Separated Apps

Companies that provide corporate-enabled devices for personal use generally must separate official work apps from third-party business apps installed by employees, for example:

  • airline apps (United, Delta, etc.)
  • hotel apps (Marriott, Hilton, etc.)
  • ride-sharing apps (Uber, Lyft, etc.)

An IT administrator may not be comfortable with a third-party application that needs access to contacts, email addresses, or phone numbers. There may be concerns that sensitive work data could end up on third-party servers. Third-party apps are necessary for productivity, but are not trusted or scrutinized by the IT administrator. In this scenario, the company is fully responsible for its corporate assets and needs full control of its devices.

As described in Device management modes, Android 11 replaced the fully managed device with work profile with a new work profile on company-owned devices. The goal is to protect the privacy of personal activities on company devices and to provide administrators with adequate control over the personal side of the device. For businesses that still need full control over a device while enabling authorized third-party commercial apps, Samsung exclusively offers an additional option called Separated Apps.

Separated Apps isolates third-party apps in a sandbox folder. Third-party apps cannot communicate with work apps or access sensitive work data. Please note that Separated Apps does not provide the same privacy guarantees as the new work profile on company-owned devices. As such, it is not designed for personal applications and data.

How it works

Separated Apps are installed securely in a separate folder.

An enterprise IT administrator uses:

  • a UEM system to install work apps on the fully managed device, for complete access and control
  • the Knox Service Plugin to enable Separated Apps and identify the apps to install in the folder
By default, the following applications are available within the Separated Apps folder but do not have launch icons. However, they can be started by other applications. For example, if you open an attached image in an email application, the Gallery displays the image.

  • Google Chrome
  • Microsoft Office (depends on model)
  • Samsung Calendar
  • Samsung Camera
  • Samsung Contacts
  • Samsung Gallery
  • Samsung My Files
  • Samsung Video

The device user can:

  • configure an application shortcut from the device level, to launch an application within the Separated Apps folder
  • configure the following settings within the Separated Apps folder: applications, notifications, data usage, certificates, and keyboard and input

Configure Separated Apps

  1. In your UEM console, navigate to the Knox Service Plugin.
  2. Within KSP, navigate to Separated Apps policies.
  3. From the Enable Separated Apps policies drop-down menu, select Enable. If you later select Disable, this removes all apps inside the Separated Apps folder.
  4. For the List of Apps to Separate, provide app package names, for example, com.united.mobile.android, com.marriott.mrt, com.ubercab.
    • Since UEM apps must be outside the Separated Apps folder, they are ignored in the app list.
    • Adding or removing packages will update the device the next time the policy is downloaded. If the new policy conflicts with the current configuration on the device (for example, an app is installed in the group and has now been removed from the list), the change will cause the apps to be installed or uninstalled as appropriate (for example, the app in the example would be removed from the group).
    • Inside (default): installs the listed applications inside the Separated Apps folder. This works as an allow list that identifies an exclusive list of authorized applications, which are installed in the Separated Apps folder.
    • Outside: installs the listed applications outside the Separated Apps folder. This works as a block list that identifies work apps, such as email and messaging, which should be installed at the device level and not within the Separated Apps folder. All other apps that are not in the app list go to the Separated Apps folder.

Once separated, applications cannot exist in both locations at the same time, so an application must be either inside or outside the Separated Apps folder. The exception is third-party keyboards.

Once the policy is set, it is pushed to end-user devices. When the device user starts installing apps, the Knox framework separates the apps based on the configured policy.

For details on Separated Apps and other KSP policies, go to Advanced policies.

Third-party keyboards

Third-party keyboards can exist both outside and inside the Separated Apps folder, so the same keyboard can be used regardless of the location of the app being used. Any keyboard app that is installed is automatically installed in both locations. As such, keyboard apps are ignored in the app list.

The following is the default behavior for third-party keyboards:

  • After creating Separated Apps:
    • All previously installed third-party keyboards are available in both locations.
    • Newly installed third-party keyboards are available in both locations.
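
The placement rules from the configuration steps and the keyboard section above, modelled as an added example (not Samsung's or KSP's code) that an administrator could use to review a policy before pushing it. The class, field and function names are hypothetical, the com.example.* packages are placeholders, and the device-level placement of unlisted apps under the inside setting is an assumption the page does not state.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class SeparatedAppsPolicy:
    """Hypothetical model of the settings above; not KSP's real schema."""
    app_list: frozenset                 # "List of Apps to Separate"
    location: str = "inside"            # "inside" (default, allow list) or "outside" (block list)
    uem_apps: frozenset = frozenset()   # UEM apps: always outside, ignored in the list
    keyboards: frozenset = frozenset()  # third-party keyboards: both locations, ignored in the list

def placement(pkg, policy):
    """Return 'device', 'separated' or 'both' for one package name."""
    if policy.location not in ("inside", "outside"):
        raise ValueError(f"unknown location: {policy.location!r}")
    if pkg in policy.uem_apps:
        return "device"
    if pkg in policy.keyboards:
        return "both"
    listed = pkg in policy.app_list
    if policy.location == "inside":
        # ASSUMPTION: the page does not say where unlisted apps go in this
        # mode; they are modelled here as staying at the device level.
        return "separated" if listed else "device"
    # Block list: listed work apps stay at the device level, all others are separated.
    return "device" if listed else "separated"

def policy_changes(installed, old, new):
    """Map each installed package whose location changes to (before, after)."""
    changes = {}
    for pkg in sorted(installed):
        before, after = placement(pkg, old), placement(pkg, new)
        if before != after:
            changes[pkg] = (before, after)
    return changes

# Constructed sample data: the first three names are the page's examples,
# the com.example.* packages are placeholders.
SEPARATED = frozenset({"com.united.mobile.android", "com.marriott.mrt", "com.ubercab"})
UEM = frozenset({"com.example.uem.agent"})
KEYBOARDS = frozenset({"com.example.keyboard"})
INSTALLED = SEPARATED | UEM | KEYBOARDS | {"com.example.mail"}

ALLOW = SeparatedAppsPolicy(SEPARATED | UEM, "inside", UEM, KEYBOARDS)
ALLOW_NO_UBER = SeparatedAppsPolicy(SEPARATED - {"com.ubercab"}, "inside", UEM, KEYBOARDS)
BLOCK = SeparatedAppsPolicy(frozenset({"com.example.mail"}), "outside", UEM, KEYBOARDS)

if __name__ == "__main__":
    for pkg in sorted(INSTALLED):
        print(f"{pkg:28} allow-list: {placement(pkg, ALLOW):10} block-list: {placement(pkg, BLOCK)}")
    print(policy_changes(INSTALLED, ALLOW, ALLOW_NO_UBER))
```

Running `policy_changes` against the currently installed packages before a list update shows which apps the device will install or uninstall when it next downloads the policy.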

Access control policies

The following access control policies apply to Separated Apps. These policies cannot be changed.

  • By default, managed Google Play is the only approved installer.
  • External SD card access is not allowed for Separated Apps.
  • Bluetooth sharing is not allowed for Separated Apps.
  • Copying and pasting between apps inside and outside the Separated Apps folder is not allowed.
  • USB file transfer for Separated Apps is not allowed.
  • NFC is supported for Separated Apps, except for NFC-based payments.
  • Screenshots for Separated Apps are allowed and are saved to storage that only Separated Apps can access.

Backup policy

By default, backup is enabled for Separated Apps. If the device owner disables backup for the entire device, backup for Separated Apps is also disabled. If the device owner re-enables backup, backup for Separated Apps is also enabled.

VPN settings

When using Separated Apps, you can set the following types of VPN settings through KSP:

  • Full device VPN: all apps on the device, both inside and outside the Separated Apps folder, use the same VPN tunnel.
  • Per-app VPN: the IT admin can set up a VPN tunnel for selected apps.
  • Per-user VPN: the IT admin can set up a VPN tunnel for all apps inside or outside the Separated Apps folder.
  • VPN chaining: the admin can configure two VPN tunnels to encrypt traffic twice.

For help with these VPN settings, explore the screens below, which show example configurations.

[Screenshots of example configurations: full device VPN, per-app VPN, per-user VPN, VPN chaining, VPN profile]
