Author Archives: Amy Wilson

Building enterprise trust and security with Android 12

As the lines between work and private life get blurred in this age of hybrid and remote work, employees increasingly expect their personal data and apps to be protected on their work devices. At the same time, IT teams need to ensure corporate data remains secure while delivering a productive user experience.

With Android 12, we’re focused on helping organizations achieve the right balance between protecting employee privacy and equipping IT with necessary security and controls. For employees, that means additional privacy controls over which work apps can access their device data, similar to their experience with personal apps. For IT admins, it means more controls to apply the right set of management configurations for work devices.

Enhancing employee privacy and transparency

Android 12 introduces user privacy enhancements for all managed devices, including improved transparency of admin controls. Work profile users will be able to approve (if allowed by their IT admin) or deny sensor-related permissions, such as location and camera, to work profile apps. On fully-managed devices, IT admins can choose to give their users this same control.

Work and personal apps have separate controls to keep data secure and private.

To further protect user privacy, admins will be able to set up Wi-Fi networks for employees through a new network API that doesn’t require user location permissions.

Hardware device IDs for personal devices have also changed. Now, instead of solely hardware-based identifiers, companies can use a combination of hardware and employer-specific identifiers that help preserve employee privacy if they leave their organization.

Android 12 provides users with additional privacy tools, such as microphone and camera indicators and controls, to determine how much information users share with apps. We’ve worked to ensure these privacy features all perform seamlessly for managed devices.

Users can adjust controls for camera and mic access through quick settings.

Expanding IT controls and management consistency

Android 11 brought the same work profile privacy features from employee-owned devices to company-owned devices. For Android 12, we’ve added more controls to help enterprise IT teams reduce security risks and ensure tighter monitoring of business data.

A key addition is network logging for the work profile, to give organizations added control and reporting for their work data, while still protecting user privacy in the personal profile.

We’re also empowering IT to decide what input method editors (IMEs) employees can use in their personal profiles to reduce the risk of using a rogue keyboard that could capture data on the device. IT will also have the ability to disable USB signaling for anything but charging, reducing the risk of USB-based attacks.

Historically, IT admins enforced strict password requirements, forcing users to create highly complex passwords that were hard to remember. Employees have sometimes resorted to writing down these complicated passwords, or they’ve forgotten them altogether, leading to factory resets. Thanks to hardware security improvements that prevent brute-force attacks, these kinds of passwords aren’t needed anymore.

Admins can now easily set password requirements that meet modern security best practices by choosing between pre-set password complexity levels. This will help users and administrators find balance between security and simplicity. We’ve also made it easier for users to set up a separate password for their work profile. Read our newest report, Simplifying Password Quality in Android 12, to learn more.

Users can set up an extra passcode for the work profile.

IT admins will also have the option to slice their 5G network and dedicate connectivity to all apps on a fully-managed device, or specifically to apps in the work profile. In partnership with their carrier, admins will be able to have wider control over quality of service and security of work data.

Join us for the Art of Control digital event

Learn more about all of the ways we’re improving security and management at The Art of Control on October 27. Register for our first Android Enterprise security and management digital event, where we’ll share the latest features in Android 12 through demos and analyst briefings. You’ll also hear from customers like Schneider Electric about how they’re using Android Enterprise to achieve effortless control.

Android 12 simplifies security for work devices

With every major Android release, we want to strike the right balance between improving security and manageability and making the platform more usable and private for employees. 

With Android 12, now in developer preview, we’re introducing a number of features that not only bolster security, but also provide more simplicity and utility for IT and more privacy and productivity for employees. 

Simplifying password complexity

For users on work profile devices, we’re introducing a more straightforward, modern approach to password restrictions. Instead of granular requirements that often result in easily forgotten passwords, we’re establishing pre-set complexity levels of high, medium or low that will be used to access the device. 

With Android hardware-backed brute force protections in place since 2016, IT doesn’t have to employ super-complex restrictions, which can still be guessed by computers. By utilizing the new complexity levels along with other Android security protections, including SafetyNet Attestation API and Google Play Protect, IT teams can be assured devices are safe and easy to use for employees.

Easily set up a work security challenge

Admins can still utilize a more granular password, if they prefer, through the work security challenge to manage access to business apps in the work profile. The work security challenge enables an IT-approved password for access to data in the work profile, separate from a simplified password for the device. 

We’ve improved the device setup process to prompt employees if their provided password doesn’t meet complexity requirements set by their admin. 

Users who receive a prompt can simply choose to increase the strength of their device password or set up a work security challenge to access apps in the work profile. If approved by IT, employees can also switch back to one password for both work and personal if they change their mind. 

For company-owned devices, admins will be able to choose whether they use the new password complexity levels or continue using the more granular restrictions.

Certificate management on unmanaged devices

Certificate management is a critical tool that allows enterprises to enable authentication for employee access to remote services. Today, the process can be seamlessly handled on managed devices through an Enterprise Mobility Management’s (EMM) device policy client, which can programmatically generate keys, install certificates from the Android KeyChain service and present them for authentication. 

In Android 12, we’re streamlining credential management for unmanaged devices by making the process available to apps besides the device policy client. With this expanded credential management, more companies can extend secure access to employees regardless of their location, a key requirement in the COVID-19 era. Additionally, employees can avoid the cumbersome, manual process of installing certificates themselves.

Enrollment-specific IDs for personal devices

For employee-owned managed devices, we’re creating a new enterprise-specific device identifier that may help enhance privacy in the event an employee leaves their current employer. Instead of relying on hardware identifiers such as IMEI or serial numbers, personal devices will get a new identifier derived programmatically during enrollment. 

Enrollment-specific IDs allow IT admins to identify the device if it’s re-enrolled at the same organization, even if the device is factory reset. But these IDs limit IT’s ability to track the device if the employee leaves the company. 
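
The two properties described above (stable across a factory reset for the same organization, unlinkable across organizations), as an added example that is not Android's implementation or code from the original post. It assumes a hypothetical derivation, HMAC-SHA256 keyed by the hardware identifiers over the organization ID; the `Device` model, the sample identifiers and the function names are constructed for illustration.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field


@dataclass
class Device:
    """Constructed model of a personal device; all values are samples."""
    serial: str   # hardware identifier, survives a factory reset
    imei: str     # hardware identifier, survives a factory reset
    install_nonce: str = field(default_factory=lambda: secrets.token_hex(16))

    def factory_reset(self) -> None:
        # Software state is wiped; hardware identifiers are not.
        self.install_nonce = secrets.token_hex(16)


def enrollment_specific_id(device: Device, organization_id: str) -> str:
    """Assumed derivation (not Android's actual algorithm): the hardware
    identifiers form the HMAC key and never leave the device; only the
    resulting tag is reported to the organization's management server."""
    if not organization_id:
        raise ValueError("organization ID must be set before enrollment")
    # Length-prefix each field so ("ab", "c") and ("a", "bc") differ.
    key = "|".join(f"{len(v)}:{v}" for v in (device.serial, device.imei))
    tag = hmac.new(key.encode(), organization_id.encode(), hashlib.sha256)
    return tag.hexdigest()[:32]


def nonce_based_id(device: Device, organization_id: str) -> str:
    """Contrast: an ID tied to per-install state is lost on factory reset."""
    data = f"{device.install_nonce}|{organization_id}".encode()
    return hashlib.sha256(data).hexdigest()[:32]


def demo() -> dict:
    phone = Device(serial="SAMPLE-SERIAL-0001", imei="000000000000000")
    before = enrollment_specific_id(phone, "org-a.example")
    weak_before = nonce_based_id(phone, "org-a.example")
    phone.factory_reset()
    return {
        "stable_after_reset": enrollment_specific_id(phone, "org-a.example") == before,
        "differs_for_new_employer": enrollment_specific_id(phone, "org-b.example") != before,
        "nonce_id_survives_reset": nonce_based_id(phone, "org-a.example") == weak_before,
    }


if __name__ == "__main__":
    print(demo())
```

Under this assumed construction, a second employer cannot link its ID to the first employer's without the hardware identifiers, which is the tracking limit the post describes.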

Today’s initial preview covers some of the features you’ll see in the next release of Android with more to come as we get close to launch. Learn about the enterprise features in the Android 12 Developer Preview at the Android developers website. To give Android 12 a try, you can download it to a Pixel device today.