Emily
Brown

An insightful guide to Android device management

Emily Brown

Jul 12, 2021

12 min read

If I say Android is the leading choice for smartphones in the market, you would probably think – No surprise there! In 2021, seventy three percent of all the smartphones used around the world run on Android. This is no small number! We can safely claim that today, Android is the most popular operating system in the world. When our world is changing into a mobile world, it stands to reason that Android devices are deployed in organizations and enterprises too. There are Android smartphones optimized for business use-cases and then there are personal devices that employees could use for work too (BYOD). The IT manager must manage all these devices, mobile and in transit, without compromising the data, device, user, network or application security. Android device management takes care of exactly that.

Android device management for employees
Using an Android tablet for work
 

Who is this blog for? This blog is for all IT managers, admins, executives and everyone who need to manage Android devices or are simply interested to know the hows and whats of Android device management.

Some terms you need to know

Before getting into how to manage your Android devices, you need to be familiar with some related terms:

Android Enterprise: Android Enterprise is an initiative by Google for enabling the use of Android apps and devices in businesses. This program enables UEM solutions to manage Android devices.

Android Enterprise Recommended: This is a list of devices that are recommended by Google. These devices satisfy enterprise-specific standards. The Android Enterprise Recommended devices go through rigorous testing against the requirements of Google.

Common requirements for Android Enterprise Recommended

  • The device must satisfy the minimum hardware requirements for Android 7.0+ devices.
  • Zero-touch deployment support for bulk enrollment of Android devices
  • Android security updates must be delivered to the devices within ninety days of release from Google for a minimum of three years. For rugged devices, the updates must be delivered within ninety days of release for a minimum of five years.
  • Unlocked devices must be available directly from the manufacturer or reseller.
  • Applications should work the same in both managed profiles and managed devices.

See the complete set of requirements here.

Google Workspace: If you are an admin, you are probably more familiar with the term G Suite. G Suite and Google Workspace are one and the same. G Suite got rebranded to Google Workspace in October 2020. Google Workspace is a set of productivity tools and services that powers around six million businesses around the globe.

Company-owned devices: Just like the name suggests, these are devices that are owned by the organization.


BYOD work profile: If personal devices also double as work devices, it is important to have some distinction between the personal and work apps/data. Android Enterprise enables UEM solutions like Hexnode to create a separate work profile in such devices. This allows for a distinct work container that has only work apps and data. When the personal device is no longer in use, the admin can simply remove the work container from the device.

[Infographic] Android Enterprise vs Device Admin: Why should enterprises migrate?

Managed Google Play Account: Right from the mouth of Google, “Managed Google Play Account is a set of users, devices, and administrator accounts that are used to manage apps for your users.” The Managed Google Play allows the admin to provide the users with a custom app Store in their Android devices.

Android device management 101

Deploying devices

Deploying Android devices
Deploy Android devices with Hexnode
 

For Android, there are quite a lot of ways to enroll and deploy devices with Hexnode. This includes:

  • SMS or email enrollment, where the enrollment details are sent to the end user.
  • Android Enterprise enrollment for both company-owned and BYOD devices.
  • Zero-touch enrollment methods like Samsung Knox mobile enrollment or Android Zero-Touch enrollment.
  • ROM enrollment, where the Hexnode app is flashed to the ROM as a system app for greater privileges.

Majority of the managed devices are enrolled with Android Enterprise as a profile owner or device owner. The profile owner is for BYOD devices. As we discussed before, a work profile is created in this mode. The device owner mode gives complete administrative privileges to the organizations. Only devices that are owned by the organization should be enrolled using this method,

The zero-touch enrollment methods allow for out-of-the-box enrollment without any manual intervention. This is quite useful when you are just directly shipping the devices to your remote employees.

How to manage apps in Android?

What is device management without app management right? A mobile device like Android runs on apps, and it is important that the admins get a say in what gets installed and what does not. Hexnode admins get more than a say, let’s see how.

Hassle free app management with Android Enterprise & Hexnode

Silent App Installation

That’s right, you can silently install or uninstall the applications on managed devices with zero user intervention. Of course, such an awesome feature would be subject to certain conditions. Silent app installation is only possible for devices that are enrolled in Android enterprise program. The in-house enterprise apps can be silently installed in Samsung Knox, LG Gate, Kyocera, rooted Android, devices with Hexnode system app and devices that are enrolled as device owner in Android enterprise. For all the other devices, the user would get a notification to install the specified applications.

App Blacklisting/Whitelisting

Blacklist or whitelist applications to prevent user access to potentially dangerous or unwanted apps. Some apps simply need to be blocked because they serve no purpose except for distracting the employees from work.

Custom App Play Store

Instead of deploying the apps yourself, you can deploy a customized Play Store for managed devices. This can be done by creating App Catalogs in your Hexnode web console and then deploying it to the target devices via policies.

Mandatory Apps

While some apps aren’t needed, some apps are absolutely essential. Make such app mandatory with Hexnode. If these apps are not already installed in the device, Hexnode would attempt to install the apps in the device. For some reason, if the apps are not present on the device, then the device would be marked as non-compliant and the admin can take the appropriate action.

Pre-configuring app permissions and configurations

How great would it be if you just just pre-configure all the app permissions and configurations before it is installed in the device? Well, you can actually do that for Android devices with Hexnode. The permissions and configurations would be automatically present when the apps gets installed on the devices.

