Google’s Device Admin (DA) API made available in Android 2.2 in 2010 provided enterprise users with a management solution for their devices. However, with the release of Android 9.0 Google announced the deprecation of some device admin policies.
With the increased use of mobile devices in the workplace and the growing amount of confidential data they handle, DA's approach of asking for administrative permissions in order to manage the device posed serious security risks. Enterprise requirements have evolved considerably over the past decade, and DA is now considered a legacy management approach because it cannot meet those requirements head on.
The three steps in managing devices with DA include the following:
As mentioned before, going for a legacy management approach can bring in several drawbacks such as:
The deprecated policies include:
- USES_POLICY_DISABLE_CAMERA
- USES_POLICY_DISABLE_KEYGUARD_FEATURES
- USES_POLICY_EXPIRE_PASSWORD
- USES_POLICY_LIMIT_PASSWORD
From Android 10, invoking any of these policies from a device admin app results in a SecurityException.
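An added example, not code from the original post or from Hexnode, of how a device policy controller (DPC) can tell which management mode it actually holds and avoid the deprecated device-admin path for the camera policy; it assumes `admin` is the ComponentName of the app's own DeviceAdminReceiver:

```java
import android.app.admin.DevicePolicyManager;
import android.content.ComponentName;
import android.content.Context;
import android.os.Build;

public final class ManagementMode {
    public enum Mode { DEVICE_OWNER, PROFILE_OWNER, LEGACY_DEVICE_ADMIN, NOT_MANAGED }

    private static DevicePolicyManager dpm(Context ctx) {
        return (DevicePolicyManager) ctx.getSystemService(Context.DEVICE_POLICY_SERVICE);
    }

    // Legacy DA means the admin receiver is active but the app is neither device owner
    // nor profile owner, i.e. it only holds the admin rights a user granted it.
    public static Mode detect(Context ctx, ComponentName admin) {
        DevicePolicyManager dpm = dpm(ctx);
        String pkg = admin.getPackageName();
        if (dpm.isDeviceOwnerApp(pkg)) return Mode.DEVICE_OWNER;
        if (dpm.isProfileOwnerApp(pkg)) return Mode.PROFILE_OWNER;
        if (dpm.isAdminActive(admin)) return Mode.LEGACY_DEVICE_ADMIN;
        return Mode.NOT_MANAGED;
    }

    // USES_POLICY_DISABLE_CAMERA is one of the deprecated policies: on Android 10+ a
    // legacy DA caller gets a SecurityException instead of a disabled camera.
    // Returns true only when the policy is verifiably in effect.
    public static boolean disableCamera(Context ctx, ComponentName admin) {
        Mode mode = detect(ctx, admin);
        if (mode == Mode.NOT_MANAGED) return false;
        if (mode == Mode.LEGACY_DEVICE_ADMIN && Build.VERSION.SDK_INT >= Build.VERSION_CODES.Q) {
            // Known to fail: report it so the console can flag the device for re-enrollment
            // as device owner or profile owner instead of silently claiming compliance.
            return false;
        }
        try {
            dpm(ctx).setCameraDisabled(admin, true);
            return dpm(ctx).getCameraDisabled(admin);
        } catch (SecurityException e) {
            // Thrown when the caller no longer holds the policy or the admin is inactive.
            return false;
        }
    }
}
```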
Since managing devices through DA is no longer viable, how do you ensure that the Android devices in your organization have an effective management solution in place? This is where Android Enterprise comes in.
Android Enterprise (AE), formerly known as Android for Work, is an initiative put forward by Google to enable the use of Android devices in the workplace. It consists of a set of APIs that make it easy for enterprises to manage and secure all Android devices running OS version 5.0 and above. In 2014, Android Enterprise was launched as an optional solution which manufacturers could integrate with 5.0 Lollipop. From 6.0 Marshmallow, AE became a mandatory component for all manufacturers.
In switching over to Android Enterprise from legacy management, your organization gains a number of advantages, some of which include:
Based on their use cases, the AE enrolled devices can be classified into:
Differences between Android Enterprise and Native Android Management
Functionalities | Android Enterprise | Native Management |
Support | Offers a consistent set of APIs to control and manage end users' applications and devices | Only a limited set of device admin APIs to manage and control the devices |
Updates | OS upgrades and security patches from device manufacturers are delivered within 90 days | Patch delivery may take more than 180 days |
Containerization | Containerized separation of corporate and personal data | No containerization of corporate and personal data |
Compliance | Mandatory device encryption; more advanced restrictions can be placed on device functionality, network, connectivity etc. | No mandatory device encryption; limited restrictions |
User Experience | Better app management capabilities; GDPR ready | Limited app management capabilities; out-of-the-box GDPR readiness not available |
Zero Touch Enrollment | Available from Android 8.0 and above | Traditional on-boarding |
Management of Android Enterprise devices with Hexnode MDM
The integration of Hexnode with Android Enterprise provides enhanced management capabilities and zero touch enrollment for Android devices running on OS version 8.0 and above.
Advanced restrictions not found in native Android management can be set to secure the managed devices and prevent the leakage of corporate data. Here's how switching over to Android Enterprise can help your organization:
Multiple enrollment options
To enroll devices, you must first enroll your organization in the Android Enterprise program; depending on business requirements, devices can then be enrolled in either profile owner or device owner mode. Hexnode MDM's support for AE creates a separate work container on BYOD devices, or a completely corporate-owned work profile on fully managed devices, with no user intervention. Apart from zero touch enrollment, devices can also be enrolled via GSuite and QR code. With Hexnode, Android Enterprise can be configured using GSuite.
GSuite provides access to many Google applications and manages the applications distributed to a specific user by the means of an account created by the administrator. Configuring Android Enterprise via GSuite can only be done if you have a GSuite account. Other provisioning methods include DPC Identifier, NFC, Samsung KME, and Android Debug Bridge.
Better app management capabilities
Install applications with no user intervention
One of the greatest perks of Android Enterprise is its enhanced app management. All the enterprise applications your organization needs can be silently installed on Android Enterprise enabled devices enrolled as Device Owner that have the Hexnode for Work app (v7.8.2+) installed. Enterprise apps are private apps developed by an organization; because they are used only within the company, they cannot be hosted on a public platform like Google Play. Enterprise apps can be added in two ways: either upload the app's APK file to Hexnode's app inventory, or publish the app as a private app in Managed Google Play.
The app is then added to the portal. If your firm needs the latest version installed on users' devices, update the enterprise app by replacing its old APK file with a new one: log in to the Google Play Console, click 'All Applications' and select the app that needs the update. Choose 'Release Management' from App Releases and click 'Edit Releases'. Upload the new APK files and add the release notes, then click 'Save'. The Review option shows a summary of all the app releases; select 'Confirm Rollout' to release the updated app. It now appears in the list of updated apps published by the developer.
Distribute the updated app to devices via the mandatory apps policy or by selecting Action > Install Application from the Manage tab. On AE enabled devices enrolled as device owner, silent installation also works for store apps: once a store app is converted into a Managed Google Play app, it can be silently installed on the devices.
Boost productivity by blacklisting/whitelisting applications
One of the perks of device management with Android Enterprise is that it helps organizations boost employee productivity by whitelisting a set of applications. This works on both profile owner and device owner enrolled devices. In profile owner mode, only the applications within the work container can be blacklisted or whitelisted. Once apps are blacklisted, they are hidden from the user.
Users are also blocked from installing or updating blacklisted apps; if they try, a notification on the screen states that the action has been restricted. When a set of apps is whitelisted, every other app in the work container is treated as blacklisted: only the whitelisted applications and the Hexnode for Work app are displayed, and the user cannot install any other app from Play for Work.
When apps are blacklisted on devices enrolled as device owner, they are hidden and users cannot install or update them. When a set of apps is whitelisted, only those apps and the Hexnode for Work app are shown on the device; everything else is treated as blacklisted and hidden. As in profile owner mode, the user is prevented from installing any other app from the Play Store. If the same app is both blacklisted and whitelisted, it remains blacklisted.
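The blacklist/whitelist rules described in the paragraphs above, as an added example (not Hexnode's code) for a DPC running as device owner or profile owner; it assumes `admin` is the DPC's DeviceAdminReceiver and that the DPC package itself stands in for the Hexnode for Work app that must always stay visible:

```java
import android.app.admin.DevicePolicyManager;
import android.content.ComponentName;
import android.content.Context;
import android.content.pm.ApplicationInfo;
import android.content.pm.PackageManager;
import java.util.HashSet;
import java.util.Set;

public final class AppListPolicy {
    // Decide which packages must be hidden, following the rules described above:
    //  - a blacklisted app is hidden;
    //  - once a whitelist exists, every app not on it counts as blacklisted;
    //  - an app on both lists stays blacklisted;
    //  - the DPC itself (the Hexnode for Work app in the post) is never hidden.
    public static Set<String> resolveHidden(Set<String> installed, Set<String> blacklist,
                                            Set<String> whitelist, String dpcPackage) {
        Set<String> hidden = new HashSet<>();
        for (String pkg : installed) {
            if (pkg.equals(dpcPackage)) continue;
            boolean hide = blacklist.contains(pkg);
            if (!whitelist.isEmpty() && !whitelist.contains(pkg)) hide = true;
            if (hide) hidden.add(pkg);
        }
        return hidden;
    }

    // Enforce the decision with setApplicationHidden. Called from a profile owner this only
    // touches the work profile, which is why only work-container apps are affected in that
    // mode. Stopping new installs from Play is done through the Managed Google Play
    // allowlist rather than this API, so it is not shown here.
    public static int apply(Context ctx, ComponentName admin, Set<String> blacklist,
                            Set<String> whitelist) {
        DevicePolicyManager dpm =
                (DevicePolicyManager) ctx.getSystemService(Context.DEVICE_POLICY_SERVICE);
        PackageManager pm = ctx.getPackageManager();
        Set<String> installed = new HashSet<>();
        for (ApplicationInfo info : pm.getInstalledApplications(0)) {
            // Leave system packages alone; hiding them can break the device.
            if ((info.flags & ApplicationInfo.FLAG_SYSTEM) != 0) continue;
            installed.add(info.packageName);
        }
        Set<String> hidden = resolveHidden(installed, blacklist, whitelist, admin.getPackageName());
        int changed = 0;
        for (String pkg : installed) {
            boolean shouldHide = hidden.contains(pkg);
            // Only call into the framework when the state actually differs.
            if (dpm.isApplicationHidden(admin, pkg) != shouldHide
                    && dpm.setApplicationHidden(admin, pkg, shouldHide)) {
                changed++;
            }
        }
        return changed;
    }
}
```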
Approve and add applications
Managed Google Play provides enterprises with the convenience to deploy and manage the apps within their organization with ease.
With Hexnode, admins can easily approve and add Google Play apps to the app inventory and manage their updates. You can even create a custom App Store with these apps and customize it in any way you like by adding pages and app categories.
Configure applications and set permissions
The ease with which you can set configurations and permissions for an app even before it is pushed to the targeted devices is yet another reason why organizations should switch from native Android management to Android Enterprise. You can configure the app from the portal via the policy route.
To see an app in the list of configured apps, you must add at least one configuration. App permissions can be set the same way; they can include location, network access and camera, but are not limited to these three and differ based on the app you choose. When setting a permission from the portal, you can choose one of three options: default, allow and deny. Default means that the app follows its default permission behaviour.
Customize the play store layout
With device management with Android Enterprise, you can customize Play for Work with the chosen Play Store apps and custom-build the app clusters and pages. First, approve and add the apps to the list, then design a layout for the store. Once that's done, you can start adding the apps. Since we have already covered adding and approving applications, we'll jump right into designing a store layout and adding the apps to it.
The store layout consists of clusters and pages: you can create separate pages for different departments (say marketing or finance) and add clusters (i.e. sections) within a page. The apps you wish to deploy can then be added inside those clusters. If you don't want a cluster, click the trash icon on top to delete it. The 'Remove All' button clears all the apps present within the cluster.
Another cool feature you get access to is the creation of app catalogs. Once created, an app catalog can be pushed to devices either directly or via the policy route. Only Managed Google Play apps included in the app catalog can be seen in Hexnode for Work.
Publish private apps in Managed Google Play
This feature of Android Enterprise management lets organizations securely distribute essential applications within the firm without the risk of giving users outside the organization access to these apps. You can publish an app as a private app in Google Play.
The private app can be published directly to the MDM console and distributed to end users' devices. To publish an app privately in Managed Google Play, the organization or developer needs a Google Play developer account. The title of the app and its package name must be unique to the developer account. A total of 15 apps can be uploaded per day, and 20 organizations can be entered per app.
Set more restrictions
Secure management of devices is easily accomplished with Android Enterprise: additional restrictions on device functionalities, network, connectivity and app settings can be set.
You can create a policy with the required restrictions from the MDM console and push it on to the targeted devices.
Device Functionalities:
Restriction | Description | Enrollment mode |
Camera | Enable or disable the use of the camera. When disabled, the camera icon is hidden from the menu and home screen. Enabled by default. | Device Owner, Profile Owner |
Safe Mode | Allows the user to boot their device into safe mode. On Android 7.0+ the safe mode feature cannot be disabled. | Device Owner |
Screen Orientation | Choose the screen orientation of the device. Options: Users can choose, Auto Rotate, Portrait, Left, Right, Invert. | Device Owner |
Screen Timeout | Configure the screen timeout for the devices. Either keep the current setting or select 1, 2, 3, 4, 5, 10 or 15 minutes. | Device Owner |
Allow Network Settings:
Restriction | Description | Enrollment mode |
Wifi | Restrict or permit users from turning on Wi-Fi. By default, turning it on is allowed. | Device Owner, Profile Owner |
Force Wifi | Prevents users from turning off Wi-Fi. | Device Owner, Profile Owner |
Bluetooth | Allow or deny users from switching on Bluetooth. By default, users are allowed to use Bluetooth on their devices. | Device Owner, Profile Owner |
Force Bluetooth | Prevents users from turning off Bluetooth. | Device Owner, Profile Owner |
Tethering | Permit users to share their data connection with other devices. | Device Owner |
Portable Wifi | Allow users to control their portable Wi-Fi hotspot settings. Options: Always on, Always off, Users can choose. | Device Owner |
Data Roaming | When enabled, users can turn on data roaming and use mobile data outside their home network. Data roaming is allowed by default. | Device Owner |
Device Functionalities:
Restriction | Description | Enrollment mode |
Microphone | When left unchecked, the microphone is disabled except during phone calls. | Device Owner, Profile Owner |
Screen Capture | Permit or restrict users from capturing a screenshot, either on the device or from Android Studio. Under profile owner, screen capture is restricted only for applications within the work container. | Device Owner, Profile Owner |
Copy contents between normal and work profile | Permit users to copy content between the personal and work profiles. | Profile Owner |
Users can adjust volume | Allow users to adjust the volume of their devices. | Device Owner, Profile Owner (Android 6.0+) |
Make a call | Permit users to make calls from their devices. | Device Owner |
Display Settings:
Restriction | Description | Enrollment mode |
Hide Status Bar | Hide the status bar at the top of the screen. Hiding the status bar also denies access to the notification bar and quick settings tray. The status bar is displayed by default. | Device Owner |
Display dialogs/windows | Blocks dialog and window prompts on the device: system overlays, alerts, toast messages, incoming/outgoing calls, application overlays, Hexnode's password prompts, broadcast message alerts, and the floating kiosk peripheral settings icon. | Device Owner |
Connectivity Settings:
Restriction | Description | Enrollment mode |
Beam from device | Specify whether the user can use NFC to beam data out of applications. | Device Owner, Profile Owner |
Transfer data via Bluetooth | Permit the device to transfer data over Bluetooth. Note: since Android Beam transfers data over Bluetooth, turning this option off also affects Android Beam transfers. Allowed by default. | Device Owner, Profile Owner |
Configure Bluetooth | Permit or deny users from configuring Bluetooth. | Device Owner |
Configure cell broadcast | Allow or disallow users from configuring the cellular network settings on the device. | Device Owner |
Users can reset network settings | Allow users to reset the network settings on their device. When enabled, users can reset the current cellular and Wi-Fi settings, VPN settings and Wi-Fi passwords. Works only on Android 6.0 and above. | Device Owner |
Configure Wifi | Allow users to configure Wi-Fi on their devices. | Device Owner, Profile Owner |
Configure Hotspot and Tethering | When enabled, users can configure portable hotspot and tethering on their devices. | Device Owner |
Account Settings:
Restriction | Description | Enrollment mode |
SMS (receive and send messages) | Blocking this feature restricts users from receiving or sending messages from their devices. | Device Owner |
Modify Accounts/Users | Permit users to add, delete and switch between Google accounts. | Device Owner, Profile Owner |
Configure User Credentials | Allows the user to configure their user credentials. | Device Owner, Profile Owner |
Restricting other device settings:
Restriction | Description | Enrollment mode |
USB Debugging | If enabled, the Android device is allowed to communicate over USB with a PC running the Android SDK. | Device Owner |
Users can enable location sharing | Permits users to enable real-time location sharing with others. | Device Owner, Profile Owner |
Factory Reset | Allow users to reset their device to factory settings. | Device Owner |
Read any connected physical external media | Permit users to connect their device to external physical media. | Device Owner, Profile Owner |
Update date and time automatically | Allow the automatic update of date and time on the device. | Device Owner |
Set the time zone automatically | Automatically update the time zone the device is in. | Device Owner |
Configure VPN | Permit or deny users from configuring VPN on their device. | Device Owner, Profile Owner (Android 6.0+) |
App Settings:
Restriction | Description | Enrollment mode |
Install apps | Disabling this option blocks the installation of apps on the device. | Device Owner, Profile Owner |
Uninstall apps | Disallow users from uninstalling any apps from the device. | Device Owner, Profile Owner |
Control apps | Allow users to modify apps in Settings or launchers. When enabled, users can uninstall and disable apps, clear app data and cache, force stop apps and clear app defaults. | Device Owner, Profile Owner |
Verify apps before install | Allow Google to verify the content of apps for harmful behavior prior to installation. | Device Owner, Profile Owner |
Install apps from unknown sources | Allow or deny the installation of apps from unknown sources. | Device Owner, Profile Owner |
App runtime permissions | Set runtime permissions for apps: grant or deny specific permissions, or leave the apps' default permission behaviour. | Device Owner, Profile Owner |
Parent profile app linking | Permit apps in the parent profile to handle web links from the managed profile. Works only on Android 6.0 and above. | Device Owner, Profile Owner |
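An added example (not Hexnode's code) showing how a DPC would enforce a subset of the restriction rows above, and the default/allow/deny choice of the "App runtime permissions" row and the "Configure applications and set permissions" section, through the platform's DevicePolicyManager. It assumes `admin` is the DPC's DeviceAdminReceiver and `isDeviceOwner` was determined at enrollment; the scope column mirrors the post's tables, so check the platform documentation for exact per-API-level support:

```java
import android.app.admin.DevicePolicyManager;
import android.content.ComponentName;
import android.content.Context;
import android.os.Build;
import android.os.UserManager;
import java.util.Arrays;
import java.util.List;

public final class RestrictionPolicy {
    enum Scope { BOTH, DEVICE_OWNER_ONLY, PROFILE_OWNER_ONLY }

    // One row of the tables above: UserManager key, which enrollment mode may set it,
    // and the minimum API level the table notes (0 = none).
    static final class Row {
        final String key; final Scope scope; final int minSdk;
        Row(String key, Scope scope, int minSdk) { this.key = key; this.scope = scope; this.minSdk = minSdk; }
    }

    // Constructed subset of the tables, mapped to the platform restriction keys.
    static final List<Row> ROWS = Arrays.asList(
        new Row(UserManager.DISALLOW_UNMUTE_MICROPHONE, Scope.BOTH, 0),                        // Microphone
        new Row(UserManager.DISALLOW_ADJUST_VOLUME, Scope.BOTH, Build.VERSION_CODES.M),        // Users can adjust volume
        new Row(UserManager.DISALLOW_CROSS_PROFILE_COPY_PASTE, Scope.PROFILE_OWNER_ONLY, 0),   // Copy between profiles
        new Row(UserManager.DISALLOW_DEBUGGING_FEATURES, Scope.DEVICE_OWNER_ONLY, 0),          // USB Debugging
        new Row(UserManager.DISALLOW_FACTORY_RESET, Scope.DEVICE_OWNER_ONLY, 0),               // Factory Reset
        new Row(UserManager.DISALLOW_MOUNT_PHYSICAL_MEDIA, Scope.BOTH, 0),                     // External media
        new Row(UserManager.DISALLOW_INSTALL_UNKNOWN_SOURCES, Scope.BOTH, 0),                  // Unknown sources
        new Row(UserManager.DISALLOW_CONFIG_VPN, Scope.BOTH, Build.VERSION_CODES.M),           // Configure VPN (6.0+)
        new Row(UserManager.DISALLOW_NETWORK_RESET, Scope.DEVICE_OWNER_ONLY, Build.VERSION_CODES.M) // Reset network (6.0+)
    );

    // Apply the deny rows, skipping those the current enrollment mode may not set, so a
    // profile owner never attempts a device-owner-only restriction (which would throw).
    public static int apply(Context ctx, ComponentName admin, boolean isDeviceOwner) {
        DevicePolicyManager dpm = (DevicePolicyManager) ctx.getSystemService(Context.DEVICE_POLICY_SERVICE);
        int applied = 0;
        for (Row r : ROWS) {
            if (r.scope == Scope.DEVICE_OWNER_ONLY && !isDeviceOwner) continue;
            if (r.scope == Scope.PROFILE_OWNER_ONLY && isDeviceOwner) continue;
            if (Build.VERSION.SDK_INT < r.minSdk) continue;
            dpm.addUserRestriction(admin, r.key);
            applied++;
        }
        // Rows that are DevicePolicyManager setters rather than UserManager keys.
        dpm.setCameraDisabled(admin, true);          // Camera
        dpm.setScreenCaptureDisabled(admin, true);   // Screen Capture (work profile only under PO)
        if (isDeviceOwner && Build.VERSION.SDK_INT >= Build.VERSION_CODES.M) {
            dpm.setStatusBarDisabled(admin, true);   // Hide Status Bar (device owner)
        }
        return applied;
    }

    // "App runtime permissions": default / allow / deny for one app and one permission.
    public static boolean setRuntimePermission(Context ctx, ComponentName admin, String pkg,
                                               String permission, String choice) {
        int state;
        switch (choice) {
            case "allow": state = DevicePolicyManager.PERMISSION_GRANT_STATE_GRANTED; break;
            case "deny":  state = DevicePolicyManager.PERMISSION_GRANT_STATE_DENIED; break;
            default:      state = DevicePolicyManager.PERMISSION_GRANT_STATE_DEFAULT; // app asks the user as usual
        }
        DevicePolicyManager dpm = (DevicePolicyManager) ctx.getSystemService(Context.DEVICE_POLICY_SERVICE);
        return dpm.setPermissionGrantState(admin, pkg, permission, state);
    }
}
```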
Containerization
With the adoption of BYOD in the workplace, containerization keeps users' work apps and personal apps separate. It establishes a separate, encrypted area on the device where business data is kept secure. Admins can manage only the work container, which keeps them away from the user's personal data.
Android devices enrolled as Profile Owner have a work container where all the work apps are stored. These apps are easy to tell apart from the personal ones because they carry a work badge icon. Applications within the work container do not communicate with the personal apps. If an app is used in both the work container and the personal space, it runs as two separate instances on the device, and only the instance with the work badge icon is managed.
You can configure compliance settings on Android Enterprise devices. Once a device becomes non-compliant, its work container is deactivated if the deactivation setting has been enabled, and re-activated as soon as the device becomes compliant again. Work container deactivation applies to both device owner and profile owner enrolled devices. Once deactivation starts, all applications within the work container disappear. When deactivating the work container via policy, you can specify the time after which the work container should be deactivated on non-compliant devices.
Factory reset protection
Factory reset protection (FRP), an essential security feature in device management with Android Enterprise, prevents an unauthorized person from accessing an employee's phone after it has been reset to factory settings. To log in to the device again, the user must enter their Google username and password. Factory reset protection can be applied on Device Owner enrolled Android devices (v5.1+).
However, some situations may warrant bypassing FRP. You can use your G Suite email ID and Google+ profile ID to log in to the device and bypass it.
Schedule OS updates
On devices enrolled as device owner, OS updates can be scheduled. You can choose any of four options from the MDM console to manage the updates: Default, Update automatically, Update during inactive hours and Postpone update.
When you select 'Update during inactive hours', you set the time window in which the OS is updated. With 'Postpone update', OS updates are postponed for up to 30 days.
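The four update options above mapped onto the platform's SystemUpdatePolicy, as an added example that is not Hexnode's code; it assumes `admin` is the DPC's DeviceAdminReceiver and that the DPC is device owner:

```java
import android.app.admin.DevicePolicyManager;
import android.app.admin.SystemUpdatePolicy;
import android.content.ComponentName;
import android.content.Context;

public final class UpdateSchedule {
    // The four console options described above.
    public enum Option { DEFAULT, UPDATE_AUTOMATICALLY, UPDATE_DURING_INACTIVE_HOURS, POSTPONE_UPDATE }

    // Minutes after local midnight, the unit SystemUpdatePolicy expects for a window.
    public static int minutes(int hour, int minute) {
        if (hour < 0 || hour > 24 || minute < 0 || minute > 59) {
            throw new IllegalArgumentException("bad time " + hour + ":" + minute);
        }
        return hour * 60 + minute;
    }

    // Translate an option into a SystemUpdatePolicy. A null policy clears any existing one,
    // which is what "Default" means: the device returns to its normal update behaviour.
    // A window may wrap past midnight (e.g. 22:00 to 06:00); the platform caps postponement
    // at 30 days, after which pending updates install anyway.
    public static SystemUpdatePolicy build(Option option, int windowStart, int windowEnd) {
        switch (option) {
            case UPDATE_AUTOMATICALLY:
                return SystemUpdatePolicy.createAutomaticInstallPolicy();
            case UPDATE_DURING_INACTIVE_HOURS:
                return SystemUpdatePolicy.createWindowedInstallPolicy(windowStart, windowEnd);
            case POSTPONE_UPDATE:
                return SystemUpdatePolicy.createPostponeInstallPolicy();
            default:
                return null;
        }
    }

    // Only a device owner may call setSystemUpdatePolicy; any other caller gets a SecurityException.
    // Example: apply(ctx, admin, Option.UPDATE_DURING_INACTIVE_HOURS, minutes(22, 0), minutes(6, 0));
    public static void apply(Context ctx, ComponentName admin, Option option, int windowStart, int windowEnd) {
        DevicePolicyManager dpm = (DevicePolicyManager) ctx.getSystemService(Context.DEVICE_POLICY_SERVICE);
        dpm.setSystemUpdatePolicy(admin, build(option, windowStart, windowEnd));
    }
}
```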
Configure Android Enterprise enrolled devices with OEMConfig
With OEMConfig, OEM-specific settings can be configured on devices enrolled via the Android Enterprise program. An OEMConfig app is built by the OEM and published on the Managed Google Play Store; it uses managed configurations to configure the device features the OEM provides. With Hexnode, you can access these OEM-specific features from the portal.
You can customize the OEM-specific settings of any managed Android 5.0+ device that has its corresponding OEMConfig app installed. OEMConfig apps work only on their corresponding OEM's devices. Once installed, the OEMConfig app uses the settings configured in the portal to manage the device. To configure a device owner or profile owner enrolled device with its OEMConfig app, first approve and add the OEMConfig app to the app inventory, then set up the OEM-specific configurations.
Enable kiosk mode
In Android Enterprise, kiosk mode works only on devices enrolled as device owner. The device can be locked down to a single-app or multi-app kiosk. To enable kiosk on AE devices, go to Kiosk Lockdown > Android Kiosk Lockdown and choose one of the three options: Single App Kiosk, Multi App Kiosk, Website Kiosk Settings.
You can exit kiosk mode by tapping the screen 10 times and entering the default exit passcode set under Admin > General Settings > Global Exit Settings (Android) > Exit Passcode. You can also set a password in the kiosk policy and push it to the targeted devices.
Bottomline
Some organizations still use native management for their Android devices; by switching over to Android Enterprise, you gain additional functions and keep critical enterprise applications more secure.
Companies can choose from the Android Enterprise Recommended list of devices to find the right device that will neatly adhere to their business requirements.