With every major Android release, we want to strike the right balance between improving security and manageability and making the platform more usable and private for employees. 

With Android 12, now in developer preview, we’re introducing a number of features that not only bolster security, but also provide more simplicity and utility for IT and more privacy and productivity for employees. 

Simplifying password complexity

For users on work profile devices, we’re introducing a more straightforward, modern approach to password restrictions. Instead of granular requirements that often result in easily forgotten passwords, we’re establishing pre-set complexity levels of high, medium or low that will be used to access the device. 

With Android hardware-backed brute force protections in place since 2016, IT doesn’t have to employ super-complex restrictions, which can still be guessed by computers. By utilizing the new complexity levels along with other Android security protections, including SafetyNet Attestation API and Google Play Protect, IT teams can be assured devices are safe and easy to use for employees.

Easily set up a work security challenge

Admins can still utilize a more granular password, if they prefer, through the work security challenge to manage access to business apps in the work profile. The work security challenge enables an IT-approved password for access to data in the work profile, separate from a simplified password for the device. 

We’ve improved the device setup process to prompt employees if their provided password doesn’t meet complexity requirements set by their admin. 

Users who receive a prompt can simply choose to increase the strength of their device password or set up a work security challenge to access apps in the work profile. If approved by IT, employees can also switch back to one password for both work and personal if they change their mind. 

For company-owned devices, admins will be able to choose whether they use the new password complexity levels or continue using the more granular restrictions.

Certificate management on unmanaged devices

Certificate management is a critical tool that allows enterprises to enable authentication for employee access to remote services. Today, the process can be seamlessly handled on managed devices through an Enterprise Mobility Management’s (EMM) device policy client, which can programmatically generate keys, install certificates from the Android KeyChain service and present them for authentication. 

In Android 12, we’re streamlining credential management for unmanaged devices by making the process available to apps beside the device policy client. With this expanded credential management, more companies can extend secure access to employees regardless of their location, a key requirement in the COVID-19 era. Additionally, employees can avoid the cumbersome, manual process of installing certificates themselves.

Enrollment-specific IDs for personal devices

For employee-owned managed devices, we’re creating a new enterprise-specific device identifier that may help enhance privacy in the event an employee leaves their current employer. Instead of relying on hardware identifiers such as IMEI or serial numbers, personal devices will get a new identifier derived programmatically during enrollment. 

Enrollment-specific IDs allow IT admins to identify the device if it’s re-enrolled at the same organization, even if the device is factory reset. But these IDs limit IT’s ability to track the device if the employee leaves the company. 

Today’s initial preview covers some of the features you’ll see in the next release of Android with more to come as we get close to launch. Learn about the enterprise features in the Android 12 Developer Preview at the Android developers website. To give Android 12 a try, you can download it to a Pixel device today.

Android Enterprise partners play an essential role in helping customers grow their businesses with Android. We launched the Android Enterprise Partner Program earlier this year to make it easier for partners to engage with Android and grow their capabilities.

Our program provides device resellers, device manufacturers, service providers and enterprise mobility management (EMM) providers with instant access to sales and training resources, community forums and marketing assets. Our goal is to give our partners the resources to build up their knowledge and expertise in Android Enterprise solutions.

The Android Enterprise Partner Program has gained tremendous traction in the last few months. The program is in the process of validating over 200 partners as service providers and device resellers, and hundreds of other partners have joined the program to access our resources. Today, we’re sharing details about the key benefits to the program for all our partner communities and how these can be put to use to give customers a great Android experience. 

A platform to connect with resources

• The Android Enterprise Partner Portal is the single point of entry to all our programs and resources. We have simplified the contracting and engagement process, making it smoother for new partners to onboard and connect with these resources.

• Community forums have become an invaluable resource for partners to connect with industry peers, get technical advice and solicit expert opinions on Android Enterprise solutions. We have tailored communities for our core partner groups, helping create focused discussion forums that meet their needs.

• We offer the Android Academy to provide specialized training and certification for partners to get the most up-to-date knowledge about how to support customers with their mobile deployments. Within the portal, partners can track their teams’ progress along their learning paths to ensure everyone meets their learning objectives. You can learn more about our training and certification offerings at info.androidenterprise.training.

