Authored by @Vinayaka Hegde co-authored by @Rajneesh Dwivedi @Aakash Kumar Jain
What is Android Management API (AMAPI)?
At IBM Security, MaaS360 supports Android device management using the AMAPI. It applies to Profile Owner solutions, which primarily involve Bring Your Own Device (BYOD) and Work Profile Company-Owned (WPCO) devices.
Why AMAPI?
AMAPI is an Android product that stands out with its unique approach. The solution is built from the bottom up, providing users with a native on-device experience. Its regular introduction of new management policies ensures that the MaaS360 solution can promptly keep pace with the evolving Android landscape and meet customer requirements.
AMAPI, a part of the core Android ecosystem, is diligently updated and maintained by Google. This commitment to best practices in device management, as recommended by Google, ensures its reliability and native compatibility.
It offers a robust, flexible solution for managing Android devices in enterprise environments. Its granular control, secure app deployment, enhanced security features, and centralized management capabilities make it an attractive choice for organizations of all sizes.
Benefits of using AMAPI
The following are the significant benefits of AMAPI:
• It simplifies device management with its single intuitive API. With just a few REST API calls, IBM MaaS360 can apply MDM policies, manage apps, and perform device-level actions like lock and wipe. This provides a modern and user-friendly solution for managing Android devices, giving the administrator a straightforward and efficient tool.
• It enables the administrator to disable distributed apps, which restricts app usage on a device but keeps all app data safe on the device.
• It seamlessly manages multiple Android versions, making it a breeze to support new features on various OEM devices across different Android versions, such as Android 13 and Android 14. This flexibility ensures that your device management remains up-to-date and adaptable.
• It supports the entire enterprise mobility management lifecycle. AMAPI offers enhanced security, scalability, and future-proof capabilities within MaaS360.
• Security: It prioritizes security with its support for various features, including device encryption, password enforcement, and remote wipe capabilities. These measures protect sensitive data and prevent unauthorized access, reassuring decision-makers that their organization's information is safe.
• Scalability: It can easily be scaled to support many devices, making it suitable for organizations of all sizes, from small businesses to large enterprises.
• Reduced client-side testing: The Android Management API handles device configuration and policy enforcement on the server side, eliminating the need for extensive client-side testing.
• It optimizes performance for the Android agent and server, providing a more robust user and administrator experience.
How does it work?
In this approach, the communication flow involves the following components:
MaaS360 portal
The administrator performs the device actions, applies policies, and distributes apps on the devices.
The MaaS360 server continuously listens to the pub/sub topic to get the device/applied policy details sent from the Android Device Policy (ADP) Google client app.
Google Cloud (AMAPI)
It manages the MDM actions, major MDM policies, and Google Play/private apps configured from the MaaS360 portal.
These are passed down from Google Cloud to the Android Device Policy (ADP) app, which is built in as a native app from Google.
• MDM actions: Lock, Reset passcode, and Wipe.
• MDM policies: passcode policy, security policies, device restrictions, and so on.
Android Device Policy (ADP) client app
It acts as a client MDM app and applies the above enforcements on the device.
Additionally, it collects device details and applied policy details from the device and reports the same to pub/sub topic in the Google Cloud.
MaaS360 core app (MaaS360 MDM for Android)
This compulsory work app is installed during device provisioning and manages certificates, enterprise apps, Secure Productivity Suite (SPS) actions, and other device management policies, such as OOC, rules, VPN, and so on.
Payload management is mainly done using the MaaS360 core app, which reports device details, including installed apps and other significant information, to the MaaS360 portal.
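The flow described above, as an added illustration that is not MaaS360's own code: the portal side builds an AMAPI policy body (passcode rules plus a "disabled" distributed app whose data is preserved) and a lock command, while the server side decodes a Pub/Sub notification reported by the ADP client app. Field names follow the public Android Management API resources (Policy, Device, Command) and the sample message is constructed; treat both as assumptions.

```python
import base64
import json

# Added example, not MaaS360 code. Field names follow the public Android
# Management API resources (Policy, Device, Command); treat them as assumptions.

def build_policy(min_passcode_len: int, disabled_packages: list[str]) -> dict:
    """Portal side: a passcode policy plus a list of distributed apps to disable,
    expressed as an AMAPI Policy body. A disabled app stays installed with its
    data intact but cannot be used."""
    return {
        "passwordRequirements": {
            "passwordMinimumLength": min_passcode_len,
            "passwordQuality": "NUMERIC_COMPLEX",
        },
        "applications": [
            {"packageName": pkg, "installType": "FORCE_INSTALLED", "disabled": True}
            for pkg in disabled_packages
        ],
    }

def lock_command() -> dict:
    """Device action body for enterprises.devices.issueCommand."""
    return {"type": "LOCK"}

def parse_notification(msg: dict) -> dict:
    """Server side: decode one Pub/Sub message reported by the ADP client app.
    notificationType is a message attribute; data is base64 JSON of the Device
    resource carrying the applied policy name and compliance details."""
    ntype = msg.get("attributes", {}).get("notificationType", "UNKNOWN")
    device = json.loads(base64.b64decode(msg["data"]).decode("utf-8"))
    return {
        "type": ntype,
        "device": device.get("name"),
        "applied_policy": device.get("appliedPolicyName"),
        "compliant": device.get("policyCompliant", False),
        "violations": [d.get("settingName") for d in device.get("nonComplianceDetails", [])],
    }

# Constructed sample: a BYOD device that has not yet met the passcode policy.
SAMPLE_DEVICE = {
    "name": "enterprises/EXAMPLE/devices/DEVICE1",
    "appliedPolicyName": "enterprises/EXAMPLE/policies/byod-default",
    "policyCompliant": False,
    "nonComplianceDetails": [{"settingName": "passwordPolicies", "nonComplianceReason": "USER_ACTION"}],
}
SAMPLE_MESSAGE = {
    "attributes": {"notificationType": "STATUS_REPORT"},
    "data": base64.b64encode(json.dumps(SAMPLE_DEVICE).encode()).decode(),
}
```

A non-compliant status report like the sample is the signal the portal would use to hold a device out of compliance until the passcode policy is met.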
How is it different from the Classic Android Enterprise?
• Modern Android Enterprise (known as AMAPI): Leverages AMAPI for granular device management and advanced security on compatible devices.
• Classic Android Enterprise: Uses traditional Custom Device Policy Controllers (DPCs) for basic device management functions on a wider range of Android devices.
Embracing the evolution of Android Enterprise, the transition from Classic Android Enterprise to Modern Android Enterprise with MaaS360 brings forth a host of enhanced security features, ensuring device security remains at the forefront.
Important notes
MaaS360 Secure Productivity Suite, Rules, TeamViewer Support, Geofencing: While Modern Android Enterprise enhances and simplifies device management capabilities and device security, all classic features remain fully supported within this framework.
The transition to Modern Android Enterprise with MaaS360 heralds a new era of streamlined device management and fortified security measures, ensuring organizations can effectively safeguard their mobile infrastructure in an evolving digital landscape.
The following are the notable changes across various workflows, underscoring the strengthened security measures inherent in Modern Android Enterprise.
Device Provisioning (Device Enrollment)
AMAPI seamlessly integrates device Management capabilities into the Android OS, streamlining the device provisioning process.
• Administrator:
A new Enrollment Wizard has been introduced in the MaaS360 portal under Devices > Enrollments, enabling the administrator to effortlessly generate QR Codes or ZT/KME JSON for Device Owner Provisioning within Modern Android Enterprise.
• User:
Users will first encounter Google's Android Device Policy app during device enrollment, followed by instructions to download and install the MaaS360 core app.
o Profile Owner enrollment: Users can initiate device enrollment directly from the Device System Settings.
o Device Owner enrollment: The process for device owner enrollment remains the same as classic Android Enterprise. It involves a preliminary Device Factory Reset followed by either scanning a QR Code or initiating enrollment directly, which is especially applicable in zero-touch scenarios.
Policies
MaaS360 has introduced a dedicated Modern Android Enterprise Settings section in the Android MDM policy.
Like Classic Android Enterprise, the administrator can access various policies categorized under different tabs, facilitating the configuration of necessary device restrictions.
Security has been subdivided into Device Security, App Security, and Data Security, offering the administrator enhanced visibility into different security policies.
Apps
Modern Android Enterprise enables the administrator to set App Permissions directly from the App Distribution wizard. MaaS360 supports various app types, including Google Play, Private Channel, Enterprise, and Web Apps. It introduces additional app settings, such as specifying the Disable app and Dedicated Scopes during App Distribution.
Device Actions
MaaS360 currently supports the same actions as classic for Modern Android Enterprise devices.