Android Q brings new features for enterprise, but at the same time deprecates one that has been around for the last 9 years… Device Admin! Device Admin has been available since Android 2.2, so quite a looong time. No wonder that now, with Android 10 about to arrive, Device Admin is outdated, and has been for a long time.
It was already considered a legacy management approach back in 2014, when Android 5 was released with the fully managed device and work profile modes. Since Device Admin's introduction in 2010, Android has come a long way – surprising, huh? :). As a result, Device Admin is not well suited to today's enterprise requirements. Enterprises demand a higher level of trust, because devices are accessing increasingly confidential resources and are being used in a wider variety of use cases than Android's original Device Admin API was designed for.
So what should we use in our enterprises now? Google suggests transitioning to the managed device and work profile modes mentioned above. There are 4 ways to manage Android devices in your company – COBO, COPE, COSU and BYOD. All these modes were created with one purpose in mind – to replace the Device Admin API. Let's quickly recall the differences between them.
Fully managed device (corporate owned – business only)
This is the basic mode for companies that provide devices to their users for business purposes only. The enterprise has full control of the whole device through a device policy controller (DPC) app and can enforce the whole range of management policies.
Fully managed device with work profile (corporate owned – privately enabled)
This mode is a fully managed device that additionally separates personal and work data by applying a work profile on the device, where all company-related apps and data are stored. The user is free to use the personal part for their private data, but the company still has control over the whole device.
Dedicated device (corporate owned single use)
A dedicated device is set up to serve a single purpose, with a locked-down selection of apps needed to achieve the desired functionality, such as kiosks or digital signage.
Bring your own device (work profile only)
Employees may still want to use their personal device to access company data. In such a scenario, the best approach is to create a work profile on the device, where the EMM configures all work-related apps and policies. The enterprise has no way to manage the personal part of the device, and the user can remove the work profile at any time.
As I've mentioned, all these modes were created to replace the Device Admin API. It has been an ongoing process since Android 5 and will finally come to an end with the release of Android Q, which deprecates the obsolete methods.
But why does Device Admin need to be replaced? There are a couple of reasons.
Enterprises have more complex use cases and demand a higher level of security. A lot has changed since Android 2.2 – companies want to deploy devices to their employees more easily, in different scenarios (work profile, corporate only, etc.) and in a way that ensures the required degree of trust between the user and the app that manages the device. Android Enterprise introduced new ways of enrolling devices using NFC, QR codes, DPC identifiers and, more importantly, zero-touch. This way devices enroll into the EMM system as soon as they are taken out of the box.
Device Administrator rights can be acquired by any app at any point during the life of the device. This leads to situations where a malicious app asks for permission to manage the user's phone. When the user accepts such a request, which is a problem of its own, the attacker is in control. He could then, e.g., set the user's password for unlocking the device and, as a result, ask for a ransom. Android Enterprise, by contrast, can only be enrolled on a brand new device or, if the user wants only the work profile, the app manages the work container alone, without any possibility to change settings in the personal part.
There was no easy way to manage the corporate applications that enterprises wanted to deploy on their devices. Administrators needed to download APKs from external sites in order to deploy them, and Device Admin alone had no option to install apps silently. Android Enterprise came along with Managed Google Play. It makes it possible to prepare a work version of the Google Play store, where users can download and install all of the apps required by their company. The administrator can select which apps are mandatory; these are installed silently on the device as soon as the Managed Google Play account is added. Applications that support managed configuration can also be configured instantly, right after installation.
These are the main changes, but what will actually happen with the release of Android Q? Applications that do not target Q will keep working as before; there will only be additional log messages recommending not to use the deprecated API. However, the moment a DPC starts targeting Android Q, the app will receive a SecurityException every time it tries to use the old API. So prepare your apps before raising the target version of your application. Google Play will require apps to target Q in Q3 2020, so there is some time left, but it is best to get it done as soon as possible!
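As an added example (not code from the original post), here is how a DPC can tell which management mode it is running in before applying a policy, so that a build targeting Android 10 does not call a legacy Device Admin policy that would now throw a SecurityException. The class name PolicyGuard and the choice of the camera policy as the illustrative call are my assumptions; the DevicePolicyManager methods are the standard Android ones.

```java
import android.app.admin.DevicePolicyManager;
import android.content.ComponentName;
import android.content.Context;
import android.os.Build;
import android.util.Log;

/** Hypothetical helper: decides whether a policy call is safe in the current mode. */
public final class PolicyGuard {
    private static final String TAG = "PolicyGuard";

    public enum Mode { DEVICE_OWNER, PROFILE_OWNER, LEGACY_DEVICE_ADMIN, UNMANAGED }

    private final DevicePolicyManager dpm;
    private final ComponentName admin;   // the app's DeviceAdminReceiver component
    private final String pkg;
    private final int targetSdk;

    public PolicyGuard(Context ctx, ComponentName admin) {
        this.dpm = (DevicePolicyManager) ctx.getSystemService(Context.DEVICE_POLICY_SERVICE);
        this.admin = admin;
        this.pkg = ctx.getPackageName();
        this.targetSdk = ctx.getApplicationInfo().targetSdkVersion;
    }

    /** Device owner and profile owner are the Android Enterprise modes; the third is legacy. */
    public Mode mode() {
        if (dpm.isDeviceOwnerApp(pkg)) return Mode.DEVICE_OWNER;
        if (dpm.isProfileOwnerApp(pkg)) return Mode.PROFILE_OWNER;
        if (dpm.isAdminActive(admin)) return Mode.LEGACY_DEVICE_ADMIN;
        return Mode.UNMANAGED;
    }

    /** True when a legacy Device Admin call would be rejected: Android 10+ and targetSdk >= 29. */
    public boolean legacyCallsBlocked() {
        return mode() == Mode.LEGACY_DEVICE_ADMIN
                && Build.VERSION.SDK_INT >= Build.VERSION_CODES.Q
                && targetSdk >= Build.VERSION_CODES.Q;
    }

    /** Applies the camera policy only where the current mode still permits it. */
    public boolean disableCamera() {
        Mode m = mode();
        if (m == Mode.UNMANAGED || legacyCallsBlocked()) {
            Log.w(TAG, "Skipping camera policy in mode " + m + ": migrate to device/profile owner");
            return false;
        }
        try {
            dpm.setCameraDisabled(admin, true);
            return true;
        } catch (SecurityException e) {   // defensive: mode changed or policy not granted
            Log.e(TAG, "Camera policy rejected in mode " + m, e);
            return false;
        }
    }
}
```

The same mode check can be placed in front of any other policy call; apps that report LEGACY_DEVICE_ADMIN on a device are the ones that need to be re-enrolled as device owner or profile owner before the target version is raised.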