Friday, 8 November 2013

The truth about Samsung Knox for Android security

It was February 2013 when Samsung announced Knox, its containerization technology for higher-end Samsung Android devices. Knox is meant to create a virtual partition on Android devices that would insulate corporate-managed apps and data from attack, an approach pioneered by smaller companies such as Divide but not generally used in mainstream companies.
Knox is Samsung's way to get past IT's legitimate concerns over Android's generally weak security and join Apple's iOS and BlackBerry in the golden circle of trustworthy mobile devices. iOS is a sandboxed operating system, so it's natively designed to prevent interapplication malware and data leaks; the BlackBerry 10 OS goes further, with an explicit containerization technology called Balance that the company's proprietary management server can enable.
Fast-forward nine months. Though Samsung regularly touts Knox, the U.S. Defense Dept. certified it for government use, several vendors tout their support of it, and there've been many stories in the technology press describing it as a here-and-now option, the truth is it doesn't fully exist. When it does finally become available later this fall, enterprises will discover an unpleasant fact: You have to pay to use it, on top of the subscription fees charged by your mobile device management vendor.
What you need to actually use Knox
To use Knox, your device must support its virtualization technology at the hardware level, which restricts Knox to these Samsung devices: the Galaxy Note 3 "phablet," the Galaxy S III smartphone, the Galaxy S 4 smartphone, and the 2014 model of the Galaxy Note 10.1 tablet. Today, the Note 3 and S4 can run Knox, but only on some carriers' models: Sprint and Verizon for the S 4; AT&T and Verizon for the Note 3, if you install their Premier Suite updates. The Wi-Fi-only Note 10.1 also runs Knox.
Samsung says it will deliver updates to make Knox work on the S III and on other carriers' S 4 and Note 3 versions, but it also notes that each carrier decides when and if Knox compatibility is made available for the devices on its network. Not only do few devices support Knox, the carrier you use determines when or if those devices will actually be able to work with Knox. (Welcome to the fractured mess that is Android!)
You also need the Knox application and its included set of client apps, such as for email. That's only recently been made available in the Google Play store for download.
You need a Knox-compatible mobile management server, for which you pay a monthly fee per user to manage Android and iOS devices; the fee depends on the management features you select. You cannot manage Knox with Microsoft's Exchange ActiveSync (EAS) protocol, which supports a base set of MDM protocols used by Apple and Google and is thus the "free" approach to MDM.
Finally, you need to activate the Knox service on your device; otherwise, it won't work. The good news is that the MDM provider will activate the service for you. The bad news is you'll pay a monthly per-user surcharge to the MDM vendor to work with Knox, a fee charged by Samsung. The MDM vendors that will soon support Knox and be able to sell you Knox activation are Absolute, AirWatch, Centrify, Citrix Systems, Fixmo, MobileIron, SAP, and Soti. (Some of these vendors, such as Fixmo, have trial deployments in place.) Samsung declined to say how much it was charging each month for Knox access. Check with your MDM vendor on its expected availability and surcharge.
[ UPDATED 11/7/13: MobileIron Wednesday announced it was offering general availability for Knox activations; although it has not published its pricing, an executive told me it would be about $4 per month per device. Centrify also revealed it would charge $43.20 per device per year to activate Knox management. Others are sure to follow soon. ]
Today, almost no MDM vendors have an agreement in place to activate Knox, so most companies can't actually use Knox even if they have a compatible device, the Knox software, and a compatible MDM server. Several MDM vendors tell me they expect to work out the required licensing deals with Samsung in the coming days and weeks to enable general availability of Knox activations, so you should be able to finally use Knox this year on compatible devices -- if you're willing to pay.
How Knox relates to Samsung's SAFE security technology
Samsung advertises Knox as a feature in its Samsung Approved for Enterprise (SAFE) technology suite. SAFE is essentially a supplemental set of APIs to the ones Google has in Android, allowing more security and management options to be managed by an MDM server. It also provides 256-bit encryption rather than stock Android's 128-bit.
Knox is placed in the SAFE umbrella by Samsung's marketing, but whereas most recent Samsung devices support the added SAFE APIs and higher encryption level, they do not support the Knox container or its extra management APIs. A Knox-compatible device supports all SAFE technologies, but a SAFE-compliant device does not necessarily support Knox.
Be careful when buying Samsung devices as to what security each actually supports, and decide whether you really want to pay extra for Knox, and if so for which users.
