5 things to know about Android Enterprise Program in 2020

What is Android Enterprise? – A brief introduction 

Android enterprise is an initiative by Google to enable the use of Android devices and apps in the workplace. Debuted back in 2014 with 5.0 Lollipop, the Android enterprise program aimed to provide new management capabilities to organizations that were willing to adopt the Android ecosystem in their workplace. 

Over the years, we have seen the growth and maturity of Android as a platform. Android enterprise has also grown alongside this. With the help of Android enterprise, the admin is able to provide a lot of flexibility when it comes to workplace device management. There are basically four scenarios that Android enterprise program supports.  

Android Enterprise Program Scenarios.

Work Profile (BYOD)– A separate container or profile is formed within a personal device owned by the user. 

Fully Managed Device– A device that is issued and controlled fully by the corporate. 

Work Profile in a fully managed device (COPE)– Similar to work the only device but the users can do personal tasks too on this device. 

Dedicated Device– Corporate issued device which fulfills a particular task. Like digital signage, ticket printing, etc. 

As of 2020, the latest version of Android is Android 10 and Android 11 is in Beta. Android 10 Enterprise already offers the bleeding edge in device management capabilities and Android 11 aims to enhance these features.  The changes that would be introduced in these versions would be enhancements more or less. Sweeping changes that we have had in previous versions shouldn’t be expected because Android as a platform has matured. That being said here are a few things you should know about Android Enterprise in the year 2020. 

Setting a new standard for Work Profiles 

A work profile is an encrypted container within a device. This container’s purpose is to avoid the mingling of work data and personal data. This is applicable for both corporate-owned fully managed devices and personal devices. In Android 10, it was made possible to provision work profiles via Zero-Touch Enrollment and QR code. This meant that admins were able to deploy work profiles in corporate-owned devices.  

At first glance, this looked like a happy marriage. It would bring out the best in both the solutions. But as it turns out, employees do care a lot about their personal data being private. In a survey conducted by ESG research, 71 percent of employees agreed that all their personal data on the device they use should remain private and out of the hands of the IT department. Even on company-owned devices, employees demanded privacy and this kind of resistance was not good in any way for the organization.  

The functioning of a Work Profile in Android Enterprise Program

Keeping this mind, Google has released a new enhancement through Android 11 for the work profile which is more privacy-centric. This enhancement works in tandem with the provisioning features introduced in Android 10. If the setup wizard uses the tools introduced in Android 10 to add a work profile, the device is recognized as company-owned and the device policy controller (DPC) is granted a wider range of asset management and device security policies. This made sure that the employees got privacy benefits through a single work profile experience on both personally owned and corporate-owned devices. 

Several UX changes have also been introduced to the work profile. The tab view of the menu which was introduced in Android P now extends to: 

• In the Settings app, specifically for Location, Storage, Accounts, and App info. 
• When a user taps Share. 
• When a user is presented with the option to open a selected item with another app (Open with menu). 
• When selecting documents. 

Tabbed View in Android 11 Enterprise’s Work Profile (Source)

The UX also makes it much clearer when the work profile is paused. The icon will turn grey and stay that way until the work profile passcode is entered.  

Work Profile apps in Android 11 Enterprise (Source)

Another UX change is the addition of the “forgot password” button. This can be enabled by the DPC.  

Other features like Managed Google Play, a Play Store that would only display apps pre-approved by the admin, Silent app installation are all intact. 

Other features introduced in Android 10 enterprise program that might be new to you include: 

• Device wide unknown sources: Since Android 10, admins of work profile can prevent any user or profile from installing apps from unknown sources anywhere in their device.  
• Work profile calendars: The apps running in the personal profile can now reflect the events present in the work calendars. The app showing the calendar details should be present in both personal and work profiles. It would essentially redirect the person using the device from the personal profile to the work profile. The user can also disable cross-profile calendars from settings. 
• Silent Wipe: The admin can initiate a silent wipe of the work profile without any user intervention. It wouldn’t ask for permission from the user. 

Tweaking up fully managed devices 

A fully managed device is a device that is locked down to the environment set up by the admin. This scenario is also called the device owner mode and can only be set up with a complete factory reset. As of Android 10, these are the ways you could deploy a fully managed device: 

• Zero Touch Enrollment 
• QR code 
• DPC identifier on startup. (eg: afw#hexnodemdm) 
• NFC Tag 

The following changes were introduced on fully managed devices in Android 10 Enterprise program: 

• Installation of system update manually: Admins can now install updates via a system update file. This helps the admin to test the update on a few devices before it is deployed widely. Duplicate downloads of the update can be avoided, to endure telecom expense doesn’t go through the roof. The admin can also stagger the updates and install them when the device is not in use.  
• EAP WiFi provisioning: QR code or NFC tags that are used for device provisioning can now contain EAP config and credentials. When the QR code is scanned or the NFC tag is bumped, the device is automatically configured to the local WiFi network with EAP and starts the provisioning process without any manual input.  
• DNS over TLS: Private DNS or DNS over TLS(DoT) is now available for organizations. DoT helps in encrypting DNS queries to keep them private and secure. Admins can control the DoT settings of all fully managed devices now. 

Introducing Common Criteria Mode 

Common Criteria Mode is the international standard for defining security standards for IT products. With Android 11 enterprise, admins can now enable this mode on company-owned devices. This includes both fully managed devices and corporate-owned, work profile enabled devices.  

Common Criteria Mode aims to address specific requirements laid down by Mobile Device Fundamentals Protection Profile (MDFPP) to protect IT products against security threats such as 

• Network Eavesdropping: By positioning a wireless communication device somewhere in the network infrastructure, the attacker may acquire data that is being exchanged between a mobile device and any endpoint. 
• Network Attack: In this iteration, the attackers may try to initiate communication with any mobile device or endpoint by establishing themselves in the network infrastructure. The attack could range from pushing malicious software updates to normal applications. 
• Physical access: The attacker may acquire physical access data and can access user data on mobile devices using user credentials.  

And many more. 

Common Criteria mode was previously available only on the Samsung Knox platform as a restriction.  

Better Security with VPN 

Both Android 10 and Android 11 versions of the Enterprise program has aimed to enhance online security beefing up VPN configurations available to the admin.  

• As of Android 11 Enterprise, the user can no longer tamper with the Always-On VPN configurations when it is applied by the admin. This means that all traffic coming into the mobile device would be through a VPN tunnel and the user cannot do anything about it. 
• A VPN lockdown mode allows the admin to block any network traffic that doesn’t use a VPN. Admins of both work profiles and fully managed devices can apply this feature on their respective devices. Certain apps can be exempted by the admin from this lockdown. Exempted apps automatically connect to other networks when the VPN is not detected.  

Expanding Zero Touch enrollment 

Android Enterprise program’s Zero-Touch Enrollment, enables you to make large scale roll-outs of corporate-owned devices, handsfree. This method is available for devices sporting Android 8.0 +. The devices should also be purchased from authorized resellers.  

The device arrives in the hand of your employees as a managed device, out of the box. Previously, the devices deployed through zero-touch were only fully managed devices. Since Android 10, admins can now provision work profiles in corporate-owned devices.  

This widens the scope of zero-touch enrollment.