There’s a lot of excitement in the air this year after WWDC’19 and Google I/O. It’s the same old recurring fight between Android and Apple to be the best at enterprise security. Who do you think has won this round? Well, whoever it may be, IT reaps the fruit.
This blog post is exclusively dedicated to Android 10 (Yes, it has been officially renamed as Android 10) updates for enterprise. So I urge you to check out Hexnode’s blog post for more details on what happened at WWDC’19.
The launch of Android 10 brings along with it the deprecation of Google’s Device Admin API. After almost a decade of service, it’s finally time to say goodbye. Not to worry though. Google is all set to tighten up privacy and security with the release of new features for Android Enterprise.
What’s new and buzzing?
Work profile provisioning methods
Cross-profile calendar access
Limited input method control
EAP Wi-Fi provisioning
Managed private DNS over TLS
VPN lockdown exemption
Network activity logging, Certificate selection, Package installation
Manual installation of updates
As we cope with the deprecation of the Device Admin API, Android ‘COPE’s up with new work profile provisioning methods for corporate devices. Corporate-Owned-Personally-Enabled or COPE devices portray a promising future for corporate devices. IT admins have been going on for ages about the burden of having to manage personal accounts on corporate devices, as there is no strict partition. Even though the concept of COPE has been around for a few years now, we haven’t seen it get implemented much. This initiative from Android to introduce QR code, NFC and Zero-Touch work profile provisioning methods could encourage more organizations to adopt COPE.
Now this is something useful. How often have you had to shuffle between your work calendar and personal calendar to book a doctor’s appointment or plan a family dinner? It’s time to put that to rest. With this new feature you can see your work events in your personal calendar, and if you want to edit one, you’ll get redirected to the work calendar. This surely simplifies a lot of things, but the implication of someone accessing the details of work events outside the passcode-protected work profile is daunting.
Do you trust your keyboard? The question might sound silly. But all your personal data, including usernames, passcodes and the deep private secrets you shared with your best friend, can be accessed by storing your keystrokes on the keyboard, which makes my question very relevant. For the same reason, organizations often enforce the use of standard keyboards on work devices. But now it’s possible to enforce a standard keyboard in the work profile alone and leave users with their freedom of choice. Hello again, SwiftKey!
Silent wipe of work profile and restriction to block installation of apps from unknown sources in work profile were also introduced. That covers all the important work profile improvements.
Now let’s move on to updates for fully managed devices.
That’s right, now you can have extensive authentication. For devices provisioned through QR code or NFC, it is now possible to include EAP config and credentials including certificates.
Avoid leaking your DNS queries. DNS over TLS is a protocol that secures your DNS queries by wrapping them in TLS. It provides full stream encryption of all communication between the DNS client and the server. But does your organization implement DNS over TLS?
Admins can now exempt apps from VPN lockdown. These apps will be connected to VPN by default, but they can also connect to external networks if VPN is not available.
Admin, thou shall have more power! With Android 10, admins can delegate network activity logging, certificate selection and package installation.
And finally, something interesting….
System updates get easier. Admins of fully managed devices can now choose how to deploy software updates to the devices. They can test them on a few devices before installing them widely. They can push them as system update files without having to download the update from each device. This becomes incredibly useful when the devices are connected to a low-bandwidth network. You can also stagger installation of updates now. Make sure the installation is done only when the device is idle.
All in all, I would personally give this round to Apple because none of the Q updates excite me as much as single sign on or user enrollment from Apple. They have added some features that would relieve the headache of IT admins but none that would sweep them off the ground I must say. However, some of the consumer features do look interesting. On-device local AI for live caption and smart replies. How smart is that, right? Coupled with the dark theme and new gestures, Android users sure won’t be disappointed. As for the enterprise, I’m doubtful. The question still remains though. What did Q stand for?