With the deployment of Android 10 on all new smartphones comes Android Enterprise, previously known as Android for Work. Even though it has its roots in Android 5.0 (Lollipop) launched in 2014, it is now a mandatory feature on all Android 10 devices when managed with an enterprise mobility management (EMM) solution.
Android Enterprise’s Flexible Deployment Models
To interact with devices, unified endpoint management (UEM) solutions used to rely on manufacturers’ APIs implemented on top of the Android system, creating many inconsistencies from one device to another. To reduce the hassle, Google created a native bundle of APIs enabled for all Android devices, regardless of the manufacturer. This homogenization of management across devices comes along with two key benefits: the creation of containerized work and personal profiles and a managed Google Play store with work-approved applications.
Let’s dive into the different setup models of work and personal profiles.
The first model is known as bring your own device (BYOD), although this term can still apply to a business-owned device. The core principle of this configuration is that the device is not managed by the company, and a containerized area is created for work files and applications. Therefore, the personal environment masters the device and the company only has control over the work profile.
The second hybrid model is the opposite of the BYOD configuration. Here, the work profile masters the whole device and the work-life separation lies in a personal sub-area. This configuration is usually known as corporate-owned personally-enabled (COPE).
In both COPE and BYOD models, the separation consists of isolating work assets from personal files, applications and resources such as messages, contacts and call logs.
The corporate-owned business-only (COBO) configuration makes for a device that is fully managed by the company and strictly aimed at work. Thus, there is no dedicated area for personal activities and the organization has complete control over and visibility into the device.
Lastly, kiosk-managed devices, also referred to as corporate-owned single-use (COSU), stick to COBO configuration where the work profile is locked down to only enable specific functions for targeted usage.
With these four types of configuration, organizations have plenty of flexibility in exercising more or less control over user devices. With an ever-growing BYOD landscape, companies can decide to let employees work on their preferred personal devices while still having control over the work profiles.
Security Is the Final Piece of the Puzzle
Ultimately, this containerization capability, which has been available through UEM solutions for some time, simplifies and unifies Android management, but doesn’t really add a structuring security piece. At the same time, the managed Google Play store reflects the legacy mobile application management functionality delivered by UEMs.
Therefore, corporate data is still exposed — no matter the chosen setup model — to environmental threats coming from applications, network communications and the device configuration just like any other device (Android or iOS). Setting up a work-life separation must only be considered as a data privacy measure and not a security gate.
Indeed, network and device criteria apply for the entire device and a man-in-the-middle (MitM) threat or a root exploit will jeopardize the work profile the same way. Looking at applications, if the ability to validate the security level of applications prior to their distribution throughout the work area is a must-have, the assessment of on-device applications is not to be forgotten. By downloading an application from the store on either the work or personal profile, corporate data is exposed to malware (screenloggers, keyloggers, etc.) and intrusive or leaky applications could hit from one profile to the other.
Hence, Android Enterprise mobile devices require the same security posture as any other device.
What to Look for in a UEM Solution
An effective endpoint management solution aims to provide security on top of device management and will deploy seamlessly in an Android Enterprise environment. Such solutions should provide the following:
- Validation of applications prior to their distribution on the managed Google Play store through detailed security reports on any applications to be distributed
- Agentless application vetting mechanisms that retrieve the list of all applications installed throughout the fleet and assess the security level of all devices
- On-device security that provides 360-degree security coverage and real-time remediation
In sum, Android Enterprise represents a core add-on to the Android framework, homogenizing the management of devices across manufacturers and concretizing inevitable work-life hybrid usage. Android Enterprise capabilities may draw the path of device administration, but they do not, however, bring additional security to the legacy framework.
This is the pitfall to be avoided when implementing this new capability. Just as any other connected hardware does, Android Enterprise devices must fall under the company security policy and benefit from real-time threat defense to ensure the protection of corporate data by thorough and dynamic unified endpoint management solutions.
The post Android Enterprise Adds Flexibility But Still Calls for UEM Solutions appeared first on Security Intelligence.