App separation

Enterprises that have deployed Android Enterprise (AE) Fully Managed devices need to separate non-work approved apps from work apps. For example, an IT admin is not comfortable allowing Uber and Work email to be installed side by side. They are concerned that sensitive work data may end up on Uber's third-party servers. The IT admin defines non-work approved apps as apps that users need for productivity but that are not fully trusted and vetted by the IT admin.

Examples of such non-work approved apps:

  • Taxi (Uber, Lyft, etc.)
  • Airlines (United, Delta, Southwest, etc.)
  • Hotel (Marriott, Hilton, etc.)
  • Relaxation (Kindle, Calm, etc.)

For customers such as the one described above, leaving the fully managed mode and using other AE modes is not an option, since the enterprise is wholly responsible for its corporate assets and the IT admin therefore strongly needs the device to be fully managed.

To address the above need, Samsung is launching a solution called Knox App separation in Android 11. App separation securely separates and isolates apps on a fully managed device. With App separation, an admin can separate non-work approved apps from work apps. Separated apps cannot access work data. Keep in mind, App separation does not provide privacy guarantees for separated apps. As such, it is not intended for personal apps and data.

Knox App separation is enabled via Knox Service Plugin (KSP) using the following steps:

  1. Log in to your EMM console.
  2. Navigate to KSP.
  3. Within KSP, navigate to App Separation Policies.
  4. Select Enable from the Enable App Separation Policies drop-down menu.

Once enabled, specify the apps to separate. To provide a list of work apps:

  1. Enable App separation as described above.
  2. Provide app package names within the List of Apps to Separate section.
  3. Set the Location for Separate Apps installation to Outside.

The above configuration ensures any apps the user installs that are not part of the provided list are separated in a different user space.

Once the policy is set, it is pushed to end user devices with KSP. When the device user begins installing apps, the Knox framework separates the apps based on the policy set by the IT admin.

The device user can view separated apps in a separate folder.

For information on using KSP to set an App separation policy, go to Advanced policies and navigate to the App separation policies section.






