In November 2014 Google released Android 5.0 (Lollipop). For consumers the most notable change is, without a doubt, material design. But new design elements and animations are not everything Lollipop has to offer. Behind the scenes Google has introduced new features targeted at enterprise customers.
Before the Lollipop release, integration into enterprise mobility management (EMM) was a challenging task.
The reasons for this are simple:
- Administrators had no universal way of managing Android devices.
- Users had no easy way to keep their personal information separate from corporate data.
- Business owners couldn’t ensure corporate data wasn’t leaked outside their applications.
Adding to this dilemma is the platform’s fragmentation. Different devices have different capabilities which users and administrators must take into account.
Individual manufacturers already offer solutions for their own devices. This is fine, as long as the business can commit to a single manufacturer. It works well for scenarios where the enterprise provides the employees’ devices. However, it is less favorable in a Bring Your Own Device (BYOD) environment.
As an example, Samsung’s Knox provides complete control over managed devices. But it cannot provide a clear separation of personal and corporate data. This makes it less suitable for a dual-use scenario. It’s also unsuitable for enterprises that do not have tight control over device purchases.
Android for Work
Along with the release of Android 5 Google also announced Android for Work™. At its core Android for Work is a profile managed by an EMM solution. There are two distinct profiles available:
- A device owner profile, which takes complete control of a device. This is only available for devices running Android 5.x (Lollipop) or newer.
- A work profile, which acts as a container for business applications. The Android for Work app also provides this feature for devices running Android 4.x.
Here’s a quick overview of what Android for Work has to offer:
For corporate-owned devices (COD) Lollipop introduces a device owner profile. A device owner profile must be the only profile installed on a device. There can be no personal profile installed at the same time. This profile gives IT complete control over the device. For example, it allows the silent deployment and removal of applications. Administrators can also wipe the entire device, if required.
This profile is managed by a special application, called a device owner app. This app must be deployed before the device is set up. If the device is already associated with a user profile, it needs to be wiped first. Additionally, only one device owner can be installed at a time. The device owner app can manage the device’s settings. It can also grant special permissions to other apps running on the device. For example, it can grant other apps the permission to use “screen pinning”. If an app is pinned, the user can no longer leave it. This is also known as “kiosk mode”.
There are currently three known ways by which a device owner app can be installed:
- Put a file containing device owner information into the correct folder. This requires a rooted device, which is not recommended for security reasons.
- Use development tools to connect to the device and run the “dpm set-device-owner” command with the appropriate arguments.
- Use a second device and NFC to send the device owner app to the target device.
The last method is the recommended strategy for most scenarios. In any case the target device must be running Android 5.x or newer, and it must be in the “unprovisioned” state. This means it either has to come fresh out of the box, or a factory reset must be performed first.
Once the device has booted into Android it is ready to be provisioned. No setup steps should be performed on the device before it is provisioned. The second device is set up to push the device owner app onto the target device. Once both devices are ready, they are touched back-to-back to begin the NFC transfer. When the transfer is complete, the new device is set up with a device owner profile.
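The NFC bump described above works because the second device beams a provisioning record that the fresh Lollipop device understands. The following is an added example of what that second device would run; it is not code from the original article or from Google. The admin package name, APK download URL, checksum and Wi-Fi values are placeholders, and it assumes the Lollipop provisioning extras and MIME type exposed by `android.app.admin.DevicePolicyManager`.

```java
// Added example (not from the original article): builds the NFC provisioning
// payload that the "second device" pushes to a factory-fresh Lollipop device.
// Package name, download URL, checksum and Wi-Fi values are placeholders.
import android.app.Activity;
import android.app.admin.DevicePolicyManager;
import android.nfc.NdefMessage;
import android.nfc.NdefRecord;
import android.nfc.NfcAdapter;
import android.os.Bundle;

import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.util.Properties;

public class ProvisioningBumpActivity extends Activity {

    // Placeholder values; an EMM would fill these in from its own configuration.
    private static final String ADMIN_PACKAGE = "com.example.emm.admin";
    private static final String ADMIN_APK_URL = "https://emm.example.com/admin.apk";
    private static final String ADMIN_APK_CHECKSUM = "<url-safe-base64-hash-of-apk>";

    @Override
    protected void onCreate(Bundle savedInstanceState) {
        super.onCreate(savedInstanceState);
        NfcAdapter nfc = NfcAdapter.getDefaultAdapter(this);
        if (nfc == null) {
            // This device has no NFC hardware, so it cannot act as the bump device.
            finish();
            return;
        }
        try {
            // Android Beam sends this message when the two devices are touched back-to-back.
            nfc.setNdefPushMessage(buildProvisioningMessage(), this);
        } catch (IOException e) {
            finish();
        }
    }

    // Assembles the key/value record the target's managed-provisioning app parses.
    static NdefMessage buildProvisioningMessage() throws IOException {
        Properties props = new Properties();
        props.put(DevicePolicyManager.EXTRA_PROVISIONING_DEVICE_ADMIN_PACKAGE_NAME, ADMIN_PACKAGE);
        props.put(DevicePolicyManager.EXTRA_PROVISIONING_DEVICE_ADMIN_PACKAGE_DOWNLOAD_LOCATION, ADMIN_APK_URL);
        // The target verifies the downloaded APK against this hash before installing it.
        props.put(DevicePolicyManager.EXTRA_PROVISIONING_DEVICE_ADMIN_PACKAGE_CHECKSUM, ADMIN_APK_CHECKSUM);
        // Optional extras: Wi-Fi the target should join to fetch the APK, plus time zone and locale.
        props.put(DevicePolicyManager.EXTRA_PROVISIONING_WIFI_SSID, "corp-provisioning");
        props.put(DevicePolicyManager.EXTRA_PROVISIONING_WIFI_SECURITY_TYPE, "WPA");
        props.put(DevicePolicyManager.EXTRA_PROVISIONING_WIFI_PASSWORD, "<wifi-passphrase>");
        props.put(DevicePolicyManager.EXTRA_PROVISIONING_TIME_ZONE, "Europe/Berlin");
        props.put(DevicePolicyManager.EXTRA_PROVISIONING_LOCALE, "en_US");

        ByteArrayOutputStream out = new ByteArrayOutputStream();
        props.store(out, null); // java.util.Properties text format, as the provisioning app expects
        NdefRecord record = NdefRecord.createMime(
                DevicePolicyManager.MIME_TYPE_PROVISIONING_NFC, out.toByteArray());
        return new NdefMessage(record);
    }
}
```

Two points matter for a defender here. The Wi-Fi passphrase travels in the clear over NFC, so a dedicated provisioning network is preferable to the production corporate SSID. The checksum is what ties the downloaded device owner APK to the one the administrator intended, so it must be regenerated whenever the APK served at the download URL changes.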
Bring Your Own Device
A device owner profile is not suitable for every situation. There are shortcomings that make it unsuitable for BYOD. For one, it requires a device in mint condition. This is a definite no-go for employees who bring their own device to work. Nor will they want their personal devices and data at the complete mercy of IT. At the same time, they need access to corporate data without compromising its security.
The right kind of solution for this kind of scenario is to set up an Android for Work profile. This is available for Android 5.x devices out of the box. Devices running Android 4.0 – 4.4 can use the Android for Work app.
The profile acts as a container that holds the user’s work related apps and data. An app managing this profile is referred to as a profile owner. When a profile is wiped, all applications and data contained in the profile are removed. Unlike a device wipe this will leave the user’s personal data unaffected.
Administrators can also define which data is allowed to leave a managed container. This prevents users from leaking corporate data into their personal profile. Users can also be blocked from taking screenshots of applications inside the container. At the same time apps inside the container cannot access the user’s personal data.
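The restrictions described in this section, together with the kiosk-mode permission a device owner app can grant (see the device owner section above), are applied through the platform’s device policy API. The following is an added example, not code from the original article or from Google, of an admin receiver that applies these policies once provisioning finishes. The class name, the kiosk package and the profile name are placeholders; it assumes the Lollipop-era `DevicePolicyManager` and `UserManager` constants named in the code.

```java
// Added example (not from the original article): a DeviceAdminReceiver that,
// once provisioning has finished, applies the container policies the text
// describes. The receiver class name and kiosk package are placeholders.
import android.app.admin.DeviceAdminReceiver;
import android.app.admin.DevicePolicyManager;
import android.content.ComponentName;
import android.content.Context;
import android.content.Intent;
import android.os.UserManager;

public class WorkAdminReceiver extends DeviceAdminReceiver {

    private static final String KIOSK_PACKAGE = "com.example.kiosk"; // placeholder

    // Invoked by the system when managed profile (or device owner) provisioning completes.
    @Override
    public void onProfileProvisioningComplete(Context context, Intent intent) {
        DevicePolicyManager dpm =
                (DevicePolicyManager) context.getSystemService(Context.DEVICE_POLICY_SERVICE);
        ComponentName admin = new ComponentName(context, WorkAdminReceiver.class);
        String pkg = context.getPackageName();

        if (dpm.isProfileOwnerApp(pkg)) {
            // BYOD case: this app owns a work profile inside the user's personal device.
            applyWorkProfilePolicies(dpm, admin);
            dpm.setProfileName(admin, "Work");
            dpm.setProfileEnabled(admin); // the profile stays hidden until it is enabled
        } else if (dpm.isDeviceOwnerApp(pkg)) {
            // Corporate-owned case: this app owns the whole device.
            applyDeviceOwnerPolicies(dpm, admin);
        }
    }

    // Work profile: keep corporate data inside the container.
    static void applyWorkProfilePolicies(DevicePolicyManager dpm, ComponentName admin) {
        // No screenshots of apps running inside the container.
        dpm.setScreenCaptureDisabled(admin, true);
        // No copy-and-paste from the work profile into the personal profile.
        dpm.addUserRestriction(admin, UserManager.DISALLOW_CROSS_PROFILE_COPY_PASTE);
        // No debugging (adb) access to data in the profile.
        dpm.addUserRestriction(admin, UserManager.DISALLOW_DEBUGGING_FEATURES);
    }

    // Device owner: whitelist the app that may be pinned ("kiosk mode") and
    // block sideloading on the corporate-owned device.
    static void applyDeviceOwnerPolicies(DevicePolicyManager dpm, ComponentName admin) {
        dpm.setLockTaskPackages(admin, new String[] { KIOSK_PACKAGE });
        dpm.addUserRestriction(admin, UserManager.DISALLOW_INSTALL_UNKNOWN_SOURCES);
    }

    // Remote wipe. Called from a profile owner this removes only the work profile
    // (its apps and data); called from a device owner it wipes the whole device.
    static void wipeContainer(DevicePolicyManager dpm) {
        dpm.wipeData(0);
    }
}
```

For the callback to fire, the receiver must be declared in the manifest with the `android.permission.BIND_DEVICE_ADMIN` permission and an intent filter for `android.app.action.PROFILE_PROVISIONING_COMPLETE`. The same `wipeData` call behaves differently depending on which owner role the app holds, which is exactly the distinction the article draws between wiping a container and wiping a device.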
Android for Work adds a consistent mechanism to provide corporate data on any device. Managed profiles give users a simple way to access work on their personal devices, without running the risk of intermixing personal and corporate information. For corporate-owned devices the addition of the device owner profile means complete control, without being dependent on a single device manufacturer.
Android for Work is compatible with any device running Android 5.x (Lollipop) or newer. Android for Work profiles are also available for devices running Android 4.0 – 4.4.
For the user this means they are now free to select any device they want, without the risk of exclusion. There is also a clear separation of personal and corporate information.
For the enterprise this means they no longer put their data at risk. Data inside a container cannot be leaked to outside the container. The container can be wiped at any time, while leaving the user’s personal data intact.
Image: Thomas Gehrke via flickr.