1) Password Enforcement
Although it sounds very basic, enforcing passwords with the right complexity is the first line of defense and can be done with minimal effort.
The payoff benefits of this simple activity are huge. While acting as an obvious deterrent to malicious actors, it adds an extra layer of safety as most Android devices use the password for internal data encryption too. As such, even if a device is lost or stolen, the underlying data can't be decrypted.
A variety of complexity levels are available through MaaS360; a non-exhaustive list of examples is provided below to suit the standards of every industry.
- Android Pattern Lock - Available by default on all Android devices. It involves the user connecting a series of "dots" to form a pattern to unlock the device
- Any combination of letters/characters is allowed
- Needs at least one number
- Needs at least one letter and one number
- Alphanumeric, with special constraints - Needs at least one letter, one number, and a special character. May also need at least one uppercase and one lowercase letter
Apart from complexity levels, there are other options to enhance the strength of the enforced passwords
- Minimum Length - Passwords can range from four to sixteen characters long. Longer passwords are more secure, but hamper device usability. A good balance must be achieved so that it doesn't cut down on productive usage.
- Password Expiry - This is another standard process adopted by highly regulated industries (like Banking) to force the user to change the password after a certain period of time.
- Password Reuse - This can be used to prevent users from cycling through the same passwords repeatedly.
- Biometrics - The device can be customized to lock/unlock using the user's biometrics such as Fingerprints/Iris Scans/Face Recognition
- Timeout for Auto lock - If devices are left unlocked and unattended for a long period of time, it increases the risk factor. This option allows the device to lock itself after a specified period of time.
- Passwords should be enforced.
- It is desirable to find a balance so that the passwords comply with industry standards/requirements as well as keep the devices usable.
- Additional factors of password expiry and reuse must be incorporated to enhance the security.
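The complexity levels, minimum length, expiry and reuse options described above, as an added example (not MaaS360's own code; the level names, the 4 to 16 character bounds check and the history depth of five are my own labels and assumptions):

```python
import hashlib
from datetime import date
from enum import Enum


class Complexity(Enum):
    """Complexity levels from the list above (labels are mine, not MaaS360's)."""
    ANY = "any"                    # any combination of characters
    NUMERIC = "numeric"            # at least one number
    ALPHANUMERIC = "alphanumeric"  # at least one letter and one number
    COMPLEX = "complex"            # letter, number, special, upper and lower case


def _meets_complexity(pw: str, level: Complexity) -> bool:
    has_digit = any(c.isdigit() for c in pw)
    has_alpha = any(c.isalpha() for c in pw)
    has_special = any(not c.isalnum() for c in pw)
    has_upper = any(c.isupper() for c in pw)
    has_lower = any(c.islower() for c in pw)
    if level is Complexity.ANY:
        return True
    if level is Complexity.NUMERIC:
        return has_digit
    if level is Complexity.ALPHANUMERIC:
        return has_digit and has_alpha
    return has_digit and has_alpha and has_special and has_upper and has_lower


def fingerprint(pw: str) -> str:
    """Digest stored in the reuse history (a real store should use a salted, slow KDF)."""
    return hashlib.sha256(pw.encode()).hexdigest()


def check_password(pw, level, min_length=8, history=(), history_depth=5):
    """Return the list of policy violations; an empty list means the password is accepted.

    history holds fingerprints of earlier passwords, most recent first; reuse is
    refused within the last `history_depth` entries (the "Password Reuse" option).
    """
    if not 4 <= min_length <= 16:
        raise ValueError("minimum length must be between 4 and 16 characters")
    problems = []
    if len(pw) < min_length:
        problems.append(f"shorter than {min_length} characters")
    if not _meets_complexity(pw, level):
        problems.append(f"does not meet {level.value} complexity")
    if fingerprint(pw) in history[:history_depth]:
        problems.append(f"reused within last {history_depth} passwords")
    return problems


def is_expired(last_changed_iso: str, max_age_days: int, today_iso: str) -> bool:
    """Password Expiry: True once the password is older than max_age_days."""
    age = date.fromisoformat(today_iso) - date.fromisoformat(last_changed_iso)
    return age.days > max_age_days
```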
2) Device Encryption
This is a no-brainer in the context of corporate security. Only devices that support encryption must be utilized for accessing sensitive data. This might mean dropping support for lower versions of Android devices, when the OS and the encryption support it provided were still in their nascent stages.
Before enrolling into Android Enterprise solutions, the device automatically prompts for encryption to be completed before it is on-boarded to the servers.
M (6.0/Marshmallow) and above
From Android M onward, Android devices are encrypted by default out of the box. This encryption can be further enhanced by setting a strong password for access.
N (7.0/Nougat) and above
Android N introduced file-based encryption in addition to device encryption. This provides the highest level of security when combined with enforcement of a strong password. This is a good example of synergy between the first two best practices outlined in the document.
- Choose devices that support encryption. This has become a must-have with the increase of cyberthreats.
- At the time of writing this document (2023), Android S is the latest version of Android available in the market. It is recommended to use devices that are, at the very least, running on Android O MR1 (8.1/Oreo MR1) and above.
3) Restrict Device Features
Android devices have evolved over the years with a plethora of new capabilities that are added regularly. While these capabilities provide a good deal of benefit to the end users, they might be challenging in a corporate environment.
For example, in highly regulated data sensitive domains, leaking of proprietary data or customer data can be a hugely damaging affair.
Such data leaks can happen both intentionally (for example - using the device camera to take pictures of sensitive assets/information, and sharing/transferring data over the network using BT/WiFi or local peer-to-peer sharing) and unintentionally (for example - accidentally triggering smart assistants).
These situations can be averted by appropriately blocking device features from usage. MaaS360 provides a large list of controls for such "risky" capabilities like Camera/Bluetooth/WiFi etc. This list is periodically refreshed to keep pace with the features available on newer devices.
Most organizations with a focus on security run a threat modelling activity regularly to ascertain the areas of possible security risks or breaches.
Match these areas with the capabilities of mobile devices and appropriately enforce restrictions.
4) Control of Apps on the device
The earlier guideline was focused on the hardware parts of a device that can carry a risk. But a more significant threat comes from the installation of unregulated/unauthorized apps on the device that may steal data silently or compromise the device as a whole.
MaaS360 provides a good deal of flexibility to control apps on the device depending on the control level needed by the organization.
The table below lists some of these options in order, from providing the highest safety level to providing the least safety level.
Allow only IT Administrator authorized apps to be installed via MaaS360's App Catalog/Google's Managed Play Store
- Most stringent form of control
- Apps can only be installed via managed Play Store (The word "managed" indicates that this is a private Play Store accessible to just the customer's devices, not the public Play Store available to the general audience) or via the customer's
- Direct download of APK files from the internet/side-loading using a computer is blocked.
- Addition of personal Google accounts to access the public Play Store is restricted
Allow installation from the public Google Play Store but only a few approved apps
- A fixed set of apps is allowed to be on the device. Everything else is automatically blocked.
- Apps installed from the public Google Play Store are not guaranteed to be safe unless thoroughly vetted for use.
Allow installation from anywhere but allow only a few approved apps
- A fixed set of apps is allowed to be on the device. Everything else is automatically blocked.
- APK files downloaded outside of the Play Store pose a risk of malicious apps that mimic the package ID of an authentic app and get installed on the device
Allow installation from anywhere but block only a few apps
- Very risky because the set of apps to be blocked would increase every day as new vulnerabilities are discovered.
- Impossible to build an up-to-date list of all malware apps
- NOT recommended for corporate usage
It is recommended to exercise a form of control over the apps allowed to be installed on a managed device.
The strictness of the control levels is up to the security and compliance requirements of the organization.
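The four control levels from the table, as an added example of how an install decision can be evaluated (this is not MaaS360's code; the mode names, source labels and package IDs are constructed). It also shows the mitigation for the package-ID mimicry risk noted under the third level: the allowlist pins each package to the SHA-256 fingerprint of its signing certificate, so a sideloaded APK with the same package ID but a different signer is refused.

```python
from dataclasses import dataclass
from enum import Enum


class Mode(Enum):
    """The four control levels from the table above, strictest first (my labels)."""
    MANAGED_STORE_ALLOWLIST = 1  # managed Play Store / App Catalog only, approved apps
    PUBLIC_STORE_ALLOWLIST = 2   # public Play Store, approved apps only
    ANY_SOURCE_ALLOWLIST = 3     # any source, approved apps only
    ANY_SOURCE_BLOCKLIST = 4     # any source, only listed apps blocked (not recommended)


ALL_SOURCES = {"managed_store", "public_store", "sideload"}
PERMITTED_SOURCES = {
    Mode.MANAGED_STORE_ALLOWLIST: {"managed_store"},
    Mode.PUBLIC_STORE_ALLOWLIST: {"managed_store", "public_store"},
    Mode.ANY_SOURCE_ALLOWLIST: ALL_SOURCES,
    Mode.ANY_SOURCE_BLOCKLIST: ALL_SOURCES,
}


@dataclass(frozen=True)
class InstallRequest:
    package: str        # e.g. "com.example.crm" (constructed)
    source: str         # one of ALL_SOURCES
    signer_sha256: str  # SHA-256 of the APK signing certificate (constructed values)


def decide(req, mode, allowlist, blocklist=frozenset()):
    """Return (allowed, reason) for an install request under the given mode.

    allowlist maps package ID -> expected signer fingerprint; checking the signer,
    not just the ID, is what defeats an APK that mimics an approved package.
    """
    if req.source not in PERMITTED_SOURCES[mode]:
        return False, f"source {req.source} not permitted in {mode.name}"
    if mode is Mode.ANY_SOURCE_BLOCKLIST:
        if req.package in blocklist:
            return False, "package is blocklisted"
        return True, "not on blocklist (unknown apps are allowed in this mode)"
    expected = allowlist.get(req.package)
    if expected is None:
        return False, "package not on allowlist"
    if expected != req.signer_sha256:
        return False, "signer does not match the approved certificate"
    return True, "allowlisted package with approved signer"
```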
5) Establish Secure Network Communication
Insecure networks are an easy target for allowing malicious actors to snoop in and access proprietary data from mobile devices.
A couple of things to help mitigate this:
- Provide an enterprise WiFi connection to access the company's servers from office locations/other company premises.
- Provide a VPN connection to access a company's internal servers from anywhere outside.
MaaS360 provides an easy way to configure WiFi networks and VPN connections over-the-air, ensuring proper authentication is done and network security is established before an organization's internal servers are accessed.
- Establish a certificate-based WiFi configuration to allow access to the internet on company premises.
- For employees that need to access the company's internal servers, provide a certificate-based VPN connection.
- Rotate these certificates for WiFi/VPN periodically on the user devices.
- Certificate-based connections are preferable over password-based connections for enhanced security.
- IBM MaaS360's Trusteer integration can also be leveraged to detect insecure WiFi connections on managed devices.
6) Device Integrity Checks
There are various ways in which the integrity of the device can be broken, such as device rooting, bootloader unlocking, kernel tampering, custom ROM installations etc. Almost always, there is a nefarious intent behind any of these activities on corporate devices. Allowing access to corporate data on such devices is extremely risky and can undermine the security of the organization.
As such, all managed devices must be checked regularly to ensure that they aren't compromised. An easy way to do this is to enable a process called SafetyNet Attestation. Google's SafetyNet Attestation process runs on all Android devices. Samsung has a version specific to its devices called Samsung Knox Attestation.
(In simple terms, the attestation process ascertains that the current state of the device matches the expected state of the Android OS. It uses several internal parameters to detect intrusions and other factors that can affect security.)
MaaS360 provides an easy way to run this attestation check periodically, every 24 hours. This helps in regularly detecting devices that have been compromised.
It is always better to stop enrollment and not provide access to corporate data than try to block compromised devices.
In this regard, MaaS360 also provides the ability to check the attestation status as a precursor to enrollment. If the device fails the integrity test, it will not get enrolled at all and there is no risk of corporate data theft.
An additional layer of protection can be added by leveraging MaaS360's Trusteer integration. Along with providing real-time root detection checks, it also scans for malware and other factors that can affect the device. This information can further be used to decide the compliance status of a device and take pertinent actions.
- Establish the integrity of the device before enrollment.
- Run periodic checks on managed devices after enrollment.
- Security focused organizations should deploy additional measures to detect attempts to compromise the device in real time for enhanced protection.
7) Secure Corporate Container
Use of a secure "container" for accessing and using corporate data provides a lot of security benefits, such as:
- Encrypted Emails & Attachments
- Prevent Unauthorized Backups, Copying & Pasting of Email Content
- Blocking attachments originating from Android Devices
- Provides users with a consistent experience on all versions of the Android OS
Native email apps or the default Gmail app on Android do not come loaded with these features. Another enticing bonus feature is that it is easier to quickly wipe the container and remove all corporate settings and data when an employee using a BYOD device leaves the company.
MaaS360's Secure Productivity Suite provides a FIPS-compliant secure container to manage the user's emails, contacts, calendars, documents, Intranet access and file management suites (like SharePoint, Fileshare, Box, Google Drive and OneDrive). Granular policies can be applied on the container for operations like sharing data, forwarding attachments, copying & pasting content & taking screenshots. Devices that are lost/stolen can be selectively wiped to remove corporate data from the container.
- Use a separate corporate container that boasts enhanced security features
- Apply granular policies to control access of corporate data
- Wipe the container to delete data if the user leaves the company or if the device is compromised
8) Compliance Rules and Automated Remedies
All the best practices shared earlier can be neatly tied together by setting up compliance rules. These rules help in detecting violations of the deployed policies and configurations. The device can be marked as "Out of Compliance" and appropriate action(s) can be taken.
For example, the device can be non-compliant if:
- The current device has no password or the password doesn't match the desired complexity
- Google Attestation fails and detects an integrity compromise
- Unapproved accounts are added to the device
- IBM MaaS360's Trusteer integration flags malware installed on the device, or the device is connected to an insecure WiFi network
and many more such conditions. The IT Administrator is now empowered to take appropriate countermeasures.
MaaS360 provides a variety of such countermeasures, ranging from a simple warning shown to the user to barring of access to corporate data. In extreme conditions, even a full wipe of the device can be performed.
Furthermore, these responses can also be automated to execute on the device so that the IT admin's work is easier while handling devices on a large scale.
- Compliance Rules can be set up to detect violations of compliance in real-time so that appropriate actions can be taken.
- Automated handling of violations can be set depending on severity and preferences of the customer
- It is a good idea to first warn the users of an impending violation and give an opportunity to fix the problem if it is something that can be resolved (e.g. password complexity). Repeated violations or failures of an extreme nature (like loss of device integrity) should lead to more drastic countermeasures.
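The compliance rules and graded responses described in this section, as an added example of an evaluation loop (not MaaS360's own code): fixable violations such as password complexity or an unapproved account start with a warning and escalate to blocking after a grace period, malware starts at blocking, and a failed attestation goes straight to a wipe. The rule set, the approved account domain, the grace count of two and the device records are all constructed for the example.

```python
from dataclasses import dataclass, field
from enum import IntEnum


class Action(IntEnum):
    NONE = 0
    WARN = 1   # show the user a warning and a chance to fix the problem
    BLOCK = 2  # bar access to corporate data
    WIPE = 3   # selective or full wipe, for extreme conditions


@dataclass
class DeviceState:
    """Inputs collected by the EMM for one device (constructed shape, not MaaS360's)."""
    device_id: str
    password_compliant: bool   # result of the password policy check
    attestation_passed: bool   # Google / Samsung Knox attestation outcome
    accounts: list             # accounts present on the device
    malware_flagged: bool = False   # e.g. Trusteer malware finding
    insecure_wifi: bool = False     # e.g. Trusteer insecure network finding
    prior_violations: dict = field(default_factory=dict)  # rule -> consecutive hits


APPROVED_ACCOUNT_DOMAINS = {"example.com"}  # constructed for the example
GRACE = 2  # evaluations at the first-level response before escalating


def unapproved_accounts(d: DeviceState) -> list:
    return [a for a in d.accounts if a.split("@")[-1] not in APPROVED_ACCOUNT_DOMAINS]


# (rule name, violated?, first response, escalated response after GRACE repeats)
RULES = [
    ("password", lambda d: not d.password_compliant, Action.WARN, Action.BLOCK),
    ("accounts", lambda d: bool(unapproved_accounts(d)), Action.WARN, Action.BLOCK),
    ("insecure_wifi", lambda d: d.insecure_wifi, Action.WARN, Action.BLOCK),
    ("malware", lambda d: d.malware_flagged, Action.BLOCK, Action.WIPE),
    ("attestation", lambda d: not d.attestation_passed, Action.WIPE, Action.WIPE),
]


def evaluate(d: DeviceState):
    """Return (compliant, {rule: action}, strongest action) and update the counters."""
    actions = {}
    for name, violated, first, escalated in RULES:
        if not violated(d):
            d.prior_violations.pop(name, None)  # violation cleared: reset escalation
            continue
        seen = d.prior_violations.get(name, 0)
        actions[name] = first if seen < GRACE else escalated
        d.prior_violations[name] = seen + 1
    strongest = max(actions.values(), default=Action.NONE)
    return (not actions, actions, strongest)
```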
9) Test Deployments
Before undertaking large scale deployments, apply the configurations and policies on a test device/small set of test devices. Use these devices to test the three major lifecycle components.
- Enrollment (On-boarding) & Monitoring - Ability to see the device on the EMM portal and interact with it
- Access & Usage of Corporate Data - Ability to grant/revoke access as needed and apply other security measures
- Removing enrollment & Clean up - All data is wiped (MaaS360 ensures this by default on Android Enterprise deployments)
Once the deployment is satisfactory, it can then be rolled out in succession to larger sets of users. This will help lower the risk of unintentional changes to the configurations pervading across the organization.
- Apply new configurations on a set of test devices and slowly scale them across the organization.
- Thoroughly test enrollment (on-boarding), data usage and access, and removing enrollment (clearing data)
10) Constant Monitoring and Periodic Review
Constant monitoring of devices will help in determining compromised devices. It will also help in finding out "rogue" devices - devices that have been enrolled but haven't communicated to the portal for a long period of time.
It is necessary to keep an eye out for new features provided by the EMM and tweak the policies and configurations as desired. As newer OS versions are rolled out, MaaS360 consistently improves its offering to provide zero-day support and help customers stay on top of new tech developments.
MaaS360 can help in determining the security of the whole environment with features such as:
- Regular insights showing the number of devices at risk
- A Risk Dashboard that showcases the trend of organization, user and device risk over a period of time. The data is refreshed every 24 hours to provide a comprehensive picture of the organization's risk as a whole.
- Device Compliance reports
- Audit reports for the devices and the various actions performed on them.
- Customized alerts
- Constantly monitor the overall "health" of managed devices
- Periodically review assigned security policies to cover new tech developments and changes in requirements/usage of devices.