Securing devices is always a priority!

The whole purpose of managing devices is security. Okay, maybe not the whole purpose, but definitely a large part of it. So, how can you secure a managed Android device? It really depends on the security requirements of the organization. However, we have listed out a few ways that would be useful to secure managed Android in general.

Password policies

The simplest and often the most effective method to secure your device is to configure a strong password. If the password is not strong enough, it is not very hard to crack it with the primitive brute force method. For example, if it is an eight-character password like “password”, it would not take even a millisecond. Now, a password that combines upper-case, lower-case, numbers and special characters would be strong enough to withstand the brute force attack. For instance, a password like “Blackbird@123” wouldn’t be that easy to crack.

So, what can you do as the IT admin?

Configure stringent password policies that forces the user to configure strong passwords in the device. This can be done in the Hexnode web console. Push these policies to all the managed devices and check password security off from your security checklist.

What about personal devices?

BYOD! Those are personal devices! Can you really force password policies to the personal devices? Even if you can, is it ethical?

As mentioned before, a BYOD Android device should be enrolled in the profile owner mode with Android Enterprise and Hexnode. In such a situation, the Hexnode admin is not managing the whole device, just the work container. The password policies can be configured specifically for the work container.

Certificates

Certificates are a great way to secure and authenticate users to access the corporate resources like VPN, Wi-Fi and more. The IT admins can deploy identity certificate to the managed Android 5.0+ devices with Hexnode. The certificates would be silently installed in Samsung Knox devices and devices that are enrolled using Android Enterprise program.

Managing and securing networks

While caring for the device and user security, it is important to take care of the network security too. With Hexnode, configure and deploy Wi-Fi networks so that the end user gets automatically connected to the network without needing to know the password. You can also configure VPN remotely for securing the flow of data in the network.

Just like app blacklisting and whitelisting, it is often necessary to filter websites too. Use the web content filtering feature to block user access to any potentially harmful websites.

OS Updates

Some updates need to be installed immediately while we may prefer to wait for some others. Schedule OS updates for Android with Hexnode. You can choose to update automatically, update in inactive hours or postpone the updates upto 30 days.

Kiosk for Android

Kiosk mode is a special mode in which the Android device is locked down into applications as specified by the admin. The user has no access to any device settings or any other apps unless the admin allows it. The kiosk mode is useful for converting your normal Android device into a purpose-oriented device – for instance, information kiosks or a restaurant kiosk.

What is Android kiosk mode?

Hexnode allows its admins to lock down the managed Android devices into kiosk mode. They can lock the devices down into a single app, or a set of specified apps, or even videos and images. The devices locked into videos or images would work as a digital signage display.

Managing files in managed Android devices

Android device management includes content management. Hexnode admins can upload the files to the Hexnode file repository and deploy it to the managed Android devices on designated locations.

Remote management for remote devices

We are all familiar with the terms such as remote work, work from home and hybrid work thanks to the recent trends. When remote devices are a part of organization, remote management becomes important too. Everything we discussed so far can be done remotely. Hexnode has a few more remote management friendly features:

Remote View

View what’s happening on the device end live in the Hexnode web console with the Remote View feature.

Remote Control

For Samsung Knox devices, the functionality doesn’t stop at Remote View. The admins can also remotely control the device while viewing the device screen from the Hexnode web console.

Remote App Launch

This feature allows the admin to launch an application in the managed Android device and define conditions of its exit. For example, the admin can specify the time for which the app should remain open. The admin can also give the users control to exit the application when they are done using it.

Remote Ring

If the user can’t find the device and the device volume is turned off, use the Remote Ring feature to play a sound on the device.

Broadcast message

Send custom broadcast messages to managed Android devices with wildcards like %devicename%, %name%, %email% and more.

Set or change ringtone

The admins can set the incoming call ringtone of Android devices remotely.

Clear device password

If the users somehow end up forgetting the password, or if you have a locked device whose previous user no longer works at the company, clear the password of the locked device with this remote action.

Remote Wipe

If the device is lost or if the user left the organization, you may need to wipe the device. Remotely wipe the device with a single click from the Hexnode web console.

Location tracking

Wiping is not the only option for a lost device. Track device location with the location tracking feature. Combined with dynamic grouping and geofencing, you can even apply location-specific policies to the devices.

Monitor and restrict data usage

Monitoring and limited data or Wi-Fi usage ensures that the users are not wasting data. Reduce data costs by configuring device-specific or app-specific limits for data or Wi-Fi usage. The admin would get notified if the limits are exceeded. You can also restrict the user from using data or Wi-Fi once the user exceeds the limits.

What is OEMConfig?

OEMConfig is a standard introduced for Android Enterprise enrolled devices, where OEMs (Original Equipment Manufacturers) and UEMs (Unified Endpoint Management solutions) work together for providing the organizations with best possible management capabilities.

OEMConfig – Breaking the boundaries of Android device management

The best way to learn is by doing it!

Android device management is huge. The possibilities are endless. One thing we can say for certain is that Android for business and work is only going to grow. We did try to cover everything important related to Android device management in this blog, but the best way to get started is definitely by doing it.

Share
  •  
  •  
  •  
  •  
  •  
Emily Brown

Reading is therapy and writing is healing...sincerely, a cool nerd.

Share your thoughts