IBM Security MaaS360

Android Enterprise: "I'll do that next year..."

By Eamonn O'Mahony posted Thu March 18, 2021 07:58 AM

Hi all

Some of our customers and business partners are aware of Android Enterprise as the newer - and better - way to manage Android devices. I must admit, I'm a bit concerned about the number who are not planning to do this as a matter of urgency. I had a call with a business partner last week and was asked "By when would you recommend we migrate?" and my answer - no kidding - was "Last year!"

Many of our customers still have devices in Device Administrator (DA) mode, the traditional / legacy device enrollment mode previously supported by Google. A few have taken the brave leap into testing, and fewer still have actually gone the whole distance and migrated. Just FYI - Google have fully deprecated DA mode support starting with Android 10, meaning devices in DA mode give you less control, particularly on newer Android versions. Just in case this blog seems negative - Android Enterprise introduces a whole set of security features that didn't exist before, and which I'm sure you'll be happy to learn about.

There are a number of issues that can happen with older approaches: 
Can't reset passcode for Android 9 and later devices in Device Admin mode 
Because Google deprecated (sunset) this feature for Android 9 and later, you can't reset the passcode remotely for a device enrolled in DA mode. This means that if a user forgets their lock screen passcode, or gets locked out, the only option is to fully wipe the device, with no option to back it up first.
Need to enable permissions for apps on DA mode devices
This refers specifically to APKs, or what we call 'Enterprise apps for Android'. If you manage this type of app and specific settings are switched on, the device prompts you to enable permissions for MaaS360 before you can continue. This causes issues with the execution of Android (APK) apps, because you are obliged to enable this permission manually before the apps can run on the device (this is the only configuration possible).
Need to enable specific permissions in Android policy
Where you want to install APKs ('Enterprise apps for Android') on Android devices, whether in Device Admin mode or in DO/PO mode (Android Enterprise), you are obliged to open up your devices to the installation of non-Google Play apps. This setting can be found in the Android policy, in either Device Settings (for DA mode) or Android Enterprise Settings (for DO/PO mode), under Security > App Security > Allow installation of Non-Google Play Applications.
While Google has done a lot of work in recent years to strengthen and reinforce Android security, there is still a potential risk in installing these apps. What Google recommends instead is to use Private Apps, which you upload to the Play Store and which are then installed through Google Play, removing the requirement to enable the setting mentioned above.

Here's a suggestion: if you're working during the pandemic, and your users are not in the office, could you start looking at this and perhaps have it ready when you return to the office? I understand some have already made the move back to offices, and some of us are still working from home - but I can't recommend enough that you take a look into this!
We have a large quantity of good-quality training and documentation available to you at the links below, to help you get started with Android Enterprise. Some of the training videos last 10 minutes or less.
I very much appreciate your feedback, so please post your comments below. 

Further reference documentation
Support document on deprecation of Device Admin mode
Get training and certification: IBM Security Learning Academy. Android Enterprise content -
Documentation: IBM Knowledge Center