IBM Security MaaS360

 View Only

MaaS360 and Android Enterprise: Fully Managed Device (Device Owner) and Work Profile (Profile Owner) Overview

By Margaret Radford posted Mon July 08, 2019 12:56 PM

  
The objective of this blog is to provide an overview of  the MaaS360 and Android Enterprise solution set and the differences between fully managed device (Device Owner) and work profile (Profile Owner) mode when managing your devices in MaaS360. It's important to understand what each experience has to offer both from an administrator and a user perspective. This blog will also serve as prerequisite to a follow on blog, which will provide more detail about preparing and distributing apps and the resulting user experience in fully managed device (Device Owner) and work profile (Profile Owner) mode. 

Overview


By now, most everyone in the endpoint management universe has heard about Google's Android Enterprise solution set and the deprecation of the legacy Device Admin management mode with Android Q. If you haven't or you need a refresher, and you are managing Android devices with MaaS360, then here is a great webinar that introduces you to the Android Enterprise solution set.  The webinar is from Think 2018, but it is a good introduction to the whats and whys of Android Enterprise.
Review the first 24 minutes of  MaaS360: Welcome to the Android Enterprise Tool Set

Note: Android Enterprise solution set capabilities are supported in the basic MaaS360 MDM package.

MaaS360 will continue to support legacy Device Administrator mode on your pre-Android Q devices, but it's time to put a plan in place to migrate from legacy Device Administrator to the new Android Enterprise management toolset, by enabling Android Enterprise in your Maas360 portal. You can migrate existing Android 5+ devices to Android Enterprise  work profile or just plan to enable Android Enterprise in your next refresh cycle.

MaaS360 will provide a migration tool for Device Administrator to Work Profile (Profile Owner), expected release is mid to late July 2019 .

Read about the migration program here in the IBM Knowledge Center.  

Identifying Android legacy Device Administrator devices


Let's review what a device looks like in the MaaS360 portal that is being managed using legacy Device Administrator APIs. You can identify them easily by the Device Enrollment Mode and Container Type located in the Hardware Inventory category of the Device Inventory record.

Here is an example of an Android 5.0 device with Device Enrollment Mode = Manual and Container Type = Device Administrator
Note: In an upcoming MaaS360 agent release, the Device Enrollment Mode will display as Device Administrator instead of Manual for legacy managed Device Administrator devices. 

DeviceAdminInventoryRecord.jpg

Setting Up Android Enterprise in the MaaS360 portal


In order to take advantage of the Android Enterprise solution set, an enterprise mobility management service such as MaaS360 is required. MaaS360 is an Android Enterprise Recommended (AER)  Enterprise Mobility Management (EMM) solution for corporate, BYOD, and dedicated devices. To find out more about the AER program for EMM vendors, view this joint IBM and Google webinar.
IBM Joins Google in Announcing Android Enterprise Recommended Program for EMMs

Android Enterprise provides consolidated management capabilities across multiple device vendors and across multiple operating system versions. Therefore, you can can expect a similar user experience across devices. 
You must decide  how you are going to enable the Android Enterprise solution set in the MaaS360 Services within the MaaS360 portal. You have two options: Managed Google Play Accounts (no Google-managed domain required) or Google Accounts (Google-managed domain). If you have signed up for G Suite, then you have a managed Google domain and user accounts are managed in the Google Admin console.  

You select one of these options in Setup > Services > Mobile Device Management

Android_Enterprise_Services.jpg

When you select either, Maas360 creates a bind to Android Enterprise. 

If you integrate using Google Accounts, you must prove to Google that you own the domain that you are integrating with. Each user who activates a device with Android Enterprise needs a user account from the Google Admin company account. 
  
If you bind to Android Enterprise using managed Google Play accounts, you only need one Gmail address to enable the Android Enterprise solution set from MaaS360, and no domain bind is required. User accounts are managed behind the scenes by MaaS360 in the MaaS360 user directories. When the user or administrator enrolls and enables Android Enterprise from the device, MaaS360 creates a managed Google Play account, but the user will never have to access the account. The managed Google Play accounts are used for approving applications and silently pushing information down to the device. The account is handled by MaaS360 and the user does not need to do anything with it. 

