DualDAR with work profile on company-owned devices

Knox DualDAR today secures enterprise data with two independent layers of encryption. All data placed inside an Android Enterprise work profile is dually encrypted. As such, Knox DualDAR is supported on both work profile only and fully managed devices with work profile configurations.

In Android 11, the work profile is enhanced for company-owned devices. Existing deployments of fully managed devices with work profile are upgraded to the new work profile on company-owned devices. For more info, see Device management modes.

This impacts existing customers who have deployed DualDAR on fully managed devices with work profiles and new customers who are looking to deploy DualDAR on company-owned devices.

Here, we provide an overview of Android 11 migration for existing customers and new enrollments of DualDAR for new customers.

Existing deployments

During Android 11 FOTA deployments, a fully managed device with a work profile is migrated to the new Work profile on company-owned devices.

The DualDAR work profile will remain after the Android 11 FOTA. However, as the device is no longer fully managed, the IT admin will lose some controls at the device level (or user0 side).

New deployments

UEM providers today have two options to support DualDAR:

• Deep API integration using the Knox SDK
• Knox Mobile Enrollment (KME) and Knox Service Plugin (KSP)

Details are provided in DualDAR UEM integration.

Special consideration for third-party crypto library

The DualDAR architecture enables a plugin interface where a third-party ISV can provide their own second-layer encryption app. This app must be installed in user0 outside of the work profile.

However, in the new work profile on company-owned device, an IT admin can no longer install an app in user0. Starting with Android 11, Samsung will install the second-layer encryption app as part of enabling DualDAR. The precise steps depends on how a UEM provider supports DualDAR.

Option 1: Deep API integration

In this option, the UEM provider has integrated DualDAR APIs natively.

1. The customer provides their second-layer encryption app (apk) to the UEM provider.

2. The UEM provider stores the app on the device (external storage SD card area) during provisioning.

3. Samsung then installs the app in user0.

Here is how UEM providers use the DualDAR APIs to set the file path to the encryption app:

// Create Dual DAR with configuration bundle
PersistableBundle adminExtras =  new PersistableBundle();
adminExtras.putBoolean(DualDARPolicy.KEY_DUAL_DAR_CONFIG, true);
adminExtras.putString(DualDARPolicy.KEY_CONFIG_CLIENT_PACKAGE, DUALDAR_CLIENT_EXAMPLE_PACKAGE_NAME);
adminExtras.putString(DualDARPolicy.KEY_CONFIG_CLIENT_SIGNATURE, DUALDAR_CLIENT_EXAMPLE_PACKAGE_SHA256_SIGNATURE);

// Set the file path of the app location adding "file://" prefix.
String DUALDAR_CLIENT_PACKAGE_DOWNLOAD_LOCATION = getExternalFilesDir(null) + "/client_example_app.apk";
adminExtras.putString(DualDARPolicy.KEY_CONFIG_CLIENT_LOCATION, "file://" + DUALDAR_CLIENT_PACKAGE_DOWNLOAD_LOCATION);

// Param field in admin extras bundle passed as DevicePolicyManager.EXTRA_PROVISIONING_ADMIN_EXTRAS_BUNDLE
Intent intent = new Intent();
if (adminExtras !=null && adminExtras.size() > 0) {
  intent.putExtra(DevicePolicyManager.EXTRA_PROVISIONING_ADMIN_EXTRAS_BUNDLE, adminExtras);
}

// Return DevicePolicyManager.PROVISIONING_MODE_MANAGED_PROFILE in DevicePolicyManager.EXTRA_PROVISIONING_MODE as result.
intent.putExtra(DevicePolicyManager.EXTRA_PROVISIONING_MODE, DevicePolicyManager.PROVISIONING_MODE_MANAGED_PROFILE);

Option 2: KME and KSP

In this scenario, the UEM provider has not integrated DualDAR APIs.

1. The customer enables DualDAR in their KME profile, providing the URL where the third-party app is hosted.

2. During device provisioning, Samsung pulls the third-party app from the provided location and installs it in user0.