Get up to speed on the latest Android Enterprise developments.
By Jason Bayton
What is Android enterprise?
Android Enterprise (formerly Android for Work) is a collection of enhanced management APIs baked directly into the operating system for universal control and management of all Android devices running Android 5.0 and above. It makes use of profiles first introduced in 5.0 to create a secure, encrypted workspace for corporate applications and data.
In response to growing enterprise demand, Google worked with the likes of Samsung – who are known to be the best-supported Android OEM for device management across the world – to develop built-in management out of the box for all Android devices, and internally on their own Core applications to support managed configurations – a way of remotely managing email, web traffic and more.
Fragmentation has been an issue in the past: you could pick up three different devices and have no guarantee that any of them were capable of enterprise management. With Android enterprise this is no longer the case, as all Android devices share the same underlying management APIs, varying only slightly between major OS versions as each adds enhanced capabilities.
Android Enterprise Deployment Scenarios
Work profile
In this scenario end-users have full control over their devices and EMM administrators control a second profile on the device. The work profile integrates fully with the end-user's own profile to create a seamless experience, marking work applications with an orange briefcase badge. Administrators have very limited visibility into the device beyond basic information; in particular, they cannot see which applications are installed on the personal profile, because no EMM agent is installed or running there.
Work profile is suitable for a BYOD-type deployment scenario where only securing and managing the work container and device passcode is necessary, leaving control of the device and general maintenance to the end-user.
The work profile is encrypted and supports its own passcode by design, though enforcing that passcode is optional. Data loss prevention (DLP) controls allow EMM admins to block copy/paste out of the work profile and to block screenshots and other forms of data sharing; optionally, contact sharing between profiles can be enabled so that incoming calls from work contacts are matched to a name.
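As an added illustration (not code from the original post), this is how an EMM's device policy controller, running as profile owner of the work profile, would apply the controls just described through Android's DevicePolicyManager; the class name and the specific passcode requirements are assumptions.

```java
// Added example: a profile-owner DPC applying work profile DLP and passcode controls.
// Class name and the exact passcode policy values are assumptions, not from the post.
import android.app.admin.DevicePolicyManager;
import android.content.ComponentName;
import android.content.Context;
import android.os.UserManager;

public final class WorkProfilePolicy {

    private WorkProfilePolicy() {}

    /** Applies the work profile controls; returns false if this app is not profile owner. */
    public static boolean apply(Context ctx, ComponentName admin) {
        DevicePolicyManager dpm =
                (DevicePolicyManager) ctx.getSystemService(Context.DEVICE_POLICY_SERVICE);
        // Every call below throws SecurityException unless we own the profile, so check first.
        if (!dpm.isProfileOwnerApp(ctx.getPackageName())) {
            return false;
        }

        // DLP: clipboard contents copied inside the work profile cannot be pasted
        // into personal apps.
        dpm.addUserRestriction(admin, UserManager.DISALLOW_CROSS_PROFILE_COPY_PASTE);

        // DLP: no screenshots of work apps (also blocks non-secure display output).
        dpm.setScreenCaptureDisabled(admin, true);

        // Optional contact sharing: the personal dialler may resolve work contacts
        // for incoming calls, and the personal contacts app may search them (API 24+).
        dpm.setCrossProfileCallerIdDisabled(admin, false);
        dpm.setCrossProfileContactsSearchDisabled(admin, false);

        // Work profile passcode: optional by design, enforced here as an assumption.
        dpm.setPasswordQuality(admin, DevicePolicyManager.PASSWORD_QUALITY_NUMERIC_COMPLEX);
        dpm.setPasswordMinimumLength(admin, 6);

        // The device (personal-side) passcode is the one personal setting a profile
        // owner may manage; it is reached through the parent profile instance (API 24+).
        DevicePolicyManager parent = dpm.getParentProfileInstance(admin);
        parent.setPasswordQuality(admin, DevicePolicyManager.PASSWORD_QUALITY_SOMETHING);

        return true;
    }
}
```

Everything outside the work profile other than the device passcode stays invisible to and unmanaged by this DPC, which is exactly the split the work profile scenario is designed to give a BYOD user.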
If a device is retired, it only removes the work profile and leaves the rest of the device untouched.
Work-managed
In this scenario a device is taken directly out of the box and provisioned from a factory-reset state. EMM admins (or end-users) can provision the device in any of the following ways:
Once any of the above are used, the device then skips the normal setup wizard and prompts instead for enrolment into EMM.
Work-managed is suitable for secure environments where EMM administrators control the device's functionality and the applications permitted for installation, and have full visibility of the device. Applications are delivered through managed Google Play, a separate Google Play store view that shows only approved apps and therefore gives no access to any others.
This scenario also permits a kiosk mode if required, further locking down the device. There is very little user freedom with work-managed devices, and retiring the device will fully wipe it.
Work-managed work profile
This deployment scenario is available for devices running Android 8.0 and above, and combines – as the name suggests – the two previous deployment scenarios into one device.
Work-managed work profile offers a middle ground between work profile and work-managed: work applications are confined to the work profile, while applications and settings outside of it remain under the end-user's control. Because the device itself is work-managed, EMM administrators can still impose device-wide restrictions that override end-user control if required.
In this scenario, the device will be provisioned like a work-managed device with an out-of-the-box setup. EMM administrators will have full control over the device, and if supported by the EMM provider, will be able to convert work-managed devices into work-managed work profile devices with little effort.
Work-managed work profile is very close to "legacy" Android management in that the device is managed but end-users can be given freedom to use it as they see fit, and will therefore be the preferred deployment scenario for enterprises adopting Android enterprise in the future.
Retiring a work-managed work profile device will fully wipe it, including all user data.
Zero-touch provisioning
As of Android 8.0, device OEMs can include zero-touch provisioning support on their devices. EMM administrators can remotely provision devices for either work-managed deployment scenario from a dedicated Android zero-touch console, allowing devices to enrol directly out of the box.
Zero-touch requires that devices be purchased through authorised resellers, who also manage access to the zero-touch console. Purchased devices are automatically added to the console, where EMM admins define the EMM server and device configuration to be applied automatically on the first boot, and again on every first boot following a factory reset.
Zero-touch makes the deployment of work-managed Android devices as simple as iOS on Apple's Device Enrolment Programme.
Android Enterprise vs Legacy Enrolment
A common question when discussing Android enterprise is how it differs from what came before.
With Android enrolment today (referred to by Google going forward as device administrator enrolment) EMM administrators are very much limited to Samsung devices to guarantee a reasonable degree of management. Other OEMs offer little to no APIs for device management and are therefore mostly limited to BYOD deployments.
When a Samsung device is enrolled, EMM administrators have management over the device to a degree similar to that of work-managed above and can combine it with an EMM container (such as MobileIron AppConnect or AirWatch Container) to partition off critical corporate applications behind an additional passcode-enabled and encrypted sandbox.
Reaching that point, however, relies on the end-user granting the EMM client application administrative privileges and enabling unknown sources, which normally produces a warning and later allows the end-user to side-load non-Play Store applications.
Then there are other problems, such as Factory Reset Protection, which requires the password of the last Google account used if the device is wiped before that account is manually removed, not dissimilar to iOS Activation Lock (sometimes referred to as a feature of Find My iPhone). Speaking of Google accounts, either end-users or administrators will usually have to manage them to enable application downloads, a requirement that does not exist with Android enterprise, where accounts are managed automatically. There is also usually no silent application installation unless applications are distributed as raw APKs from the EMM, which is not a recommended practice.
Android enterprise isn't better in every way of course. Samsung do have advanced provisioning capabilities through their own solutions, and with KNOX Premium can not only solve a number of issues above, but offer more management features to boot. However, Samsung's configurator and KNOX Premium come with their own device-based licensing costs while Android enterprise is entirely free of charge (and catching up with Samsung to offer feature parity quite swiftly).
Enabling Android Enterprise
Android enterprise can be enabled in two ways. The first is as part of a larger G Suite domain, which normally requires domain verification and additional configuration; the second is a much simpler method: Android enterprise accounts.
For the latter, an EMM administrator will need roughly an hour to sign up with Google using a generic, corporate Gmail account (there is nothing special about it; it is simply a Gmail account not tied to any particular person). The request is initiated either through the EMM platform directly or through the EMM vendor's customer portal, after which a configuration is returned to import into the EMM, and the connection is then established (provided network firewall rules do not block access to accounts.google.com and googleapis.com).
From there, just a few initial configurations/profiles need to be created and assigned either to a static group/label for testing, or dynamic to deploy to all enrolled Android devices.
Android devices are generally cheaper and offer far more flexibility for the requirements of an organisation. For the longest time this price gap has been considered something of a false economy due to the increased costs of support and device maintenance, and while that will remain true for a large subset of non-GMS certified devices (like those imported from China) and devices with unrealistically low specifications, mid-market Motorola, Sony, Samsung and other similar brands are far more accessible when managed with Android enterprise.
EMM administrators will be able to offer a consistent experience both for end-users and those supporting them.