Now it’s time to migrate to Android Enterprise! Let’s get together and make Android Enterprise a reality!
The share of Android devices in companies has increased strongly in recent years, not least because of the wide range of manufacturers and the variety, flexibility, applications and costs on offer. Manufacturers that use the Android operating system often offer more budget-friendly devices than iOS devices.
Google offers Android Enterprise, a comprehensive and innovative device management solution for corporate and employee devices. To communicate and control managed devices, today’s EMM (Enterprise Mobility Management) or UEM (Unified Endpoint Management) solutions use APIs. APIs can be used to enforce compliance with policies, such as preventing access to system settings, turning off Bluetooth or the camera. A key point is the creation of work profiles that differentiate between personal and corporate data.
Some companies still manage their devices through Android's Device Administration API. Google supports this up to and including Android 9, and announced back in 2017 that from Android 10 onwards it would continue only with Android Enterprise and no longer support the Device Administration API.
Android 11 introduces improved support for work profiles on company-owned devices. When a work profile is added by the setup wizard using the provisioning tools added in Android 10, the device will be recognised as company-owned and a wider range of asset management and device security policies will be made available to the Device Policy Controller (DPC). These features allow for easier management of both work and personal use on company-owned devices, while maintaining the privacy of the work profile.
When a work profile is added to a device using any other method, Android 11 recognises that the device is personally owned. The feature set and behaviour for these devices remain as before.
Android Enterprise (AE) has a lot to offer:
- A reliable EMM experience, as all AE devices know when a configuration is pushed and support and execute the appropriate requests.
- A containerised work/private separation that primarily targets BYOD.
- Unobtrusive application installation without the need for a user-provided Google account on the device
- Managed configurations, a way to provide corporate settings for managed applications
- Out-of-the-box: Zero-touch enrolment for Android 8.0 and above (or 7.0 for Pixel)
Here is a breakdown of the management scenarios that Android Enterprise supports:
As is evident, there is a lot of flexibility to support most business needs that are built right in. The most common management scenario is shown here, where the organisation owns the device but allows some personal use (COPE), available from Android 8.0.
For more information, see Google’s Android Enterprise datasheet.
With the introduction of Android 5.0, Google made user profiles available for mobile phones in addition to the tablets that already used them. Using the same functionality, Android Enterprise can create a managed user profile which, although it is encrypted completely separately on disk (and from Android 7.0 onwards uses completely different encryption for professional/private purposes), is directly integrated with the current user on the device. This way, both private and professional apps can be provided in the same app drawer, with the professional apps indicated by a briefcase:
The mix of work and personal apps together on the above BYOD device shows the level of integration. As an end user, it feels like just a few more apps are installed, even though the underlying profile configurations work to separate and secure corporate data. DLP policies can prevent the transfer of corporate information outside of the work profile or vice versa. Should a corporate wipe occur, the work profile is simply removed and all user data remains untouched.
Additionally, Google has added dedicated authentication for the work profile. This is essentially a secondary password requirement to access corporate data within the profile. BlackBerry Good, MobileIron Apps@Work or AirWatch Container have supported this feature for many years.
This allows the work profile to be paused (temporarily shut down) for evenings, weekends or holidays, which is a great benefit for employees. It can thus help to promote a healthy work-life balance. This has improved massively again with Android 11, where the Android Enterprise team worked closely with Digital Wellbeing to enable automatic work profile scheduling. Thanks to APIs, administrators can ensure that the work profile cannot be turned off indefinitely.
The biggest limitation of the whole BYOD approach from an administrator’s perspective is, as one might suspect, the limited control and visibility over the device itself. Organisations do not ‘see’ anything outside of the work profile and thus can only enforce very basic device-wide policies such as the passcode.
For fully managed devices, there is usually no provision for user provisioning. Since the intended use is for fully company-owned devices, all typical BYOD or COPE scenarios are omitted for these devices and the device is strictly limited to the environment defined by the EMM administrator. However, as of Android 8.0, the COPE scenario has been introduced with support for work profiles on fully managed devices.
By default, when deploying a fully managed device, almost all non-critical system apps are removed unless they are whitelisted. Instead, only access to authorised apps is granted via the managed Google Play.
This means that should an app require the camera function, for example, a camera app would also need to be authorised or whitelisted for enterprise use. There is support for enabling system apps, however this support includes all OEM/carrier apps, which most would want to see removed. It therefore requires certain applications to be disabled rather than enabled as described above.
Fully managed provisioning is currently initiated on the first system boot of a new device, or of a freshly factory-reset device, using one of the following:
- A provisioning app on a dedicated provisioning device (configured with EMM server details) and an NFC bump or tag that can be used to boot devices
- A DPC identifier entered on the Google account setup screen
- A QR code (ideal for devices without NFC)
- Zero-touch enrolment
In Android 10, NFC bump provisioning is deprecated and NFC tags are recommended for NFC provisioning instead.
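A pre-deployment check for the QR-code method listed above, as an added example that is not from the original page: it lints the JSON payload that an EMM console encodes in the provisioning QR code, including the system-apps behaviour described earlier. The extra names are Android's `android.app.extra.PROVISIONING_*` constants; the function name, component name, URL, checksum and Wi-Fi values are constructed placeholders.

```python
import json
from urllib.parse import urlparse

P = "android.app.extra.PROVISIONING_"

def lint_qr_payload(raw: str) -> list[str]:
    """Return review findings for a QR-code provisioning payload (JSON text)."""
    try:
        extras = json.loads(raw)
    except json.JSONDecodeError as exc:
        return [f"payload is not valid JSON: {exc.msg}"]
    if not isinstance(extras, dict):
        return ["payload must be a JSON object of provisioning extras"]
    findings = []
    if not extras.get(P + "DEVICE_ADMIN_COMPONENT_NAME"):
        findings.append("no DPC component name: the device cannot tell which DPC to install")
    url = extras.get(P + "DEVICE_ADMIN_PACKAGE_DOWNLOAD_LOCATION")
    if url:
        if urlparse(url).scheme != "https":
            findings.append("DPC download location is not HTTPS")
        # Without a checksum the device has nothing to verify the downloaded APK against.
        if not (extras.get(P + "DEVICE_ADMIN_SIGNATURE_CHECKSUM")
                or extras.get(P + "DEVICE_ADMIN_PACKAGE_CHECKSUM")):
            findings.append("DPC download has no checksum to verify the APK against")
    # Fully managed devices drop non-critical system apps unless this flag is set.
    if extras.get(P + "LEAVE_ALL_SYSTEM_APPS_ENABLED") is True:
        findings.append("all system apps stay enabled, including OEM/carrier apps")
    # A QR code is often printed or e-mailed, so anything in it is effectively public.
    if extras.get(P + "WIFI_PASSWORD"):
        findings.append("Wi-Fi password is readable by anyone who scans the code")
    return findings

# Constructed sample payloads (placeholder values, not from any real deployment).
WEAK_PAYLOAD = json.dumps({
    P + "DEVICE_ADMIN_COMPONENT_NAME": "com.example.dpc/com.example.dpc.AdminReceiver",
    P + "DEVICE_ADMIN_PACKAGE_DOWNLOAD_LOCATION": "http://emm.example.com/dpc.apk",
    P + "LEAVE_ALL_SYSTEM_APPS_ENABLED": True,
    P + "WIFI_SSID": "staging-net",
    P + "WIFI_PASSWORD": "constructed-sample-password",
})
GOOD_PAYLOAD = json.dumps({
    P + "DEVICE_ADMIN_COMPONENT_NAME": "com.example.dpc/com.example.dpc.AdminReceiver",
    P + "DEVICE_ADMIN_PACKAGE_DOWNLOAD_LOCATION": "https://emm.example.com/dpc.apk",
    P + "DEVICE_ADMIN_SIGNATURE_CHECKSUM": "CONSTRUCTED_CHECKSUM_PLACEHOLDER",
})

if __name__ == "__main__":
    for name, payload in (("weak", WEAK_PAYLOAD), ("good", GOOD_PAYLOAD)):
        print(name, lint_qr_payload(payload) or "no findings")
```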
- Highly enriched know-how:
- Various migration processes
- Removal of potential blockers
- Solution of typical support cases
- Productive Android Enterprise integrations since 2015
- Migration of several customers from Android Device Admin to Android Enterprise
- Migration of in-house apps (from MAM to Managed Google Play)
- Close collaboration with app developers
- Secure SSO solution for Android Enterprise with Hypergate
- Early preparation / introduction of a ‘new’ Android management. Support for new devices with Android 9.x
- Increased security through clear separation of data
- Smooth transition: use Android Enterprise for new registrations, handle migration of already registered devices in batch mode
- On-time migration of your in-house applications
- No fragmentation – Android Enterprise behaves the same on all devices
- Planning and developing the optimal rollout/migration process
- Configure Android Enterprise in your EMM solution
- App management for managed Google Play
- Rollout support up to taking over the entire staging process (incl. zero-touch enrolment)
- “Get to know Android Enterprise” workshops
- End-user training
- Clear visual separation between enterprise and personal data.
- Use any application from the Managed Google Play in the Android Enterprise container
- Benefit from the new features of Android Enterprise (e.g. kiosk mode, COPE mode, zero-touch login)
- Improve the security of the Android device fleet
- Minimise fragmentation