About containers

This topic describes different Knox Workspace container types and shows different ways to create a container on a device.

About Knox container types

There are several types of Knox containers:

  • knox-b2b: Choose this container type to create a Knox Workspace container that you experience as a completely separate launcher, home screen, and apps folder. This is known as a Launcher layout, which you can view inside the Knox container under Knox settings > Knox Layout. Pressing the home button returns you to the Knox Workspace home screen, not the device (personal) home screen. To return to personal mode, you must either tap the Personal home icon, or swipe down on the status bar and tap the Knox card in the notification area. This container type can also be presented as a Folder layout using Knox settings > Knox Layout > Folder, which gives a layout similar to knox-b2b-lwc.
  • knox-b2b-com: Choose this container type to create a Knox Workspace container-only mode (COM) container. COM is a special use case for enterprise-owned devices, where you want to restrict access to the personal mode of the device. For example, a company purchases a Samsung Knox device specifically for business use and does not want users to have access to the personal side. Normally, when you install a Knox container on a device, you get two spaces: a secure Knox container space with enterprise apps, and a personal mode, which is the original device launcher where your personal apps and data reside. When you install a COM container on a device, the knox-b2b-com container is the only launcher, home screen, and apps folder that the user can access. The COM container looks the same as the knox-b2b container, but the user cannot switch to a personal mode: access to the personal mode home screen, launcher, and apps is completely disabled, although the user does have access to the Phone and Messages apps.
  • knox-b2b-lwc: The original Knox container was designed for flagship devices with significant processing power and memory. That container provides a separate and secure environment on the device, complete with its own home screen, launcher, apps, and widgets. The launcher consumes resources that may be scarce on lower spec devices, so the lightweight container was created to give enterprises a secure Knox container on those resource-constrained devices. Choose the knox-b2b-lwc container type to create a Knox lightweight container (LWC). This container presents itself as a folder on your personal home screen. There is no separate launcher or home screen, and apps inside the container appear as part of your personal home screen. This configuration is similar to the Folder layout of knox-b2b, but without the option to switch to a launcher layout. Apps in the container are presented as shortcut icons in the Knox folder in the personal mode, denoted by the yellow and black lock badge in the bottom-right of the app icon. You don’t need to enter a separate Knox Workspace to access apps. The lightweight container is a great choice when you want to provide users with a unified experience, or for devices that have limited resources.

How containers work

Containers use intents that are filtered within Knox, which helps prevent communication between apps inside the Workspace and apps outside it, in either direction. Intents to certain trusted components, however, are allowed to pass outside of a Knox Workspace. System components such as Location and Bluetooth are examples of trusted components. These components are not containerized; however, the apps within a Workspace have permission to use them. In all other cases, if a particular intent is not handled inside the Workspace, it is ignored, and no component in the Android framework outside the Workspace takes any action.

Container data encryption

All data from the apps in the Knox Workspace is protected at rest by encrypting both the internal and external data paths of the container apps.

Creating a container

  1. Create a container type knox-b2b:
try {
    mRequestid = KnoxContainerManager.createContainer("knox-b2b");
    if (mRequestid < 0) {
        // A negative return value is an error code, not a request ID.
        switch (mRequestid) {
            case KnoxContainerManager.ERROR_INTERNAL_ERROR:
                // Handle the internal error.
                break;
            // ... (More cases)
        }
    } else {
        Log.d(TAG, "Container creation in progress with id:" + mRequestid);
    }
} catch (SecurityException e) {
    // ...
}
  2. This initiates a UI flow, which the user has to complete before the actual Workspace container is created. The status of container creation is then reported through the intent INTENT_CONTAINER_CREATION_STATUS. The intent can be trusted only if the ID returned by createContainer matches the CONTAINER_CREATION_STATUS_CODE of the intent INTENT_CONTAINER_CREATION_STATUS. To listen to the Workspace container creation intent:
IntentFilter filter = new IntentFilter();
filter.addAction(KnoxContainerManager.INTENT_CONTAINER_CREATION_STATUS);
registerReceiver(mCreationStatusReceiver, filter);
  3. Always check that the intent received is the one you are interested in by comparing its request ID with the one you received from the createContainer() API call.
private BroadcastReceiver mCreationStatusReceiver = new BroadcastReceiver() {
    @Override
    public void onReceive(Context context, Intent intent) {
        int requestid = -1;
        int statusCode = KnoxContainerManager.ERROR_INTERNAL_ERROR;
        Bundle extras = intent.getExtras();
        if (extras != null) {
            requestid = extras.getInt(KnoxContainerManager.CONTAINER_CREATION_REQUEST_ID);
            statusCode = extras.getInt(KnoxContainerManager.CONTAINER_CREATION_STATUS_CODE);
        }
        // Compare against the ID returned by createContainer().
        if (mRequestid != requestid) {
            return; // Intent belongs to another MDM or is a fake intent.
        }
        if (statusCode >= 0) {
            showNoteWithToast("container created successfully.");
        } else {
            displayCreationErrorString(statusCode);
        }
        // The matching status has arrived, so stop listening.
        try {
            unregisterReceiver(mCreationStatusReceiver);
        } catch (IllegalArgumentException e) {
            e.printStackTrace();
        }
    }
};
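
The request-ID check from the steps above, as an added example in plain Java (not Samsung's code, and it does not use the Knox SDK). It goes slightly beyond the page's receiver by also rejecting broadcasts with missing extras and repeated deliveries. The class name, the Map standing in for the intent extras, and the key strings are assumptions made for illustration.

```java
import java.util.HashMap;
import java.util.Map;

// Added example: plain Java, no Knox SDK. A Map stands in for the intent extras,
// and the key strings "requestId" / "statusCode" are hypothetical.
public class CreationStatusGate {
    public enum Verdict { CREATED, FAILED, REJECTED }

    private int pendingRequestId = -1; // negative: no creation request outstanding

    // Store the createContainer() result only if it is a request ID (>= 0).
    public boolean begin(int createContainerResult) {
        pendingRequestId = createContainerResult >= 0 ? createContainerResult : -1;
        return pendingRequestId >= 0;
    }

    // Decide whether a received status broadcast may be trusted.
    public Verdict onStatus(Map<String, Integer> extras) {
        if (pendingRequestId < 0 || extras == null) return Verdict.REJECTED;
        Integer requestId = extras.get("requestId");
        Integer statusCode = extras.get("statusCode");
        // Missing extras are rejected instead of being replaced by default values.
        if (requestId == null || statusCode == null) return Verdict.REJECTED;
        if (requestId.intValue() != pendingRequestId) return Verdict.REJECTED;
        pendingRequestId = -1; // one-shot: a replayed broadcast no longer matches
        return statusCode >= 0 ? Verdict.CREATED : Verdict.FAILED;
    }

    private static Map<String, Integer> extras(int requestId, int statusCode) {
        Map<String, Integer> m = new HashMap<>();
        m.put("requestId", requestId);
        m.put("statusCode", statusCode);
        return m;
    }

    public static void main(String[] args) {
        CreationStatusGate gate = new CreationStatusGate();
        // Constructed sample values; the request IDs and status codes are arbitrary.
        gate.begin(42);
        System.out.println("other request ID: " + gate.onStatus(extras(7, 10)));
        System.out.println("matching ID:      " + gate.onStatus(extras(42, 10)));
        System.out.println("replayed:         " + gate.onStatus(extras(42, 10)));
        System.out.println("create failed:    " + gate.begin(-1));
        System.out.println("no extras:        " + gate.onStatus(null));
        gate.begin(43);
        System.out.println("negative status:  " + gate.onStatus(extras(43, -1)));
    }
}
```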

Choosing the UI style

You can customize how the Knox Workspace container appears, as either a folder containing apps or as a desktop with app launcher icons. You can also disallow end users from changing this UI style through the Knox Settings menu.

To select the Knox Workspace appearance, call the API method setContainerLayout(int layoutType), which accepts the options CONTAINER_LAYOUT_TYPE_FOLDER or CONTAINER_LAYOUT_TYPE_CLASSIC. This API method works only when you clone the container type knox-b2b.

To disallow end users from switching the Knox Workspace container layout, call the API method allowLayoutSwitching(boolean allow).

Creating a container with apps

Here is a sample use case:

  • Create a Knox Workspace container
  • Set up email
  • Install three apps for enterprise use

To create the container and set up email:

KnoxContainerManager.createContainer("knox-b2b");
// When the container is created successfully, containerID is returned through the intent.
// Use this containerID in the API call below.
KnoxContainerManager kcm = EnterpriseKnoxManager.getInstance().getKnoxContainerManager(context, containerID);
EmailAccountPolicy eap = kcm.getEmailAccountPolicy();
ApplicationPolicy appPolicy = kcm.getApplicationPolicy();

To set up an email account and install three apps:

eap.addNewAccount(new EmailAccount("testemail@gmail.com", "pop3", "pop.gmail.com", 995, "testemail@gmail.com", null, "smtp", "smtp.gmail.com", 465, "testemail@gmail.com", null));
appPolicy.installApplication("/mnt/sdcard/testapp1.apk");
appPolicy.installApplication("/mnt/sdcard/testapp2.apk");
appPolicy.installApplication("/mnt/sdcard/testapp3.apk");

Removing a container

To remove a Knox Workspace container:

boolean status = EnterpriseContainerManager.removeContainer(containerId, new RemoteStatusCallback());
// RemoteStatusCallback extends EnterpriseContainerCallback