Companies that use Android devices have few options for managing and securing them. Until recently, the most common way of enrolling an Android device was the Device Admin API; it is now considered an outdated, legacy form of management. What should we use instead to properly secure our devices? That’s where Android Enterprise comes to the rescue.
Let’s start from the beginning – what exactly is Device Admin, and why is it being replaced?
Android Device Admin is an API that offers a limited set of capabilities for apps that need elevated administrative permissions in order to perform certain tasks. You can use the Device Administration API to write device admin apps that users install on their devices. It is used by email clients, security apps that perform remote wipe, and device management services and apps.
Device Admin has been available since Android 2.2, so for quite a long time. It was considered a legacy management approach even back in 2014, when Android 5 was released with the fully managed device and work profile modes. Since the introduction of Device Admin in 2010, Android has come a really long way. As a result, Device Admin is not well suited to today’s enterprise requirements. Enterprises demand a higher level of trust, because devices increasingly access more confidential resources and are used in a wider variety of use cases than Android’s original Device Admin API was designed for.
Read about Device Admin deprecation on Google’s developers site.
So what should we use now in our enterprises, if Device Admin is a legacy approach? Google suggests transitioning to Android Enterprise, which provides more security, more privacy and a modern approach to management. There are 4 ways to manage Android devices in your company – COBO, COPE, COSU and BYOD. All of these modes were created with one purpose in mind – to replace the Device Admin API.
Fully managed device (COBO – corporate owned, business only)
This is the basic mode for companies that provide devices to their users for business purposes only. The DPC holds the Device Owner role, so the enterprise is in full control of the whole device via a device policy controller (DPC) app and can enforce the whole range of management policies.
Fully managed device with work profile (COPE – corporate owned, privately enabled)
This mode is a fully managed device that additionally separates personal and work data by applying a work profile, in which all company-related apps and data are stored. Users are free to use the personal part for their private data, but the company still has control over the whole device. In the upcoming Android 11, however, COPE mode will be changed into an enhanced work profile on company-owned devices due to privacy concerns. Read more about this change here.
Work profile only (BYOD – bring your own device)
BYOD mode means that an employee “brings” their own device into the company and also uses it for work. In this scenario the best approach is to create a work profile on the device, in which the EMM configures all work-related apps and policies. The enterprise cannot manage the personal part of the device, and the user can remove the work profile at any time.
Dedicated device (COSU – corporate owned, single use)
A dedicated device is set up to serve a single purpose, with a locked selection of apps needed to achieve the desired functionality, such as kiosks or digital signage.
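To make the four modes concrete from the DPC’s point of view, here is an added example (not Famoc’s or Google’s code) of how a device policy controller can work out which role it actually holds on the device and apply a baseline that fits that role. The DPC package com.example.dpc, its receiver class AdminReceiver and the kiosk package com.example.kiosk are hypothetical names; the DevicePolicyManager and UserManager calls are the public Android APIs.

```java
import android.app.admin.DevicePolicyManager;
import android.content.ComponentName;
import android.content.Context;
import android.os.UserManager;

// Added example, not code from Famoc or Google. The DPC package, its admin
// receiver and the kiosk package are hypothetical names.
public final class ModePolicies {

    public enum Mode { FULLY_MANAGED, WORK_PROFILE, LEGACY_DEVICE_ADMIN, NONE }

    private static final ComponentName ADMIN =
            new ComponentName("com.example.dpc", "com.example.dpc.AdminReceiver");

    private static DevicePolicyManager dpm(Context ctx) {
        return (DevicePolicyManager) ctx.getSystemService(Context.DEVICE_POLICY_SERVICE);
    }

    /** Works out which role this DPC actually holds on the device. */
    public static Mode detect(Context ctx) {
        DevicePolicyManager dpm = dpm(ctx);
        String pkg = ctx.getPackageName();
        if (dpm.isDeviceOwnerApp(pkg)) {
            // COBO and COSU; also the parent of a COPE device before Android 11.
            return Mode.FULLY_MANAGED;
        }
        if (dpm.isProfileOwnerApp(pkg)) {
            // BYOD work profile (and the work-profile side of COPE).
            return Mode.WORK_PROFILE;
        }
        if (dpm.isAdminActive(ADMIN)) {
            // Only the deprecated Device Admin grant: the weakest position.
            return Mode.LEGACY_DEVICE_ADMIN;
        }
        return Mode.NONE;
    }

    /** Applies a baseline matching the role; calls that need a role we lack would throw. */
    public static void applyBaseline(Context ctx, boolean dedicatedDevice) {
        DevicePolicyManager dpm = dpm(ctx);
        switch (detect(ctx)) {
            case FULLY_MANAGED:
                // The whole device is corporate: block sideloading and demand a lock screen.
                dpm.addUserRestriction(ADMIN, UserManager.DISALLOW_INSTALL_UNKNOWN_SOURCES);
                dpm.setPasswordQuality(ADMIN, DevicePolicyManager.PASSWORD_QUALITY_NUMERIC_COMPLEX);
                if (dedicatedDevice) {
                    // COSU: only the kiosk app may pin itself with Activity.startLockTask().
                    dpm.setLockTaskPackages(ADMIN, new String[] {"com.example.kiosk"});
                }
                break;
            case WORK_PROFILE:
                // Restrictions land in the work profile only; the personal side is untouched.
                dpm.addUserRestriction(ADMIN, UserManager.DISALLOW_INSTALL_UNKNOWN_SOURCES);
                dpm.setCrossProfileCallerIdDisabled(ADMIN, true);
                break;
            case LEGACY_DEVICE_ADMIN:
                // Device Admin has no user restrictions at all; a password policy is about it.
                dpm.setPasswordQuality(ADMIN, DevicePolicyManager.PASSWORD_QUALITY_NUMERIC_COMPLEX);
                break;
            default:
                // Not enrolled: nothing may be enforced.
                break;
        }
    }
}
```

The LEGACY_DEVICE_ADMIN branch shows the gap the article describes: with only a Device Admin grant the DPC cannot set user restrictions or lock-task packages at all, and even the password policy requires the corresponding entry in the app’s device_admin.xml. The kiosk app itself still has to call startLockTask(); setLockTaskPackages() only whitelists it.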
Enterprises have more complex use cases and demand a higher level of security. A lot has changed since Android 2.2 – companies want to deploy devices to their employees more easily, in different usage scenarios (work profile, corporate only, etc.) and in a way that ensures the required degree of trust between the user and the app that manages the device. Android Enterprise introduced new ways of device enrollment using NFC, QR codes, DPC identifiers and, more importantly, zero-touch. This way devices enroll into the EMM system as soon as they are taken out of the box.
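The QR-code enrollment mentioned above carries a JSON payload that names the DPC, where to download it, and a checksum of its signing certificate, so a device only provisions a DPC that was signed by the expected key. The following is an added example (not Famoc’s or Google’s code) that computes that checksum and assembles the payload; the extra names are the real android.app.extra.PROVISIONING_* keys, while the package name, download URL, certificate bytes and the enrollment_token inside the admin extras are hypothetical placeholders.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.util.Base64;

// Added example, not code from Famoc or Google. The DPC package, download URL,
// certificate bytes and admin extras are hypothetical placeholders.
public final class ProvisioningPayload {

    /** URL-safe Base64 (padding omitted) of SHA-256 over the DPC's signing certificate (DER). */
    public static String signatureChecksum(byte[] signingCertDer) {
        try {
            byte[] digest = MessageDigest.getInstance("SHA-256").digest(signingCertDer);
            return Base64.getUrlEncoder().withoutPadding().encodeToString(digest);
        } catch (NoSuchAlgorithmException e) {
            throw new IllegalStateException("SHA-256 unavailable", e);
        }
    }

    /** Builds the JSON document that gets encoded into the enrollment QR code. */
    public static String qrJson(byte[] signingCertDer) {
        String checksum = signatureChecksum(signingCertDer);
        return "{\n"
            + "  \"android.app.extra.PROVISIONING_DEVICE_ADMIN_COMPONENT_NAME\": "
            + "\"com.example.dpc/.AdminReceiver\",\n"
            + "  \"android.app.extra.PROVISIONING_DEVICE_ADMIN_PACKAGE_DOWNLOAD_LOCATION\": "
            + "\"https://emm.example.com/dpc.apk\",\n"
            // The device refuses the downloaded APK unless its signer matches this hash,
            // so a swapped APK at the download URL cannot become device owner.
            + "  \"android.app.extra.PROVISIONING_DEVICE_ADMIN_SIGNATURE_CHECKSUM\": \""
            + checksum + "\",\n"
            + "  \"android.app.extra.PROVISIONING_SKIP_ENCRYPTION\": false,\n"
            + "  \"android.app.extra.PROVISIONING_LEAVE_ALL_SYSTEM_APPS_ENABLED\": false,\n"
            + "  \"android.app.extra.PROVISIONING_ADMIN_EXTRAS_BUNDLE\": {\n"
            + "    \"enrollment_token\": \"PLACEHOLDER_ENROLLMENT_TOKEN\"\n"
            + "  }\n"
            + "}";
    }

    public static void main(String[] args) {
        // Constructed stand-in for the certificate. In a real deployment the DER bytes
        // come from the signing certificate of the released DPC APK, and the checksum
        // is cross-checked against the SHA-256 fingerprint keytool -printcert reports.
        byte[] fakeCert = "constructed-cert-bytes".getBytes(StandardCharsets.US_ASCII);
        System.out.println(qrJson(fakeCert));
    }
}
```

Everything in the admin extras bundle is visible to anyone who can scan the QR code, so an enrollment token placed there should be short-lived and single-use. Zero-touch enrollment registers the same DPC and extras in the zero-touch portal instead of a printed code; that portal is outside this example.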
Device Admin can be acquired by any app at any point in the life of the device. This leads to situations where malicious apps ask for permission to manage users’ mobile phones. When a user accepts such a request, which is a problem in itself, the attacker is in control: they could then set the password for unlocking the device and ask for a ransom. Android Enterprise, by contrast, can only be enrolled on a brand new device or, if the user wants only the work profile, the app manages the work container alone, without any possibility of changing the personal part’s settings.
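A defender-side counterpart to the risk above, as an added example that is not part of the original post: a small audit, meant to run inside the DPC or a security app on the device, that lists every active admin and flags any that is not in the approved set. The approved package com.example.dpc is hypothetical; the DevicePolicyManager calls are the public Android APIs.

```java
import android.app.admin.DevicePolicyManager;
import android.content.ComponentName;
import android.content.Context;
import java.util.ArrayList;
import java.util.List;
import java.util.Set;

// Added example, not code from Famoc or Google. The approved DPC package is hypothetical.
public final class AdminAudit {

    /** One active admin and what we know about it. */
    public static final class Finding {
        public final ComponentName admin;
        public final boolean approved;      // present in the allowlist handed to audit()
        public final boolean deviceOwner;   // holds Device Owner (fully managed device)
        public final boolean profileOwner;  // holds Profile Owner (work profile)

        Finding(ComponentName admin, boolean approved, boolean deviceOwner, boolean profileOwner) {
            this.admin = admin;
            this.approved = approved;
            this.deviceOwner = deviceOwner;
            this.profileOwner = profileOwner;
        }

        @Override
        public String toString() {
            String role = deviceOwner ? "device-owner"
                        : profileOwner ? "profile-owner"
                        : "device-admin-only";
            return (approved ? "OK      " : "SUSPECT ")
                    + admin.flattenToShortString() + " (" + role + ")";
        }
    }

    /** Lists every active admin for the calling user and flags the unexpected ones. */
    public static List<Finding> audit(Context ctx, Set<String> approvedPackages) {
        DevicePolicyManager dpm =
                (DevicePolicyManager) ctx.getSystemService(Context.DEVICE_POLICY_SERVICE);
        List<Finding> findings = new ArrayList<>();
        List<ComponentName> admins = dpm.getActiveAdmins();   // null when nobody holds admin
        if (admins == null) {
            return findings;
        }
        for (ComponentName cn : admins) {
            String pkg = cn.getPackageName();
            findings.add(new Finding(cn,
                    approvedPackages.contains(pkg),
                    dpm.isDeviceOwnerApp(pkg),
                    dpm.isProfileOwnerApp(pkg)));
        }
        return findings;
    }

    /** True when any admin outside the allowlist is active; worth reporting to the EMM. */
    public static boolean hasUnexpectedAdmin(List<Finding> findings) {
        for (Finding f : findings) {
            if (!f.approved) {
                return true;
            }
        }
        return false;
    }
}
```

A DPC can call removeActiveAdmin() only on its own component, so an unexpected entry is a detection finding to report to the EMM rather than something the DPC can silently fix; on a fully managed device the DISALLOW_INSTALL_UNKNOWN_SOURCES restriction reduces how such apps arrive in the first place.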
Management of apps
There was no easy way to manage the corporate applications that enterprises wanted to deploy on their devices. Administrators needed to download APKs from external sites in order to deploy them, and Device Admin alone had no option to install apps silently. Android Enterprise came along with Managed Google Play, which makes it possible to prepare a work version of the Google Play store from which users can download and install all of the apps required by their company. Administrators can select which apps are mandatory; those are installed silently on the device as soon as a Managed Google Play account is added. Applications that support managed configuration can also be configured instantly, right after installation.
Android is provided by many OEMs (Original Equipment Manufacturers). Some OEMs (like Samsung) have implemented their own APIs, which in turn requires EMMs to implement those APIs. It’s not a very secure solution because it involves enabling unknown sources and sideloading APKs. Android Enterprise has an advantage here – it uses OEMConfig. You just install the correct OEMConfig app on the device (the OEM should be able to provide it) and then locate the OEMConfig or device management section to set and apply custom, manufacturer-specific policies. Easy as that!
So now we know that Android Enterprise is recommended by both Google and Famoc, as it’s a much more secure and modern approach. But how do you migrate from Device Admin to Android Enterprise?
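The managed configuration mentioned under app management and the OEMConfig approach in the previous paragraph are the same mechanism: the DPC hands a Bundle of key/value settings to a target package, and the target reads it through RestrictionsManager. The following added example (not Famoc’s, Google’s or any OEM’s code) shows both sides: the DPC pushing settings to a mail app and to an OEMConfig app, and the mail app reading them while failing closed. The package names and restriction keys are hypothetical; real keys come from each app’s restrictions.xml schema or the OEM’s published OEMConfig schema.

```java
import android.app.admin.DevicePolicyManager;
import android.content.ComponentName;
import android.content.Context;
import android.content.RestrictionsManager;
import android.os.Bundle;

// Added example, not code from Famoc, Google or any OEM. Package names and
// restriction keys are hypothetical; real keys come from each app's managed
// configuration schema (restrictions.xml) or the OEM's OEMConfig schema.
public final class ManagedConfig {

    private static final ComponentName ADMIN =
            new ComponentName("com.example.dpc", "com.example.dpc.AdminReceiver");

    private static DevicePolicyManager dpm(Context ctx) {
        return (DevicePolicyManager) ctx.getSystemService(Context.DEVICE_POLICY_SERVICE);
    }

    private static RestrictionsManager restrictions(Context ctx) {
        return (RestrictionsManager) ctx.getSystemService(Context.RESTRICTIONS_SERVICE);
    }

    // ---- DPC side: configure a managed app right after Managed Play installed it ----
    public static void pushMailConfig(Context ctx) {
        Bundle cfg = new Bundle();
        cfg.putString("server_url", "https://mail.example.com");
        cfg.putBoolean("allow_attachment_download", false);
        // As profile owner this reaches only the work-profile copy of the app.
        dpm(ctx).setApplicationRestrictions(ADMIN, "com.example.mail", cfg);
    }

    // ---- DPC side: OEMConfig is just another managed-configuration receiver ----
    public static void pushOemConfig(Context ctx) {
        // No vendor SDK and no sideloading: the OEMConfig app is installed from
        // Managed Google Play and the DPC only fills in the OEM's published schema.
        Bundle cfg = new Bundle();
        cfg.putBoolean("usb_debugging_allowed", false);
        dpm(ctx).setApplicationRestrictions(ADMIN, "com.example.oemconfig", cfg);
    }

    // ---- Managed app side: read what the DPC pushed, failing closed ----
    public static String effectiveServerUrl(Context ctx) {
        Bundle cfg = restrictions(ctx).getApplicationRestrictions();
        // Never fall back to a hard-coded server: an unconfigured app stays offline.
        return cfg == null ? null : cfg.getString("server_url", null);
    }

    public static boolean attachmentsAllowed(Context ctx) {
        Bundle cfg = restrictions(ctx).getApplicationRestrictions();
        // Absent key means the restrictive default.
        return cfg != null && cfg.getBoolean("allow_attachment_download", false);
    }
}
```

The managed app should re-read its configuration when it receives the Intent.ACTION_APPLICATION_RESTRICTIONS_CHANGED broadcast, so a policy change from the EMM takes effect without a reinstall. Because the OEMConfig app is fetched from Managed Google Play rather than sideloaded, the unknown-sources setting the article warns about can stay disabled.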
Migration from Device Admin to Android Enterprise should have four stages:
/ Analysis – understanding the current deployment
/ Requirements mapping – determining feature requirements
/ Proof of concept – setting up a test instance
/ Deployment – time to migrate!
These stages are described step by step in Google’s migration tutorial. If you want to properly migrate and be fully secure, please read the Android Enterprise Migration Bluebook.