Note: Users must enroll with the MaaS360 for Android Agent version 5.65 or later which supports these app level functions. Older versions of the app cannot create Android Enterprise user accounts, which results in a failed enrollment

After you bind your MaaS360 portal to Android Enterprise, you should consider how devices will be managed. There are two modes of enrollment we will discuss in this blog:  work profile (Profile Owner) and fully managed device  (Device Owner). Work profile is primarily used for Bring You Own Device scenarios, where the device is employee owned. And fully managed device is primarily used for company owned devices. Let's review the differences between the two. 

The diagram below highlights the bind required to enable the Android Enterprise solution set in MaaS360. An IT Admin enables the Android Enterprise service within the MaaS360 portal, and chooses between a Google domain-based bind or a managed Google Play Account bind using a single Gmail account. 

Resources for setting up Android Enterprise with MaaS360:
Integrating MaaS360 and Android Enterprise (Video)

Configuring MaaS360 integration with Android Enterprise by using a Google account (requires Google Admin account)
Configuring MaaS360 integration with Android Enterprise accounts by using a Gmail address

Work Profile (Profile Owner): 
Work profile is great for Bring Your Own Device use cases where the employee owns the device. A dual persona is created on the device that includes a work profile and a personal profile. The work profile is managed by the Android Enterprise policy settings that you configure in the MaaS360 Android policy in the portal. 

Note: MaaS360 Android security policies include settings for both legacy Device Administrator and Android Enterprise. If you enroll a device as Android Enterprise, then the Device Administrator policy settings are ignored. 

This is a screen capture of the Android Enterprise policy settings that you can configure  in the MaaS360 Android Security Policy. 

AndroidEnterprisePolicy.jpg
The user only needs to install the MaaS360 app as part of the enrollment and accept the work profile on the device. Extra permissions are not required. When the work profile is installed, the device displays the apps that are part of the work profile with an Android Enterprise icon which is an orange briefcase. 

Here is an example of a device with the work profile installed on it. Note that the Salesforce app is included. This means that the Salesforce app was approved by the administrator in order for it to be included in the work profile. If the device user decides to install Saleforce from the public Google Play Store, another Salesforce app is displayed on the device but with no orange briefcase, indicating it is not part of the work profile, and is for personal use. 

WorkProfileDevice.jpg
The work and personal profiles cannot exchange information which keeps your personal information private and work data secure. The full device cannot be wiped by an administrator. Administrators can only control the removal of the work profile from the device. 
When the user agrees to have the work profile installed on the device,  you can only control that work portion of the device with the Android Enterprise policy settings you configure in the MaaS360 Android policy. Each OEM, such as Samsung or HTC,  gets the same work profile with the same security profile and APIs which provides consistency across devices. 

For example, if an organization pushes an approved Google Play Store app to a device using MaaS360, and the app is already installed on the device for personal use, that app is not installed on the device again. New memory space is created for the work profile, but the work and personal profiles cannot communicate.

When a device is enrolled as work profile (Profile Owner), you can identify it in the Hardware Inventory section of the MaaS360 Device Inventory record. The Device Enrollment Mode and Container Type both display Profile Owner. 

ProfileOwnerExample2.jpg
Resources for enrolling in Work Profile (Profile Owner)

Enrollment guide: Work Profile (Profile Owner)

Fully managed device (Device Owner)

The fully managed device (Device Owner)  mode is for corporate owned assets. It enables the administrator to enroll, monitor, and manage a company owned device. Device Owner devices do not contain personal profiles, only work profiles. The entire device is fully managed.

Unlike Profile Owner which only requires you to install the MaaS360 App to enroll and activate Android Enterprise, Device Owner requires a factory reset or new device. In this way, Android Enterprise is  similar to supervised mode for iOS devices. 
If the device is actively being used, you have to factory reset it in order to put it into device owner mode.
Profile Owner has Android Enterprise security in the work profile, Device Owner has Android Enterprise Security over the entire device.

Device Owner also has a scaled down user interface with limited system and OEM apps. Here is an example of a device that is in Device Owner mode. Notice there are no orange icons indicating your are in a work profile, because the entire device is being fully managed and there is no separation between work and personal. In this case, all apps that are distributed to the device must be approved first within the managed Google Play Store or the MaaS360 App Catalog. 

Device_Owner.jpg
For company owned assets, fully managed device (Device Owner) provides the most complete security package outside any kind of OEM specific support. Because Device Owner requires a factory reset to activate Android Enterprise, you must use one of the following enrollment methods supported by MaaS360.  

