A little over six years ago Samsung set out on journey to solve two critical issues facing our customers who wished to adopt Android devices as they updated their mobility strategies to modern platforms. On the one hand, we embedded a security platform into our mobile devices to address the concerns that our customers had about the safety of Android; and on the other, we began developing feature management controls so that our enterprise and government customers could configure, deploy, and manage Samsung devices exactly the way they wanted to.
Over the years, Knox has evolved into the industry’s leading embedded security platform and an accompanying modular, optional suite of services designed to follow the lifecycle of a mobile device throughout its enterprise journey – from setup to enrollment into your management infrastructure to OS version control and security patching (Knox IT Solutions).
Why did we do this? We knew that the power and flexibility of Android, coupled with Samsung’s innovation and capabilities as the world’s largest component and hardware manufacturer would give our customers the tools necessary for them to realize their dreams, to transform their businesses, and to serve their customers and employees in ways that hadn’t been conceived of yet. But there was a mistrust of Android in those earlier days. The same power and flexibility that has led it to become the world’s operating system market share leader (surpassing Windows in 2017) could more easily be turned against the user in the early days of Android. The fact that Android is an open source project, as well as its architecture, exposed it to more attack vectors and made it more vulnerable.
That’s why we embedded our own security platform into Samsung devices, anchored in the chipset and spanning up through the firmware as a series of overlapping defense and security mechanisms designed to ensure the integrity of the device itself, and from there the applications, services, and data being transacted on the device. Note also that Samsung devices are manufactured in Samsung factories primarily using Samsung components, thus ensuring a secure supply chain – another unique attribute of Samsung’s. We built the Knox platform as a more secure implementation of Android and we are proud that today Samsung devices are recognized as the most secure in the world.
About two and half years after Samsung first launched the Knox platform, our colleagues at Google set out to address the same core concerns of security and manageability for Android devices in the enterprise that we first did. As Android evolved it began to encompass many of the security and management features that had previously only been available in the Knox platform. Features such as hardware-backed encryption, secure booting mechanisms, isolation of work data from personal data, and more were initially core features of Samsung devices that have now found their way to the Android ecosystem at large as part of what is today called Android Enterprise.
So is there a purpose to the Knox platform anymore? The answer is yes. Has it gone away (or will it) in favor of Android Enterprise? The answer to that is no, it won’t go away. Allow me to explain why. It’s actually very simple. As some of the core security and management features that used to be exclusive to the Knox platform have gradually over the past two or three years become part of the core Android OS under the name Android Enterprise, an overlap has developed between the two.
However, the Knox platform still includes more granular as well as unique security and management features that are not in Android Enterprise. That’s why there’s still a purpose to the Knox platform, and why it isn’t going away: because as the industry’s leading mobile device manufacturer Samsung has the ability (and I would argue the responsibility) to do more than other manufacturers. Knox Platform for Enterprise is the embodiment of that ethos. It represents thousands of person years and hundreds of millions of dollars of security research and development, and it goes beyond Android Enterprise today and will continue to be an extension of it in the future.
That word – “extension” – is critical to how people should understand the Knox platform today. Whereas Samsung originally developed Knox as a unique security and management platform to meet enterprise and government needs, the growth of Android itself to incorporate some of the same features has led us to collaborate extensively with our colleagues at Google to remove the overlap between the Knox platform and Android Enterprise. By removing features from the Knox platform that now exist in Android Enterprise, the Knox platform is now effectively an extension of Android Enterprise in that it adds more granular or unique security and management features that do not exist in Android while it also relies on Android Enterprise (AE) to now provide those security and management features that have been deprecated.
Where AE provides the core security and management features, Knox adds advanced capabilities on top of it for Samsung devices. As AE grows and incorporates features that today might be unique to Knox Platform for Enterprise (KPE), Samsung will remove those features from KPE at the OS level if they provide no additional value for our customers in favor of using core AE features. However, we will simultaneously be adding our own new security, management, and analytics features to KPE. Therefore Knox will always be growing and will always be leading the industry (see the Knox vision statement from February 2019 here).
A description of features that KPE adds to AE today can be found in our white paper at
These include:
- Enhanced hardware backed integrity and protection
- Real-time Kernel Protection to ensure the integrity of the device beyond boot verification during runtime
- Sensitive Data Protection for data encryption while the device is running, not just at rest
- Dual Data at Rest encryption
- Enhanced VPN controls
- Enhanced certificate management
- And more
As I mentioned earlier, the Samsung Knox and Android Enterprise teams collaborate extensively to ensure that the AE and Knox platforms work seamlessly with one another. This has led to cooperation in adjacent areas:
- We have jointly developed a common integration library for our Knox Mobile Enrollment and Android zero-touch enrollment services (see blog post here); and
- Samsung was the first Android partner to use OEMConfig as a mechanism to better deliver ubiquitous and zero-day access to Knox Platform for Enterprise features to our UEM partners and customers.
Stay tuned for further developments in the future.
— Nick Dawson, Director of Knox Strategy & Business