IBM Security MaaS360

 View Only

Modern Android Device Management with Android Management API (AMAPI) by IBM Security MaaS360

By Vinayaka Hegde posted Wed April 03, 2024 06:53 AM

  

Authored by @Vinayaka Hegde co-authored by @Rajneesh Dwivedi @Aakash Kumar Jain

What is Android Management API (AMAPI)?

At IBM Security, MaaS360 supports Android device management using the AMAPI. It applies to Profile Owner solutions, which primarily involve Bring Your Own Device (BYOD) and Work Profile Company-Owned (WPCO) devices.

Why AMAPI ?

AMAPI is an Android product that stands out with its unique approach. The solution is built from the bottom up, providing users with a native on-device experience. Its regular introduction of new management policies ensures that the MaaS360 solution can promptly keep pace with the evolving Android landscape and meet customer requirements.

AMAPI, a part of the core Android ecosystem, is diligently updated and maintained by Google. This commitment to best practices in device management, as recommended by Google, ensures its reliability and native compatibility.

It offers a robust, flexible solution for managing Android devices in enterprise environments. Its granular control, secure app deployment, enhanced security features, and centralized management capabilities make it an attractive choice for organizations of all sizes.

Benefits of using AMAPI

The following are the significant benefits of AMAPI:

 It simplifies device management with its single intuitive API. With just a few REST API calls, IBM MaaS360 can apply MDM policies, manage apps, and

   perform  device-level actions like lock and wipe. This provides a modern and user-friendly solution for managing Android devices, enabling the

   administrator with a straightforward and efficient tool.

It enables the administrator to disable distributed apps, which restricts app usage on a device but keeps all app data safe on the device.

It seamlessly manages multiple Android versions, making it a breeze to support new features on various OEM devices across different Android versions, 

   such as Android 13 and Android 14. This flexibility ensures that your device management remains up-to-date and adaptable.

It supports the entire enterprise mobility management lifecycle. AMAPI offers enhanced security, scalability, and future-proof capabilities within

   MaaS360

Security: It prioritizes security with its support for various features, including device encryption, password enforcement, and remote wipe capabilities.

   These measures protect sensitive data and prevent unauthorized access, reassuring decision-makers that their organization's information is safe.

• Scalability: It can easily be scaled to support many devices, making it suitable for organizations of all sizes, from small businesses to large enterprises.

Reduced client-side testing: The Android Management API handles device configuration and policy enforcement on the server side, eliminating the

   need for extensive client-side testing.

It optimizes performance for the Android agent and server, providing a more robust user and admin.

How it works?

In this approach, the communication flow involves the following components:

 

MaaS360 portal

The administrator performs the device actions, applies policies, and distributes apps on the devices. 

The MaaS360 server continuously listens to the pub/sub topic to get the device/applied policy details sent from the Android Device Policy (ADP) Google client app.

Google Cloud (AMAPI)

It manages MDM actions, major MDM policies, and Google Play/private apps from the MaaS360 portal.

This will be passed down from Google Cloud to the Android Device Policy (ADP) app, built in as a native app from Google.

 • MDM actions: Lock, Reset passcode, and Wipe.

 • MDM policies: passcode policy, security policies, device restrictions, and so on.

Android Device Policy (ADP) client app

It acts as a client MDM app and applies the above enforcements on the device.

Additionally, it collects device details and applied policy details from the device and reports the same to pub/sub topic in the Google Cloud.

MaaS360 core app (MaaS360 MDM for Android):

This compulsory work app is installed during device provisioning and manages certificates, enterprise apps, Secure Productivity Suite (SPS) actions, and other device management policies, such as OOC, rules, VPN, and so on.

Payload management is mainly done using the Maas360 core app, which reports device details, including apps installed and other significant information, to the Maas360 portal.

How is it different from the Classic Android Enterprise?

 • Modern Android Enterprise (known as AMAPI): Leverages AMAPI for granular device management and advanced security on compatible devices.

 • Classic Android Enterprise: Uses traditional Custom Device Policy Controllers(DPCs) for basic device management functions on a wider range of                            Android devices.

Embracing the evolution of Android Enterprise, the transition from Classic Android Enterprise to Modern Android Enterprise with MaaS360 brings forth a host of enhanced security features, ensuring device security remains at the forefront.

Important notes

MaaS360 Secure Productivity Suite, Rules, Team Viewer Support, Geofencing: While Modern Android Enterprise enhances and simplifies Device Management capabilities and device security, it's important to note that all classic features are fully supported within this framework.

The transition to Modern Android Enterprise with MaaS360 heralds a new era of streamlined device management and fortified security measures, ensuring organizations can effectively safeguard their mobile infrastructure in an evolving digital landscape.

The following are the notable changes across various workflows, underscoring the strengthened security measures inherent in Modern Android Enterprise.

Device Provisioning (Device Enrollment)

AMAPI seamlessly integrates device Management capabilities into the Android OS, streamlining the device provisioning process.

Administrator:

A new Enrollment Wizard has been introduced in the MaaS360 portal under Devices > Enrollments, enabling the administrator to effortlessly generate QR Codes or ZT/KME JSON for Device Owner Provisioning within Modern Android Enterprise.

User:

Users will first encounter Google's Android Device Policy app during device enrollment, followed by instructions to download and install the MaaS360 core app.

 o Profile Owner enrollment: Users can initiate device enrollment directly from the Device System Settings.

 o Device Owner enrollment: The process for device owner enrollment remains the same as classic Android Enterprise. It involves a preliminary Device                             Factory Reset followed by either scanning a QR Code or initiating enrollment directly, which is especially applicable in zero-touch scenarios.

Policies

MaaS360 has introduced a dedicated Modern Android Enterprise Settings section in the Android MDM policy.

Like Classic Android Enterprise, the administrator can access various policies categorized under different tabs, facilitating the configuration of necessary device restrictions.

Security has been subdivided into Device Security, App Security, and Data Security, offering the administrator enhanced visibility into different security policies. 

Apps

Modern Android Enterprise enables the administrator to set App Permissions directly from the App Distribution wizard. MaaS360 supports various app types, including Google Play, Private Channel, Enterprise, and Web Apps. It introduces additional app settings, such as specifying the Disable app and Dedicated Scopes during App Distribution.

Device Actions

MaaS360 currently supports the same actions as classic for Modern Android Enterprise devices.

    AMAPI Profile Owner Enrollment Video:

0 comments
71 views

Permalink