Mobile security: Samsung Knox 2.4 vs. Android for Work

Knox 2.4 is a much more capable security system than Google's Android for Work, but it's not good for BYOD scenarios

android work smartphone mobile

When Samsung's Galaxy S6 and S6 Edge smartphones ship on April 10, they'll come with the newest version of Samsung's mobile security technology, Knox 2.4, already installed. But they'll also support Google's new security technology, Android for Work. Which should you use?

The answer depends on your approach to mobile technology deployments.

BYOD versus company-issued mobile strategy

Knox 2.4 has more advanced capabilities than Android for Work, but Knox 2.4 works only with higher-end Samsung smartphones and tablets running Android 5.0 Lollipop.

The exact models remain unclear. Samsung confirms the Galaxy S6 and S6 Edge as compatible with Knox 2.4, and it says "any device that ships with Lollipop or gets a Lollipop update is highly likely to get a Knox 2.4 update, but the specifics are dependent on carriers and regions as well as on timing of other updates that are already in the pipeline." In other words, you'll need to carefully research which devices are compatible and when they become compatible.

By contrast, Android for Work runs on both Lollipop and Android 4.0 Ice Cream Sandwich and later, so you don't have to investigate which is compatible as Knox 2.4 requires. (In pre-Lollipop devices, only specially wrapped apps can be installed in the secure container, limiting what you can use in it.)

This means Samsung Knox makes sense only in organizations that provision smartphones and tablets to their staff, so there is a known, compatible set of devices (all from Samsung) to be managed. If you support multiple Android devices, whether company-provisioned or BYOD, you need to look at using Android for Work instead.

Of course, you can use both: Knox to manage devices issued to your users who access sensitive data, and Android for Work to manage users (BYOD or not) who don't have access to sensitive information.

These mobile management providers support both Knox and Android for Work: Citrix Systems, IBM, MobileIron, SAP, Soti, and VMware AirWatch. Note that Knox support typically requires an extra cost per user per month on top of the provider's standard MDM charges.

Separating work and personal aspects of the mobile experience

Knox 2.4 both secures the devices and allows users to have personal information and apps on them. The business apps and data are stored in a secured workspace, aka mobile container that IT manages. That keeps users from causing issues in the corporate workspace, and it keeps IT out of the users' personal workspace.

The latter is important for maintaining user privacy. It also means IT can wipe the Knox container without affecting the user's own data -- which is important considering Android has no real backup mechanism like iOS does in the forms of iTunes backup.

Knox can also be configured to have only the secured corporate workspace, with no personal workspace at all. That makes the device a truly work-only device.

Android for Work also provides separate personal and workspaces, so at first blush Knox 2.4 and Android for Work seem equivalent. They're not. Knox 2.4 has several differences that may matter greatly to your organization:

Per-app VPNs. Apps in the secure Knox container can be configured to use specific VPNs (both SSL and IPSec), so you can manage the VPN traffic on a per-app basis if desired. In Android for Work, the entire container uses the same VPN connection.

In both cases, the personal workspace can be excluded from using the corporate VPN, so personal data doesn't travel over your internal network, affording greater user privacy and reducing your network loads.

Active Directory integration. The Knox management platform -- whether you use Samsung's own server or the Knox capabilities in a third-party mobile device management (MDM) server -- can integrate with your Active Directory credentials, so users have to use those corporate credentials to access the secure container. That provides IT more control over access enforcement and provides users the convenience of one fewer password to remember.

Android for Work uses an independent, user-generated password for its container, though you can set expiration and complexity policies for it.

Wearable authentication. If a person has a compatible Samsung smartwatch, its presence (via Bluetooth) can, if enabled, extend the lockout period for the container, since the Knox knows the user is still there. (Unfortunately, the Knox development team couldn't tell me which Samsung Gear wearable models are compatible with Knox 2.4.)

Once the wearable is no longer detected, the Knox container automatically locks, even if the timeout period has not yet been reached. (Users still have to sign in to the container; the wearable does not act as a password.)

Samsung tells me it will have APIs that let hardware developers build Knox compatibility into non-Samsung wearables, from smartwatches to key fobs. But until there's a clear and compelling list of compatible wearables, this feature doesn't feel baked enough to rely on.

Data usage tracking. Knox tracks only data usage from apps and services running in the secure container versus those running on the personal workspace. Although Samsung calls the feature split-billing, there's no direct billing involved, and phone usage is not tracked (because there's no way to tell a personal call from a business one).

The data generated is sent to the IT organization or to a third party, such as a telecom expense management provider or carrier, based on the company's telecom relationships. How the data is used depends on the company: It could help calculate reimbursements to employees, though it's rare that company-provisioned phones don't also have company-provisioned cellular service. More likely, it will track heavy users of personal data for managers to address.

Samsung is the first major provider to offer such a capability, though BlackBerry is working on a similar system.

Independent connectivity enablement. Knox can also manage the availability of Bluetooth, near-field communications (NFC), and SD cards in the secure workspace. Thus, IT can disable either or both of these radio connections, and/or any external SD card storage, within the workspace while not affecting the personal workspace's access to them.

Bulk device enrollment

Because Knox is aimed at companies that provision their own mobile devices, Samsung created a tool to pre-enroll devices using their network ID (aka IMEI) or other hardware serial number.

When someone turns on their new Knox 2.4-equipped Galaxy and connects to the carrier's cellular network, that device's ID is checked to see if it belongs to a specific IT organization. If it is, the IT policies are automatically applied to that device and any company-provisioned apps are installed.

Google has no equivalent feature for bulk enrollment of Android devices.

Secure boot and integrity checks

Android KitKat and Lollipop have a secure boot feature that manufacturers can enable -- only some devices use it -- to check the bootloader integrity to detect rooted or malware-infected devices.

That detection is enabled on all Knox-equipped Samsung devices, Samsung says. Knox-equipped devices have better detection of compromised boot loaders because Samsung has created secure hooks to its own hardware (similar to what BlackBerry does).

Samsung also says Knox devices can check the integrity of the kernel and core file system to detect malware and rooting. And Knox's remote-attestation capability lets IT track device integrity at each boot, for compliance validation.

Copyright © 2015 IDG Communications, Inc.