The surge in remote and mobile working has put an increased emphasis on how organizations should best manage and secure device access to critical information. New research from Omdia, in a survey of 700 IT decision makers, found that businesses are  expanding and strengthening access controls now that many employees spend very little or no time in the office.

This has piqued interest in the Zero Trust security model, which is built on the premise that access to corporate resources should continuously be verified. In the Omdia survey, 31 percent of the respondents are currently using a Zero Trust, with another 47 percent planning to do so in the near future.

Understanding the Zero-Trust security model

The Zero Trust security model enables a mobile and remote workforce to securely connect to company resources from virtually anywhere. Devices are vetted before being granted access to company resources. Companies can use tight, granular controls to specify the level of access whether the devices are connected to a corporate network, from home, or elsewhere.

An effective Zero Trust implementation requires numerous device signals, context and controls to make intelligent decisions about access. A key piece of a Zero Trust architecture is the enforcement point, which is the identity or network component that grants or denies access based on the various device and user signals that are available. For example, the enforcement point may decline access to devices that do not have the most recent security patch or show signs of running a compromised operating system.

How Android enables a Zero Trust security approach

Android has a wealth of platform features and APIs that our enterprise mobility management and security partners leverage to safeguard backend services and resources. Let’s look at how Android provides the building blocks you need for a Zero Trust deployment.

Android provides a variety of device signals that administrators can use in building systems to verify the security and integrity of devices. In a Zero Trust model, these signals are used to assess whether a device should be allowed to access corporate information.

The first thing that needs to be checked is the OS version and Security Patch Level of the device. The SafetyNet Attestation API verifies a device has not been rooted, while the SafetyNet VerifyApps API checks for the presence of malware. Admins can also confirm if applications are complying with Android security standards. The NetworkEvent and SecurityLog logs provide data to check for any suspicious activity or anomalies on devices.

The next aspect is context: 

• Who is trying to access a particular resource—are we sure that this is in fact the right device and person?

• What resource are they trying to access—is this resource restricted to a select audience or region?

• When are they trying to access it—is this during work hours or after hours?

• Where are they trying to access it from—are they in their normal region or traveling?

• How are they attempting to access it—are they accessing this from a web app or native app, is the device fully managed or BYOD?

• Why do they need to access it—is this someone who typically accesses this information?

Putting Zero Trust to work for you

Now that we have device security signals and the context we can decide how to control the access to the information.

Here are some examples:

• If a user is on a rooted device — no access.

• If a user is traveling international — limited access.

• If a user is trying to access a resource for the first time in a while — prompt for a second factor during the authentication flow.

The Android platform provides the signals and intelligence in order to understand the context and define appropriate controls in a Zero Trust deployment. What makes Android unique as a Zero Trust endpoint is that unlike other operating systems where you need to rely on the Enterprise Mobility Management (EMM) solution to gather the appropriate device signals and attributes, on Android access to these signals can be delegated so that which ever component is acting as the enforcement point; whether it be the identity provider or the network access control component, can collect all of the necessary information directly off the endpoint device as opposed to integrating with a multitude of backend systems.

If you are currently using Zero Trust or moving in that direction, make sure to confirm that your EMM or your enforcement point can access the plethora of signals directly from the device. And check out the Omdia security report to learn more about growing adoption of Zero Trust security.

Android 11 marks our seventh release with enterprise features, going back to 2014 when we introduced the work profile to secure and separate work data on a personal device. Now we’re coming full circle with new work profile improvements that make Android even more private and productive for employees. We’ve also included some key security updates in this release to further protect both work and personal data. 

Making employee privacy job #1 

Android champions employee privacy with the work profile, and in Android 11 we’re bringing the same work profile privacy protections from personally-owned devices to company-owned devices as well. Privacy is an expectation for employees and IT decision makers alike: a new Omdia research survey of 700 IT decision makers found that 80 percent of respondents believed personal data should be kept private from IT on a company-owned device. 

To better support company-owned devices, the work profile now offers device controls like asset management tools and personal usage policies that give IT the ability to keep devices compliant with corporate policy without compromising employee privacy. And regardless of who owns the device, industry-leading data separation and security controls help ensure work data is secure in the work profile. To learn more, read our new work profile security paper.

To give employees more information about their location privacy, we’ve added a new notification whenever their IT admin grants location access to work apps. We’ve also enhanced our agreements with device manufacturers to help ensure all work profile privacy protections are reliably enforced. 

Making it easy to get work done

The work profile makes the separation of work and personal data visible and usable for employees, while enabling easy switching between profiles. This helps people focus on their work and avoid accidental data leaks, all on a single device. 

We’re taking that even further in Android 11 by expanding work and personal separation to more places throughout Android. Employees will now see separate tabs for work and personal when they share files, open content or go into their settings menu.

