Co-authored by Vaishnavi Thotieam.
As Android Enterprise adoption grows, inquisitive IT administrators keep asking us how to streamline Android device deployments. Despite the successes they hear about with Android 10 (formerly Android Q), they sometimes question whether Android Enterprise is even worth adopting. We'd like to clear up some of the FUD (fear, uncertainty and doubt) out there and offer guidance on successful Android Enterprise (AE) adoption. The main topic is migration away from the deprecated Device Admin (DA) functionality.
But first, a step back to explain the history. Google introduced support for Mobile Device Management (MDM) in Android 2.2 through the basic Device Administration (DA) APIs. Only a handful of configurations were possible on such devices, e.g., setting passcode policies, controlling the camera and wiping the device. Since then, enterprise needs have evolved, and Google released Android updates that extended what DA-based agents could do, such as configuring Wi-Fi profiles, blocking applications and buzzing devices.
Today, Android devices serve a wide variety of use cases, from point-of-sale transactions to accessing behind-the-firewall resources to augmenting VR experiences. In practice, this evolution pushed organizations toward specific OEMs whose proprietary management layers added security and configuration capabilities on top of DA, even for basic settings such as email profiles. The result was a market of divergent, OEM-specific Android builds, what is popularly called "Android fragmentation."
Google recognized this divide, course-corrected and has made tremendous progress in streamlining the management of Android devices: reducing fragmentation, increasing API reliability and improving security. Google deprecated DA in favor of the more modern management functions it now provides through Android Enterprise.
So, what does deprecating Device Administration actually mean?
The following security policies stop functioning for a legacy DA agent once the device is upgraded to Android 10 and the EMM agent (the device policy controller app) itself targets Android 10 (API level 29); calls to them raise a SecurityException instead of applying the policy.
- Password Policy – IT admins can no longer specify device passcode quality, minimum length or expiry period.
- Camera/Keyguard Policy – IT admins can no longer disable the camera or restrict keyguard (lock screen) features such as secure notifications, remote input and Smart Lock.
- Device Admin Policy – IT admins can no longer prevent the user from removing the Device Administrator privilege.
You might be thinking, "Does deprecation of Device Admin mean Android Enterprise is forced on me?" The answer is "pretty much". And the sooner you think about it the better if you cannot hold your fleet at Android 9.0 or earlier; holding back OS updates also means holding back security patches, so it is a stopgap, not a plan. Nevertheless, there are plenty of good reasons to deploy Android Enterprise beyond the deprecation.
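As an added check (example code written for this article, not part of the original page or of MaaS360), the shell script below classifies a device's management mode from the output of `adb shell dumpsys device_policy` and flags legacy device-admin agents that still declare the policies listed above. It assumes the dumpsys layout used on recent Android builds (a "Device Owner:" block, a "Profile Owner (User N):" block, an "Enabled Device Admins" block with a per-admin "policies:" list) and the policy tag names limit-password, expire-password, disable-camera and disable-keyguard-features; the sample dumpsys text and the package name com.example.emm are constructed for the example.

```shell
#!/bin/sh
# Audit an Android device for legacy Device Admin (DA) management that breaks on Android 10.
# Live usage, one device at a time:
#   adb shell dumpsys device_policy | da_audit "$(adb shell getprop ro.build.version.sdk | tr -d '\r')"
# The dumpsys layout and policy tag names below are assumptions about recent Android builds.

# DA policy tags that raise SecurityException on Android 10 (API 29) when the agent targets API 29.
DEPRECATED_POLICIES="limit-password expire-password disable-camera disable-keyguard-features"

# classify_mode: reads dumpsys text on stdin and prints DO (device owner), PO (profile owner),
# DA (legacy device admin only) or NONE. A DO/PO agent is also listed under "Enabled Device
# Admins", so the owner checks come first.
classify_mode() {
  text=$(cat)
  if printf '%s\n' "$text" | grep -q '^ *Device Owner:'; then
    echo DO
  elif printf '%s\n' "$text" | grep -q '^ *Profile Owner (User'; then
    echo PO
  elif printf '%s\n' "$text" | grep -q '^ *Enabled Device Admins'; then
    echo DA
  else
    echo NONE
  fi
}

# deprecated_policies_declared: reads dumpsys text on stdin and prints, space-separated,
# the deprecated policy tags that any enabled admin declares (empty if none).
deprecated_policies_declared() {
  text=$(cat)
  found=""
  for p in $DEPRECATED_POLICIES; do
    if printf '%s\n' "$text" | grep -q "^ *$p\$"; then
      found="$found $p"
    fi
  done
  printf '%s\n' "${found# }"
}

# da_audit SDK_LEVEL: reads dumpsys text on stdin and prints one verdict line.
da_audit() {
  sdk=$1
  text=$(cat)
  mode=$(printf '%s\n' "$text" | classify_mode)
  case "$mode" in
    DO|PO)
      echo "OK: Android Enterprise ($mode) on API $sdk" ;;
    DA)
      broken=$(printf '%s\n' "$text" | deprecated_policies_declared)
      if [ "$sdk" -ge 29 ] && [ -n "$broken" ]; then
        echo "AT RISK: legacy DA on API $sdk; policies already broken: $broken"
      elif [ -n "$broken" ]; then
        echo "WARN: legacy DA on API $sdk; policies that break on Android 10: $broken"
      else
        echo "WARN: legacy DA on API $sdk; migrate to Android Enterprise"
      fi ;;
    *)
      echo "UNMANAGED: no device admin on API $sdk" ;;
  esac
}

# Constructed sample dumpsys output (not captured from a real device): a DA-only agent
# that still declares three of the deprecated policies.
SAMPLE_DA='Current Device Policy Manager state:
  Enabled Device Admins (User 0, provisioningState: 0):
    com.example.emm/.AdminReceiver:
      uid=10123
      policies:
        limit-password
        expire-password
        disable-camera
        wipe-data'

# Constructed sample for the same agent enrolled as Device Owner (Android Enterprise).
SAMPLE_DO='Current Device Policy Manager state:
  Device Owner:
    admin=ComponentInfo{com.example.emm/com.example.emm.AdminReceiver}
    package=com.example.emm
  Enabled Device Admins (User 0, provisioningState: 3):
    com.example.emm/.AdminReceiver:
      policies:
        limit-password'

printf '%s\n' "$SAMPLE_DA" | da_audit 29   # AT RISK: the three declared policies no longer apply
printf '%s\n' "$SAMPLE_DA" | da_audit 28   # WARN: still works on Android 9, breaks on upgrade
printf '%s\n' "$SAMPLE_DO" | da_audit 29   # OK: device owner mode is unaffected
```

Run it per device over adb, or fold the same classification into whatever inventory export your EMM already produces; devices reporting AT RISK are the ones whose passcode, camera and keyguard policies have already stopped applying, and WARN devices are the ones that will join them at their next OS update.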
What are the advantages of deploying Android Enterprise?
Android Enterprise is an upgrade over legacy DA and comes with an attractive set of out-of-the-box capabilities:
For corporate devices (Managed Device/Device Owner mode), Android Enterprise addresses several device security challenges by providing reliable APIs, mandatory device encryption, malware protection through Google Play Protect, factory reset protection, zero-touch provisioning (for any device running Android 8.0 or later) and an enterprise app approval and distribution mechanism (managed Google Play). You can even lock a device down to a limited set of applications by running it as a Dedicated Device in COSU (corporate-owned, single-use) mode.
Android Enterprise makes BYOD programs easy to adopt: users access corporate resources in a separate work profile (Managed Profile/Profile Owner mode), which gives them the freedom to install apps on the personal side while IT controls only the work profile portion of the device. Sound familiar? Yes, this is the native containerization offered by Android. IT can also require a separate passcode for the work profile (a work challenge distinct from the device unlock), so corporate applications on a personal device sit behind their own authentication. In addition, end users can pause or turn off the work profile when they want time out on weekends, vacations, etc. Interesting, yeah?
If you are not running a BYOD program and need to deploy Managed Devices or Dedicated Devices, take a look at the Android Enterprise Device Directory to procure devices that are the right fit for you.
Otherwise, if you have chosen BYOD, way to go!
The first thing to do is log in to the IBM MaaS360 Console and enable the Android Enterprise service.
Next, choose the Android Enterprise solution model that suits your organization, determining the management mode and enrollment method from your requirements:
- Managed Device (corporate owned): Requires a factory reset of the device. Enroll devices by QR code, device policy controller (DPC) identifier entered during the setup wizard, or zero-touch enrollment. Samsung devices can also be enrolled through KME (Knox Mobile Enrollment).
- Managed Profile/Work Profile (BYOD): Enroll the device as a 'Profile Owner', which separates work apps and data from the personal profile.
- Fully Managed Device with Work Profile, or COPE (Company Owned, Personally Enabled): A hybrid mode in which the company owns the device but end users keep their personal apps and data separate from the managed work profile. This feature is available as a BETA in your IBM MaaS360 tenant; contact your Account Manager to get it enabled.
If you are an existing MaaS360 customer, we recommend adopting the Android Enterprise program for corporate devices as early as possible. Because Managed Device enrollment requires that a device start from a factory-reset state, enroll new devices into Managed Device/Device Owner mode as they enter your ecosystem rather than enrolling them as DA and migrating later.
For BYOD use cases, plan the migration to Work Profile (Profile Owner) mode in advance so that the deprecation of Device Admin does not impact your Android device base. To make this transition as smooth as possible, MaaS360's Work Profile Migration Tool comes to your rescue. You can enable it right from the MaaS360 Portal settings menu:
Settings > Device Enrollment Settings > Advanced > Advanced Management for Android Devices > Enable Android Enterprise Work Profile Migration.
So everyone, gear up! Legacy Device Admin management is clearly no longer suitable for the modern BYOD workforce. All deprecated features stop working once the EMM agent targets Android 10.0. While IBM MaaS360 will continue to support legacy DA mode for remaining use cases on your Android 10 devices, it is time to put a plan in place to migrate to the Android Enterprise management toolset, starting by enabling Android Enterprise in your MaaS360 portal.
If you do not start migrating now, you will keep losing DA functions as they are deprecated, leaving you in a precarious management, productivity and security position. In many cases that means falling out of compliance: password expiry, for example, is required for STIG compliance today, and internal and external compliance policies are getting more stringent, not less.
Migrate existing personal devices to Work Profile as soon as possible, and start enrolling corporate devices as Managed Devices straight from the factory-reset state in your next refresh cycle. So, hurry up and embrace the change!
For more insights on DA migration and the latest on Android Enterprise Recommended, check out our Android 2020 Briefing webinar presented by experts from Google and the IBM Security MaaS360 team.