Google details Knox-inspired enterprise ‘managed profiles’ for Android L

Google and Samsung have clarified that Knox features destined for Android L won’t include the best parts of the Korean company’s enterprise security features for Android.

Google has detailed what Samsung Knox features will land in Android L, via a set of application programming interfaces (APIs) which the search company hopes will make Android more appealing for the enterprise. 

Google announced during its annual I/O conference that it had teamed up with its biggest Android hardware partner to deliver new Knox-infused security features that would improve the chance of all devices running the newest version of Android to gain a foothold in business. But, as IDG’s CITE noted at the time, given Samsung’s rivalry with Google — not to mention that Knox differentiates Samsung from its Android rivals — questions remained over exactly what Knox features would end up in Android L.

On Monday the two companies cleared up the question, confirming that Android L will not include Knox’s most valuable features — namely, security that is dependent on hardware.   

Samsung introduced Knox as a security feature unique to its hardware that, among other things, offers a way to keep personal and enterprise apps and data separate. The Knox ‘container’ has its own apps, homescreen, launcher and widgets, offering a secure space for business work-related functions. Knox itself however offers many more desirable features to the enterprise that are hardware-based, including secure boot, protections for the Android kernel and device and container data encryption.

Those hardware features have helped the Korean company gain a tick of approval by the US Department of Defense, the UK’s Communications and Electronic Security Group and the Australian Department of Defence. And they won’t be available to the entire Android ecosystem.

A Google Android project manager explained that the “key Knox functionality” destined for Android L  was built around three concepts: device and data security; support for IT policies and restrictions; and mobile application management.

Android users in the consumer space will be familiar with the concept of logging into different “profiles” to manage multiple users of a single device — as opposed to the controls iOS users can implement in the instance another user has access to their device. Android L builds on this understanding in Android to separate data by enabling personal and corporate applications to run as two separate Android L users.

Android L will use “block-level disk encryption as well as verified boot technology” to keep data safe and compartmentalised. It’s not the same as Knox but thanks to new APIs in the Android software developer kit, admins will be able to create a “managed profile” that mimic Knox’s container to “add a co-present but separate managed profile to a device, if the user has an existing personal account”.

Google’s Android L preview page, explains that users will see apps that are associated with managed profiles “alongside non-managed apps in the user’s Launcher, Recent apps screen, and notifications.”

To support device restrictions, new backend APIs will let admins to set policy including “system settings and certificate provisioning to application-specific (e.g. Chrome) configurations and restrictions.”

Other backend APIs that were adapted from Knox will “allow IT admins to curate the corporate application catalog and to remotely deploy applications to the managed profile on the employees’ devices.” 

Taking a leaf from Knox, other APIs will “allow IT admins to enforce a wide set of policies, ranging from system settings and certificate provisioning to application-specific (e.g. Chrome) configurations and restrictions”, according to Google.

Google plans to announce additional features in the future.

While the new features may help all Android OEMs meet the baseline enterprise requirements, Samsung is keeping to itself the “advanced” hardware-dependent Knox capabilities that helped it gain acceptance among regulated sectors.

And, keeping in mind the slow transition of Android devices to the latest OS, Samsung will keep a “superset” of enterprise APIs for all Samsung devices that come with KNOX, giving Samsung devices an edge when it comes to Knox developers that want to move their apps to L devices.

This article is brought to you by Enex TestLab, content directors for CSO Australia.


Join the CSO newsletter!

Error: Please check your email address.

Tags Samsung KnoxAndroid Lsamsungmanaged appsGooglesecuritydisk-encryption

More about CSODepartment of DefenceEnex TestLabGoogleIDGSamsung

Show Comments

Featured Whitepapers

Editor's Recommendations

Solution Centres

Stories by Liam Tung

Latest Videos

  • 150x50

    CSO Webinar: Will your data protection strategy be enough when disaster strikes?

    Speakers: - Paul O’Connor, Engagement leader - Performance Audit Group, Victorian Auditor-General’s Office (VAGO) - Nigel Phair, Managing Director, Centre for Internet Safety - Joshua Stenhouse, Technical Evangelist, Zerto - Anthony Caruana, CSO MC & Moderator

    Play Video

  • 150x50

    CSO Webinar: The Human Factor - Your people are your biggest security weakness

    ​Speakers: David Lacey, Researcher and former CISO Royal Mail David Turner - Global Risk Management Expert Mark Guntrip - Group Manager, Email Protection, Proofpoint

    Play Video

  • 150x50

    CSO Webinar: Current ransomware defences are failing – but machine learning can drive a more proactive solution

    Speakers • Ty Miller, Director, Threat Intelligence • Mark Gregory, Leader, Network Engineering Research Group, RMIT • Jeff Lanza, Retired FBI Agent (USA) • Andy Solterbeck, VP Asia Pacific, Cylance • David Braue, CSO MC/Moderator What to expect: ​Hear from industry experts on the local and global ransomware threat landscape. Explore a new approach to dealing with ransomware using machine-learning techniques and by thinking about the problem in a fundamentally different way. Apply techniques for gathering insight into ransomware behaviour and find out what elements must go into a truly effective ransomware defence. Get a first-hand look at how ransomware actually works in practice, and how machine-learning techniques can pick up on its activities long before your employees do.

    Play Video

  • 150x50

    CSO Webinar: Get real about metadata to avoid a false sense of security

    Speakers: • Anthony Caruana – CSO MC and moderator • Ian Farquhar, Worldwide Virtual Security Team Lead, Gigamon • John Lindsay, Former CTO, iiNet • Skeeve Stevens, Futurist, Future Sumo • David Vaile - Vice chair of APF, Co-Convenor of the Cyberspace Law And Policy Community, UNSW Law Faculty This webinar covers: - A 101 on metadata - what it is and how to use it - Insight into a typical attack, what happens and what we would find when looking into the metadata - How to collect metadata, use this to detect attacks and get greater insight into how you can use this to protect your organisation - Learn how much raw data and metadata to retain and how long for - Get a reality check on how you're using your metadata and if this is enough to secure your organisation

    Play Video

  • 150x50

    CSO Webinar: How banking trojans work and how you can stop them

    CSO Webinar: How banking trojans work and how you can stop them Featuring: • John Baird, Director of Global Technology Production, Deutsche Bank • Samantha Macleod, GM Cyber Security, ME Bank • Sherrod DeGrippo, Director of Emerging Threats, Proofpoint (USA)

    Play Video

More videos

Blog Posts

Market Place