KNOX app separation is a solution from Samsung intended for businesses who use the Full management mode of Android to manage their devices.

After using app separation for about 9 months now with thousands of users, I can share some of our experiences.

  1. It does what it promises.

    It actually works. Users seem to grasp how it works.

  2. No visibility into whether App Separation is active on the device

    The MDM solutions I tested with (VMware WS1, Intune, Citrix) are not aware of App Separation and do not show if it is active (Dec-2021).

    I would prefer to be able to test availability of App Separation before allowing users to install apps that need to go into Separated Apps, otherwise the apps will just be installed on the device level.

  3. Sometimes confused with the Work Profile

    Some apps detect App Separation as the Android Work Profile being available. Probably due to the similarity: an environment running as a separate user on Android.

    For instance, our MTP solution confuses App Separation with the work profile.

  4. Changing the allow list policy

    Switching the policy for devices with app separation already active from inside to outside or vice versa is not that easy in a production environment. Changing the policy requires disabling app separation or a reset of the device.

  5. No device-based authentication for apps in the container.

    Some apps use on-device authentication methods like biometric unlock or ask you to enter the device PIN/password before allowing access. These methods are not available in app separation. Some apps will break; other apps will fall back to built-in methods like an app-specific PIN or password.

  6. There are apps that leverage services not available in app separation.

    Obvious example: some Corona related apps need to access the Covid exposure service.

  7. Choose the apps to separate carefully

    Apps are not allowed to exist in both locations, and no exchange of data is possible between apps inside and outside of the Separated Apps Folder. Keep apps that need to interact or exchange data with each other together.

    Apps inside the Separated Apps Folder cannot receive configurations from MDM. A managed configuration will not apply, and a pushed certificate is not accessible to a separated app.

  8. A few bugs

    Not able to scan a QR code with early 2020 software versions (fixed around June 2021).

    App shortcuts from the device level to launch apps inside the Separated Apps folder sometimes disappear (fixed in Android 12).