What is Android enterprise?
Android enterprise (formerly Android for Work) is a collection of enhanced management APIs baked directly into the operating system for universal control and management of all Android devices running Android 5.0 and above. It makes use of profiles first introduced in 5.0 to create a secure, encrypted workspace for corporate applications and data.
In response to growing enterprise demand, Google has been working to develop built-in management out of the box for all Android devices by incorporating universal APIs all OEMs can support. They have also been working internally on their own core applications to support managed configurations, a way of remotely managing email, web traffic and more.
In the past, you could pick up three different devices and have no guarantee they would be capable of enterprise management. Now, with Android enterprise, fragmentation is no longer an issue as all Android devices share the same underlying management APIs, only varying slightly between major updates offering enhanced capabilities.
Android enterprise deployment scenarios
Work profile
In this scenario, end-users have full control over their devices and EMM administrators control a second work profile on the device. The work profile integrates fully with the end-user’s own profile to create a seamless experience, highlighting work applications with an orange briefcase. Administrators have very limited visibility into the device beyond basic information, and that includes no visibility of applications installed on the personal profile, as there is no EMM agent installed and running on the personal profile.
Work profile is suitable for a BYOD-type deployment scenario where it is only necessary to secure and manage the work container and device passcode, leaving control of the device and general maintenance to the end-user.
The work profile is encrypted and supports its own passcode by design, although requiring one is optional. DLP features allow EMM admins to prevent copying and pasting from outside of the work profile, as well as blocking screenshots and other forms of data sharing. However, optional contact sharing between profiles can be enabled so that an incoming call can be matched to a work contact.
Furthermore, if a device is retired, it only removes the work profile and leaves the rest of the device untouched.
Work-managed
In this scenario, a device is taken directly out of the box and provisioned from a factory-reset state. EMM admins (or end-users) can provision this device in any of the following ways:
- An NFC bump (NFC must be supported and enabled out of the box)
- A DPC identifier (preferred for devices running 6.0 or above)
- A QR code (requires 7.0 or above and OEM support)
- Zero-touch provisioning (see below; requires Android 8.0 and OEM support)
Once any of the above is used, the device skips the normal setup wizard and instead prompts for enrolment into the EMM.
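Of the methods above, the QR code and the NFC bump both carry the same kind of payload: a set of android.app.extra.PROVISIONING_* extras telling the setup wizard which DPC (the EMM client) to download, from where, and which signing certificate to trust. The script below is an added example, not code from the article or from any EMM vendor; it builds such a payload and computes the signature checksum. The DPC component name, download URL, certificate bytes and admin extras are constructed placeholders, and the HTTPS-only check is this example's own policy rather than something Android enforces.

```python
"""Build the JSON payload encoded into an Android enterprise provisioning QR code.

Added example; not code from the article or from any EMM vendor. The JSON keys
are the android.app.extra.PROVISIONING_* extras read by the Android setup wizard.
The DPC component, download URL, certificate and admin extras used in demo() are
constructed placeholders.
"""
import base64
import hashlib
import json
from typing import Optional
from urllib.parse import urlparse

# Extras the setup wizard reads from a QR-code (or NFC) provisioning payload.
ADMIN_COMPONENT = "android.app.extra.PROVISIONING_DEVICE_ADMIN_COMPONENT_NAME"
DOWNLOAD_LOCATION = "android.app.extra.PROVISIONING_DEVICE_ADMIN_PACKAGE_DOWNLOAD_LOCATION"
SIGNATURE_CHECKSUM = "android.app.extra.PROVISIONING_DEVICE_ADMIN_SIGNATURE_CHECKSUM"
PACKAGE_CHECKSUM = "android.app.extra.PROVISIONING_DEVICE_ADMIN_PACKAGE_CHECKSUM"
ADMIN_EXTRAS = "android.app.extra.PROVISIONING_ADMIN_EXTRAS_BUNDLE"


def url_safe_sha256(data: bytes) -> str:
    """URL-safe base64 of SHA-256(data) with '=' padding stripped, the form the
    checksum extras are usually shown in."""
    return base64.urlsafe_b64encode(hashlib.sha256(data).digest()).decode("ascii").rstrip("=")


def is_acceptable_download_url(url: str) -> bool:
    """This example's own policy: only accept an HTTPS download location with a host."""
    parsed = urlparse(url)
    return parsed.scheme == "https" and bool(parsed.netloc)


def build_payload(component: str, download_url: str, signer_cert_der: bytes,
                  apk_bytes: Optional[bytes] = None,
                  admin_extras: Optional[dict] = None) -> dict:
    """Return the dict that is JSON-encoded into the QR code.

    signer_cert_der: DER bytes of the certificate the DPC APK is signed with. Its
    SHA-256 becomes the signature checksum, so the device rejects any APK at the
    download location that was signed by a different key.
    apk_bytes: optional; pins one exact APK build via the package checksum and must
    be regenerated for every DPC release, so many deployments omit it.
    admin_extras: optional bundle handed to the DPC once provisioning completes
    (EMM clients typically carry their server URL and an enrolment token here).
    """
    if component.count("/") != 1 or component.startswith("/"):
        raise ValueError("component must look like 'com.example.dpc/.AdminReceiver'")
    if not is_acceptable_download_url(download_url):
        raise ValueError("download location must be an HTTPS URL")
    payload = {
        ADMIN_COMPONENT: component,
        DOWNLOAD_LOCATION: download_url,
        SIGNATURE_CHECKSUM: url_safe_sha256(signer_cert_der),
    }
    if apk_bytes is not None:
        payload[PACKAGE_CHECKSUM] = url_safe_sha256(apk_bytes)
    if admin_extras:
        payload[ADMIN_EXTRAS] = dict(admin_extras)
    return payload


def encode_for_qr(payload: dict) -> str:
    """Compact JSON string to feed to any QR encoder (keys sorted for reproducible codes)."""
    return json.dumps(payload, separators=(",", ":"), sort_keys=True)


def demo() -> str:
    # Constructed placeholders; a real deployment uses the DPC's actual signing cert.
    fake_cert = b"-- constructed DER certificate bytes --"
    payload = build_payload(
        "com.example.dpc/.AdminReceiver",          # hypothetical DPC component
        "https://emm.example.invalid/dpc.apk",     # hypothetical download location
        fake_cert,
        admin_extras={"serverUrl": "https://emm.example.invalid",
                      "enrolmentToken": "CONSTRUCTED-TOKEN"},
    )
    return encode_for_qr(payload)


if __name__ == "__main__":
    print(demo())
```

The signature checksum is the part worth getting right: the setup wizard refuses any APK whose signer does not match the pinned hash, which is what stops a tampered download location from handing the device a look-alike DPC, and it also means that rotating the DPC signing key invalidates every QR code issued with the old value. The NFC bump uses the same extras, serialised as Java properties inside an NDEF record rather than as JSON.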
Work-managed is suitable for secure environments where EMM administrators control the device functionality, the applications permitted for installation (via managed Google Play which only gives access to approved apps), in addition to having full visibility of the device.
This profile also permits the use of a Kiosk if required, further locking down the device. There is very little user freedom with work-managed devices, and retiring the device will fully wipe it.
Work profiles on fully managed devices
This deployment scenario is available for devices running Android 8.0 and above, and as the name suggests, it combines the two previous deployment scenarios into one device.
Work profiles on fully managed devices offer a middle ground between work profile and work-managed, affording the end-user some flexibility in confining work applications to the work profile and allowing user applications and settings outside of the work profile to be user-controlled. Of course, as it’s work-managed, EMM administrators can impose restrictions on the device that override end-user control if required.
In this scenario, the device will be provisioned like a work-managed device with an out-of-the-box setup. EMM administrators will have full control over the device and, if supported by the EMM provider, will be able to convert work-managed devices into work profiles on fully managed devices with little effort.
Work profiles on fully managed devices is very similar to “legacy” Android management in that the device is managed but end-users can be given freedom to use it as they see fit. Therefore, it will be the preferred deployment scenario for enterprises adopting Android enterprise in the future.
Retiring a device deployed as a work profile on a fully managed device will fully wipe it, including all user data.
Zero-touch provisioning
As of Android 8.0, device OEMs have the ability to include zero-touch provisioning support for devices. EMM administrators can remotely provision devices for either work-managed deployment scenario from a dedicated Android zero-touch console, allowing devices to enrol directly out of the box.
Zero-touch requires that devices be purchased through authorised resellers, who also manage access to the zero-touch console. When devices are purchased, they’ll be automatically added to the console, where EMM admins can configure EMM server and device configurations that will be automatically applied to devices during the first device boot (and all subsequent ones after a factory reset).
Zero-touch makes the deployment of work-managed Android devices as simple as iOS on Apple’s Device Enrolment Programme.
Android enterprise vs Legacy Enrolment
A common question when discussing Android enterprise is how it differs from legacy enrolment.
With Android enrolment today (referred to by Google going forward as device administrator enrolment), EMM administrators are very much limited to Samsung devices to be able to guarantee a reasonable degree of management. Other OEMs offer little to no APIs for device management and are therefore mostly confined to BYOD deployments.
When a Samsung device is enrolled, EMM administrators have management over the device to a degree similar to that of the work-managed scenario described above, and can combine it with an EMM container (such as MobileIron AppConnect or AirWatch Container) to partition off critical corporate applications behind an additional passcode-enabled and encrypted sandbox.
Getting to this point, however, relies on the end-user granting the EMM client application administrative privileges and enabling unknown sources, normally resulting in a warning and later potentially enabling the end-user to sideload non-Play Store applications.
Then there are other problems, such as Factory Reset Protection, which requires the password of the Google account last used on the device if it is wiped before that account is manually removed; this is similar to iOS Activation Lock (sometimes referred to as a feature of Find My iPhone). Speaking of Google accounts, either end-users or administrators will usually have to manage them to enable application downloads, a requirement that does not exist with Android enterprise, where accounts are managed automatically. Generally speaking, there are no silent application installation capabilities unless applications are distributed as raw APKs from the EMM, which is not a recommended practice.
Enabling Android enterprise
Android enterprise can be enabled in two ways: the first is as part of a larger GSuite domain, for which domain verification and additional configuration are normally required; the second, much simpler method is Android enterprise accounts.
For the latter, an EMM administrator will need roughly an hour to sign up with Google using a generic, corporate Gmail account, which is simply a Gmail account not tied to any particular person. The request is initiated either through the EMM platform directly or through the customer portal of the EMM vendor, after which a configuration is returned to import into the EMM and the connection is then successfully established (provided network firewall rules do not block access to accounts.google.com and googleapis.com).
From there, just a few initial configurations/profiles need to be created and assigned either to a static group/label for testing, or to a dynamic one to deploy to all enrolled Android devices.
Android devices are generally cheaper and offer far more flexibility to meet the needs of organisations. Nevertheless, this price gap has long been considered something of a false economy due to the increased costs of support and device maintenance. While that will remain true for a large subset of non-GMS certified devices (like those imported from China) and devices with unrealistically low specifications, mid-market Motorola, Sony, Samsung and other similar brands are far more accessible when managed with Android enterprise.
EMM administrators will be able to offer a consistent experience both for end-users and those supporting them.