Knox and Android Enterprise Unification

Up to now, admins has the choice of two global containers on Samsung devices: KNOX or Android Enterprise (formerly Android for Work). Starting with Android Oreo on Samsung devices, administrators no longer have to make a decision, because both solutions have been combined into one solution.

From Android Oreo onwards, the API sets of Android Enterprise and KNOX can be addressed together in one activation. You can activate Android Enterprise Work Profile and Work Managed Device Modes with a Samsung license. One of the most interesting new features of the merger will be the use of Android Work Profile for Samsung KNOX COPE devices. When the device is set up, KNOX is first activated and the FRP (Factory Reset Protection) is added to the KNOX account via Android Work Profile. Users can then set up a private Google account.

There are APIs that address the same actions/functions from both solutions. Therefore, certain APIs will be removed in the future if the solution is supported by EMM vendors.

Additional information from Samsung:

Impacted Samsung Knox APIs

Unification enables EMM agent to apply both Android and Samsung Knox APIs on one solution. Certain Samsung Knox APIs provide either exact same or similar functionality as Android APIs. As a result, there are Samsung Knox APIs that are impacted due to Unification. These ‘Impacted’ Samsung Knox APIs are marked in the SDK and are candidates for future deprecation once the unified solution is adopted and supported by EMM partners.

Samsung Knox Workspace Modes Prior to Android O

Samsung Knox Workspace provides the following modes prior to Android O:

Corporate Liable (CL)/B2B mode allows IT admins to manage the entire device while also providing a container to separate enterprise data from personal data. An EMM agent becomes the device admin along with the admin of the container thus allowing IT admins to apply polices for both the entire device and container.

Container Only Mode (COM) allows IT admins to lock the user to the container so the user is not allowed to access the rest of the device. This configuration is for organizations with high security requirements that want to protect enterprise data on mobile devices.

BYOD mode is a container that allows IT admins to separate enterprise data from personal data on an end user’s personal device. An EMM agent becomes the container admin and allows IT admins to manage and apply policies for the container only. This configuration is for BYOD scenarios, where the enterprise allows data on an end user’s personal device.

Samsung Knox Workspace modes of CL, COM will continue to be available and supported in Android O. Eventually once unified solution is adopted and supported by EMM partners, Samsung will look into moving away from the existing CL, COM modes.

Discuss in our forum.