  • QR Code (Android 7.0+)
    • Create the QR Code in the MaaS360 portal under Devices > Enrollments>Other enrollment options> QR Code
    • At factory reset/activation screen (Welcome) tap 6 times to start the QR Code process
  • Near Field Communication (NFC) bump (Android 5.1+)
    • Note: Near Field Communication (NFC) is a short range wireless communication technology that has a very limited range, usually within 1.5 inches (4cm) 
    • Put one device in Profile Owner mode, and enable programmer mode in the device record. 
    • A notification appears on the profile owner device, and you must choose the target OS of the device to be bumped.
    • Tap the profile owner device to the target device.
    • The set up work device screen pops up on the device owner device.
  • EMM Token: Afw#maas360 (Android 6.0+) 
    • The user or administrator types  afw#maas360 in the google sign-in prompt when starting the device for the first time or at factory reset, then you are prompted to install the MaaS360 app. 
    • OR if you are using the Google-managed domain bind that manages all the Google Accounts, you type the google account credentials
  • Google Zero Touch Enrollment (Android 8.0+ on supported devices) and Knox Mobile Enrollment (KME) is available for Samsung devices
    • Your carrier uploads a list of device serial numbers to the Google Zero-touch portal and MaaS360 consumes the list
    • The MaaS360 Administrator can designate which devices get the MaaS360 App
    • When the device is activated, it automatically enrolls in MaaS360 and enables Android Enterprise Device Owner. 

When a device is enrolled as Device Owner, you can identify it in the Hardware Inventory section of the MaaS360 Device Inventory record. The Device Enrollment Mode and Container Type both display Device Owner. 

Device_Owner_Example.jpg
Resources for enrolling in fully managed device (Device Owner). 
Enrollment guide: Device Owner
Android Enterprise for Device Owners (Video)

Managed Google Play Store

When you enable the Android Enterprise solution set in MaaS360 services and bind to a Google Account (managed Google domain)  or managed Google Play accounts,  a managed Google Play store is created, which is a private play store for your organization. The managed Google Play store is a major benefit of Android Enterprise. You can approve apps from the millions of public apps available from the public play store and only those approved apps can be distributed to the work profile (Profile Owner) or work managed (Device Owner) device . You have the option of approving the apps within the managed Google Play store at https://play.google.com/work or you can approve the apps when adding them to the MaaS360 App Catalog.  When adding apps to the MaaS360 App Catalog, you can also select them to be silently installed on the device. 

Another advantage is the ability to push your company developed apps up to your private play store, which can then be distributed to devices. Google can help you scan the apps to ensure there were no improper coding practices, improper encryption algorithms, or that malware was accidentally injected. 

The managed Google Play store can also be hosted in different places around the world using the Google Play download caching system. 

The screen capture displays an example of the managed Google Play store at https://play.google.com/work 

ManagedGooglePlay2.jpg


When you approve apps, they are displayed in My managed apps. 

ManagedGooglePlay.jpg
The MaaS360 Administrator must add them to the MaaS360 App Catalog in order to distribute them to Android Enterprise devices, whether they are work profile (Profile Owner) or fully managed (Device Owner) devices. The Administrator can either approve them in the managed Google Play Store or in the MaaS360 App Catalog. The administrator must enable silent installation in the MaaS360 App Catalog for the approved app.

AppCatalog.jpg

The diagram below identifies the components of the MaaS360 and Android Enterprise integration that enable you to approve apps and distribute them to fully managed devices (Device Owner) and work profiles (Profile Owner). 



In the next blog, we will cover application management and security with MaaS360 Android Enterprise managed devices in more detail both from an administrator and user experience. 

Additional resources
IBM Security Learning Academy: Android Enterprise set up guides

Open Mic replay: MaaS360 State of the Union: What’s New in 2019?
MaaS360 SMEs talk about how to prepare for upcoming Android Q release and the deprecation of Device Admin. If you have Android devices or plan to have them, this is a must to listen to. 

Don't miss this event replay
Android Q, UEM, and You: Google & IBM discuss Android in the enterprise
Join experts from Google and IBM to discuss:
  • The evolution of Android management from Lollipop to Q
  • Steps IT & Security can take for successful Android rollout
  • How IBM helps to unify Android environments
0 comments
86 views

Permalink