Samsung Bets Big On Knox BYOD Technology - InformationWeek
Mobile // Mobile Devices
08:51 AM
Connect Directly
Data Tells: Dissecting Every Day Data
May 31, 2017
Join us as the author of the book "Everydata: The Misinformation Hidden in the Little Data You Con ...Read More>>

Samsung Bets Big On Knox BYOD Technology

Dominant Android player Samsung promises IT-centric and end-user friendly ways to make devices safe and manageable.

Samsung Smartphone Running Knox
Samsung Smartphone Running Knox
You're forgiven if you've never heard of Samsung SAFE (Samsung For Enterprise), or if your impression of Android's place in the enterprise ranks right up there with opening random file attachments sent by seemingly well-intended Nigerian benefactors. Hoping to change that impression, Samsung bought six Oscar Awards television commercials starring SAFE, while announcing its new upgrade Knox, at Mobile World Congress in Barcelona this week.

Knox is eye-opening, not only because it promises significant IT-centric and end-user friendly ways to make Samsung devices safe and manageable, but also because Samsung is the dominant Android player (and Android is the dominant smartphone ecosystem, at 70% of the market by some estimates). At a time when IT's admiration for BlackBerry has waned, and Microsoft Windows Phone wobbles like a newborn foal, Samsung is seizing an enormous opportunity. The company claims it has sold 100 million Galaxy devices globally, for example.

But Knox is formidable in its own right. SAFE offered Microsoft ActiveSync support for email and calendaring, on-device encryption (256-bit), VPN support (Cisco's and Juniper's), and APIs for Mobile Device Management (MDM) products, supported by the likes of MobileIron, Sybase Afaria, Zenprise, SOTI and AirWatch. Those APIs enabled almost 340 IT policies, Samsung's Tim Wagner, VP and general manager of enterprise sales said. Many devices run SAFE, but Samsung has only certified the Samsung Galaxy SIII and Galaxy Note 2.

[ What is on Samsung's to-do list? Read Samsung Looks To Elbow Past BlackBerry In The Enterprise. ]

By way of contrast, BlackBerry's new BES 10 uses an AES256 encrypted tunnel between BES and BlackBerry devices, so things like email and browsing happen over this encrypted tunnel without having to provision a VPN session.

Knox offers even more APIs and even more MDM policies (Samsung wouldn't say how many). It supports VPN on a per-application basis, and it lets IT departments manage devices using Active Directory. It provides a container-based solution for separating work applications from personal applications, and supports single sign-on for accessing the container. Anything that is copied within a container, or downloaded within a container, can't be taken outside of that container. IT can't get into the personal container.

Not only does this provide IT with a safe way to say "yes" to employees bringing their own devices (provided they're Samsung devices), but it also lets them flush the work container without impacting personal applications and data if an employee leaves, a big bone of contention in many BYOD environments.

However, these containers don't necessarily expose data plan usage. Some CIOs I've talked to want to let employees bring their own devices, even pay the carrier bill, but don't want to pay for personal data usage charges. Wagner suggested that carriers will have to work that part out.

Containers are accessed via icons in the shortcut bar or on the screens, or via the menu bar. IT can force logins for the containers. When you're in the container, the screen's appearance changes.

BlackBerry, the so-called standard-bearer for enterprise mobility (at least until recently) offers BlackBerry Balance, which does essentially the same thing as Knox Containers. But the new BlackBerry Hub unifies applications, regardless of whether those applications run in work or personal profiles. A simple swipe down the middle of the screen separates those profile views.

The Knox security features are also noteworthy. For instance, Knox devices will provide secure boot. They will also run SE (security enhanced) Android, which is an implementation of SE Linux, developed by the NSA. And finally, Samsung runs TrustZone, a technology built into the ARM Cortex-A processor. Samsung has focused some of its efforts on the strict guidelines provided by the federal government, and especially the department of defense. These enhancements include SRG compliance (Defense Information Systems Agency's Security Requirements Guide), CAC capability (common access card, or really the ability to turn your phone into a secure thin client on a DOD network), FIPS compliance (both on the device and through the air) and root of trust (a customized secure boot image for the government).

Wagner said Samsung's goal is to make Knox available in Q2 2013, but he was a little vague on the specifics. Devices that Samsung deems "iconic" (like the Samsung Galaxy SIII smartphone) will get a maintenance release, but bare metal-oriented features like secure boot won't be supported. Samsung's Galaxy S IV is rumored to be coming out soon, which is likely another reason for Samsung's evasiveness about timing. Samsung announced the Note 8 tablet at Mobile World Congress, but Wagner said that Knox on tablets is still in development and won't be available on any tablets at launch. The Note 8 will be SAFE certified, and then will get Knox.

Samsung's move here is smart: educate end users (via mass market messages, through retail channels, through carriers), and provide enterprise-class features that IT will love -- features that rival what BlackBerry has provided with BES. What better way to support consumer desires than to have IT endorse Samsung -- better for Samsung, that is.

But in fact it would be smart for BES to use Samsung's APIs (if Samsung allowed it; the company wouldn't comment on the subject) as a way to offer better support for Android. BlackBerry Fusion, which extends mobile device management to iOS and Android, is now integrated into the BES management console, but has largely been viewed as a me-too response to what third-party MDM products provide.

