Credit: Alexander Shirokov
It was February 2013 when Samsung announced Knox, its containerization technology for higher-end Samsung Android devices. Knox is meant to create a virtual partition on Android devices that would insulate corporate-managed apps and data from attack, an approach pioneered by smaller companies such as Divide but not generally used in mainstream companies.
Knox is Samsung's way to get past IT's legitimate concerns over Android's generally weak security and join Apple's iOS and BlackBerry in the golden circle of trustworthy mobile devices. iOS is a sandboxed operating system, so it's natively designed to prevent interapplication malware and data leaks; the BlackBerry 10 OS goes further, with an explicit containerization technology called Balance that the company's proprietary management server can enable.
[ Mobile security: iOS vs. Android vs. Samsung SAFE vs. BlackBerry vs. Windows Phone. | Keep up on key mobile developments and insights via Twitter and with the Mobilize newsletter. ]
Fast-forward nine months. Though Samsung regularly touts Knox, the U.S. Defense Dept. certified it for government use, several vendors tout their support of it, and there've been many stories in the technology press describing it as a here-and-now option, the truth is it doesn't fully exist. When it does finally become available later this fall, enterprises will discover an unpleasant fact: You have to pay to use it, on top of the subscription fees charged by your mobile device management vendor.
What you need to actually use Knox
To use Knox, your device must support its virtualization technology at the hardware level, which restricts Knox to these Samsung devices: the Galaxy Note 3 "phablet," the Galaxy S III smartphone, the Galaxy S 4 smartphone, and the 2014 model of the Galaxy Note 10.1 tablet. Today, the Note 3 and S4 can run Knox, but only on some carriers' models: Sprint and Verizon for the S 4; AT&T and Verizon for the Note 3, if you install their Premier Suite updates. The Wi-Fi-only Note 10.1 also runs Knox.
Samsung says it will deliver updates to make Knox work on the S III and on other carriers' S 4 and Note 3 versions, but it also notes that each carrier decides when and if Knox compatibility is made available for the devices on its network. Not only do few devices support Knox, the carrier you use determines when or if those devices will actually be able to work with Knox. (Welcome to the fractured mess that is Android!)
You also need the Knox application and its included set of client apps, such as for email. That's only recently been made available in the Google Play store for download.
You need a Knox-compatible mobile management server, for which you pay a monthly fee per user to manage Android and iOS devices; the fee depends on the management features you select. You cannot manage Knox with Microsoft's Exchange ActiveSync (EAS) protocol, which supports a base set of MDM protocols used by Apple and Google and is thus the "free" approach to MDM.