Separating work from personal makes it possible to do things such as pausing the work profile so employees can disconnect at the end of the day. In Android 11 we’ve made this easier by removing unwanted distractions when the work profile is paused and enabling employees to automatically pause work apps according to their own schedule.

Finally, for those times when it’s helpful to view work and personal data at the same time, we’ve built a new secure mechanism for merged experiences, allowing trusted apps to connect between work and personal profiles. Both employees and IT must approve the way an app will handle security and user privacy before allowing an app to connect. 

For instance, Google Calendar will soon allow people to see personal events in their work calendar, helping to better schedule around commitments across their day.  Personal calendar events will remain privately stored on device in the personal profile, invisible to both colleagues and IT. 

We'll be working with additional developers in the coming months to make more connected experiences available to users.

Making it simple to be secure and in control

Android security continually gets stronger as recently demonstrated by Pixel smartphones completing Common Criteria certification on Android 10 by leveraging Android Enterprise management APIs. In Android 11, we're investing even more in security and management features that provide organizations with more protection for their data. 

Last year, we launched Google Play system updates to directly patch OS system components using the same infrastructure we use to update apps. In Android 11, we’re now adding nine more privacy and security components to the original 12 that can be updated via Google Play system updates, allowing us to quickly address even more critical areas without waiting for full operating system updates. 

Other enterprise improvements include: 

• More IT controls for always-on VPN configurations.  

• The ability to pre-grant certificate access for work apps, so specific individual apps can access credentials without user interaction.

• Device attestation using individual certificates, on devices with a dedicated secure element.

• Continued investment in addressing regulatory certification requirements such as Common Criteria - Mobile Device Fundamentals, and FIPS 140-2. 

 These are just some of the improvements in Android 11 that organizations can begin utilizing. To learn more, visit our developer page and read about thelatest consumer features.

Android 11 marks our seventh release with enterprise features, going back to 2014 when we introduced the work profile to secure and separate work data on a personal device. Now we’re coming full circle with new work profile improvements that make Android even more private and productive for employees. We’ve also included some key security updates in this release to further protect both work and personal data. 

Making employee privacy job #1 

Android champions employee privacy with the work profile, and in Android 11 we’re bringing the same work profile privacy protections from personally-owned devices to company-owned devices as well. Privacy is an expectation for employees and IT decision makers alike: a new Omdia research survey of 700 IT decision makers found that 80 percent of respondents believed personal data should be kept private from IT on a company-owned device. 

To better support company-owned devices, the work profile now offers device controls like asset management tools and personal usage policies that give IT the ability to keep devices compliant with corporate policy without compromising employee privacy. And regardless of who owns the device, industry-leading data separation and security controls help ensure work data is secure in the work profile. To learn more, read our new work profile security paper.

To give employees more information about their location privacy, we’ve added a new notification whenever their IT admin grants location access to work apps. We’ve also enhanced our agreements with device manufacturers to help ensure all work profile privacy protections are reliably enforced. 

Making it easy to get work done

The work profile makes the separation of work and personal data visible and usable for employees, while enabling easy switching between profiles. This helps people focus on their work and avoid accidental data leaks, all on a single device. 

We’re taking that even further in Android 11 by expanding work and personal separation to more places throughout Android. Employees will now see separate tabs for work and personal when they share files, open content or go into their settings menu.

Separating work from personal makes it possible to do things such as pausing the work profile so employees can disconnect at the end of the day. In Android 11 we’ve made this easier by removing unwanted distractions when the work profile is paused and enabling employees to automatically pause work apps according to their own schedule.

Finally, for those times when it’s helpful to view work and personal data at the same time, we’ve built a new secure mechanism for merged experiences, allowing trusted apps to connect between work and personal profiles. Both employees and IT must approve the way an app will handle security and user privacy before allowing an app to connect. 

For instance, Google Calendar will soon allow people to see personal events in their work calendar, helping to better schedule around commitments across their day.  Personal calendar events will remain privately stored on device in the personal profile, invisible to both colleagues and IT. 

We'll be working with additional developers in the coming months to make more connected experiences available to users.

Making it simple to be secure and in control

Android security continually gets stronger as recently demonstrated by Pixel smartphones completing Common Criteria certification on Android 10 by leveraging Android Enterprise management APIs. In Android 11, we're investing even more in security and management features that provide organizations with more protection for their data. 

Last year, we launched Google Play system updates to directly patch OS system components using the same infrastructure we use to update apps. In Android 11, we’re now adding nine more privacy and security components to the original 12 that can be updated via Google Play system updates, allowing us to quickly address even more critical areas without waiting for full operating system updates. 

Other enterprise improvements include: 

• More IT controls for always-on VPN configurations.  

• The ability to pre-grant certificate access for work apps, so specific individual apps can access credentials without user interaction.

