Google hosted their Annual Global Android Enterprise event in King’s Cross, London, last week. CWSI were in attendance and thought we would share some of Google’s vision for Android in the enterprise in 2017.
In his keynote, David Still, Managing Director, Android Enterprise, noted that Android has just below 30% of Enterprise-managed mobile device market share; his task is to get that closer to Android’s global market share of 85% of shipments. The challenges to Google overcoming low market share are:
- Education: Awareness and education of Android’s capabilities in the enterprise
- Security: The perceived lack of security in Android, particularly when it comes to apps
- Fragmentation: Android’s functionality and security are fragmented across Android, vendor and telecommunication operator branded devices.
- Enterprise Maturity: Maturity and availability of management features and the consistency of these across platforms
- On-boarding: A slow and complex on-boarding for end-users
A challenge for Android has been the perception that it is not a secure platform or, more to the point, that Google are not focussed on security and therefore Android is not focussed on Enterprise. Events like the Android Enterprise summit are held specifically to try to address these misconceptions and encourage the various Android Enterprise partners (EMM vendors, ISVs, SIs and carriers) to convey this message to customers.
The event put a heavy emphasis on security and Enterprise-specific features.
The two most common reasons to avoid Android in the Enterprise are fragmentation and security of the operating system. The Android Enterprise team’s key message is that a huge amount of effort has gone into improving the security of Android, and they think it is now just a matter of conveying the message and challenging customer perceptions. Rather than going through all the security features of Android Enterprise, just click here for more details. Below is a summary of interesting points that stood out:
- Android Security Patch Decoupling: Security patches for Android have become increasingly decoupled from operating system updates, allowing much quicker security patching of Android by Google. For flagship devices, Google now see more than 50% of devices on the current security patch release, whereas it was less than 20% pre-2016.
- Key Attestation: APIs are now available for apps to query whether their security keys are being stored in software or hardware-backed key store. This should create a drive for hardware manufacturers to include a trusted execution environment (TEE) in their devices, which will greatly improve the trust enterprises have for their data on Android devices.
- Separation of Corporate and Personal data: The most common Android Enterprise setup is Profile Owner mode, where the EMM agent (called a DPC) has full control of the profile or container where all corporate apps and data reside; however, it does not manage the underlying operating system where the user may have personal apps and data. This model suits scenarios with devices already in the field or BYOD, as it is easily added on top of an already in-use device. The other option currently available is Device Owner mode, where the EMM agent has full control of the device. This mode does not have the clear separation between company and personal data, and due to the potential risk of a malicious app gaining this privilege, Google have mandated that devices must be factory reset to enter Device Owner mode. Later in the year, the Android Enterprise team will be announcing a third mode that will allow a mix of both these modes; the EMM agent will be able to set up a container and manage it while also managing the underlying device.
- Verify Apps: The Verify Apps service has been around in Android for a number of years now; however, it is constantly being enhanced and expanded upon. As part of the Verify Apps functionality, Google are constantly scanning the Play Store for potentially harmful apps (PHAs). Taking the concept one step further, Google now feed any APKs they find on the Internet, or even attached to emails in Gmail, into the Verify Apps engine to detect and profile malware. Verify Apps also scans apps as they run on devices after installation. Currently Google are performing around 400 million app scans per day, which is truly impressive. If an app being installed, or already installed, is flagged by the Verify Apps service, a pop-up will inform the user; in Verify Apps “Strict Mode”, all devices using a Work Profile will block PHAs. This last point is particularly important to protect the underlying operating system in Profile Owner mode, where the EMM only has visibility of the corporate profile.
- SafetyNet: This is Google’s Android attestation service, allowing a vendor’s app or back-end service to query the security posture of an Android device, for example while the app is launching. SafetyNet can check that the device type has passed Android compatibility testing or that the app binary has not been modified in any way. Read more on SafetyNet here [https://developer.android.com/training/safetynet/index.html]. Since the enhancements to SafetyNet and Verify Apps, Google has seen the rate of potentially harmful apps on GMS certified Android devices drop to 0.05% of devices, from closer to 0.2% in 2015.
- Chrome Custom Tabs for OAuth: Many third-party apps allow you to use your Google/Facebook/LinkedIn account to register or log in, which can be really handy. This is typically implemented in these apps by creating a WebView (basically a cut-down browser running within the app) which takes you to the login page for Google/Facebook/LinkedIn. However, there are two issues with this approach. Firstly, you are generally asked for your full Google/Facebook/LinkedIn details again, even though you are likely already logged into these services elsewhere on the device; it is not really single sign-on. This is because the WebView is separate from the main browser on the device and does not have access to your cookies, so it is not aware you are already logged in. The second, and considerably more concerning, issue is that an app using a WebView has full visibility of everything you do in that WebView, regardless of whether the site uses HTTPS or not, so the app could be capturing your Google/Facebook/LinkedIn credentials. Google’s solution to this is Chrome Custom Tabs, which allow an app to call the main Chrome browser on the device to present the login page. This solves the first issue because the Custom Tab has access to the cookies of the main browser, so it should log you straight in, and the second because the third-party app has no visibility of the Custom Tab. Read more here.
- File-based encryption (FBE): Android 3 and certain Samsung builds (2 through to 6) all implemented full disk encryption (FDE); that is, the entire storage is encrypted with a single key (password) that is entered on boot/reboot, very similar to how a PC or laptop is encrypted. Android 7 now implements file-based encryption, which allows more granular encryption of certain pieces of data, different keys for different data, etc. While there are still some weaknesses in the implementation, it is a great improvement on FDE and the beginning of a journey for Android towards significantly improved data protection. One notable benefit to enterprises of the Android 7 implementation is that Work Profiles are now encrypted with a separate key from that of the personal side of the device. Here is a good blog post on the topic.
- Network Logging: This set of APIs will allow an EMM to receive all DNS queries made on a device, which can then be used to monitor for suspicious behaviour.
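The Key Attestation point above, as an added example (not code from the event or from Google’s documentation): an app generates a key in AndroidKeyStore with a server-supplied challenge and reads back whether the key is hardware-backed. The alias is hypothetical; the local `isInsideSecureHardware()` answer comes from the same OS the app runs on, so the attestation certificate chain is what a back-end should actually verify.

```java
import android.security.keystore.KeyGenParameterSpec;
import android.security.keystore.KeyInfo;
import android.security.keystore.KeyProperties;
import java.security.KeyFactory;
import java.security.KeyPairGenerator;
import java.security.KeyStore;
import java.security.PrivateKey;
import java.security.cert.Certificate;
import java.security.spec.ECGenParameterSpec;

/** Generates an EC key in AndroidKeyStore and reports whether it lives in secure hardware (TEE). */
public final class KeyBackingCheck {
    private static final String ALIAS = "enterprise-signing-key"; // hypothetical alias

    /** @param challenge server-issued, single-use bytes bound into the attestation certificate */
    public static Certificate[] generateAttestedKey(byte[] challenge) throws Exception {
        KeyPairGenerator kpg = KeyPairGenerator.getInstance(
                KeyProperties.KEY_ALGORITHM_EC, "AndroidKeyStore");
        kpg.initialize(new KeyGenParameterSpec.Builder(ALIAS, KeyProperties.PURPOSE_SIGN)
                .setAlgorithmParameterSpec(new ECGenParameterSpec("secp256r1"))
                .setDigests(KeyProperties.DIGEST_SHA256)
                .setAttestationChallenge(challenge)   // API 24+: asks the keymaster for an attestation chain
                .build());
        kpg.generateKeyPair();
        KeyStore ks = KeyStore.getInstance("AndroidKeyStore");
        ks.load(null);
        // The leaf carries the attestation extension (OID 1.3.6.1.4.1.11129.2.1.17) describing the
        // key's security level and the challenge; the chain ends at a Google root. Send this to the
        // back-end, which can then decide for itself whether the key is TEE- or software-backed.
        return ks.getCertificateChain(ALIAS);
    }

    /** Local, non-attested check: does the keystore report the private key as hardware-backed? */
    public static boolean isHardwareBacked() throws Exception {
        KeyStore ks = KeyStore.getInstance("AndroidKeyStore");
        ks.load(null);
        PrivateKey key = (PrivateKey) ks.getKey(ALIAS, null);
        KeyFactory kf = KeyFactory.getInstance(key.getAlgorithm(), "AndroidKeyStore");
        KeyInfo info = kf.getKeySpec(key, KeyInfo.class);
        return info.isInsideSecureHardware();  // API 23+; a compromised OS could answer true
    }
}
```

For the SafetyNet point, an added example of the back-end side that the page only describes, not Google’s reference code: validating the attestation JWS the app sends up. It assumes Jackson for JSON and that the caller has already validated the `x5c` chain to a trusted root; the nonce, package name and signing-certificate digest are whatever this server issued or knows about its own app.

```java
import com.fasterxml.jackson.databind.JsonNode;
import com.fasterxml.jackson.databind.ObjectMapper;
import java.io.ByteArrayInputStream;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.Signature;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import java.util.Base64;

/** Server-side validation of a SafetyNet Attestation result (a JWS) sent up by the app. */
public final class SafetyNetVerifier {
    private static final ObjectMapper JSON = new ObjectMapper();
    private static final long MAX_AGE_MS = 5 * 60 * 1000L;   // accept results at most five minutes old

    /** issuedNonce: what this server handed the app; signingCertSha256: base64 SHA-256 of our APK signer. */
    public static boolean verify(String jws, byte[] issuedNonce, String pkg,
                                 String signingCertSha256) throws Exception {
        String[] parts = jws.split("\\.");
        if (parts.length != 3) return false;
        Base64.Decoder url = Base64.getUrlDecoder();
        JsonNode header = JSON.readTree(url.decode(parts[0]));
        JsonNode claims = JSON.readTree(url.decode(parts[1]));
        // 1. x5c[0] must be a currently valid certificate for attest.android.com. Chain validation to a
        //    trusted root is assumed done by the caller; without it x5c could carry any attacker cert.
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        X509Certificate leaf = (X509Certificate) cf.generateCertificate(new ByteArrayInputStream(
                Base64.getDecoder().decode(header.path("x5c").path(0).asText())));
        leaf.checkValidity();
        if (!leaf.getSubjectX500Principal().getName().contains("CN=attest.android.com")) return false;
        // 2. RS256 signature over the ASCII "header.payload" string.
        Signature sig = Signature.getInstance("SHA256withRSA");
        sig.initVerify(leaf.getPublicKey());
        sig.update((parts[0] + "." + parts[1]).getBytes(StandardCharsets.US_ASCII));
        if (!sig.verify(url.decode(parts[2]))) return false;
        // 3. Nonce binding: ties the result to our session, so a good device's result cannot be replayed.
        if (!MessageDigest.isEqual(Base64.getDecoder().decode(claims.path("nonce").asText()), issuedNonce)) return false;
        // 4. Freshness.
        long age = System.currentTimeMillis() - claims.path("timestampMs").asLong();
        if (age < 0 || age > MAX_AGE_MS) return false;
        // 5. The calling binary is ours: package name and APK signing-certificate digest.
        if (!pkg.equals(claims.path("apkPackageName").asText())) return false;
        boolean certOk = false;
        for (JsonNode d : claims.path("apkCertificateDigestSha256")) certOk |= signingCertSha256.equals(d.asText());
        if (!certOk) return false;
        // 6. Device passed compatibility testing (CTS profile) and basic integrity checks.
        return claims.path("ctsProfileMatch").asBoolean(false) && claims.path("basicIntegrity").asBoolean(false);
    }
}
```

The Chrome Custom Tabs login flow described above, as an added example (not from the page or from Google): the authorization request is handed to Chrome with a random `state` value, and the redirect back into the app is accepted only if that state matches. The identity provider URL, client id and redirect scheme are hypothetical, and the Activity is assumed to use `launchMode="singleTask"` so the redirect arrives in `onNewIntent`.

```java
import android.app.Activity;
import android.content.Intent;
import android.net.Uri;
import android.util.Base64;
import androidx.browser.customtabs.CustomTabsIntent;
import java.security.SecureRandom;

/** Starts an OAuth 2.0 authorization in a Chrome Custom Tab and checks the redirect. */
public class LoginActivity extends Activity {
    // Hypothetical identity provider and client registration.
    private static final String AUTHORIZE = "https://idp.example.com/oauth2/authorize";
    private static final String CLIENT_ID = "example-client-id";
    private static final String REDIRECT = "com.example.app:/oauth2redirect";
    private String pendingState;   // persist via onSaveInstanceState in a real app

    void startLogin() {
        byte[] rnd = new byte[32];
        new SecureRandom().nextBytes(rnd);
        pendingState = Base64.encodeToString(rnd, Base64.URL_SAFE | Base64.NO_WRAP | Base64.NO_PADDING);
        Uri authUri = Uri.parse(AUTHORIZE).buildUpon()
                .appendQueryParameter("response_type", "code")
                .appendQueryParameter("client_id", CLIENT_ID)
                .appendQueryParameter("redirect_uri", REDIRECT)
                .appendQueryParameter("state", pendingState)
                .build();
        // The login page renders in Chrome, not in an in-app WebView: the app never sees what the
        // user types, and the user's existing session cookies for the IdP are available.
        new CustomTabsIntent.Builder().build().launchUrl(this, authUri);
    }

    /*
     * The IdP redirects to com.example.app:/oauth2redirect, which the manifest routes back here:
     *   <intent-filter>
     *     <action android:name="android.intent.action.VIEW"/>
     *     <category android:name="android.intent.category.DEFAULT"/>
     *     <category android:name="android.intent.category.BROWSABLE"/>
     *     <data android:scheme="com.example.app"/>
     *   </intent-filter>
     */
    @Override
    protected void onNewIntent(Intent intent) {
        super.onNewIntent(intent);
        Uri redirect = intent.getData();
        if (redirect == null || pendingState == null) return;
        // A state mismatch means this redirect was not started by this app instance: drop it.
        if (!pendingState.equals(redirect.getQueryParameter("state"))) return;
        pendingState = null;   // single use
        String code = redirect.getQueryParameter("code");   // redeem at the token endpoint (omitted)
    }
}
```

The Network Logging APIs above inside a DPC, as an added example and not any EMM’s code: a DeviceAdminReceiver enables logging (device owner only in Android 8.0), pulls each batch, and screens DnsEvents with a constructed blocklist and simple tunnelling heuristics.

```java
import android.app.admin.DeviceAdminReceiver;
import android.app.admin.DevicePolicyManager;
import android.app.admin.DnsEvent;
import android.app.admin.NetworkEvent;
import android.content.ComponentName;
import android.content.Context;
import android.content.Intent;
import android.util.Log;
import java.util.List;

/** DPC admin receiver that turns on network logging and screens the DNS events it receives. */
public class EnterpriseAdminReceiver extends DeviceAdminReceiver {
    private static final String TAG = "NetLog";
    // Constructed example blocklist; a real DPC would pull indicators from the EMM back-end.
    private static final String[] BLOCKLIST = {"malware.example.net", "c2.example.org"};

    /** Call once from the device-owner DPC; events are then delivered in batches. */
    public static void enableNetworkLogging(Context ctx) {
        DevicePolicyManager dpm = (DevicePolicyManager) ctx.getSystemService(Context.DEVICE_POLICY_SERVICE);
        dpm.setNetworkLoggingEnabled(new ComponentName(ctx, EnterpriseAdminReceiver.class), true);
    }

    @Override
    public void onNetworkLogsAvailable(Context ctx, Intent intent, long batchToken, int networkLogsCount) {
        DevicePolicyManager dpm = (DevicePolicyManager) ctx.getSystemService(Context.DEVICE_POLICY_SERVICE);
        List<NetworkEvent> events = dpm.retrieveNetworkLogs(getWho(ctx), batchToken);
        if (events == null) return;   // batch already consumed or expired
        for (NetworkEvent e : events) {
            if (!(e instanceof DnsEvent)) continue;   // ConnectEvents arrive too; only DNS is screened here
            DnsEvent dns = (DnsEvent) e;
            String reason = classify(dns.getHostname());
            if (reason != null) {
                // Upload to the EMM console in a real DPC; a local log line stands in for that here.
                Log.w(TAG, dns.getPackageName() + " queried " + dns.getHostname() + ": " + reason);
            }
        }
    }

    /** Returns a reason string when a hostname looks suspicious, or null when it does not. */
    static String classify(String host) {
        String h = host.toLowerCase();
        for (String bad : BLOCKLIST) if (h.equals(bad) || h.endsWith("." + bad)) return "blocklisted domain";
        String[] labels = h.split("\\.");
        for (String l : labels) if (l.length() > 52) return "oversized label (possible DNS tunnelling)";
        if (labels.length > 6) return "unusually deep subdomain";
        return null;
    }
}
```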
The Enterprise Android team’s message on fragmentation was that while they certainly see the challenges it poses, the openness of Android is what has allowed it to expand so successfully into TVs, cars, Android compute sticks, set-top boxes, printers and various other applications. Their goal is to find the balance between diversity and fragmentation, which they are achieving with:
- AfW: Android for Work (AfW), now just Android Enterprise, provides a consistent enterprise container and set of management APIs available on all Android devices regardless of manufacturer, beginning with Android 5 (Lollipop).
- Google Mobile Services (GMS) Certification: the Google app suite (Gmail, Play Store, Chrome, etc.) is not part of the underlying AOSP version of Android; a device manufacturer should obtain a licence to supply these apps on their devices. To obtain this licence their devices must pass various tests to attain GMS Certification, which assures end-users that the device has all the hardware and capabilities necessary to run the various Google apps correctly. It is worth noting that GMS Certification is not mandated, and you can find non-GMS Certified devices with these apps installed. It is therefore essential that enterprises confirm devices are GMS Certified before purchase.
- Gmail for Enterprise: since early 2016, the Gmail app has supported Exchange ActiveSync and new features are being added constantly (S/MIME, Task sync, Office365 OAUTH2). The purpose of this is to have a single enterprise email client that is available on any Android device, regardless of manufacturer or carrier build. For enterprises, the Gmail app greatly simplifies the roll-out process (particularly in a BYOD environment with diverse device builds), makes finding support much easier (the Gmail app is used by hundreds of millions of users) and makes supporting their users much easier (only one email client for the support team to learn). The majority of enterprises only make mail, contacts or calendar available to their users, so this single enterprise email client is probably going to have the biggest impact on fragmentation for enterprises.
Android supported management via EMM solutions very early on (2.2?); however, I think Google would agree that until the release of Android for Work it was not a major focus, which is completely understandable because they decided to concentrate on improving the experience for the hundreds of millions of consumer users. This led to the ODMs, who did want to target enterprise, implementing their own management solutions to fill the gap – for example Samsung Approved for Enterprise (SAFE), Samsung KNOX, Sony Enterprise SDK, HTC API and many more. Between different versions of the underlying Android OS, different ODM builds of the OS, different releases of the management APIs (some updating in line with the OS, some not) and sporadic support from the EMM vendors, the management of Android was unpredictable and not for the faint-hearted.
Android for Work (now Android Enterprise) is set to solve all these issues – namely a single set of management controls and features across all Android devices. However, the Android Enterprise team are taking it further with the likes of –
- EMM Solution Validation – A process and community EMM vendors subscribe to that aims to ensure a consistent and predictable management experience across EMM platforms. For example, EMM vendors will need to demonstrate to Google their platform provides certain features (some will be required, others optional) within a certain time-frame of Google releasing the feature in Android. Read more here.
- Managed Play vs Managed Google accounts – More details are provided below, but in short EMMs can now provision full Google (G-Suite) accounts to devices or more basic Managed Play accounts which allow installing apps and managing the devices without the need for a full Google account.
- Android Management Experience (AME) – AME is a sandbox EMM environment where enterprises can take the latest Android Enterprise features for a spin without needing to implement a full EMM solution. Read more here.
- Managed Configurations – This is a big one, allowing enterprises to push configuration to apps as they install, to simplify or completely automate the process for end-users. This may be as simple as pushing a registration token, or as complex as pushing client certificates, a full set of app settings, server URLs etc. This feature has been very cleverly implemented: app vendors supply a detailed configuration schema in their app manifest, and EMM solutions can then process this schema and present admins with a detailed set of settings and values they can tweak for a given app. Read more here.
- Gmail support for Exchange – After getting devices enrolled with EMM, the next challenge for enterprises adopting Android in the past was an email/contacts/calendar client. Although the vanilla version of AOSP Android came with a mail client, it did not support many of the features enterprises expected, such as SCEP based certificate distribution. Therefore, ODMs like Samsung, HTC, LG, Sony all crafted their own flavours of the native mail client, as did some third parties such as TouchDown, Enterproid/Divide, Mail+, AirWatch, MobileIron, Good, Citrix – another fragmenting factor on top of the underlying operating system fragmentation. In 2016 Google started adding Exchange support to the Gmail app and this has now matured significantly with the likes of S/MIME support and signing certificate distribution due later this year. Gmail will provide a single managed email/contacts/calendar client regardless of the ODM, device type, OS version, or EMM partner.
- Cloud-based management API – This is another big one. At present an EMM vendor must put an app or agent on devices to manage them. This agent is known as a Device Policy Controller (DPC). However, the Android Enterprise team have built a set of cloud-based APIs that will allow management of Android devices without the need to install a DPC on devices. This should greatly simplify the work required by EMM vendors to develop DPCs, which in turn should allow much quicker management feature integration, as all an EMM vendor needs to do is call a new API to expose a new control.
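Managed Configurations from the app vendor’s side, as an added example not taken from the page or any EMM: a hypothetical restrictions schema (keys `server_url`, `enrolment_token`, `allow_screenshots`) and the code that reads what the EMM pushed and re-reads it when the policy changes.

```java
import android.content.BroadcastReceiver;
import android.content.Context;
import android.content.Intent;
import android.content.IntentFilter;
import android.content.RestrictionsManager;
import android.os.Bundle;

/*
 * Schema the app vendor ships in res/xml/app_restrictions.xml and references from the manifest with
 *   <meta-data android:name="android.content.APP_RESTRICTIONS" android:resource="@xml/app_restrictions"/>
 * The EMM reads this schema and renders the keys as admin-editable settings (keys are hypothetical):
 *
 *   <restrictions xmlns:android="http://schemas.android.com/apk/res/android">
 *     <restriction android:key="server_url" android:restrictionType="string" android:title="@string/server_url"/>
 *     <restriction android:key="enrolment_token" android:restrictionType="string" android:title="@string/token"/>
 *     <restriction android:key="allow_screenshots" android:restrictionType="bool"
 *                  android:defaultValue="false" android:title="@string/allow_screenshots"/>
 *   </restrictions>
 */
public final class ManagedConfig {
    public final String serverUrl;
    public final String enrolmentToken;
    public final boolean allowScreenshots;

    private ManagedConfig(String u, String t, boolean s) { serverUrl = u; enrolmentToken = t; allowScreenshots = s; }

    /** Reads what the EMM pushed; returns null when no usable configuration is present. */
    public static ManagedConfig load(Context ctx) {
        RestrictionsManager rm = (RestrictionsManager) ctx.getSystemService(Context.RESTRICTIONS_SERVICE);
        Bundle b = rm.getApplicationRestrictions();   // empty Bundle on an unmanaged device
        String url = b.getString("server_url");
        // Pushed values are admin-controlled but still input: insist on HTTPS before trusting the endpoint.
        if (url == null || !url.startsWith("https://")) return null;
        return new ManagedConfig(url, b.getString("enrolment_token"), b.getBoolean("allow_screenshots", false));
    }

    /** Register once (e.g. in Application.onCreate) so a changed policy applies without reinstalling. */
    public static void watch(Context ctx, Runnable onChange) {
        ctx.registerReceiver(new BroadcastReceiver() {
            @Override public void onReceive(Context c, Intent i) { onChange.run(); }
        }, new IntentFilter(Intent.ACTION_APPLICATION_RESTRICTIONS_CHANGED));
    }
}
```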
The on-boarding of enterprise users is being tackled on a number of fronts –
- The first is simplifying and speeding up activating Google accounts on devices, necessary to install apps and manage devices. With the first iteration of AfW, it was necessary to use Managed Google Accounts, which meant having a full Google account for all users and claiming your public domain name with Google. Achieving this at enterprise scale tended to mean syncing your Active Directory with Google. Last year Google released Managed Play Accounts, which allowed you to activate a Play account on devices, install apps and enrol for management without the need for a full Google account. EMM solutions can manage the creation of these Play accounts in the background with no need to sync your enterprise directory – a huge improvement.
- The time taken to activate Managed Play Accounts has been constantly driven down, as has the time taken to provision the Play accounts on devices, halving a number of times with further speed increases to come.
- Zero Touch is probably the most exciting, allowing enterprises to ship devices directly to users and have them provision in seconds right out of the box. The feature is currently available for Pixel devices, but will shortly be available to all ODMs that wish to support it. Enterprises will have a management console where they can see all their Zero Touch devices and specify settings to take place during initial power-on and setup, such as skipping setup steps, automatically enrolling with an EMM, proceeding directly to kiosk mode of certain apps etc.
I would like to thank Google for running an excellent event and being very upfront and humble with all their enterprise partners. It was a great event to attend and I think we all came away energised and empowered to drive adoption of Android in the enterprise. For more information on Android in the enterprise please see https://enterprise.google.com/android/.
Philip Harrison, CTO @ CWSI