The complete guide to dual persona work/personal Android devices! (Including Samsung Knox)

You’ve probably heard about Samsung Knox or the VMware Horizon Mobile Virtualization Platform. These are the basis for specialized Android devices that have two user environments—one for all your work apps and data and one for your personal stuff. But it’s more than just Samsung and VMware that are working on this. In fact, there’s a whole handful of vendors talking about these “dual persona” devices.

Today’s article is your guide to why these exist, who the players are, and what the potential market is. To be clear, today we're only talking about the emerging market of highly specialized Android devices that have work/personal features built directly into the operating system, and not other solutions that work at the app level or enterprise mobility management in general.

Why dual persona?

We all know that mobile devices are very good at sharing data between applications. From an enterprise perspective, sharing equals leaking. If you’re tasked with keeping corporate data out of users’ personal apps, there are two choices:

  • You can use specialized apps that give you control over how data is shared. You’ll be limited to just specific apps, but they can run on a wide variety of devices and it doesn’t matter whether or not the device is managed. I call this third-party mobile app management.
  • Or you can use a device that has ways of keeping work and personal apps and data separated built directly into the operating system. In this case you can have control over any app, but you’ll have to use a special device and MDM to get that control. I call this OS-enabled mobile app management.

Also keep in mind that by itself Android has only very basic MDM features, but since Android is very open, mobile device manufacturers can add extra management features, known as OEM MDM APIs. These are very useful, but they’re also a source of fragmentation from the enterprise perspective—you can’t just figure out how to manage “Android,” you have to figure out how to manage Samsung, HTC, LG, Motorola, and so on.

Dual persona devices are simply extending the OEM MDM API concept to a greater degree. Today most dual persona Android devices use the concept of providing two distinct user environments, almost like having two phones on one physical handset. The underlying technology can be a type-1 or type-2 hypervisor, it can leverage Android’s multi-user features, or it can take advantage of various techniques that allow multiple Android user spaces to run on a single shared Linux kernel. (Note that in most cases there’s still just one phone number for both environments.)

The solutions

As I mentioned, there are a lot of different companies interested in providing dual persona devices:

Samsung Knox: First announced in early 2013, Knox has widespread support among EMM vendors. The first version required specially prepared apps, but Knox 2.0 brings a new, much more flexible architecture. Considering the popularity of Samsung devices and their continual efforts to push into government and finance, Knox seems in the best market position today.

VMware Horizon Mobile: After several years in development, VMware Horizon Mobile Virtualization Platform was released last year, and is actually available on several different devices from all the big Android OEMs. One problem is that currently it can only be managed using Horizon Workspace. It would be great if VMware could add that functionality to AirWatch as soon as possible.

Cellrox: Cellrox’s technology actually allows for more than two user environments. They’ve announced an OEM relationship with the makers of the Yota Phone, a phone with two screens. You can read my full review here.

Red Bend True: Red Bend is known for software that helps with over-the-air firmware updates for mobile and embedded devices, which means they already have relationships with OEMs and carriers. This could be an advantage when signing on partners for True, their dual persona product. They announced a beta release in partnership with Samsung, but that was over a year ago.

Intel Device Protection Technology: At Mobile World Congress, Intel showed off their x86-compatible with extra management APIs called Intel Device Protection Technology (DPT), and said that DPT has some dual persona capabilities. AirWatch and Citrix announced support for Intel DPT, and OEM announcements are expected soon.

Graphite Software: A recent entrant to the market, Graphite Software showed off their Secure Spaces dual-persona phones at Mobile World Congress. No OEM announcements have been made.

General Dynamics / Open Kernel Labs: Open Kernel Labs provides mobile virtualization software that’s in widespread use by many manufacturers—it’s just that it’s used at a lower level that’s not exposed to corporate management. They have talked about a virtualized dual persona product as well, but so far nothing is shipping.

The potential market

How much do we need these specialized devices? We definitely need OEM MDM APIs just to get a lot of the management basics done, including things like email client configuration, VPN support, certificate support, and silent enterprise app push and removal.

The next level—providing at least some sort of way to keep corporate deployed apps from sharing data with personal apps—is good to have, too. This is what iOS does with its “open in” restriction option. However, I haven’t heard of many people actually using it yet.

But devices with two complete user environments? These are most likely destined to be a niche product. Having two home screens can be confusing for users, and frankly most companies probably don’t need that level of separation.

The winning solution will be one that presents work and personal apps in a logical, concurrent way. That could be with shortcuts from one environment to the other, or it could be something that makes it so that users never have to see the home screen of the corporate environment (for an analogy, compare this to using seamless windows for remote desktop applications). An ideal solution would also allow the use of contextually aware policies to control different frameworks, like cut and paste, document sharing, screenshots, contacts, photo albums, and the like.

The most important thing to remember is that no matter what dual persona technique is used and how it’s implemented, it is not going to be for all use cases. We’re talking about special devices with special OSes, so unless all your employees think the same and buy the same phone, this is not for BYOD! This is for the times when security and manageability are so important that you’re still in the business of providing mobile devices, but you also want to give users the freedom to bring their own apps and data to the personal side of the phone. If you are supporting BYOD, you could take advantage of these devices when they do happen to arise, but otherwise you’ll have to be prepared to work with the lowest common denominator.

Which vendors will see big success? First off, I think this will be interesting to watch because there’s a real opportunity for vendors to innovate and get creative with how they implement dual persona.

Solutions that come from mobile device OEMs themselves are definitely at an advantage because they have fewer hoops to jump through to get their special features on devices—it’s just walking down the hall. Also, most of them have already taken the position of opening up their custom management APIs to multiple EMM vendors, so in most cases there’s already wide support there. Samsung is the top example of this.

On the other hand, third-party dual-persona OS makers have to do all the legwork of convincing OEMs to get on board, and that’s no easy task! Now in theory MDM fragmentation woes could be mitigated if one dual-persona framework were adopted by multiple OEMs, but even I’m not optimistic that could ever happen. A consortium called 3LM tried that with Android MDM APIs a few years ago, but it never came to pass.

Finally, Google could render this conversation moot by building a bunch of new management features into Android, but that’s not likely to happen. (Update, June 30, 2014: With the announcement of Android "L" I stand corrected.) For now we can just watch as the solutions evolve and the market sorts out winners and losers.

4 comments

Knock knock, did you forget Citrix XenMobile? What about BES 10? They already have everything that you are referring to here.


Use any OS, be it Android or iOS, but let the MDM be taken care of by XenMobile.


About data sharing between personal apps and work apps, XenMobile has WorxMail, which doesn't let you upload any personal file to any email, and similarly you can't save an attached document on your phone; it has got to be saved on FileShare, which is another utility of XenMobile.


Using the XenMobile SDK you can wrap your app as a third-party vendor and upload it to the Citrix Ready Worx App Gallery.


No, I didn't forget XenMobile. Today I'm just talking about Android devices that have dual persona features built in at the OS level.


A few other people mentioned similar comments, so I did a slight update to make sure this is clear in the article.


Hi!


And why did you forget about BlackBerry Enterprise Service 10 (BES10)?


bizblog.blackberry.com/.../secure-work-space-apps-for-ios-and-android


Security Space for both - Android & iOS.


@Sergey,


BES 10's secure apps operate at the app level for Android. This article is about OS-level dual persona.


So BES 10 is not applicable here.

