This section provides information on how to manage Knox Workspace configurations.
Knox Platform for Enterprise is a superset of Android Enterprise. When you apply a license to an Android work profile, it is upgraded to a Knox Workspace. The following upgrade paths are supported.
A Knox Workspace is typically created with an MDM agent. When you create a Workspace, there are a variety of settings available to choose from. Note that only one enterprise container and one personal container can exist on the device at one time – it is not possible to have two Workspaces simultaneously. For example:
Here is an example of how to create a Workspace with Knox Manage. It is as simple as selecting the desired policies, hitting save, and pushing the container to a device.
Next – for extra security – we applied some policies to restrict the device user's use of certain features. For example, the following image shows that screen capture, among other actions, is not allowed in the Workspace.
Once the Workspace is pushed to a device, a device user accesses it through the app drawer tab labeled Workspace, as shown in the following image. Notice that there is a Personal tab and a Workspace tab. Tapping each tab instantly switches between Workspace and Personal mode. Authentication is required to access the Workspace and is determined by the settings configured by the device user or the IT admin.
If you see the following badges, rest assured that you are protected by Knox Workspace.
You delete a Workspace by simply removing it with the appropriate MDM command. Once complete, any data within the container is permanently erased. This data is not recoverable. Typically a device user can't delete a Workspace without IT admin intervention, unless the device is specifically set up to allow container deletion through IT admin policies.
Unlock methods or passwords are reset with the appropriate MDM command. For security reasons, there is no way to reset the password on the device or inside the Workspace without using an MDM.
For example, in the following image, we are using the MDM command Reset Password.
IT Admins can remotely control a Knox Workspace to help troubleshoot and solve IT issues. Read more about the benefits of remote control in the Knox White paper.
This feature allows IT admins to remotely lock a device, for example, when the device is out of compliance. Once the device is locked, only an IT admin can unlock it, through an MDM console; a device user cannot.
The following screenshot shows an example of what a device user would see if an IT admin locks the Workspace remotely.
By default, the data and voice used in the Knox Workspace container are merged into one bill together with the data and voice used in the personal space. However, data used in the container can be tracked and billed separately using a feature called Enterprise Billing.
To enable this feature, split billing must be supported by the MDM you are using. A separate arrangement is needed with the respective operator so that the customer can receive two separate bills from the operator.
There is no separate billing available for voice calls made in the container.
Enterprise Billing separates enterprise and personal data usage. In Bring Your Own Device (BYOD) deployment, Enterprise Billing allows proper compensation of the device user's data costs generated from work-related app usage. In a Corporate Liable (CL) deployment, Enterprise Billing allows employers to only pay for data usage incurred for work purposes. Through MDM policies, you set up Enterprise Billing for the following:
You enable dual APN by creating two APN profiles and routing the respective traffic through each of them. For example, a default APN is used to route data from personal apps and a second APN to record enterprise data usage. You can get this information from your cellphone carrier, assuming they support this feature.
The following example shows a hypothetical APN profile used to route internal traffic through the Knox Workspace.
Enterprise roaming allows an organization to control which apps are allowed to use data while roaming. This restriction can reduce billing costs, especially when an employee travels frequently. Here are some common use cases.
You can use Workspace to manage VPN connections, but only for user accounts you control. This typically includes the default user and any Workspaces you activate. VPN connections for apps installed in user accounts you don't control, such as those created for Android for Work managed profiles, must be managed separately.
This is used by all apps in the Knox container:
For more information, contact your MDM vendor for support.
As of Knox 3.0, the Knox framework does not enforce a password requirement by default for new Workspaces. To set a container password, use an MDM to specify a password policy for the container. Make sure you deploy the password policy before the user creates a container.
Important:
When setting a password policy, you must specify both the length and the quality of the password (numeric, password, pattern, etc.). Otherwise, the MDM does not prompt the device user to set a container password.
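As an added illustration of the caveat above (not code from the Knox documentation or from any MDM product), the following assumes the MDM agent is the profile owner of the work profile that the Workspace is built on and uses Android's standard DevicePolicyManager rather than a Knox-specific SDK call; the admin component name, quality constant and length are assumed values.

```java
import android.app.admin.DevicePolicyManager;
import android.content.ComponentName;
import android.content.Context;

/** Applies a container password policy that sets BOTH quality and minimum length. */
public final class WorkspacePasswordPolicy {
    private WorkspacePasswordPolicy() {}

    /** admin: the profile-owner receiver of the MDM agent (assumed to be already set). */
    public static void apply(Context ctx, ComponentName admin) {
        DevicePolicyManager dpm =
                (DevicePolicyManager) ctx.getSystemService(Context.DEVICE_POLICY_SERVICE);
        // Quality and length are two separate policy values; setting only one of them
        // leaves the policy incomplete, and the user is never prompted to create a password.
        dpm.setPasswordQuality(admin, DevicePolicyManager.PASSWORD_QUALITY_NUMERIC_COMPLEX);
        dpm.setPasswordMinimumLength(admin, 6); // assumed value: adjust to your policy
    }

    /** Sanity check to run before pushing the container: both halves must be present. */
    public static boolean isComplete(DevicePolicyManager dpm, ComponentName admin) {
        boolean qualitySet =
                dpm.getPasswordQuality(admin) != DevicePolicyManager.PASSWORD_QUALITY_UNSPECIFIED;
        boolean lengthSet = dpm.getPasswordMinimumLength(admin) > 0;
        return qualitySet && lengthSet;
    }
}
```

Call isComplete() from the agent before the user is allowed to create the container, since a policy that fails this check is silently ignored at container creation.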
For security reasons, USB can't be used to transfer files into or out of the container. However, some USB modes can still be enabled for limited functionality. These USB modes are listed in the following table.
| USB mode | Workspace | Personal |
| --- | --- | --- |
| Accessory (printer/mouse, scanner) | Disabled by default but controllable | Enabled |
| Storage | Disabled by default, but allowed | Enabled |
| ADB | Disabled by default but controllable | Disabled if Knox is activated; controllable |
| MTP | Disabled (only shows personal space); not controllable | Enabled |
NFC is enabled by default when a Workspace is created. IT policies can disable this feature if needed.
Bluetooth is enabled by default when a Workspace is created. IT policies can disable this feature if needed. Activating Bluetooth inside the Workspace allows you to connect to peripherals such as smart card readers or wireless headphones.
Share content with Bluetooth
This feature can also be turned off with an IT policy.
Allow Knox phone book access via Bluetooth
With a supported MDM you can enable Phonebook Access (PBA) using Bluetooth. This allows users to access Knox contacts via Bluetooth peripherals. For example, users may want to see caller ID information for Knox contacts when their devices are connected to a car’s hands-free Bluetooth headset.
To use this feature, enable the Phonebook Access (PBA) policy inside the Knox container.