Samsung Bets Big On Knox BYOD Technology

Samsung Smartphone Running Knox

You're forgiven if you've never heard of Samsung SAFE (Samsung For Enterprise), or if your impression of Android's place in the enterprise ranks right up there with opening random file attachments sent by seemingly well-intended Nigerian benefactors. Hoping to change that impression, Samsung bought six Oscar Awards television commercials starring SAFE, while announcing its new upgrade Knox, at Mobile World Congress in Barcelona this week.

Knox is eye-opening, not only because it promises significant IT-centric and end-user friendly ways to make Samsung devices safe and manageable, but also because Samsung is the dominant Android player (and Android is the dominant smartphone ecosystem, at 70% of the market by some estimates). At a time when IT's admiration for BlackBerry has waned, and Microsoft Windows Phone wobbles like a newborn foal, Samsung is seizing an enormous opportunity. The company claims it has sold 100 million Galaxy devices globally, for example.

But Knox is formidable in its own right. SAFE offered Microsoft ActiveSync support for email and calendaring, on-device encryption (256-bit), VPN support (Cisco's and Juniper's), and APIs for Mobile Device Management (MDM) products, supported by the likes of MobileIron, Sybase Afaria, Zenprise, SOTI and AirWatch. Those APIs enabled almost 340 IT policies, Samsung's Tim Wagner, VP and general manager of enterprise sales said. Many devices run SAFE, but Samsung has only certified the Samsung Galaxy SIII and Galaxy Note 2.

[ What is on Samsung's to-do list? Read Samsung Looks To Elbow Past BlackBerry In The Enterprise. ]

By way of contrast, BlackBerry's new BES 10 uses an AES256 encrypted tunnel between BES and BlackBerry devices, so things like email and browsing happen over this encrypted tunnel without having to provision a VPN session.

Knox offers even more APIs and even more MDM policies (Samsung wouldn't say how many). It supports VPN on a per-application basis, and it lets IT departments manage devices using Active Directory. It provides a container-based solution for separating work applications from personal applications, and supports single sign-on for accessing the container. Anything that is copied within a container, or downloaded within a container, can't be taken outside of that container. IT can't get into the personal container.

Not only does this provide IT with a safe way to say "yes" to employees bringing their own devices (provided they're Samsung devices), but it also lets them flush the work container without impacting personal applications and data if an employee leaves, a big bone of contention in many BYOD environments.

However, these containers don't necessarily expose data plan usage. Some CIOs I've talked to want to let employees bring their own devices, even pay the carrier bill, but don't want to pay for personal data usage charges. Wagner suggested that carriers will have to work that part out.

Containers are accessed via icons in the shortcut bar or on the screens, or via the menu bar. IT can force logins for the containers. When you're in the container, the screen's appearance changes.

BlackBerry, the so-called standard-bearer for enterprise mobility (at least until recently) offers BlackBerry Balance, which does essentially the same thing as Knox Containers. But the new BlackBerry Hub unifies applications, regardless of whether those applications run in work or personal profiles. A simple swipe down the middle of the screen separates those profile views.

The Knox security features are also noteworthy. For instance, Knox devices will provide secure boot. They will also run SE (security enhanced) Android, which is an implementation of SE Linux, developed by the NSA. And finally, Samsung runs TrustZone, a technology built into the ARM Cortex-A processor. Samsung has focused some of its efforts on the strict guidelines provided by the federal government, and especially the department of defense. These enhancements include SRG compliance (Defense Information Systems Agency's Security Requirements Guide), CAC capability (common access card, or really the ability to turn your phone into a secure thin client on a DOD network), FIPS compliance (both on the device and through the air) and root of trust (a customized secure boot image for the government).

Wagner said Samsung's goal is to make Knox available in Q2 2013, but he was a little vague on the specifics. Devices that Samsung deems "iconic" (like the Samsung Galaxy SIII smartphone) will get a maintenance release, but bare metal-oriented features like secure boot won't be supported. Samsung's Galaxy S IV is rumored to be coming out soon, which is likely another reason for Samsung's evasiveness about timing. Samsung announced the Note 8 tablet at Mobile World Congress, but Wagner said that Knox on tablets is still in development and won't be available on any tablets at launch. The Note 8 will be SAFE certified, and then will get Knox.

Samsung's move here is smart: educate end users (via mass market messages, through retail channels, through carriers), and provide enterprise-class features that IT will love -- features that rival what BlackBerry has provided with BES. What better way to support consumer desires than to have IT endorse Samsung -- better for Samsung, that is.

But in fact it would be smart for BES to use Samsung's APIs (if Samsung allowed it; the company wouldn't comment on the subject) as a way to offer better support for Android. BlackBerry Fusion, which extends mobile device management to iOS and Android, is now integrated into the BES management console, but has largely been viewed as a me-too response to what third-party MDM products provide.

Attend Interop Las Vegas, May 6-10, and attend the most thorough training on Apple Deployment at the NEW Mac & iOS IT Conference. Use Priority Code DIPR02 by March 2 to save up to $500 off the price of Conference Passes. Join us in Las Vegas for access to 125+ workshops and conference classes, 350+ exhibiting companies, and the latest technology. Register for Interop today!