Recognizing validated partners and solutions

Device resellers and service providers who meet our technical and go-to-market validation requirements can gain public recognition with a verified partner badge. This badge is an important tool for customers to recognize a trusted ecosystem partner.

Customers can visit the Android Enterprise Solutions Directory to access validated device resellers, service providers as well as Android Enterprise Recommended enterprise mobility management (EMM) solutions and devices. Customers can choose providers and solutions with confidence that they have met the highest standards for the ecosystem.

Partners that wish to find out more and join the program can do so from through the Android Enterprise Partner Portal.

Many small and medium-sized businesses believe that because they’re smaller, their security risk is relatively small as well. But that isn’t always the case. Some small and medium-sized businesses also worry that mobile security requires a large, complex investment, perhaps beyond their budget or expertise.

Smaller organizations, however, are increasingly the target of malicious attackers and may be required by local laws to protect company data. And with more business and customer data residing on mobile devices, one lost or stolen phone can create a major incident that can have a large and lasting impact on your business. 

Investing in mobile security doesn’t have to be a big, complicated endeavor. It’s about using the right tool for the job to help ensure that critical protections are in place.

For businesses with simpler needs, smaller budgets

Small investment, big reward

"Businesses are increasingly telling us their top considerations for investment are security and increased user productivity," said Mark Bowker, Senior Analyst with the Enterprise Strategy Group. "During ESG’s validation of Android Enterprise Essentials, it became quickly evident that the simple management capabilities and seamless employee experience provide confidence in security for businesses and a safer work environment for employees.”

Essentials is ideal for small and medium-sized businesses, but also works for larger organizations that want to extend core protections to devices which may not need advanced device management. Essentials can also serve as a starting point for customers who want to try out simple management at first, and potentially upgrade to more sophisticated management in the future. 

We are working in the initial roll-out with distributors Synnex in the US and Tech Data in the UK. We plan to make Essentials available through additional resellers as we prepare to take this service global starting early next year. To learn more about Essentials and how it makes mobile security easy and affordable for businesses, please register for our webinar or check out our Essentials website. And if you’re interested in becoming an Essentials partner, please visit the Android Enterprise Partner Portal to register for our partner community.

Many small and medium-sized businesses believe that because they’re smaller, their security risk is relatively small as well. But that isn’t always the case. Some small and medium-sized businesses also worry that mobile security requires a large, complex investment, perhaps beyond their budget or expertise.

Smaller organizations, however, are increasingly the target of malicious attackers and may be required by local laws to protect company data. And with more business and customer data residing on mobile devices, one lost or stolen phone can create a major incident that can have a large and lasting impact on your business. 

Investing in mobile security doesn’t have to be a big, complicated endeavor. It’s about using the right tool for the job to help ensure that critical protections are in place.

For businesses with simpler needs, smaller budgets

Small investment, big reward

"Businesses are increasingly telling us their top considerations for investment are security and increased user productivity," said Mark Bowker, Senior Analyst with the Enterprise Strategy Group. "During ESG’s validation of Android Enterprise Essentials, it became quickly evident that the simple management capabilities and seamless employee experience provide confidence in security for businesses and a safer work environment for employees.”

Essentials is ideal for small and medium-sized businesses, but also works for larger organizations that want to extend core protections to devices which may not need advanced device management. Essentials can also serve as a starting point for customers who want to try out simple management at first, and potentially upgrade to more sophisticated management in the future. 

We are working in the initial roll-out with distributors Synnex in the US and Tech Data in the UK. We plan to make Essentials available through additional resellers as we prepare to take this service global starting early next year. To learn more about Essentials and how it makes mobile security easy and affordable for businesses, please register for our webinar or check out our Essentials website. And if you’re interested in becoming an Essentials partner, please visit the Android Enterprise Partner Portal to register for our partner community.

Three years ago, we launched Android zero-touch enrollment to make scaled deployment of Android devices seamless and secure. Since then, we’ve partnered with almost 300 global resellers, with another 100 partners poised to add support shortly. And we have customers who are now deploying hundreds of thousands of devices in one go, lighting up secure, managed devices with ease. 

“With zero-touch enrollment, our IT team enrolls and configures devices quickly — they’re ready for use with the right apps right out of the box.” said Chadhi Mraghni, Director of Information Systems for O2 Care Services, which provides healthcare and home support services throughout France. “This process has shaved thousands of hours off of our device setup time when compared to our previous management mode, freeing up our admins to focus on other strategic tasks to support our teams.”

