App Isolation

The Knox Platform uses app isolation to prevent rogue apps from intentionally or inadvertently accessing unauthorized data. The Knox Platform provides several forms of app isolation to create a protected app container space on Samsung devices. Each option is based on the same core isolation technology, called Security Enhancements for Android (SE for Android). SE for Android is an integration of SELinux and Android, expanded to cover Android components and design paradigms. The Knox Platform offers these options:

 

  • Android Enterprise on Samsung devices:

Android Enterprise provides app isolation through Work Profiles, which provide basic isolation of enterprise apps from personal apps. When using Android Enterprise on Samsung devices, Knox provides features like Real-time Kernel Protection (RKP), secure enterprise apps, and hardware-backed storage of certificates and keys, making Android Enterprise even better on Samsung devices.

 

  • Knox Workspace:

The Knox Workspace builds on Android Enterprise by providing additional security and management enhancements. Specifically, the Knox Workspace benefits from hardware-backed integrity checks. These checks detect any tampering with the device or its security protections and lock down the Knox Workspace to protect confidential data. The Knox Workspace also supports Sensitive Data Protection (SDP), encrypting data during device runtime and decrypting only after the device user authenticates to unlock the Knox Workspace. Furthermore, the Knox Workspace provides more granular device management, for example, forced two-factor authentication for the Knox Workspace, the use of enterprise Active Directory credentials for authentication, and managed import and export of enterprise data in the Knox Workspace.

 

  • SE for Android Management Service (SEAMS):

With SEAMS, you can isolate a single app or a small set of trusted apps, locking them down in the same container. App containers created with SEAMS provide the same benefits as the Knox Workspace. Unlike the first two options, however, SEAMS containers have no special GUI. Apps in a SEAMS container appear with the rest of the apps on the device, but are differentiated with a shield badge to show that they’re isolated and protected from apps that do not share their container. You can create as many of these SEAMS containers as you want on the fly.

 

With the Knox Workspace, enterprises can deploy additional security and management policies to enforce requirements, such as those of highly regulated industries like finance, healthcare, and government.