• Device attestation using individual certificates, on devices with a dedicated secure element.

• Continued investment in addressing regulatory certification requirements such as Common Criteria - Mobile Device Fundamentals, and FIPS 140-2. 

 These are just some of the improvements in Android 11 that organizations can begin utilizing. To learn more, visit our developer page and read about thelatest consumer features.

Editor’s note: Today’s guest post is from Antoine Houlgatte, Android Enterprise Global Project Director and Pierre-Yves Chardon, Android Enterprise Engineering Leader from SNCF, France's national railway. 

At SNCF, we’re committed to providing a safe and comfortable experience for the hundreds of millions of passengers who ride our trains annually for daily commutes, short trips, and extended travels throughout France.

Mobile devices have long been essential for our frontline workers and business teams in their daily work. Yet we sought a more powerful platform with wider device choice and stronger management features for our fleet. With Android Enterprise, we could manage many device types and secure our data while providing private personal usage.

All aboard with Android

SNCF undertook two key initiatives as part of our transition away from a legacy management system. Our first project was to deploy 12,000 rugged devices to our passenger ticket inspectors and train managers. They’re connected to portable printers and mobile point of sale devices for scanning tickets and accepting payments when passengers begin their journey. 

Our teams use our internal apps for confirming schedules, answering passenger questions and connecting customers to our services from the platform and aboard trains. As dedicated devices, they can be shared by our 16,000 employees who can pick it right up and access our key services.

Simplifying the customer experience

With another project we deployed another 21,500 devices that serve as the primary digital tool for passenger information officers on trains and in stations. These personally-enabled devices include 40 key applications for our frontline teams to assist with passenger support and communication—these apps are critical for services like helping passengers with their seat assignments and requesting services for those who may need additional attention like children or those with reduced mobility. Safety is essential, which is why we provide our teams with a passenger safety app that lets agents trigger an alert with a single gesture to quickly reach security personnel.

During the rise of the pandemic, our teams could assist passengers with their seat assignments while still complying with critical social distancing requirements. And our internal productivity suite apps are pushed out so everyone can access the services they need.

With these devices we sought to give our employees privacy and control over their personal information by enabling the Android work profile. This remains separate from the personal profile and gives IT specific controls over work apps and data. Our employees expect this type of privacy, and our IT team still has the enterprise-grade controls it needs to protect corporate resources. The work profile has been popular with our employees, and we plan to expand this deployment further.

Growing mobility with Android

Along with expanding the number of devices, we plan to start using Android zero-touch enrollment with future device rollouts to further streamline our processes, as our frontline employees will be able to receive a device with apps and configurations already set. 

Android Enterprise gives us a strong foundation to expand our mobility ambitions, and we look forward to supporting our frontline teams and finding new ways that mobility can enhance the customer experience.

For many Android users, Microsoft Exchange is the backend for their company email. Until recently, many email applications on Android used Device Admin capabilities to enforce the necessary security requirements on users’ devices, whether they were issued by their company or personally owned.

These APIs, which we began deprecating in Android 9 Pie, gave IT control over core security features such as device passcode requirements and remote data wipe. While this gives IT admins controls to promote data protection on the devices when using Exchange email clients, it also adds unnecessary complexity.

We've worked closely with Microsoft to create a new set of APIs that give email developers tools to secure their apps while adhering to the high standards we've set in Android for user privacy.

Google and Microsoft work together for user privacy

IT admins have the option to require a user to follow a specified level of password complexity (options are for high, medium or low) to use their Exchange email app. If they don’t follow the set guidelines, they won’t be able to sync and access their corporate email. If IT needs to restrict or remove access on the device, no personal information, such as photos or downloads, will be removed. 

Combined with other Android technologies like the SafetyNet Attestation API, Android hardware-backed brute force protections and Google Play Protect, IT professionals can feel confident their data is protected by enterprise-grade security while giving their employees greater autonomy over their device. 

Bringing these improvements to more users

Gmail will showcase this new functionality later this month. As Android app developers update apps to meet the official Device Admin deprecation requirements in Android 10 later this year, look for your favorite email client to take advantage of this functionality soon.

For companies whose needs evolve and would benefit from even greater management capabilities, we invite them to learn more at android.com/enterprise.

Our customers continue to inspire us with how they are successfully mobilizing their workforce with Android. To help our customers and partners connect and learn from one another, we’ve launched the Android Enterprise Help Community. It’s an open forum for discussing platform features, planning, deployment and sharing ideas about mobility topics.

After testing this concept with a select group it’s now open for all customers and partners who wish to join the conversation.

How to get involved

The Help Community integrates with our Android Enterprise Help Center, giving a centralized hub for finding answers to platform-related questions. During the forum’s beta period, our early testers had helpful conversations about device management modes, zero-touch enrollment and other features.

