Google’s Device Admin (DA) API was made available in Android 2.2, back in the year 2010, to provide enterprises with a device management solution. Almost a decade later, with the release of Android 9.0, Google announced the deprecation of some of the Device Admin policies. What has changed so much over the years that these policies are going to be entirely scrapped with the release of Android 10.0?
Well, enterprise requirements have changed drastically over these few years due to increased use of mobile devices, both for personal use and for work. With organizations handling more and more confidential resources, the hard-lined approach of DA which seeks entire administrative permissions to manage a device poses a huge security risk. The number, kind, and needs of devices have evolved so much that DA falls short to meet them all.
Let’s meet DA or did you already?!
Ever had an app seeking admin permissions in your device? Were you too apprehensive about switching the toggle? So, you’ve met DA indeed. Good thing you never switched the toggle. Had it been a malicious app trying to sneak into your device, your device would’ve been as good as dead.
Device Admin APIs are quite powerful and are used to create admin apps that users can install on their device. The app enforces the desired security policy, like a password, on the device. The user must install the app and allow admin permissions for the restriction to take effect on the device. Otherwise, the app simply remains dormant. Device management apps, security apps, email clients and even malware make use of DA policies. If malware is given admin permissions, it can easily tamper with your device and data.
Some of the policies supported by device admin APIs are
- Prompt user to set a new password.
- Password restrictions like minimum password length, maximum failed attempts before wipe, require an alphanumeric password etc.
- Require storage encryption.
- Disable camera.
- Immediate device lock.
- Wipe the device contents.
So, this is how device management using DA works
Why is DA being done and dusted?
There are several drawbacks associated with DA.
- The all or nothing approachConsider device management, here DA seeks permissions to manage the entire device, whether it is a corporate or personal owned device (a big no-no! for employees who use their personal device for work). If Admin permissions are denied, the device cannot be managed at all.
- Manual app download for provisioningAs mentioned earlier, for any policy to take effect on the device the user must manually install the device admin app. If an EMM agent is used, it must be installed either from Google Play Store or be sideloaded which can expose the device to potential malware.
- User is the lone kingSince users have all the power, they can simply choose not to install the DA app, leaving the device as free as a bird.
- Possible app conflictsThere can be more than one admin app in a device which can lead to app conflicts.
- Cumbersome app managementIf app management relies on a Google account, the legacy device user must manually install the apps distributed to them from Google Play. At this point the user may intentionally skip linking the Google account, thus allowing no apps to be installed in the device. For private apps to be installed, permissions to “allow app installation from unknown sources” must be enabled, which a user may not be willing. If Factory Reset Protection is enabled on the device and the device is reset without the knowledge of the user, the device will be rendered unusable until the previously used Google account details are provided. Not a good position to be in, right?
Now let’s see what’s being nipped off.
In Android 10, these policies will be marked as a SecurityException when invoked.
So, what now?
With Android 5.0 Google released its Android for Work API, now known as Android Enterprise (AE), as an effort to offer better device management features and meet enterprise requirements. Has this effort led to fruition? Yes! Android Enterprise brings with it a fully-fledged management solution for enterprises.
Behold! AE brings to you …. The Work Profile and Device Owner!
- Personal devices can be set up with a work profile that allows work apps and data to be stored in a separate container within the device. The organization has full control over this work container and cannot interfere with the employee’s personal files.
- Company owned devices can be set up as device owner to have full control over the device and all the data in it.
- AE supports Zero-touch enrollment (ZTE), QR code and NFC enrollment. With ZTE there is no need to manually enroll into an EMM.
- AE also offers a managed Play Store that allows to remotely distribute apps in bulk. In a fully managed device this involves no user intervention.
- EMMs can implement Android Management APIs and manage all Android devices without having vendor-specific integrations. Organizations get to manage devices in bulk using a plethora of management features. In AE, the user is no more the lone king. Thus, AE has a takeaway for everyone.
Pack your bags. Next stop – Android Enterprise!
If you are currently managing your devices by having them enrolled into an EMM which uses DA, pack your bags! now is the time to migrate your devices. With the deprecation, EMMs will not be able to manage your Android 10+ devices using DA. Hence, it will be long gone and soon AE will be the default device management program supported by EMMs. So, move your devices if you are targeting Android Q features, out of DA and into AE now, to have them managed smoothly in the future.
You must be having cold sweats by now. Fear not! help will be provided in every step you make towards AE.
First, evaluate your enterprise requirements, map them and then adopt either one or both the migration strategies suggested by Google. They are called as Big Bang and Phased adoption.
- Big Bang – Here, existing users upgrade to AE in one or more batches.
- Phased Adoption- Here, new users and devices are enrolled into AE and legacy devices are moved out as they age.
Your personal devices can be set up with a work profile and company-owned devices as fully managed devices. For this, you’ll need an EMM provider that best suits your needs. You will also need a corporate Google account to set up managed Google Play.
Don’t forget to test your requirements before you finally deploy.
The steps you’ll need to follow are right here.