Android management over the ages
MDM (Mobile Device Management) evolved so rapidly in the market that it gave us all a sense of whiplash: from MDM to EMM (Enterprise Mobility Management) and now UEM (Unified Endpoint Management). The rapid name changes are themselves proof that businesses are using advanced, modern mobile technologies in the workplace. This, in turn, introduced new demands in the market, and what were just basic MDMs had to adapt to the changes and improve.
So, what changed in the Android management scenario?
Android management has come a long way from the legacy management solutions, which had just a handful of APIs to work with. When Samsung took advantage of the situation and introduced its Knox solution, it quickly became the most appealing choice for enterprises because of the security it offered along with elaborate management capabilities. For a while, Samsung dominated the niche alone. Then Google introduced the "Android for Work" solution in Android 5.0 Lollipop. Now called Android Enterprise, it has features similar to those of Samsung Knox. What's more interesting is that, while Samsung offers the Knox features on its most expensive device models, Android Enterprise can be implemented on any Android 5.0+ device. This made it a more agreeable alternative for enterprises in terms of device cost.
Android Enterprise: Google's new prodigy
Google's solution for enhancing Android management in enterprises was initially called Android for Work and later evolved into Android Enterprise. This free program from Google can be integrated with any OEM vendor that uses Android. Google aims to provide an enterprise-standard solution that can be integrated with EMMs or G Suite to manage devices, and thus put an end to the rumors about Android security risks. The solution proved that Android is as good as Samsung or Apple for use in enterprises, where security is the prime concern. The fast-paced improvements and feature additions in Android Enterprise are proof that Google is aiming for the top of the mobility management chain. Android Enterprise, combined with zero-touch enrollment (from Android 8.0) and G Suite, will soon become an invincible force in the mobility management niche.
Devices can be managed as:
- Device owner (fully managed): Android Enterprise enables the EMM to have complete control over the device. In this fully managed scenario, the Device Policy Controller (DPC) app (the EMM agent app) has the device administrator controls, and the EMM has advanced management capabilities.
- Profile owner: The EMM has control only over the work profile. For BYOD, the devices have a managed profile containing the work-related apps, called the work profile. Here, the EMM controls the work profile rather than owning the complete device as in the fully managed mode.
The security features offered by Android Enterprise can be categorized into three groups:
- Data security
- Device security
- App security
Data here explicitly means the work content on devices. Whether the device is BYOD (Bring Your Own Device), COPE (Corporate Owned Personally Enabled), COBO (Company Owned Business Only) or even COSU (Company Owned Single Use), the work data on it is protected by an assortment of security layers. For BYOD and COPE, the devices have a work profile and a personal space. A work container separates the work profile from personal content. This container prevents work and play from mixing and thus protects the work data from unnecessary access and sharing.
The work profile apps and notifications carry a work badge to make them easily identifiable. Copying content, taking screenshots or sharing content from the container apps to other (personal) apps can be restricted via an EMM.
Android Enterprise enforces device encryption and a variety of device restrictions for security. An EMM that supports Android Enterprise can provide these functionalities, thus ensuring an environment free of vulnerabilities. The security options vary between Device Owner and Profile Owner mode. A device enrolled in Profile Owner mode will not have restrictions as tight as those available in Device Owner mode. Device security features include protection from physical tampering with the device, disabling safe mode booting, preventing factory reset and account modifications, disabling changes to device settings and much more.
Network settings such as Bluetooth, Wi-Fi, hotspot, NFC and cell broadcast can be controlled to suit the work environment with the help of an MDM. Android Enterprise ensures secure communication over the internet by enabling safe browsing, email, messaging and more. These network-related restrictions secure data in transit, as opposed to data at rest.
Android Enterprise (AE) enables organizations to deploy identity certificates and certificate authorities to devices through MDMs. IT admins can also silently select certificates for specific managed apps. Certificate authorities can be removed from the device, and users can be prevented from modifying certificates.
Enterprises are able to create a managed Google Play store with work apps that are approved by the organization. The employees in the organization have access to this managed Play store and can use it like the regular Play Store. IT can push the managed apps to users' devices silently, making app distribution seamless. The organization can also configure managed apps such as email, ActiveSync, etc. as it sees fit for work.
Google Play Protect
Google constantly monitors the apps on devices for malicious behavior and risks. When a risky app is found, it notifies the user to remove the app from the device. It can also remove the app by itself. Google Play Protect monitors every app, including the ones that did not originate from the Play Store. The Google Play Protect service is available on Android 4.2+ devices that have Google services enabled. With an EMM that supports Android Enterprise, organizations can easily implement the Google Play Protect service for app security.
Google also reviews each application before publishing it in the Play Store. The two-stage review process commences when the developer sets up an account with Google using their credentials and credit details. The process continues when the developer submits the application to Google. Google verifies that the app complies with Google Play policies. If risks are found, the app is sent for manual review. Google offers many ways to detect the "rotten apps". Google Play Protect is always scanning apps for vulnerabilities. Google takes customer reviews and ratings into account during the evaluation of an app. It also rewards people who find security vulnerabilities and report them to Google.
Enterprise app management
A managed Play Store dedicated to enterprises, containing only approved work apps, is one of the most attractive features offered by Android Enterprise. Even though some EMMs such as Hexnode enable creating their own app catalog, Google's additional security still makes the feature appealing. When app download from outside Google Play is disabled, app-based security reaches its final goal.
Distributing the managed apps to devices is a silent process: no notifications, no emails, no phone calls required. Silent app install is available only for these managed apps and no others. App-based restrictions such as app install, app verification, opening web links in apps, etc. can be configured via the EMM. Applications can be configured to fit the corporate work environment. Managed app configuration features allow EMMs to specify app behavior and performance. App permissions can also be controlled with the EMM.
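The restrictions listed in the data, device and app security passages above can be checked mechanically against a policy document. The following is an added example, not code from the original article or from any EMM vendor: the field names follow the Policy resource of Google's Android Management API, which is an assumption (an EMM may expose these controls under its own names), the mode scoping is a simplification, and the sample policy is constructed.

```python
# Added example: audit an EMM policy for the restrictions this article lists.
# Field names follow the Android Management API "Policy" resource (assumption:
# your EMM may name these controls differently).
DEVICE_OWNER, PROFILE_OWNER = "device_owner", "profile_owner"
BOTH = (DEVICE_OWNER, PROFILE_OWNER)

# (dotted path, accepted values, management modes where the check applies).
# Mode scoping is simplified for illustration.
CHECKS = [
    ("screenCaptureDisabled", (True,), BOTH),
    ("modifyAccountsDisabled", (True,), BOTH),
    ("crossProfilePolicies.crossProfileCopyPaste",
     ("COPY_FROM_WORK_TO_PERSONAL_DISALLOWED",), (PROFILE_OWNER,)),
    ("advancedSecurityOverrides.untrustedAppsPolicy", ("DISALLOW_INSTALL",), BOTH),
    ("advancedSecurityOverrides.googlePlayProtectVerifyApps",
     ("VERIFY_APPS_ENFORCED",), BOTH),
    ("encryptionPolicy",
     ("ENABLED_WITHOUT_PASSWORD", "ENABLED_WITH_PASSWORD"), (DEVICE_OWNER,)),
    ("factoryResetDisabled", (True,), (DEVICE_OWNER,)),
    ("safeBootDisabled", (True,), (DEVICE_OWNER,)),
]

def lookup(policy, dotted):
    """Walk a dotted path; a missing key means the control is unset."""
    node = policy
    for key in dotted.split("."):
        if not isinstance(node, dict) or key not in node:
            return None
        node = node[key]
    return node

def audit(policy, mode):
    """Return (path, actual value) for every control not enforced in this mode."""
    if mode not in BOTH:
        raise ValueError(f"unknown management mode: {mode}")
    return [(path, lookup(policy, path))
            for path, accepted, modes in CHECKS
            if mode in modes and lookup(policy, path) not in accepted]

# Constructed sample policy with several gaps.
SAMPLE_POLICY = {
    "screenCaptureDisabled": True,
    "factoryResetDisabled": True,
    "modifyAccountsDisabled": False,
    "advancedSecurityOverrides": {"untrustedAppsPolicy": "ALLOW_INSTALL_DEVICE_WIDE"},
}

if __name__ == "__main__":
    for mode in BOTH:
        for path, actual in audit(SAMPLE_POLICY, mode):
            print(f"[{mode}] {path}: not enforced (found {actual!r})")
```

An unset control is reported the same way as one explicitly set to a weaker value, since a default left in place is as much a gap as a misconfiguration.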
Zero-touch enrollment: The crown jewel for Android Enterprise Recommended
The Android Enterprise Recommended program for devices and EMMs is a Google verification program that requires support for advanced Android management features. Introduced in Android 8.0, zero-touch enrollment (ZTE) has become Android's ultimate hands-free approach to device management. Zero-touch enrollment is the Android version of Samsung Knox Mobile Enrollment (KME) or Apple DEP. As the name suggests, the program gives users an out-of-the-box experience: the device arrives already enrolled in an EMM and ready for work.
So, in a nutshell, Android Enterprise is a wise choice for managing Android devices in enterprises. When Google itself offers such a great program to secure and manage devices, why think twice? Tied with an EMM like Hexnode MDM, an organization can leverage the maximum management functionality with Android Enterprise.