Google has supported the use of mobile devices in companies for many years, steadily introducing and developing new solutions for business. Companies differ in the approach they take to mobile devices, so Google came up with four enterprise mobility strategies, which we all know as: BYOD (Bring Your Own Device), COPE (Corporate Owned, Personally Enabled), COBO (Corporate Owned, Business Only) and COSU (Corporate Owned, Single Use). You can learn more about the differences between them here. Now the time has come for Google to reconsider the COPE solution and to change this strategy to meet users’ expectations and fully ensure their privacy.
In a recent survey by ESG Research, 71% of employees said they expect all personal data stored on corporate devices to remain private. This resistance to full device management creates many challenges for IT departments. In fact, employees’ concern about their privacy is the top reason mobile devices are still unmanaged by IT, according to IDC:
“Many users of corporate-liable devices have privacy concerns about app usage and corporate IT monitoring their activity,” says Phil Hochmuth, program VP, enterprise mobility at IDC. “Due to this concern, 38% of corporate-owned devices deployed in enterprises go unmanaged.”
To ensure full privacy of employees while still managing the corporate-owned device, Google introduced a new approach that will come to life in Android 11. Under this approach the IT department can deploy the work profile on company-owned devices to help protect employee privacy across the entire mobile fleet – it can now do so regardless of whether the device is personally or company-owned. Settings that affect users’ privacy can no longer be managed as deeply as they are today.
Google has restricted the use of certain capabilities that could compromise the user’s privacy on a device that is allowed for both work and personal use. It is also worth mentioning that whoever owns the device gets to decide how the device can be used. If an employee owns the device (i.e. BYOD mode), the IT department can only manage core security features (e.g. preventing users from installing apps from unknown sources) – that is the way it was done before, and nothing changes in this case. But if the company owns the device, IT can secure the whole device (the private part too), yet manage only the corporate part. In other words, the work profile adjusts its management capabilities according to who owns the device, while offering the same privacy protections in all scenarios.
These features will no longer be available to the work profile on company-owned devices:
/ block end user ability to factory reset,
/ disable keyguard,
/ reset password for the device,
/ enable/disable backup service,
/ disallow user from configuring user credentials,
/ manage app installation on the private part,
/ control permissions on private part,
/ block clearing personal app data and caches,
/ ability to set default activity to handle intents,
/ ability to poll apps on private part,
/ app restrictions for personal apps,
/ grant privileged access to apps on the private part (delegated scope),
Both internal apps (as private apps) and public apps must be deployed to the work profile only.
/ configure VPN on the private part,
/ configure always-on VPN on the private part,
/ set device-wide DNS configuration,
/ set a global proxy,
/ add an override APN,
/ ability to block user from resetting network,
/ bug report request,
/ network logging.
These features will no longer be available to the work profile on company-owned devices for the private part:
/ view list of installed CA certificates,
/ install a user CA certificate on the private part,
/ install certificate chain and corresponding private key,
/ generate new public / private key pair,
/ associate certificates with key pairs.
But it will still be possible to, for example:
/ wipe device,
/ set password complexity,
/ control system update policy,
/ disable screen capture,
/ block external storage,
/ block tethering,
/ block camera,
/ block cross profile data sharing,
/ control data roaming,
/ block SMS usage,
/ block Bluetooth controls,
/ block Wi-Fi configuration,
/ set whitelist / blacklist of apps,
/ suspend apps.
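As an added illustration (not FAMOC’s code and not part of the original article), the snippet below shows how a device policy controller written against the Android DevicePolicyManager API could gate its device-wide controls on ownership: it checks `isOrganizationOwnedDeviceWithManagedProfile()` and only then applies controls of the kind listed above through the parent profile instance, leaving a BYOD profile untouched. The package name, the maintenance window and the mapping of each listed capability to a specific API call are assumptions based on the Android 11 API reference, not something the article states.

```java
// Added example, not FAMOC's code: a DPC running as the profile owner of a work
// profile applies device-wide controls only when the device is company-owned.
// Package names, the update window and the capability-to-API mapping are assumptions.
import android.app.admin.DevicePolicyManager;
import android.app.admin.SystemUpdatePolicy;
import android.content.ComponentName;
import android.content.Context;
import android.os.UserManager;

public final class CompanyOwnedWorkProfilePolicy {

    private final DevicePolicyManager dpm;
    private final ComponentName admin;

    public CompanyOwnedWorkProfilePolicy(Context workProfileContext, ComponentName adminReceiver) {
        this.dpm = workProfileContext.getSystemService(DevicePolicyManager.class);
        this.admin = adminReceiver;
    }

    /**
     * Applies the device-wide controls that remain available to the work profile on a
     * company-owned device. Returns false (and changes nothing) on a BYOD profile.
     */
    public boolean applyDeviceWidePolicies() {
        if (!dpm.isProfileOwnerApp(admin.getPackageName())) {
            throw new IllegalStateException("DPC is not the profile owner of this profile");
        }
        // Added in API 30: true only for a work profile on an organization-owned device.
        if (!dpm.isOrganizationOwnedDeviceWithManagedProfile()) {
            return false; // BYOD: only core work-profile security features may be managed
        }

        // Device-wide restrictions go through the parent (personal side) instance.
        DevicePolicyManager parent = dpm.getParentProfileInstance(admin);
        parent.setCameraDisabled(admin, true);        // block camera
        parent.setScreenCaptureDisabled(admin, true); // disable screen capture
        String[] restrictions = {
                UserManager.DISALLOW_CONFIG_BLUETOOTH,     // block Bluetooth controls
                UserManager.DISALLOW_CONFIG_WIFI,          // block Wi-Fi configuration
                UserManager.DISALLOW_CONFIG_TETHERING,     // block tethering
                UserManager.DISALLOW_DATA_ROAMING,         // control data roaming
                UserManager.DISALLOW_SMS,                  // block SMS usage
                UserManager.DISALLOW_MOUNT_PHYSICAL_MEDIA  // block external storage
        };
        for (String restriction : restrictions) {
            parent.addUserRestriction(admin, restriction);
        }

        // System update policy: install updates only between 02:00 and 04:00 (minutes after midnight).
        dpm.setSystemUpdatePolicy(admin,
                SystemUpdatePolicy.createWindowedInstallPolicy(2 * 60, 4 * 60));
        return true;
    }

    /** Suspends the given work apps inside the profile; returns packages that could not be suspended. */
    public String[] suspendWorkApps(String[] packageNames) {
        // Package names are supplied by the caller; e.g. a hypothetical "com.example.legacy.crm".
        return dpm.setPackagesSuspended(admin, packageNames, true);
    }
}
```

The point of the ownership check is that the same DPC binary serves both BYOD and company-owned enrollments: on a personally-owned device the parent-instance calls would throw a SecurityException, so the controller skips them instead of trying and failing.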
Companies that have devices set up in COPE mode will have two options: prevent private use of the device by switching to COBO mode, or accept the new mode: the enhanced work profile on company-owned devices.
When a device is updated to Android 11, its profile will automatically change to the enhanced work profile. Existing policies that affect the privacy settings will be automatically deleted. New devices must be enrolled via zero-touch or QR code in order to receive an enhanced work profile as well.
FAMOC is working on changes to the FAMOC manage system to ensure a smooth transition to the new work profile on company-owned devices. Since FAMOC manage 5.8 (released in May 2020) we have supported zero-touch and QR code enrollment for the work profile. This ensures that any device enrolled this way will be ready for the upcoming changes. More changes are currently in progress, and we will inform you about them on our roadmap and via newsletters.