The forum is ready for mobile IT experts who want to offer guidance for those seeking answers to mobility questions. Also, admins who are on a quest for new information about a mobility challenge can start a conversation thread around a new topic or read the many contributions from others.

Becoming a Google Product Expert

When you become an expert, you'll get exclusive program perks, like special badges in the Google Help Communities, direct access to Google employees to provide product feedback and a chance to test Google products before they're released.

Join the conversation

We aim for this community to be useful for everyone, from highly engaged experts to those who are seeking an answer for a specific situation.  Be sure to check back regularly for further content and user engagement opportunities in our Help Center and Help Community.

Employees increasingly demand privacy from the technology they use every day, but employers often see privacy in opposition to enterprise data security. 

Since its debut in Android 5, the work profile has secured company data on personally-owned devices while preserving employee privacy. The separation of work and personal apps means IT gets full control over work apps and data, but has no visibility into personal apps. In Android 11, we’re bringing these privacy protections to company-owned devices as well, while providing IT the additional capabilities needed to manage company assets. 

Employees demand privacy, even on company-owned devices

In a recent survey by ESG research, 71 percent of employees said they expect all personal information to remain private on work devices. This resistance to traditional full device management creates challenges for IT organizations. In fact, employee concern about privacy is the top reason mobile devices remain unmanaged by IT, according to IDC: 

“Many users of corporate-liable devices have privacy concerns about app usage and corporate IT monitoring their activity,” says Phil Hochmuth, program VP, enterprise mobility at IDC. “Due to this concern, more than a third (38 percent) of corporate-owned devices deployed in enterprises go unmanaged.”

Personal data should always stay private

Android is committed to delivering simple, consistent privacy protections to our users. Just as IT shouldn’t put company data at risk to enable mobile productivity, employees shouldn’t be asked to reveal private, personal data to their company. 

That’s why we’ve expanded Android’s commitment to employee privacy in Android 11, by bringing the privacy protections of the work profile to company-owned devices. This means IT can deploy the work profile to help protect employee privacy across their entire fleet, regardless if the device is personally or company-owned.

Always get the right level of management

To make the work profile a great tool for company asset management, we had to bring to it many of the capabilities our customers value in Android’s fully managed devices. These include: 

• Asset management protections, even if devices are lost or stolen

• Personal usage policies such as restricting what apps employees can use, to keep device usage in compliance with corporate policy

• Hardware management, to restrict or prevent configuration of features like Bluetooth, cameras, and removable storage

Extending management beyond the work profile required us to separate the management of data from visibility into that data. For example, IT can block an employee from using social media apps on a company-owned device, but in doing so doesn’t need to know the other apps they use outside of work. Now Android can help preserve employee privacy in the personal profile while enabling IT management of what employees can do with the personal profile.

Whoever owns the device gets to decide how the device can be used. As before, if an employee owns their device IT can only manage core security features, like preventing users from installing apps from unknown sources. But if the company owns the device, IT can now manage how users interact with the whole device. In this way, the work profile adjusts its management capabilities according to who owns the device, while offering the same privacy protections in all scenarios.

Get it first with the Android Management API

We’re pleased to announce that the Android Management API will support these work profile enhancements in July enabling customers and developers to try out these new features on the Android 11 Beta.

Exclusive to the Android Management API, we’re bringing Android 11’s new combination of strong personal privacy protections and robust asset management features to older Android devices, as far back as Android 8. This means customers can deploy a single management solution across most, if not all of their Android fleet, not only for personally- and company-owned devices but across a wide range of Android versions as well. Speak with your enterprise mobility management (EMM) provider to learn how your company can make the most of the work profile.

Prioritizing privacy

Android 10 delivered many helpful features for enterprise admins and users. It also marked the official deprecation of Device Admin-based management, a legacy form of Android management. 

Since our original announcement about this change in 2017 we’ve been encouraging customers to adopt Android Enterprise, which offers a modern management framework for the evolving needs of enterprise customers.

While Android 10 marks the official deprecation of Device Admin, some customers may still be on the legacy management framework because either their devices are not yet upgraded to Android 10 or their Enterprise Mobility Management (EMM) Device Policy Controller is not updated to API level 29. 

However, when Android 11 launches later this year, it is expected EMMs will need to update their DPCs to API level 29 by the fourth quarter of 2020. When this occurs, admins will no longer be able to manage lock screen settings, passwords or disable the camera.

We’ve created a new video that outlines many of the key changes that IT admins can expect and strategies to prepare for a transition to Android Enterprise.

To assist customers with this migration, we’ve created the Android Enterprise Migration Bluebook, which provides detailed steps and best practices for moving from a legacy Device Admin deployment to Android Enterprise. We also encourage reaching out to your organization’s EMM provider for assistance with planning.