up to individual OEMs to add in their own. Samsung took an early lead with their SAFE program, and then in 2013 introduced Knox, with work and personal data separation features. Knox 1.0 required apps to be wrapped, but this changed in 2014 when Knox 2.0 made the platform more flexible.
Recently, the baseline of Android has been catching up, with much more extensive MDM APIs, managed Google Play, and just last month, zero-touch provisioning. However, devices are still differentiated by their specifications, hardware-based security, certifications, and additional EMM capabilities. For many use cases (which I’ll get to later), companies are still thinking about devices on an OEM basis, and Samsung clearly has a strong position.
What’s in Samsung Knox MDM today?
It’s common knowledge that there are a lot of Samsung Knox MDM controls, and that they ride on top of the hardware-based security that Samsung builds into Galaxy phones and tablets. These devices can make sure that only trusted, unmodified firmware is used; use ARM TrustZone; make sure apps and processes don’t access things they shouldn’t; enable MDM to do remote attestation; have a fuse-like mechanism to make sure rooted devices aren’t used; and so on. They also have certifications, including Common Criteria, FIPS 140-2, and U.S. Department of Defense approval; plus they support smart cards.
But on top of all this, there are some other Knox programs and features to know about. (You can see their full list, as well as developer documentation.) Samsung offers a lot of ways to customize devices, for example by removing bloatware; remapping keys; setting up a single app, kiosk, or shared device mode; pushing apps and wallpaper; and more. They also offer custom binaries.
The out-of-box-experience concept has been getting a lot of attention recently (think Apple Device Enrollment Program, Windows AutoPilot, and Android zero-touch); this is the idea that when a corporate-owned device is powered on for the very first time, it gets enrolled in MDM and configured automatically as part of the setup process, ensuring that it can’t be used in an unmanaged state. This requires connections between the manufacturer, an EMM provider, and the reseller/carrier; Samsung offers Knox Mobile Enrollment and Knox Configure services to do this.
We’re not done yet—Knox has their own MDM offering (though they’re not competing with EMM partners); ISVs can use Knox to essentially create a container for their individual apps, even without MDM in place; and then of course there's DeX, the phone/desktop hybrid mode, which I wrote about earlier this year.
Another notable thing that Samsung is rolling out right now is called enterprise firmware over-the-air (E-FOTA). E-FOTA will let administrators have complete control, via EMM, of device operating system updates. Most EMM vendors will be rolling out their support soon. Remember, most flagship Android devices are pretty good about getting Android security updates these days, too.
This is starting to sound like a commercial for Samsung Knox MDM features. I’m impressed with the work they’ve done, but of course that’s not my point. On one level, I think everybody will agree that Samsung has gone after the enterprise aggressively, and the effort is paying off. And since Samsung works with all the top EMM vendors, we have to keep up with what they’re doing, just like with Google, Apple, and Microsoft. On a higher level, it shows the overall maturity and reach of the entire enterprise mobility space.
What’s interesting is that back when Knox first came out, a lot of us—myself included—were focused on the BYOD-centric, support-anything-that-walks-in-the-door mindset. What one hardware maker was doing was less interesting than operating system and EMM advances that could address the whole industry. But corporate-issued devices haven’t gone away, and while I don’t have any numbers on hand, it’s safe to say that they’re likely growing.
There’s been a huge increase in mobile devices being used as embedded and single-purpose devices—just think of all the tablet point of sale terminals you see, tablets in the back of taxis and in airports, and frontline employees in all industries carrying around mobile devices of all shapes and sizes.
There’s been a lot of work to address federal and regulated organizations, too. To address these, Samsung had to go in with EMM partnerships so they could offer a packaged stack, and figure out things like call and SMS recording.
Again, my point here is to note how far enterprise mobility has come in the last five years, and catch up on some of the details that Samsung has been working on. I’ll be at their developer conference next week, so if there are any interesting details, plans, or case studies, I’ll write them up.