Knox White Paper
App Security
Device users typically want their personal and work apps on the same device. This requirement presents a challenge for enterprises, which need to ensure that they fully protect their confidential corporate assets and don't run into any liability issues by accidentally interfering with a user’s personal privacy.
With Android 11, Google continues to protect user privacy, extending these protections to company-owned devices. Specifically, Google has replaced the device management mode called "fully managed device with a work profile" with a new mode called "work profile on company-owned device".
Here is a summary of different device management modes and their use cases:
Corporate Owned Business Only (COBO)
- Summary: An enterprise owns the device, and doesn't allow personal apps on the device.
- Control scope: Through a UEM app, the enterprise serves as the device owner, which has full control over the entire device.
- Use case: Enterprises use this model if they need strict control over the entire device and can't compromise corporate assets by allowing users to install their own apps.
Fully managed device with a work profile (FMDWP)
Deprecated in Android 11.
- Summary: An enterprise owns the device, allows users to install personal apps, and secures work apps in a work profile.
- Control scope: The enterprise uses one UEM app to serve as device owner, which has control over the entire device, and a second UEM app to serve as profile owner, which has control over the work profile.
- Use case: Enterprises used this model to give users freedom over the apps they installed, while still being able to fully view and manage personal as well as work apps.
Separated Apps
Exclusive to Samsung Knox devices, and set up only through the Knox Service Plugin (KSP).
- Summary: An enterprise owns the device, and allows users to install authorized third-party business apps (for example, airline, hotel, or ride-sharing apps) in a securely separated folder.
- Control scope: Through a UEM app, the enterprise serves as the device owner, which has full control over the entire device. Through KSP, the enterprise can set up a Separated Apps folder and identify the apps allowed to be installed inside the folder.
- Use case: Enterprises use this model if they need strict control over the entire device, but want to enable staff productivity using a separate, lightly managed app folder.
For more detail about using this mode, see Separated Apps.
Work profile on company-owned device (WP-C)
New in Android 11.
- Summary: An enterprise owns the device, secures work apps in a work profile, and allows users to install personal apps.
- Control scope: The enterprise uses one UEM app to serve as profile owner with control over the work profile. If the enterprise deploys the work profile from the setup wizard using the provisioning tools added in Android 10, the device is recognized as company-owned and a wider range of asset management and device security policies is made available than that granted to personally-owned devices. Enterprises can still apply policies at the device level as long as they don't infringe on personal privacy; for details, see Android policies in the personal side and Knox policies in the personal side.
- Use case: Enterprises use this model if they want to give users freedom over the apps they use on company devices without infringing on their user privacy.
For more detail about using this mode, see Google's EMM migration guidelines (which require a partner login) or Work profile on company owned devices.
Bring Your Own Device (BYOD)
- Summary: An employee owns the device, and installs work apps on their device to enable productivity.
- Control scope: The enterprise uses one UEM app to serve as profile owner with control over work apps in the work profile.
- Use case: Smaller enterprises might use this model to save on the capital costs associated with buying devices.
Knox-enhanced work profiles
The Android Enterprise work profile provides enterprises with a solution to securely isolate work apps and data on one device. The Knox Platform for Enterprise provides more granular management policies for work profiles on Samsung devices.
Data transfer
With the isolation of work and personal data, a device user has access to two separate spaces. To increase productivity in certain situations, it is often necessary to share data between spaces. For example, while using a phone app in the personal space, it may be necessary to call a work contact saved in the secure work space. With the Work profile, IT admins have granular management policies to manage the import and export of data to and from the Work profile. This data can include apps, files, clipboard data, call logs, contacts, calendar events, bookmarks, notifications, shortcuts, and SMS.
Container-only control
For liability and productivity purposes, IT admins can't apply effective policies on a device with both personal and work data. The Work profile provides IT admins the ability to configure and control critical functionality for the container only. An IT admin can enable or disable the following exclusively for the container:
- Bluetooth
- NFC
- USB access
- External storage
Container configuration
With the isolation of work and personal data, the device user has access to two separate spaces. This dual access presents some challenges to quickly identifying and accessing work data.
To enhance usability, the Work profile provides an IT admin the ability to add work shortcuts to personal spaces so device users can quickly access work data. The Work profile also provides an IT admin with the ability to set custom resources like work badges on app icons, helping users quickly identify company work apps.
Password policy
An IT admin must ensure only authorized people have access to work data inside a container. The Work profile supports advanced authentication mechanisms to meet all enterprise needs.
An IT admin can enforce and configure:
- Complex passwords or code schemes
- Two-factor authentication
- Active Directory authentication
Additionally, an IT admin can lock the container to restrict access. This restriction is necessary when a device is out of compliance, lost, or stolen.