Back to top
Home / Samsung Knox / Samsung Knox white paper / Samsung Knox for Android / Core Platform Security /

App Security

Last updated February 20th, 2024

Device users typically want their personal and work apps on the same device. This requirement presents a challenge for enterprises, which need to ensure that they fully protect their confidential corporate assets and don’t run into any liability issues by accidentally interfering with a user’s personal privacy.

With Android 11, Google continues to protect user privacy, extending these protections to company-owned devices. Specifically, Google has replaced the device management mode called fully managed device with a work profile work profile on company-owned device.

Battery data screen

Here is a summary of different device management modes and their use cases:

Corporate Owned Business Only (COBO)

Summary: An enterprise owns the device, and doesn’t allow personal apps on the device.

Control scope: Through a UEM app, the enterprise serves as the device owner which has full control over the entire device.

Use case: Enterprises use this model if they need strict control over the entire device and can’t compromise corporate assets by allowing users to install their own apps.

Fully managed device with a work profile (FMDWP)

Deprecated in Android 11.

Summary: An enterprise owns the device, allows users to install personal apps, and secures work apps in a work profile.

Control scope: The enterprise uses one UEM app to serve as device owner which has control over the entire device, and a second UEM app to serve as profile owner which has control over the work profile.

Use case: Enterprises used this model to give users freedom over the apps they installed, were able to fully view and manage personal as well as work apps.

Separated Apps

Exclusive to Samsung Knox devices, and set up only through the Knox Service Plugin (KSP).

Summary: An enterprise owns the device, and allows users to install authorized third-party business apps (for example, airline, hotel, or ride-sharing apps) in a securely separated folder.

Control scope: Through a UEM app, the enterprise serves as the device owner which has full control over the entire device. Through KSP, the enterprise can set up a Separated Apps folder and identify the apps allowed to be installed inside the folder.

Use case: Enterprises use this model if they need strict control over the entire device, but want to enable staff productivity using a separate, lightly managed app folder.

For more detail about using this mode, see Separated Apps.

Work profile on company-owned device (WP-C)

New in Android 11.

Summary: An enterprise owns the device, secures work apps in a work profile, and allows users to install personal apps.

Control scope: The enterprise uses one UEM app to serve as profile owner with control over the work profile. If the enterprise deploys the work profile from the setup wizard using the provisioning tools added in Android 10<, the device is recognized as company-owned and a wider range of asset management and device security policies is made available than that granted to personally-owned devices. Enterprises can still apply policies at the device level as long as they don’t infringe on personal privacy; for details, see Android policies in the personal side and Knox policies in the personal side

Use case: Enterprises use this model if they want to give users freedom over the apps they use on company devices without infringing on their user privacy.

For more detail about using this mode, see Google’s EMM migration guidelines" target="_blank (which requires a partner login) or Work profile on company owned devices.

Bring Your Own Device (BYOD)

  • Summary: An employee owns the device, and installs work apps on their device to enable productivity.
  • Control scope: The enterprise uses one UEM app to serve as profile owner with control over work apps in the work profile.
  • Use case: Smaller enterprises might use this model to save on the capital costs associated with buying devices.

Google deprecated the legacy device admin (DA) management mode in Android 10. By November 2, 2020, Google requires app updates to target API level 29 or Android 10. From this date onwards, app updates start throwing exceptions if they call the four deprecated DA policies. For more info, see Device admin deprecation.

Knox Workspace containers were deprecated with Knox 3.4.1 on Android 10, which debuted with the Note 10. However, older devices like the S10 that are upgraded to Knox 3.4.1 or higher still support the Knox Workspace containers until EOL. To take advantage of all the latest Android Enterprise and Knox features, we strongly recommend that you use work profiles instead of Knox Workspace containers.

Knox-enhanced work profiles

The Android Enterprise work profile provides enterprises with a solution to securely isolate work apps and data on one device. The Knox Platform for Enterprise provides more granular management policies for work profiles on Samsung devices.

Data transfer

With the isolation of work and personal data, a device user has access to two separate spaces. To increase productivity in certain situations, it is often necessary to share data between spaces. For example, while using a phone app in the personal space, it may be necessary to call a work contact saved in the secure work space. With the Work profile, IT admins have granular management policies to manage the import and export of data to and from the Work profile. This data can include apps, files, clipboard data, call logs, contacts, calendar events, bookmarks, notifications, shortcuts, and SMS.

Container-only control

For liability and productivity purposes, IT admins can’t apply effective policies on a device with both personal and work data. The provides IT admins the ability to configure and control critical functionality for the container only. An IT admin can enable or disable the following exclusively for the container:

  • Bluetooth
  • NFC
  • USB access
  • External storage

Container configuration

With the isolation of work and personal data, the device user has access to two separate spaces. This dual access presents some challenges to quickly identifying and accessing work data.

To enhance usability, the Work profile provides an IT admin the ability to add work shortcuts to personal spaces so device users can quickly access work data. The Work profile also provides an IT admin with the ability to set custom resources like work badges on app icons, helping users quickly identify company work apps.

Password policy

An IT admin must ensure only authorized people have access to work data inside a container. The Work profile supports advanced authentication mechanisms to meet all enterprise needs.

An IT admin can enforce and configure:

  • Complex passwords or code schemes
  • Two-factor authentication
  • Active Directory authentication

Additionally, an IT admin can lock the container to restrict access. This restriction is necessary when a device is out of compliance, lost, or stolen.

On this page

Is this page helpful?