Corporate Partners

Google details Knox-inspired enterprise ‘managed profiles’ for Android L

Google and Samsung have clarified that Knox features destined for Android L won’t include the best parts of the Korean company’s enterprise security features for Android.

Google has detailed what Samsung Knox features will land in Android L, via a set of application programming interfaces (APIs) which the search company hopes will make Android more appealing for the enterprise. 

Google announced during its annual I/O conference that it had teamed up with its biggest Android hardware partner to deliver new Knox-infused security features that would improve the chance of all devices running the newest version of Android to gain a foothold in business. But, as IDG’s CITE noted at the time, given Samsung’s rivalry with Google — not to mention that Knox differentiates Samsung from its Android rivals — questions remained over exactly what Knox features would end up in Android L.

On Monday the two companies cleared up the question, confirming that Android L will not include Knox’s most valuable features — namely, security that is dependent on hardware.   

Samsung introduced Knox as a security feature unique to its hardware that, among other things, offers a way to keep personal and enterprise apps and data separate. The Knox ‘container’ has its own apps, homescreen, launcher and widgets, offering a secure space for business work-related functions. Knox itself however offers many more desirable features to the enterprise that are hardware-based, including secure boot, protections for the Android kernel and device and container data encryption.

Those hardware features have helped the Korean company gain a tick of approval by the US Department of Defense, the UK’s Communications and Electronic Security Group and the Australian Department of Defence. And they won’t be available to the entire Android ecosystem.

A Google Android project manager explained that the “key Knox functionality” destined for Android L  was built around three concepts: device and data security; support for IT policies and restrictions; and mobile application management.

Android users in the consumer space will be familiar with the concept of logging into different “profiles” to manage multiple users of a single device — as opposed to the controls iOS users can implement in the instance another user has access to their device. Android L builds on this understanding in Android to separate data by enabling personal and corporate applications to run as two separate Android L users.

Android L will use “block-level disk encryption as well as verified boot technology” to keep data safe and compartmentalised. It’s not the same as Knox but thanks to new APIs in the Android software developer kit, admins will be able to create a “managed profile” that mimic Knox’s container to “add a co-present but separate managed profile to a device, if the user has an existing personal account”.

Google’s Android L preview page, explains that users will see apps that are associated with managed profiles “alongside non-managed apps in the user’s Launcher, Recent apps screen, and notifications.”

To support device restrictions, new backend APIs will let admins to set policy including “system settings and certificate provisioning to application-specific (e.g. Chrome) configurations and restrictions.”

Other backend APIs that were adapted from Knox will “allow IT admins to curate the corporate application catalog and to remotely deploy applications to the managed profile on the employees’ devices.” 

Taking a leaf from Knox, other APIs will “allow IT admins to enforce a wide set of policies, ranging from system settings and certificate provisioning to application-specific (e.g. Chrome) configurations and restrictions”, according to Google.

Google plans to announce additional features in the future.

While the new features may help all Android OEMs meet the baseline enterprise requirements, Samsung is keeping to itself the “advanced” hardware-dependent Knox capabilities that helped it gain acceptance among regulated sectors.

And, keeping in mind the slow transition of Android devices to the latest OS, Samsung will keep a “superset” of enterprise APIs for all Samsung devices that come with KNOX, giving Samsung devices an edge when it comes to Knox developers that want to move their apps to L devices.

This article is brought to you by Enex TestLab, content directors for CSO Australia.

____________________________________________________________________________________

Join the CSO newsletter!

Error: Please check your email address.

Tags Android LSamsung KnoxsamsungGooglemanaged appssecuritydisk-encryption

More about CSODepartment of DefenceEnex TestLabGoogleIDGSamsung

Market Place