Android 11 is at the third stage of public beta currently and is expected to release next month. It is an exciting time if you have implemented an Android ecosystem in your organization. There has obviously been a lot of hype around the consumer features that Android 11 brings to the table. Features like bubble chat notifications and increased touch sensitivity are good changes, but nonetheless, there are several enterprise-focused changes that are relevant to an IT admin.
Granted, there might be some changes to the current list of features that Android 11 presents. These are some stand-out features that an IT admin would appreciate.
Scoped storage is a new set of rules that dictates an app’s degree of access when it comes to storage. This was first introduced in Android 10, but there was an outcry regarding the new APIs involved and how they would potentially break legacy apps. Taking this into consideration, Google pushed the release of scoped storage as an Android 11 feature, and now it is finally here.
What scoped storage essentially does is, it creates an isolated sandbox of each unique app. With this, apps no longer need permission to write their own files. And the app can only access its own sandbox; all other sandboxes are out of bounds. Default Android folders such as Photo, Videos, and Downloads will remain as shared spaces. Scoped storage, in essence, aims to end the current free-for-all nature of file access on Android Devices
With the help of scoped storage, admins can apply precise app access controls and rules. It also improves app security as it allows admins to determine which parts of the enterprise’s file system can be accessed by external applications.
Tweaking work profile privacy
As we have already seen in Android 10, Google is now putting emphasis on security and end-user privacy. Now on Android 11, we see the continuation of this trend.
Fully managed devices with work profiles by Android enterprise provides end-users with a work profile and a personal profile within a corporate device. Up until Android 10, the IT admin had full control over these devices since it housed corporate data. This also meant that IT and admin had control over the personal profile within the device. This did not sit well with the end-users and they demanded more privacy.
On Android 11, Google is honing in on privacy and it is safe to say that fully managed devices with work profiles will not be the same as it is. After the devices are upgraded to Android 11, the fully managed device with the work profile scenario of Android enterprise would be migrated to a privacy-driven enhanced work profile mode. This new iteration will have access to granular restrictions to ensure that corporate device policies remain intact. But it will not have access to see how the device is being used. It is very nuanced. Here is an example, the IT admin can blacklist video streaming apps that would drive up the organization’s telecom expenses. But, at the same time, the admin cannot view which all permitted apps the end-user has installed in their device.
In a nutshell, admins can expect less visibility on such devices and can essentially view them as an embellished work profile device. Data which Google has deemed as personal would no longer be available to the admins. This includes app lists, installation reports, app usage statistics, a few details, and more. The admin can also expect stingier device controls. This could include not knowing the device password, being unable to restrict users from conducting factory reset, and more. Anything which would ultimately affect the privacy of the end-user would be out of scope for the admins.
Resume on Reboot
Resume on Reboot is a new feature that is introduced in Android 11. It aims to make the process of installing updates quicker. It does this by letting admins permit devices for accessing storage encrypted by credential after a reboot. Simply put, it allows an android device to complete updates without a manual unlock.
This is a godsend because, as of now, an Over the Air (OTA) update will not be completed unless the user unlocks their device. So, after the reboot, there would be apps that still need to be updated with the new version of the software. These apps cannot be updated without the user being present there physically. Resume on Reboot overhauls this system by storing your login information and unlocking your device when the time comes. The entire process can be completed without any user intervention. Just imagine all the time that would be saved.
Project Mainline improvements
Introduced in Google I/O 2019, Project Mainline was one of the most welcome enterprise features in Android 10. The idea was to make the whole Android OS modular so that the core components can be updated separately, like apps. The updates would be pushed through the Play Store, allowing them to be installed without a full system update. The aim of Project Mainline is to fight fragmentation. The Android OS is fragmented over multitudes of OEMs, each with its own version of Android. Due to this, it takes ages for updates to finally reach the end-user because first, the OEM has to take in the update, then customize it to fit their version and roll it out. Google, by providing core updates via a centralized channel like the Play Store can cut this delay in updates.
Initially, 8 core components within the Android OS were identified and converted into updatable modules. Some of these modules included media codecs, DNS resolver, Documents UI, permission controller, etc. All these modules were closely linked to security and privacy. Now, on Android 11, Google has decided to expand the number of modules by adding 12 more into the mix, this time aiming at modules having a direct relationship with the end-users. Among the 12 is a media provider with a file manager made especially for Scoped Storage.
For admins, Project Mainline is a rather convenient way to keep the devices updated and ready for users.
On the slew of security and privacy features that Android 11 introduces, there are quite a few that deal with the way in which apps handle permissions.
- Now end-users have the option to give temporary permission for an app to use one of the device’s functions (e.g., GPS) for “Only this time”.
- If an app is asking permission twice and the user has denied it both times, the app will be blocked from asking permission again.
- End-users can’t blindly give overlay permissions to apps requesting the same. The user would not be directly taken to the overlay toggle, they would be taken to the step right before it. This is to avoid overlay attacks, an extra tap may make all the difference.
- If an app remains unused for a while, the permissions end-users granted to the app would be revoked automatically.
- Background location tracking is on its way out. Apps can no longer collect location data while it is not running. They can only collect location data when the end-user is aware of them collecting it.
Admins have to look in and possibly refurbish their app permissions policy after all these changes are made live.
Adding 5G capabilities
With the help of 5G state API, Android 11 adds the functionality to support 5G capabilities in android apps. Online functionality would be upgraded as 5G makes the present online experience faster and smoother with better speed and latency.
The capabilities introduced in Android 11 include:
- Meteredness: It detects if whether you are using a metered connection or an unmetered connection. A metered connection would have usage limits and an unmetered connection will have no limits.
- 5G detection: With Android 11, the device can detect if it is connected to the 5G network not using a callback-based API call. By detecting 5G, Android can offer the user a unique in-app experience. Keeping track of the 5G connections is also possible for checking meterdness and for analytics purposes.
- Bandwidth Estimation: The bandwidth rate available for an app can also be detected.
New data access APIs
This basically an under-the-hood change but it is relevant to IT admins because the IT department has to review and update existing applications because there have been some name changes to some existing APIs. With the help of these new APIs, developers can track access permissions beyond the granularity of the app and track which bits of the app (like third-party libraries) might be misused.
These are some really good changes that Google has implemented in Android 11 and it is safe to say that they are moving in the right direction. Admins can be on the lookout for any new updates from their EMM vendor regarding these new changes to get a point-of-view regarding how they are going to handle these changes.