Manage Workspace
This section provides information on how to manage Knox Workspace configurations.
Create a Workspace
Knox Platform for Enterprise is a superset of Android Enterprise. When you apply a license to an Android Work profile, it is upgraded to a Knox Workspace. It is supported in the following upgrade paths.
- Work Profile > (Knox License) > Workspace
- Fully managed with Work Profile > (Knox License) > Workspace on fully managed device.
A Knox Workspace is typically created with an MDM agent. When you create a Workspace there are a variety of settings available to choose. Note that only one enterprise container and one personal container can be created on the device at one time – it is not possible to have two Workspaces exist simultaneously. For example:
- A device can have one Knox Workspace and one Secure Folder.
- A device cannot have both Workspace and Work Profile.
Here is an example of how to create a Workspace with Knox Manage. It is as simple as selecting the desired policies, hitting save, and pushing the container to a device.
Next – for extra security – we used some policies to restrict the device user's use of certain features. For example, the following image below shows that screen capture, among other actions, are not allowed in the Workspace.
Once the Workspace is pushed to a device, a device user access it through the app drawer tab labeled Workspace, as shown in the following image below. Notice how there is a Personal and Workspace tab. Simply tapping each tab instantly switches between the Workspace and Personal mode. Authentication is required to access the Workspace and is determined by the settings set up by the device user or the IT Admin.
If you see the following badges, rest assured that you are protected by Knox Workspace.
- Secured by Knox: The Knox Workspace app drawer has a "Secured by Knox" in the bottom right corner.
- Blue shield on app icon: Knox Workplace apps have a blue shield in the bottom right corner.
Delete Workspace
You delete a Workspace by simply removing it with the appropriate MDM command. Once complete, any data within the container is permanently erased. This data is not recoverable. Typically a device user can't delete a Workspace without IT admin intervention, unless the device is specifically set up to allow container deletion through IT admin policies.
Reset unlock method or password
Unlock methods or passwords are reset with the appropriate MDM command. For security reasons, there is no way to reset the password on the device or inside the Workspace without using an MDM.
For example, in the following image, we are using the MDM command Reset Password.
Remotely control Knox Workspace
IT Admins can remotely control a Knox Workspace to help troubleshoot and solve IT issues. Read more about the benefits of remote control in the Knox White paper.
Remote Lock Workspace
This feature allows IT admins to remotely lock out a device, for example, when the device is out of compliance. Once the device is locked, only an IT admin can unlock it with through an MDM console (and not a device user.)
The following screenshot shows an example of what an device user would see if an IT admin locks the Workspace remotely.
Billing
By default, the data and voice used in the Knox Workspace container are merged into one billing including the data and voice used in the personal space. However, data used in the container can be tracked and billed separately using a feature called Enterprise Billing.
In order to enable this feature, split billing must be supported by the MDM you are using. A separate discussion is needed with the respective operator so that the customer could get two separate bills from the operator.
There is no separate billing available for voice calls made in the container.
Enterprise billing
Enterprise Billing separates enterprise and personal data usage. In Bring Your Own Device (BYOD) deployment, Enterprise Billing allows proper compensation of the device user's data costs generated from work-related app usage. In a Corporate Liable (CL) deployment, Enterprise Billing allows employers to only pay for data usage incurred for work purposes. Through MDM policies, you set up Enterprise Billing for the following:
- All data traffic from the Workspace.
- All data traffic from the MD angent, including web apps, apps deployed with the MDM on the personal side, or inside the Knox Workspace.
You enable dual APN by creating two APN profiles and routing the respective traffic thorough each them. For example, a default APN is used to route data from personal apps and a second APN to record enterprise data usage. You can get this information from your cellphone carrier, assuming they support this feature.
The following example shows a hypothetical APN profile used to route internal traffic through the Knox Workspace.
Enterprise roaming
Enterprise roaming allows an organization to control what apps are allowed to use data when they roam. This restriction can reduce billing costs, especially when an employee travels frequently. Here are some common use cases that you can use for.
- Restrict data for the whole Workspace.
- Restrict data for a single app in the Workspace.
- Restrict data for a single app on the personal side.
Virtual Private Networks (VPN)
You can use Workspace to manage VPN connections, but only for user accounts you control. This typically includes the default user and any Workspaces you activate. VPN connections for apps installed in user accounts you don't control, such as those created for Android for Work managed profiles, must be managed separately.
Container-wide VPN
This is used by all apps in the Knox container:
- Download the Knox VPN services client from the Knox web portal.
- Deploy the Knox VPN services client to your enterprise device with an MDM. This process may vary depending on your MDM vendor. For more information contact their support.
- Configure the VPN profiles for your device in your MDM. You will need the server IP address, IKE version and pre-shared key information. If you are using a certificate for connection, ensure you also have that configured.
- You can now choose the apps that you want to pass through the VPN. This process may vary depending on which MDM you are using.
For more information, contact your MDM for support.
Password policy enforcement
As of Knox 3.0, the Knox framework does not enforce a password requirement by default for new Workspaces. To set a container password, use a MDM to specify a password policy for the container. Make sure you deploy the password policy before the user creates a container.
Important:
When setting a password policy, you must specify both the length and the quality of the password (numeric, password, pattern, etc.). Otherwise, the MDM does not prompt the device user to set a container password.
Connections
USB
For security reasons USB can't be used to transfer files inside or outside of the container. However, there are still some USB modes that can be enabled for limited functionality. These USB modes are listed in the following table.
|
Workspace |
Personal | |
|
Accessory (printer/mouse, scanner) |
Disabled by default but controllable |
Enabled |
|
Storage |
Disabled by default, but allowed |
Enabled |
|
ADB |
Disabled by default but controllable |
Disabled if Knox is activated Controllable |
|
MTP |
Disabled (only shows personal space) Not Controllable |
Enabled |
NFC
NFC is enabled by default when a Workspace is created. IT policies can disable this feature off if needed.
Bluetooth
Bluetooth is enabled by default when a Workspace is created. IT policies can disable this feature off if needed. Activating Bluetooth inside the Workspace allows you to connect to peripherals such as Smart Card readers or wireless headphones.
Share content with Bluetooth
This feature can also be turned off with an IT policy.
- Browse to the item you want to share – such as a gallery photo.
- Tap Share.
- Select Bluetooth
Allow Knox phone book access via Bluetooth
With a supported MDM you can enable Phonebook Access (PBA) using Bluetooth. This allows users to access Knox contacts via Bluetooth peripherals. For example, users may want to see caller ID information for Knox contacts when their devices are connected to a car’s hands-free Bluetooth headset.
To use this feature, enable the Phonebook Access (PBA) policy inside the Knox container.
- Settings – PBA settings automatically override the user’s contact sharing settings. For example, if an IT admin disables PBA, users won’t be able to access Knox contacts with Bluetooth peripherals, even if they’ve enabled the Show Knox caller ID setting.
- Browse for contacts – If IT admins enable this feature, users can browse for both personal and Knox contacts using the car’s dashboard UI. If this feature has been disabled, users will only see personal contacts.
- Caller ID – If enabled, caller ID information from Knox contacts is displayed on the car dashboard UI if users receive a phone call while connected to the vehicle’s hands-free calling device. If this feature is disabled, only the Knox contact’s phone number is displayed.
- View call logs – If enabled, when users view the call logs through the car’s dashboard UI, Knox contacts will be displayed. If disabled, the Knox contact’s phone number are displayed, but other information, such as the name and email address, is hidden.