Expanding zero-touch to all 9.0+ devices

We are now building on the momentum of zero-touch by expanding its reach and streamlining the management experience for organizations.

First, we’re making zero-touch available on all Android 9.0+ devices through an update in Google Play Services. With this update, all recent devices — including Samsung devices — will support zero-touch. Customers deploying Samsung devices now have the option to choose between two services: Samsung Knox Mobile Enrollment or zero-touch, depending on their needs and preferences.

Second, we’re making it easier for enterprises to configure their devices by integrating zero-touch into their existing enterprise mobility management (EMM) solution. Organizations can now link their accounts to automatically configure and manage their zero-touch devices from within their EMM console, instead of having to utilize the zero-touch portal. 

This update removes friction from device configuration, since zero-touch now understands which EMM solution a customer is using and applies auto-generated configurations, all from the EMM console they use every day. 

Coming to resellers this year

Zero-touch on all Android 9.0+ devices is rolling out now to resellers and will be supported by all zero-touch resellers by the end of 2020. EMM partners are currently adding the integrated zero-touch experience to their consoles, which is a new advanced feature available in all Android Enterprise Recommended EMMs in 2021. Work with a zero-touch enrollment reseller and your EMM to begin enrolling new and existing devices.

With these updates, we believe zero-touch enrollment becomes an even more powerful tool in the hands of enterprise customers, helping you mobilize with greater speed, simplicity and security. Check out our webinar to learn more about the value of zero-touch and what these new updates can do for your business.

We launched the Android Enterprise Recommendedprogram in 2018 to help customers select, deploy and manage devices with more confidence. Since our initial introduction with seven device manufacturers, we’ve expanded the program to more than 30 global partners, most recently adding devices from leading manufacturers such as Lenovo, OnePlus, Oppo, and Xiaomi. To make Android Enterprise Recommended even more useful, we're welcoming Samsung Galaxy devices into the program.

The Android Enterprise Recommended program has become a critical tool for enterprise customers, helping them easily evaluate and approve devices that meet Google’s requirements for hardware, software and updates. This flexibility and device choice is even more pressing during Covid as businesses support more distributed workers. According to IDC senior research analyst Bryan Bassett, 84 percent of US IT decision makers are planning to invest more in mobility as a result of the current business climate.

We’ve heard from a number of customers like SAP, who appreciate that our validated devices establish a baseline they can rely on for quality and consistency in their mobility programs.

“Android Enterprise Recommended helped SAP to easily find Android devices that meet our security, technology, total cost of ownership approach and provided a range of devices to meet our users' needs,” said Christian Lohde, Enterprise IT Architecture Manager with SAP.

Each year we evolve the program requirements to bring more value to customers. This year, we’re rolling out updates to the requirements for Android 11 that focus on tighter hardware specifications, improved testing and more transparency around device update support. The new requirements will be reflected in the updated Android Enterprise Solutions Directory to help customers identify devices best suited to their needs. The Enterprise Solutions Directory now includes information on: 

• Last date of security updates from device manufacturers

• Android release running on a device when validated as Android Enterprise Recommended 

• Regional availability of devices

• Critical industry certifications, such as Common Criteria

Also, with our announcement today that Android zero-touch enrollment is now available on all 9.0+ devices, customers have an additional option to deploy Samsung Galaxy devices in addition to Knox Mobile Enrollment.

Samsung has been a key player in the mobile enterprise space for many years, and we’re excited to have them on board as we make it easier for customers transitioning to a mobile workforce. We look forward to recommending Samsung Galaxy smartphones and tablets to our enterprise customers to provide them with great devices for security, efficiency and productivity.

You can expect to see us working even closer together to help companies achieve their mobility goals. Read more about this in Samsung’s press release here. 

October is the time when ghosts do their best haunting. Yet there are other unwelcome guests who cause havoc year-round, trying to sneak into your company phone and make real-world mischief.

Malware and other threats are always on the mind of mobile security professionals, which is why the issue gets special attention every October for Cybersecurity Awareness Month. While malware is something to guard against for all smartphone users, enterprises must be especially mindful of protecting sensitive corporate data.

