It’s safe to say that in today’s world everyone has gone remote, with users accessing data online from different devices like smartphones, tablets, and laptops. In previous blog posts, we’ve discussed how UEM solutions are ideal when it comes to ensuring the security of data and devices that are operating remotely. However, Apple, Google, and Samsung also offer their own services and tools to help manage their devices and protect their data. Let’s break down their various offerings, highlight the differences, and generally “demystify.”
Apple offers several tools for organizations, both enterprises and schools, to seamlessly deploy and configure iOS (smartphone) and iPadOS (tablet) devices, secure them, and later provision them.
Introduced with iOS 5, Supervision mode is a special mode that gives administrators advanced device management capabilities for corporate-owned devices, with 80+ enforceable restrictions for iOS/iPadOS such as disabling the App Store, restricting app usage (defining approved/disapproved apps), or forcing Wi-Fi on. It is not enabled by default and can only be enabled when setting up a new device (e.g., after a full device reset or at first-time use), either wirelessly, using the Apple Business Manager web portal, or wired, using the Apple Configurator 2 software (macOS computer required).
Apple Business Manager
Apple Business Manager is a free web portal that combines the Apple Device Enrollment Program (DEP) and the Apple Volume Purchase Program (VPP), formerly two separate programs, into a unified offering.
On one hand, the Apple Device Enrollment Program (DEP) allows corporations to simplify the deployment of corporate-owned Apple devices (including iOS, iPadOS, macOS, or tvOS).
Devices already pre-enrolled in the DEP portal are automatically pre-configured and then enrolled with a defined UEM software the first time they are powered on, straight out of the box, with little to no user interaction; supervised mode can also be enabled wirelessly during device pre-configuration.
Devices purchased from Apple, an Apple Authorized Reseller, or a carrier/network operator are automatically added to the DEP portal; devices purchased from a consumer store/retailer are not, but can be enrolled manually later using Apple Configurator 2 (macOS computer required).
On the other hand, the Apple Volume Purchase Program (VPP) allows enterprises and schools to purchase, distribute, and manage apps and books in bulk using a UEM software. Users no longer need to use their own Apple ID to download free work apps or purchase paid work apps from the App Store; instead, a license purchased by the enterprise is associated with it. Additionally, on supervised devices, apps can be silently deployed (installed, updated, removed) without any user intervention.
Introduced with iOS 13, User Enrollment is an enrollment option that provides device management features for the enterprise while preserving user privacy by separating work and private data and apps on the device. It targets Bring Your Own Device (BYOD) programs, where end users use their own personal devices to access corporate apps and services. With the release of iOS 15, the enrollment process was simplified with a new onboarding flow: no UEM agent/software needs to be downloaded anymore; instead, users simply authenticate with the Managed Apple ID provided by the company, using the “Sign in to Work or School Account” option located under the VPN & Device Management section.
One of the challenges of enterprise management with Android devices is fragmentation: multiple hardware manufacturers and thousands of Operating System (OS) versions or “flavors,” all unique and different, make it very difficult to offer a similar experience to all employees, enforce similar policies, and/or deploy work apps – an administrative nightmare. A framework was necessary to offer common mobile device management (MDM) capabilities, no matter the brand.
Android Enterprise (AE)
Android Enterprise is a free, Google-led initiative to ease the use of Android devices and apps in the workplace. First, it simplifies enrollment of both personally owned (BYOD) and corporate-owned devices running Android 5.0 or later, and creates a dedicated workspace where corporate apps and data are stored securely and separately from the rest of the device data. Second, it allows deploying and managing both public and private/in-house apps on those devices, using a dedicated marketplace called Managed Google Play, where administrators can decide whether or not work apps can be installed in the workspace, and how they are deployed, either manually (user action required) or silently. Android Enterprise is enabled on Android devices during enrollment, using a UEM software.
Google Zero Touch (ZT)
Similar to Apple Business Manager, Google Zero Touch is a free web portal that allows organizations to simplify the deployment of corporate-owned Android Enterprise devices running Android 8.0 or later. Devices previously registered in the Zero Touch portal are automatically enrolled with a defined UEM software the first time they are powered on, straight out of the box, with little to no user interaction. Eligible devices need to be purchased directly from an enterprise reseller or Google partner, not a consumer store; Samsung Knox devices are not supported (see Samsung KME).
Samsung Knox is a proprietary security framework that leverages the native hardware encryption capabilities available on top-shelf Samsung devices to provide organizations with an extra set of tools for managing and, most importantly, securing work devices.
Samsung Knox Suite includes several products to seamlessly deploy, configure, and secure enterprise devices; note that these can also be purchased and used separately.
Knox Mobile Enrollment (KME)
Similar to Apple Business Manager or Google Zero Touch, Samsung KME is a web portal that allows corporations to simplify the deployment of corporate-owned Samsung Knox devices. Devices previously registered in the KME portal are automatically enrolled with a defined UEM software the first time they are powered on, straight out of the box, with little to no user interaction. Eligible devices need to be purchased directly from Samsung or an authorized reseller, not a consumer store.
Unlike Google Zero Touch, with its enrollment limitation, Samsung does offer the possibility to manually enroll devices purchased from a consumer store/retailer.
Knox Platform for Enterprise (KPE)
Similar to Apple Supervised Mode, Knox Platform for Enterprise, when coupled with Android Enterprise, brings government-grade security management features by providing an extra set of policies, restrictions, and security features.
Knox Manage (KM)
Knox Manage is an alternative, cloud-based, cross-platform Enterprise Mobile Management (EMM) platform providing multi-layered, defense-grade security and management features for Android Enterprise, Samsung Knox, iOS, and Windows 10 devices. It is specially designed to take full advantage of Knox devices’ extra management and security capabilities. It is also natively integrated with other Knox cloud services like Knox Mobile Enrollment (KME) and Knox E-FOTA, maximizing efficiency for Knox device deployments. Paid subscription licenses are required.
Knox Enterprise Firmware-Over-The-Air (E-FOTA) is a cloud-based service that lets enterprises control Operating System (OS) versions across a whole fleet of Samsung Knox mobile devices, ensuring the right version is deployed to every device at the right time. This helps maximize cost efficiency by ensuring that the latest security patches are deployed on schedule, while also allowing any new OS update to be tested (e.g., for compatibility with in-house apps) before it is deployed. Updates can be pushed on schedule, without user interaction; incompatible or untested versions can be (temporarily) locked to prevent deployment until validated. It is a licensed product that can be configured and managed directly from a supported UEM software.
Knox Asset Intelligence (KAI)
Knox Asset Intelligence is a cloud-based service, available for a selected number of Samsung Knox devices, that provides enterprises with data-driven intelligence analytics to improve the management, productivity, and lifecycle of work devices. Features include intelligent device battery management (monitor/predict battery lifecycle), deep insights into app usage (get an accurate view of overall application usage status), and asset location and connectivity (analyze abnormal Wi-Fi disconnections, GPS-based location tracking).
This is a small glimpse into what is possible with Apple, Android Enterprise, and Samsung Knox. The team at ISEC7 can help you navigate these resources through consultation, providing devices, and comprehensive trainings. ISEC7 also offers workshops on the fundamentals of Apple Enterprise Mobility, Android Enterprise, and Samsung Knox and how to integrate them with major UEM solutions such as BlackBerry, MobileIron, and Workspace ONE. Please contact us with any questions and the team at ISEC7 can better help you understand what’s needed for your specific environment.
(C) Rémi Frédéric Keusseyan, Global Head of Training, ISEC7 Group