Sunday, March 15, 2015

Samsung's security twist: Protect yourself from IT

If you're worried about your personal information being accessible to your company's IT staff, you may have an unlikely defense in the form of mobile workspaces, aka containers, which separate work and personal data (and apps) on your smartphone or tablet. IT organizations like the idea because it lets them wall off their stuff from yours.

Although most containers are imposed on you by IT to secure work data, Samsung has an interesting twist on the concept: user-installed containers to protect your personal information from IT's reach.
I'm not a fan of mobile containers -- most are awkward to use. They typically make users jump between two contexts, access unfamiliar apps for basic functions like email and document editing, and separate activities that should be integrated, like your day's calendar or what new messages have been received.
Sure, you can point to good aspects in, say, BlackBerry Balance, Android for Work (the former Divide product), or any of the mobile device management (MDM) vendors' secured workspace apps. But on balance, they're a pain to use.

The ins and outs of using My Knox

Samsung's My Knox container app is not as painful as some others, thanks to its option to present the safeguarded apps within a folder (if you prefer) or in the more traditional separate environment, where you switch between your personal home screens and your work ones as needed. (You're still required to enter your password to use business apps, though.)
My Knox folder layout
If you prefer not to switch between completely separate home screens, you can have My Knox use the Folders layout to make business apps visible from your personal workspace. (You still need to sign into the business workspace to use its apps.)
Most interesting, you can download My Knox from the Google Play app store and separate your personal and business workspaces yourself, relegating IT-managed content like your work email to a business workspace. If you set My Knox to switch between fully separate workspaces, rather than use the Folders layout, you navigate to the My Knox workspace by opening the My Knox app; when in the My Knox workspace, you get back to your personal workspace by tapping the Personal Home app.
You can also tell My Knox to share contacts and/or calendar information between the two workspaces. My Knox lets you set up sharing in either or both directions. For example, you could choose to share personal contacts with your business workspace, for use by, say, the Email app there. But you could choose not to share contacts in your business workspace with your personal workspace, so you couldn't look up, for instance, a business contact's email address from the Email app in your personal workspace.
If you're concerned about snooping by IT staffers or other corporate folks on your devices, using a container like My Knox effectively locks them out of your personal data. That's not necessarily the case if you have an Android device you've connected to your company's Exchange server or non-container-oriented MDM tool. (iOS has a very different application security model, oriented to managing apps directly rather than in separate workspaces, and its app sandboxes block everything but that app from seeing an app's content.)
Like all containers, My Knox limits what you can do inside it and what apps you can run. That's because apps need to support the policy restrictions used by the container's management server.

Android lets you run multiple copies of the same app, so you can have, say, Email in both your personal and business workspaces, each accessing different email accounts. Of course, that means you won't get the badge for new work emails on the Email app in your personal workspace.
My Knox notifications
The My Knox container displays new emails and so on from both your personal and business workspaces in the Notifications tray, if you enable that feature.
But you will see all your email in the Notifications tray, with a lock icon representing those in the My Knox container -- if you enable the Quick Mode Change option in the Knox Settings app. If you tap a notification for an item in the workspace you're not currently using, you're switched to that workspace, and a password is requested if you haven't used that container in a while (you define that period in preferences). 
The newest version of My Knox (released on Feb. 20) is open to running any Play Store apps, and when you install it you can choose to move already installed apps into the container. You can also install apps from Samsung's own app store. The previous version of My Knox supported a much smaller selection of apps.

The gotchas of using My Knox

The My Knox app runs on only a handful of Android devices, all from Samsung: the Galaxy S6, S6 Edge, S5, Note 4, A5, A3, and E5, as well as the forthcoming Galaxy A7 and E7. (The A and E series are aimed mainly at Asian markets, but can be had in some Western countries as well.) Even if you like the idea of My Knox, you probably can't use it.
Because My Knox is a container, it doesn't only contain IT's reach within it; it also restricts what you can do in that container. For example, you can't copy or cut text to paste into your personal workspace's apps. You can't even take a screenshot of anything in the work container.

Also, there are no tools for setting the policies imposed by My Knox -- not even from the My Knox management website. (That website, by the way, isn't designed for use on smartphones, a bizarre omission for a smartphone maker.) Samsung says it has no plans to let users configure My Knox policies.
If your company uses Samsung's Knox EMM mobile management server or has an MDM server that supports Knox (very few do, though most major MDM providers have been saying since last year that they intend to do so in the future), don't plan on connecting My Knox to that IT-managed server. It very likely won't work.
I tried to use Knox EMM to manage the My Knox workspace on a Galaxy Note 4, but the enrollment only partially completed. The reason, according to Samsung: "My Knox was already installed and Knox EMM is a separate product, so there are issues with coexistence." I can attest to that.
Unfortunately, this means that if you use My Knox to keep IT out of your personal workspace, you may have to uninstall it if your company gets around to making you use its container, even a Knox one.
Still, when the notion of workspaces comes up, it's almost entirely from the perspective of IT. My Knox shows another side to the "keep my data protected" coin.

This story, "Samsung's security twist: Protect yourself from IT" was originally published by InfoWorld.