It’s why Android ships with strong protections enabled through Google security services, with anti-phishing features coming from Google Safe Browsing and anti-malware features like Google Play Protect continuously monitoring for malware and removing any if discovered. With so much work taking place on mobile devices, built-in security features are essential.

We are committed to providing transparency into our efforts to reduce Potentially Harmful Application (PHA) rates on devices and in Google Play. Recently, we specifically analyzed Android Enterprise devices to gauge how our enterprise devices fare when they use Google Security Services and Android Enterprise as their sole anti-malware solution. We were pleased to find only .003 percent of devices with any active PHAs. That’s less likely than being hit by a comet or asteroid in the United States!

How our security services deliver for enterprises

We’ve been able to keep the PHA rate on enterprise devices very low by combining built-in malware defense with management APIs so admins have the controls they need to minimize threats to their device fleets. 

Google Play Protect scans over 100 billion apps every day, finding PHAs in real-time, notifying users of potential threats and removing them if necessary. Google Play Protect also works even if the device is offline and users can always perform a manual scan.

Android Enterprise admins further tighten controls with managed Google Play. By using blocklist and allowlist they can control exactly which apps are allowed on devices, closing another potential opening for malware. 

Admins can take other proactive steps such as forcing devices to install operating system updates and disabling the ability to install applications from unknown sources. EMM partners can leverage our APIs to implement security compliance into their mobility offerings. The SafetyNet Verify Apps API, for example, taps into our malware intelligence to help detect if any malware resides on the device.

The integration of our security services and Android Enterprise management tools give our partners and customers the security they need for today’s threats. Last year we also introduced the App Defense Alliance where we partnered with industry leaders to stop bad apps before they reach users’ devices. We’re pleased to see such positive results from these efforts and tangible evidence of how Android Enterprise management paired with our security services help provide comprehensive device protection.  Learn more about Android Enterprise security and how to take advantage of these essential security services.

The surge in remote and mobile working has put an increased emphasis on how organizations should best manage and secure device access to critical information. New research from Omdia, in a survey of 700 IT decision makers, found that businesses are  expanding and strengthening access controls now that many employees spend very little or no time in the office.

This has piqued interest in the Zero Trust security model, which is built on the premise that access to corporate resources should continuously be verified. In the Omdia survey, 31 percent of the respondents are currently using a Zero Trust, with another 47 percent planning to do so in the near future.

Understanding the Zero-Trust security model

The Zero Trust security model enables a mobile and remote workforce to securely connect to company resources from virtually anywhere. Devices are vetted before being granted access to company resources. Companies can use tight, granular controls to specify the level of access whether the devices are connected to a corporate network, from home, or elsewhere.

An effective Zero Trust implementation requires numerous device signals, context and controls to make intelligent decisions about access. A key piece of a Zero Trust architecture is the enforcement point, which is the identity or network component that grants or denies access based on the various device and user signals that are available. For example, the enforcement point may decline access to devices that do not have the most recent security patch or show signs of running a compromised operating system.

How Android enables a Zero Trust security approach

Android has a wealth of platform features and APIs that our enterprise mobility management and security partners leverage to safeguard backend services and resources. Let’s look at how Android provides the building blocks you need for a Zero Trust deployment.

Android provides a variety of device signals that administrators can use in building systems to verify the security and integrity of devices. In a Zero Trust model, these signals are used to assess whether a device should be allowed to access corporate information.

The first thing that needs to be checked is the OS version and Security Patch Level of the device. The SafetyNet Attestation API verifies a device has not been rooted, while the SafetyNet VerifyApps API checks for the presence of malware. Admins can also confirm if applications are complying with Android security standards. The NetworkEvent and SecurityLog logs provide data to check for any suspicious activity or anomalies on devices.

The next aspect is context: 

• Who is trying to access a particular resource—are we sure that this is in fact the right device and person?

• What resource are they trying to access—is this resource restricted to a select audience or region?

• When are they trying to access it—is this during work hours or after hours?

• Where are they trying to access it from—are they in their normal region or traveling?

• How are they attempting to access it—are they accessing this from a web app or native app, is the device fully managed or BYOD?

• Why do they need to access it—is this someone who typically accesses this information?

Putting Zero Trust to work for you

Now that we have device security signals and the context we can decide how to control the access to the information.