Attend Interop Las Vegas, May 6-10, and attend the most thorough training on Apple Deployment at the NEW Mac & iOS IT Conference. Use Priority Code DIPR02 by March 2 to save up to $500 off the price of Conference Passes. Join us in Las Vegas for access to 125+ workshops and conference classes, 350+ exhibiting companies, and the latest technology. Register for Interop today!

Comment  | 
Print  | 
More Insights
Newest First  |  Oldest First  |  Threaded View
User Rank: Apprentice
2/27/2013 | 6:00:58 AM
re: Samsung Bets Big On Knox BYOD Technology
You're exactly right -- and I would also say that many organizations would love to eliminate the expense of an MDM solution as well, so while the use of ActiveSync and Active Directory as mechanisms to manage and control Knox/SAFE devices is promising, once again you're limited to Samsung-certified devices (ie, their own, and really just their flagship products at this point). I think that it's fairly inevitable that organizations will have to have an MDM solution if they're going the BYOD route (most people I talk to have stopped resisting). The beauty of the Samsung approach is that it is all enabled through the major MDM players (Mobile Iron, SOTI, Airwatch, etc -- I know the ones I leave out of this list are going to send me e-mails, but I don't have the list in front of me). Those MDM players will offer some semblance of a.) support for other devices, including other platforms b.) use of the Knox/SAFE APIs (I'm not sure whether any are using even half of the 700 or so Samsung touts). So for shops that want to allow all platforms (whatever their employees want to bring), most of those will be supported by MDM, and then IT can say "we encourage using Samsung devices that are Knox certified." And it's not like they're asking employees to cripple themselves because Samsung has some of the best smartphone technology anywhere -- it's likely we'll see something pretty exciting on March 14 with the Galaxy SIV.
User Rank: Apprentice
2/27/2013 | 5:54:07 AM
re: Samsung Bets Big On Knox BYOD Technology
Samsung's container is probably more equivalent to what VMWare has, and with it the user chooses what IT can/can't see. How secure those containers (work vs personal) are from one another remains to be seen, and one would hope that each runs in its own sandbox. Most of the other items will have to be examined by security experts, but Samsung is seeking FIPS compliance, and thus the blessing of government agencies like the DOD, so I would imagine things are pretty secure. Samsung isn't providing things like an enterprise app store, which can help on the Android malware front, but they are allowing the ability to blacklist and whitelist applications, and that there will be more on this front.

None of these things will prevent users from doing stupid things, like clicking on malicious links. I talked to one company at Mobile World Congress this week (Cloudmark) that is in the business of secure SMS and I hadn't realized what a problem malware and even botnets have been using SMS -- I guess people still haven't learned, and it seems these things will get worse and more insidious.
SF MIke,
User Rank: Apprentice
2/26/2013 | 4:46:30 PM
re: Samsung Bets Big On Knox BYOD Technology
Fritz, Even though Android/Samsung has the lion's share; there will always be the outlyers/execs/salesfolks who insist on their iPhone or Win8 phone (it is BYOD after all). So the issue remains of having to utilize multiple tools or have support for non Samsung devices in the tool... How do you see this playing out, since IT isn't looking for MORE tools, just ONE great MDM solution for all their BYOD (within reason).
David Berlind
David Berlind,
User Rank: Apprentice
2/26/2013 | 4:41:10 PM
re: Samsung Bets Big On Knox BYOD Technology
Fritz.. When I met with Tim Wagner at CES, he alluded to how the company was about to launch a major campaign around the SAFE APIs. Not that we would normally give coverage to advertising moves like that. But the approach Samsung is taking is reminiscent of the hugely successful and long running Intel Inside campaign. To me, this is significant because it's making Samsung look as though it's completely unchallenged on MDM API (on Android) front. Even our own CIO admitted to me that he liked the comfort of knowing that some number of our BYODers had SAFE-compliant phones (compared to those that are barely manageable, relatively speaking, via ActiveSync).

I'm curious to know how the TrustZone technology works in comparison to virtual machine technology of the sort that VMware and Cellrox have shown.
How Enterprises Are Attacking the IT Security Enterprise
How Enterprises Are Attacking the IT Security Enterprise
To learn more about what organizations are doing to tackle attacks and threats we surveyed a group of 300 IT and infosec professionals to find out what their biggest IT security challenges are and what they're doing to defend against today's threats. Download the report to see what they're saying.
Register for InformationWeek Newsletters
White Papers
Current Issue
2017 State of Data and Analytics
Today's companies are differentiating themselves using data analytics, but the journey requires adjustments to people, processes, technology, and culture. 
Twitter Feed
InformationWeek Radio
Archived InformationWeek Radio
Join us for a roundup of the top stories on for the week of November 6, 2016. We'll be talking with the editors and correspondents who brought you the top stories of the week to get the "story behind the story."
Sponsored Live Streaming Video
Everything You've Been Told About Mobility Is Wrong
Attend this video symposium with Sean Wisdom, Global Director of Mobility Solutions, and learn about how you can harness powerful new products to mobilize your business potential.
Flash Poll