Author Archives: Tom Watkins

Why it’s time for enterprises to adopt Android’s modern device management APIs

Enterprise devices regularly access mission-critical data and are a key conduit for company communications. To ensure that organizations can power their mobility efforts with great features and security, Android offers managed device and work profile modes for mobile management.

Many organizations, however, are still using the Device Administration API, which was made available for developers in Android 2.2. When it was first released in 2010, the device admin API provided enterprises with a reliable support system for enterprise applications. Since then, the needs of businesses have grown to demand more vigorous management and security.

Managing personal and company-owned devices

In Android 5.0, we created managed device (device owner) and work profile (profile owner) modes, which match the security needs of organizations that manage mobile devices. These are feature-rich and secure ways to manage devices. Most organizations are now using these modes to manage mobile devices, and we’re encouraging all organizations to make the switch.

We understand that for some organizations this switch may take time, so we have developed an extended timeline for the transition. Device admin API will be supported through Android Oreo and existing functionality will continue to be available in the next major Android release, though device admin APIs for password enforcement will no longer be supported. In the following Android release, expected in 2019, the APIs for password enforcement will no longer be available. We strongly recommend that businesses plan to move to work profile and managed device APIs. By sharing this update early, we aim to provide companies with sufficient time to migrate existing devices or start fresh as new ones are added to their fleet.

Non-enterprise device management

Some of the device admin APIs are used for non-enterprise device management, like Find My Device, which enables locking and wiping a lost phone. APIs commonly used by these applications will not be affected. Please see the developer migration guide for details on the specific changes.

Making the transition to work profiles or managed devices

For those currently using device admin, there are two strategies available to move to Android’s management APIs. Both options require companies to have an EMM provider that supports either Android’s work profile or managed device mode.

For personal devices used by employees for work, we recommend using the work profile. Migration from a legacy device admin to the work profile can be done with minimal disruption. This can be handled either by enabling personal devices to install a work profile, or by having new devices enroll with a work profile as existing devices phase out of the fleet.

We recommend that company-owned devices be set up as managed devices. Migrating a device from device admin to managed device requires a factory reset, so we recommend a phased adoption, where new devices are enrolled as managed devices while existing devices are left on device admin. New users and new devices should be configured with the new management modes as they are enrolled. Then, older device admin devices can be aged out of the fleet through natural attrition. We recommend that you begin to enroll all new company-owned devices running the major Android release after Oreo as managed devices, in preparation for the removal in the release after that.

Major mobility transitions are typically a large and important undertaking, but we know that the needs of companies will be better served with the modern capabilities of Android’s managed device and work profile modes. For specific implementation details, see our developer migration guide.

Android Oreo: a smart, tough and productive cookie for enterprises

Android 8.0 Oreo is now available, bringing a sweet combination of improved productivity and enhanced security to enterprise customers. The new release builds on the consistent investments we’ve made to make Android stronger, easier to manage, and more productive for the enterprise.  

Personal space on your work device

Android’s unique work profile creates the best of both worlds—separating work and personal data so IT has the security it needs and users have the freedom to use the personal apps and services they want. Only the work data is managed, giving IT full control of corporate information and keeping employees’ photos, apps, and other personal data separate.

In Android Oreo, we’re now bringing work profiles to corporate-owned devices. Now, organizations can enable company devices for personal use with a work profile. While the organization still retains control of the device, work apps and data can be put in a work profile, keeping personal apps and data outside the profile.

This brings the benefits of the work profile to company-owned devices, such as removing the need for a complex device-wide passcode, and allowing employees to turn off work notifications when they’re away. The improved usability and clear separation make this management mode ideal for corporate-owned, personally-enabled (COPE) deployments.

Get up and running in seconds

With zero-touch enrollment available in Android Oreo, organizations can deploy corporate-owned Android devices with enterprise mobility management settings pre-configured, so team members can start using their device right out of the box. Devices can be configured online and drop-shipped to employees who will have management enforced from the start.

With the work profile in Oreo, we’ve made it easier than ever for employees to set up their personal device for work, with 10x faster work profile setup. We’ve even reduced the enrollment steps required so users can get their work profile set up with a single tap—no complicated instructions required.

Robust security that stops malware in its tracks

We continue to invest in Android platform security, giving IT more advanced capabilities in managing their fleet of devices. With Project Treble in Oreo, we’re improving security by separating the underlying vendor implementation from the core Android framework. This modularization isolates each hardware abstraction layer (HAL) into its own process so each HAL only gets the hardware driver and kernel access it needs. This improves sandboxing and makes it harder for framework compromises to exploit the kernel.

We’re also enabling stricter enforcement of Google Play Protect, our always-on security service that scans for malware and blocks potentially harmful apps. Now, admins can block unknown or risky apps from being installed across the whole device, outside the work profile. We’re also providing new APIs to enable administrators to verify the security posture of their fleet including details on which apps are installed.

With the inclusion of secure password reset, it’s now easier for admins to securely help users recover from forgotten passwords on fully encrypted devices. Admins can also enable network logging for corporate-owned devices to record DNS lookups and TCP connections, helping companies detect suspicious network behavior or remotely debug problematic apps.
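As an added illustration (not code from this post or from Google), the sketch below shows how a device policy controller could turn on the network logging described above and read each batch of DNS and TCP connect events. The class name `NetworkLogReceiver` and the log tag are assumptions; the sketch also assumes the app is already provisioned as device owner and the receiver is declared as its device admin component.

```java
import android.app.admin.ConnectEvent;
import android.app.admin.DeviceAdminReceiver;
import android.app.admin.DevicePolicyManager;
import android.app.admin.DnsEvent;
import android.app.admin.NetworkEvent;
import android.content.ComponentName;
import android.content.Context;
import android.content.Intent;
import android.util.Log;
import java.util.List;

// Hypothetical admin receiver of a DPC that is provisioned as device owner.
public class NetworkLogReceiver extends DeviceAdminReceiver {
    private static final String TAG = "NetworkLogReceiver";

    // Turn logging on once after provisioning. On Android 8.0 only a device
    // owner may call setNetworkLoggingEnabled(); others get a SecurityException.
    public static void enableLogging(Context context) {
        DevicePolicyManager dpm = context.getSystemService(DevicePolicyManager.class);
        if (dpm.isDeviceOwnerApp(context.getPackageName())) {
            dpm.setNetworkLoggingEnabled(
                    new ComponentName(context, NetworkLogReceiver.class), true);
        }
    }

    // The platform calls this when a batch of events is ready to collect.
    @Override
    public void onNetworkLogsAvailable(Context context, Intent intent,
                                       long batchToken, int networkLogsCount) {
        DevicePolicyManager dpm = context.getSystemService(DevicePolicyManager.class);
        List<NetworkEvent> events = dpm.retrieveNetworkLogs(getWho(context), batchToken);
        if (events == null) {
            return; // token is stale or the batch is no longer available
        }
        for (NetworkEvent event : events) {
            String detail;
            if (event instanceof DnsEvent) {
                DnsEvent dns = (DnsEvent) event;
                detail = "dns host=" + dns.getHostname()
                        + " resolved=" + dns.getTotalResolvedAddressCount();
            } else if (event instanceof ConnectEvent) {
                ConnectEvent conn = (ConnectEvent) event;
                detail = "connect dst=" + conn.getInetAddress().getHostAddress()
                        + " port=" + conn.getPort();
            } else {
                continue; // unknown event type
            }
            // One record per event; a real DPC would ship these to its backend.
            Log.i(TAG, event.getTimestamp() + " pkg=" + event.getPackageName() + " " + detail);
        }
    }
}
```

Each record carries the originating package name, which is what lets a backend tie an unexpected lookup or connection to a specific app on the device.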

Improved privacy and transparency

It’s important for employees to have visibility into management policies, particularly when considering a device for personal use. To help employees stay informed, we’ve made it easier to see management actions taken across the device, such as the installation of a new app or enforcement of a lock screen. We’ve also improved notifications for connectivity changes, like always-on VPN and network logging.

These are just a few of the new and improved enterprise features in Android Oreo, with more updates coming soon. To learn more, check out the What’s new in Android 8.0 page.