What is Android Enterprise? Everything you need to know
Everything you need to know about Android Enterprise.
Get fresh insights, pro tips, and thought starters–only the best of posts for you.
Dec 19, 2018
13 min read
The inrush of personal devices into the workplace might bring convenience and augmented productivity for organizations. But this Bring Your Own Devices (BYOD) trend also has a darker side. If the devices are not managed properly there is a huge risk of corporate data breach. Devices with valuable corporate data on them can be lost, stolen or hacked. The compromising of customer information and internal business data can be a disaster for many organizations.
Organizations can’t mandate strong security policies on employee devices as this could raise privacy concerns. Performing a complete wipe on a compromised device often requires the employees’ consent. From the organization’s perspective, it’s not the device but the valuable data on it which is more important. However, for the employees, their privacy would be a major concern. Thus, BYOD can ultimately lead to a conflict between privacy and security.
BYOD has tremendous potential in the corporate world and couldn’t simply be banned considering the security risks. The key is to implement BYOD in a manner that simply ensures security without compromising employee privacy. The concept of containerization unsprang then.
Containerization is all about separating work and play. Containerization technologies are commonly leveraged by organizations to orchestrate the packaging up, isolation, and encapsulation of work data on separate segmented user space within the device. It allows business and personal apps and data to co-exist on a single device, but each stays within its confines. Containerization establishes separate, encrypted containers on personal devices – a secure area on the device that keeps business data insulated from everything else on the device and allows admin to manage only what is in the container restricting corporate access on personal data. Data and apps in personal container space is kept separate and remain private.
Containerization with effective compartmentalization into work and personal workspace domains is an efficient data control mechanism for the individuals who can do whatever they want on their side of the border as well as the businesses that can take over the other part. All the interactions between the user and corporate data take place within the container in its encrypted area.
First generation containerization was proprietary having limited options for employees to use their preferred productive applications and IT teams had no options to roll out mobile applications not supported by these containers. But now containerization is more flexible and integrates with app stores from Apple and Google allowing employees to work with their preferred applications without compromising privacy. The rapid increase in the interest in the usage of container-based isolation constraints has developed the urge for more agile and secure-by-default containerization technologies and approaches that provides a clean separation of concerns. With flexible containers, organizations can offer the users a significantly larger app store experience which can add on to their productivity.
Today it is possible to deploy containers with an MDM profile to enable containerization keeping the management focused on the corporate part of the device rather than the entire device. Mobile Device Management (MDM) solutions support containerization keeping the IT focused on containerized apps residing inside the work containers. All the required business apps are made readily available to the users by this resource-isolated contained environment with enterprises having limited communication or access to the underlying resources.
Deploying MDM technology with containerization gives the opportunity to enforce the use of strong authentication and encryption and to wipe corporate data from lost or compromised devices selectively, personal data remaining untouched. Enterprise wipe also comes in handy when an employee working with his personal device leaves an organization and the organization wants to remove the data from the business container without destroying any resources residing in the personal zone that the device owner has stored on his device. Thus, admins can prevent personal applications from accessing corporate data and users can be confident that the organization won’t access the personal information that they store on the device outside the container.
Google’s Android Enterprise program offers several features to secure and manage corporate data on Android devices. Android Enterprise lets admins create a separate workspace on Android devices in which business-managed applications and data reside. With a compatible MDM server, IT can control how data is managed within the workspace by enforcing strong security policies. Android Enterprise is supported as of Android 5.0 (Lollipop) and is available in almost all recent Android devices.
Android Enterprise containers support any Google play store apps and Google Play’s entire catalog of premium business applications is available to download through Android Enterprise. Additional functionality allows organizations to publish private applications to authorized devices along with approval and configuration of Managed google apps.
Android Enterprise comes with two different types of deployment. Organizations can choose to use MDM either for profile-based or complete management of their Android devices. That is, the company can manage either a work profile on the device or the entire device.
Android devices enrolled as Profile owners will automatically create a work container upon enrollment. Silent installation and removal of work apps residing inside the work profile and per-app restrictions are the major benefits of employing profile owner mode on devices. By default, work profile notifications and application icons have a work badge so they’re easy to distinguish from personal apps. Apps in the work profile do not interfere or communicate with apps in personal space. Apps that are to be used in both the personal and business areas simply run double on the device, one unmanaged for personal use and the other managed. Applications that are part of the Work Profile will be highlighted by a small orange briefcase icon on top of the application icon, but except for that, the application will work just as expected and will be integrated into the overall Android user experience.
Apart from Android Enterprise, Samsung devices have a built-in containerization platform called KNOX. Samsung KNOX is a containerized approach that builds Samsung’s defense-grade mobile security platform into Knox-supported devices released by Samsung. Apps in the KNOX workspace is protected by extensive DAT (Data at Rest) protections and is secured with AES-256 level encryption. KNOX requires an MDM platform for the activation and management of its container. MDM has an extra set of features built for Samsung KNOX devices. However, Samsung KNOX devices can be enrolled in Android Enterprise if they are running OS versions 6.0 and above. When Android Enterprise is deployed on Samsung devices, it can have enhanced platform and hardware level security.
Samsung made a major change from Android 8 Oreo onwards so that it is possible to address the APIs for Knox and Android Enterprise in a single activation. With this Android work profile can be deployed on Samsung Knox COPE devices apart from the other work profile and work managed devices. For simplification of deployment Knox Platform for Enterprise is harmonized with Android Enterprise from Knox 3.0 onwards. The major change brought about by this unification is the replacement of Knox containers with Android work profiles. Knox containers have deprecated in Knox version 3.4 and the new workflow is to build an Android work profile and apply Knox API for certain actions. There are certain features with Android as well as Samsung Knox having the same functionality. The main intent of the unification is to prevent such duplication of actions. According to Samsung, with Android Q and Knox 3.4.1, KPE functions that overlap with AE are discarded but continue to work in Android Q though documented as obsolete. These obsolete features won’t work with Android R Samsung devices.
iOS Business container seamlessly manages corporate apps and data separately from personal apps and data. The data exchange is defined using Managed Open-in. Apple’s Managed Open-in is a security feature released in iOS 7 that prevents attachments or documents from managed sources from being opened in unmanaged destinations and vice versa. Managed apps are apps installed via MDM. The Organization has full control over managed apps and their associated data. MDM can specify whether the application should be removed when the MDM profile is removed and can remove these apps and associated data at any time on demand.
Apple’s containerization approach divides the device into two virtual containers: one for managed work apps and the other for personal apps. Data flow between these two spaces is controlled by applying a set of restrictions from the MDM console. The iOS Business container has a specific set of features that enable corporate data to be managed at a granular level and ensures that the data doesn’t leak out to the user’s personal space. The containerization is built into the core of iOS and enables the same look and feel of iOS allowing admins to seamlessly manage the data with powerful control over the work data while maintaining the same iOS experience for the end users.
Here is the list of restrictions available in the iOS business container to protect your organization’s valuable data:
Along with these, the admin can also enforce other restrictions to secure managed apps by preventing managed app data from syncing with iCloud, preventing screen capture and so on.
Apple’s containerization is quite different from Google’s Android Enterprise approach. The most important thing is that in Android Enterprise, the work profile is visibly demarcated from the personal one whereas in iOS managed and unmanaged domains are not clearly distinguished. iOS business container runs in the background. This seamlessly enables admins to efficiently manage corporate data without the user even being aware of it.
The result of containerization is greater data security and control. Whether the platform is Android or iOS, admin can have explicit control over the work container and make sure that the corporate data is always safe and secured. Thus, containerization can be the perfect key for BYOD management.