Here are some examples:

• If a user is on a rooted device — no access.

• If a user is traveling international — limited access.

• If a user is trying to access a resource for the first time in a while — prompt for a second factor during the authentication flow.

The Android platform provides the signals and intelligence in order to understand the context and define appropriate controls in a Zero Trust deployment. What makes Android unique as a Zero Trust endpoint is that unlike other operating systems where you need to rely on the Enterprise Mobility Management (EMM) solution to gather the appropriate device signals and attributes, on Android access to these signals can be delegated so that which ever component is acting as the enforcement point; whether it be the identity provider or the network access control component, can collect all of the necessary information directly off the endpoint device as opposed to integrating with a multitude of backend systems.

If you are currently using Zero Trust or moving in that direction, make sure to confirm that your EMM or your enforcement point can access the plethora of signals directly from the device. And check out the Omdia security report to learn more about growing adoption of Zero Trust security.

Android 11 marks our seventh release with enterprise features, going back to 2014 when we introduced the work profile to secure and separate work data on a personal device. Now we’re coming full circle with new work profile improvements that make Android even more private and productive for employees. We’ve also included some key security updates in this release to further protect both work and personal data. 

Making employee privacy job #1 

Android champions employee privacy with the work profile, and in Android 11 we’re bringing the same work profile privacy protections from personally-owned devices to company-owned devices as well. Privacy is an expectation for employees and IT decision makers alike: a new Omdia research survey of 700 IT decision makers found that 80 percent of respondents believed personal data should be kept private from IT on a company-owned device. 

To better support company-owned devices, the work profile now offers device controls like asset management tools and personal usage policies that give IT the ability to keep devices compliant with corporate policy without compromising employee privacy. And regardless of who owns the device, industry-leading data separation and security controls help ensure work data is secure in the work profile. To learn more, read our new work profile security paper.

To give employees more information about their location privacy, we’ve added a new notification whenever their IT admin grants location access to work apps. We’ve also enhanced our agreements with device manufacturers to help ensure all work profile privacy protections are reliably enforced. 

Making it easy to get work done

The work profile makes the separation of work and personal data visible and usable for employees, while enabling easy switching between profiles. This helps people focus on their work and avoid accidental data leaks, all on a single device. 

We’re taking that even further in Android 11 by expanding work and personal separation to more places throughout Android. Employees will now see separate tabs for work and personal when they share files, open content or go into their settings menu.

Separating work from personal makes it possible to do things such as pausing the work profile so employees can disconnect at the end of the day. In Android 11 we’ve made this easier by removing unwanted distractions when the work profile is paused and enabling employees to automatically pause work apps according to their own schedule.

Finally, for those times when it’s helpful to view work and personal data at the same time, we’ve built a new secure mechanism for merged experiences, allowing trusted apps to connect between work and personal profiles. Both employees and IT must approve the way an app will handle security and user privacy before allowing an app to connect. 

For instance, Google Calendar will soon allow people to see personal events in their work calendar, helping to better schedule around commitments across their day.  Personal calendar events will remain privately stored on device in the personal profile, invisible to both colleagues and IT. 

We'll be working with additional developers in the coming months to make more connected experiences available to users.

Making it simple to be secure and in control

Android security continually gets stronger as recently demonstrated by Pixel smartphones completing Common Criteria certification on Android 10 by leveraging Android Enterprise management APIs. In Android 11, we're investing even more in security and management features that provide organizations with more protection for their data. 

Last year, we launched Google Play system updates to directly patch OS system components using the same infrastructure we use to update apps. In Android 11, we’re now adding nine more privacy and security components to the original 12 that can be updated via Google Play system updates, allowing us to quickly address even more critical areas without waiting for full operating system updates. 

Other enterprise improvements include: 

• More IT controls for always-on VPN configurations.  

• The ability to pre-grant certificate access for work apps, so specific individual apps can access credentials without user interaction.

• Device attestation using individual certificates, on devices with a dedicated secure element.

• Continued investment in addressing regulatory certification requirements such as Common Criteria - Mobile Device Fundamentals, and FIPS 140-2. 

 These are just some of the improvements in Android 11 that organizations can begin utilizing. To learn more, visit our developer page and read about thelatest consumer features.