Category: Android enterprise

Why it’s time for enterprises to adopt Android’s modern device management APIs

Tom Watkins December 19, 2017 Android enterprise, Connected Workspaces

Enterprise devices regularly access mission-critical data and are a key conduit for company communications. To ensure that organizations can power their mobility efforts with great features and security, Android offers managed device and work profile modes for mobile management.

Many organizations, however, are still using the Device Administration API, which was made available for developers in Android 2.2. When it was first released in 2010, the device admin API provided enterprises with a reliable support system for enterprise applications. Since then, the needs of businesses have grown to include more vigorous management and security requirements.

Managing personal and company-owned devices

In Android 5.0, we created managed device (device owner) and work profile (profile owner) modes, which match the security needs of organizations that manage mobile devices. These are feature-rich and secure ways to manage devices. Most organizations are now using these modes to manage mobile devices, and we’re encouraging all organizations to make the switch.

We understand that for some organizations this switch may take time, so we have developed an extended timeline for the transition. Device admin API will be supported through Android Oreo and existing functionality will continue to be available in the next major Android release, though device admin APIs for password enforcement will no longer be supported. In the following Android release, expected in 2019, the APIs for password enforcement will no longer be available. We strongly recommend that businesses plan to move to work profile and managed device APIs. By sharing this update early, we aim to provide companies with sufficient time to migrate existing devices or start fresh as new ones are added to their fleet.

Non-enterprise device management

Some of the device admin APIs are used for non-enterprise device management, like Find My Device, which enables locking and wiping a lost phone. APIs commonly used by these applications will not be affected. Please see the developer migration guide for details on the specific changes.

Making the transition to work profiles or managed devices

For those currently using device admin, there are two strategies available to move to Android’s management APIs. Both options require companies to have an EMM provider that supports either Android’s work profile or managed device mode.

For personal devices used by employees for work, we recommend using the work profile. Migration from a legacy device admin to the work profile can be done with minimal disruption. This can be handled either by enabling personal devices to install a work profile, or by having new devices enroll with a work profile as existing devices phase out of the fleet.

We recommend that company-owned devices be set up as managed devices. Migrating a device from device admin to managed device requires a factory reset, so we recommend a phased adoption, where new devices are enrolled as managed devices while existing devices are left on device admin. New users and new devices should be configured with the new management modes as they are enrolled. Then, older device admin devices can be aged out of the fleet through natural attrition. We recommend that you begin to enroll all new company-owned devices running the major Android release after Oreo as managed devices, in preparation for the removal in the release after that.

Major mobility transitions are typically a large and important undertaking but we know that the needs of companies will be better served with the modern capabilities of Android’s managed device and work profile modes. For specific implementation details, see our developer migration guide.

How the Pixel 2’s security module delivers enterprise-grade security

Xiaowen Xin November 14, 2017 Android enterprise, Connected Workspaces, Pixel

Security is often top of mind for enterprise customers when it comes to choosing a device for work. Company data should be protected against all manner of threats to avoid a costly and distressing security breach.

The new Google Pixel 2 was built with a tamper-resistant hardware security module that reinforces the lock screen against malware and hardware attacks to better safeguard the data stored on your device, like emails, contacts and photos. This is the first of what we hope are many Android devices that feature dedicated security modules.

Benefits of tamper-resistant hardware

The lock screen is the first line of defense in protecting your data from attacks. Devices that ship with Android 7.0 and above verify your lock screen passcode in a secure environment, such as the Trusted Execution Environment (TEE), that limits how often someone can repeatedly brute-force guess it. Only when the secure environment has successfully verified your passcode does it reveal a device- and user-specific secret used to derive the disk encryption key. Without that key, your data can’t be decrypted.

The goal of these protections is to prevent attackers from decrypting your data without knowing your passcode. However, the protections are only as strong as the secure environment that verifies the passcode. Performing these types of security-critical operations in tamper-resistant hardware significantly increases the difficulty of attacking it.


Tamper-resistant hardware comes in the form of a discrete chip, separate from the System on a Chip (SoC). It includes its own flash, RAM, processing unit, and other resources inside a single package, so it can fully control its own execution and ward off external attempts to tamper with it. The package is resistant to physical penetration and designed to resist many side channel attacks, including power analysis, timing analysis, and electromagnetic sniffing. The hardware is also resilient against many physical fault injection techniques including attempts to run outside normal operating conditions, such as wrong voltage, wrong clock speed, or wrong temperature.

Security module in Pixel 2

In addition to being tamper-resistant, the security module in Pixel 2 also helps protect against software-only attacks. Because it performs very few functions, it has a super small attack surface. And with passcode verification happening in the security module, even in the event of a full compromise elsewhere, the attacker cannot derive your disk encryption key without compromising the security module first. 

The security module is designed so that nobody, including Google, can update the passcode verification to a weakened version without knowing your passcode first.
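
The following Python model is an added example, not Google's or the Pixel 2's code: it shows throttled passcode verification that releases a secret used for key derivation, and a firmware update that is refused without the passcode. The throttling schedule, the PBKDF2 and HMAC stand-ins, the passcode and the firmware labels are assumptions chosen for illustration.

```python
import hashlib
import hmac
import os
from typing import Optional

FREE_ATTEMPTS = 5    # assumed: wrong guesses allowed before throttling starts
BASE_DELAY_S = 30    # assumed: first lockout, doubled after each further failure


class SecurityModule:
    """Toy model of the secure environment; it alone holds the secret."""

    def __init__(self, passcode: str):
        self._salt = os.urandom(16)
        self._verifier = self._stretch(passcode)
        self._secret = os.urandom(32)   # device- and user-specific secret
        self._failures = 0
        self._locked_until = 0.0
        self.evaluated = 0              # guesses actually compared
        self.firmware = "v1"            # constructed version label

    def _stretch(self, passcode: str) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", passcode.encode(), self._salt, 50_000)

    def verify(self, passcode: str, now: float) -> Optional[bytes]:
        """Return the secret for the right passcode, None if wrong or throttled."""
        if now < self._locked_until:
            return None                 # throttled: the guess is not even checked
        self.evaluated += 1
        if hmac.compare_digest(self._stretch(passcode), self._verifier):
            self._failures = 0
            return self._secret
        self._failures += 1
        if self._failures >= FREE_ATTEMPTS:
            delay = BASE_DELAY_S * 2 ** (self._failures - FREE_ATTEMPTS)
            self._locked_until = now + delay
        return None

    def update_firmware(self, image: str, passcode: Optional[str], now: float) -> bool:
        """Accept new verification code only from someone who knows the passcode.

        This model simply refuses the update otherwise; the page does not say
        how the real module enforces the rule.
        """
        if passcode is None or self.verify(passcode, now) is None:
            return False
        self.firmware = image
        return True


def derive_disk_key(secret: bytes) -> bytes:
    """Stand-in KDF: the disk key depends on the secret the module releases."""
    return hmac.new(secret, b"disk-encryption-key", hashlib.sha256).digest()


def evaluated_under_throttle(module: SecurityModule, wrong: str, seconds: int) -> int:
    """Submit one wrong guess per second; count how many the module checked."""
    before = module.evaluated
    for t in range(seconds):
        module.verify(wrong, now=float(t))
    return module.evaluated - before


if __name__ == "__main__":
    module = SecurityModule("4821")                      # constructed passcode
    key = derive_disk_key(module.verify("4821", now=0.0))
    print("guesses checked in one hour:",
          evaluated_under_throttle(module, "0000", 3600))
    print("weakened firmware accepted without passcode:",
          module.update_firmware("v2-weakened", None, now=4000.0))
```

With this schedule, an hour of one-per-second guessing gets only 11 guesses checked, and the lockout applies to the correct passcode too until it expires.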

Security at the core

Businesses that choose the new Google Pixel 2, or a future Android device with tamper-resistant hardware, will have more peace of mind that critical company data is safer against an entire class of sophisticated hardware attacks. These security upgrades, along with the comprehensive and innovative management features that Android brings to work, give your business a powerful set of tools for a mobile workforce.

How Chrome helped LafargeHolcim stay productive during a merger

Paul Young November 1, 2017 Android enterprise, Connected Workspaces

Editor’s note: Based in Switzerland, LafargeHolcim is one of the world’s largest manufacturers of building materials, with a presence in 80 countries. Paul Young, their head of collaboration and knowledge, tells us how they relied on Chrome and Android devices to stay business ready during a merger.

Merging two large companies, with two large IT systems, is a challenge even under the best of circumstances. So when the world’s two largest cement manufacturers, Lafarge and Holcim, merged in 2015, ensuring business continuity while integrating these two IT systems was a top priority. Fortunately we had Chrome to help.

Before the merger, Lafarge and Holcim both migrated to Chrome, making the transition easier, faster and more cost-effective. The merger increased the company’s global presence to 80 countries, but with Chrome, updates were automatic. Chrome was also pre-installed on each desktop and mobile device, so we saved time because we didn’t need to deploy it region by region. 

Google’s admin console has made it easy for our IT department to manage both Chrome browser and Android devices from a web-based application. Since we have offices around the globe, this was crucial. Not only are Android devices affordable, but our IT department finds them easy to set up and manage from one administrative panel. And with Chrome, our IT staff can manage browser settings for our employees’ devices no matter where they are. Overall, the combination of Chrome and Android devices has saved the company thousands of dollars every year.

Since the merger, LafargeHolcim has become a leader in manufacturing cement, concrete, aggregates and asphalt, but our growth hasn’t diminished our pace of innovation. In 1864, Lafarge won the “contract of the century” and delivered materials to build the Suez Canal. In 1942, Holcim created one of the world’s first cement research and testing facilities. Combined, LafargeHolcim has over 180 years of experience. And with Google, we’re able to help our employees do their jobs better as more of their work moves online and goes mobile—and continue to innovate.

New Android Management API delivers simple, powerful tools for enterprise

Nikita Kostylev October 20, 2017 Android enterprise, Connected Workspaces

Managing mobile devices and applications can be a challenge for businesses and partners of all sizes.

Today, our Enterprise Mobility Management (EMM) partners write their own management app in order to enable management of Android devices; we call this a “device policy controller” (DPC) app. A DPC app is essentially an agent deployed by the EMM, with the real value living in the console and back end, which the app communicates with directly.  

Now, with our newest tool, the Android Management API, customers and EMMs can manage devices using a server-side API and eliminate the need to write a management app. The Android Management API takes on this complexity so partners can focus on what’s important to their customers and not worry about the underlying Android framework.

Now, creating policies for your device fleet is as simple as creating a Google Cloud project and making a couple of REST API calls. The Android Management API is built around policies, rather than discrete transactions; just tell the API how a device should be managed.

Behind the scenes, Google interprets these policies into a specific set of actions for the target device, and executes those requests using the Android Device Policy app, a Google-made managing agent. Because we provide the managing agent, developers don’t need to handle nuances of the framework implementation, such as which APIs are available or what bugs need to be worked around on given versions of Android.
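
To make the policy-driven model concrete, the added Python example below (not code from Google or from this post) treats a kiosk policy as a desired-state document, reviews it for settings that loosen a dedicated device, and builds the PATCH request that would store it, without sending anything. Field names follow the API's policy resource and should be checked against the current reference; the package name, enterprise and policy ids, the token and the review list are constructed placeholders and assumptions.

```python
import copy
import json
import urllib.request

API_ROOT = "https://androidmanagement.googleapis.com/v1"

# Constructed kiosk policy: the desired state for a single-purpose device.
KIOSK_POLICY = {
    "applications": [
        {"packageName": "com.example.kiosk", "installType": "FORCE_INSTALLED"},
    ],
    "debuggingFeaturesAllowed": True,   # handy on a test bench, weak in the field
}

# Settings that, when true, loosen a dedicated device (assumed review list).
WEAK_IF_TRUE = ("debuggingFeaturesAllowed", "installUnknownSourcesAllowed")


def review_policy(policy: dict) -> list:
    """Return human-readable findings for settings worth fixing before rollout."""
    findings = [f"{key} is enabled" for key in WEAK_IF_TRUE if policy.get(key)]
    for app in policy.get("applications", []):
        if not app.get("packageName"):
            findings.append("application entry without packageName")
        elif "installType" not in app:
            findings.append(f"{app['packageName']}: no installType set")
    return findings


def harden(policy: dict) -> dict:
    """Copy of the policy with the weak-if-true settings switched off."""
    fixed = copy.deepcopy(policy)
    for key in WEAK_IF_TRUE:
        fixed[key] = False
    return fixed


def build_policy_request(enterprise_id, policy_id, policy, access_token):
    """Build (not send) the PATCH that stores the policy under the enterprise."""
    findings = review_policy(policy)
    if findings:
        raise ValueError("policy has open findings: " + "; ".join(findings))
    name = f"enterprises/{enterprise_id}/policies/{policy_id}"
    return urllib.request.Request(
        f"{API_ROOT}/{name}",
        data=json.dumps(policy).encode(),
        method="PATCH",
        headers={"Authorization": f"Bearer {access_token}",
                 "Content-Type": "application/json"},
    )


if __name__ == "__main__":
    print(review_policy(KIOSK_POLICY))
    request = build_policy_request("LC0example", "kiosk", harden(KIOSK_POLICY), "TOKEN")
    print(request.get_method(), request.full_url)
```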


We’ve been testing the Android Management API with several early access partners. Mobiltec, which has launched a validated Corporate Owned Single-Use (COSU) solution, found the new API sped up the company’s EMM efforts by easing back on some development needs.

“Android Management API is a powerful Cloud Platform API that allows us to easily integrate Android EMM functions to cloud4mobile, our EMM tool. With this new management API, we can deliver top-of-market EMM solutions to a wide range of devices,” says Paulo Morandi, senior software architect at Mobiltec. “Since we don’t need to develop our own DPC (device policy controller), new features can be added in minutes; just some HTTP requests and you are done.”

 

The Android Management API is compatible with any device running Android 6.0 (Marshmallow) or above that has Google Play installed. Designed with the needs of businesses in mind, it doesn’t matter if an organization’s devices come from one or many manufacturers—this new API provides a consistent way to manage a device.

Our first set of APIs focuses on purpose-built device use cases, such as digital signage, ticket printing, or kiosks. Over the coming months, our team of engineers will add more features to cover knowledge worker management use cases, and ultimately all Android enterprise solution sets.

The Android Management API is now available in beta for all partners and developers, whether they are developing EMM software, purpose-built specific applications, or an in-house solution for an organization.

Want to try it out? Using Google’s API Explorer, you can try out the API and provision a device in minutes. All you need is a new or factory reset Android 6.0+ device and a Gmail account. Check out the Quick Start Guide to discover how quickly things can get up and running. We hope this makes development easier for partners and helps them bring the latest Android features to customers faster.

How Android helped Dalmia Bharat go digital and grow their business

Sunil Tewari October 13, 2017 Android enterprise, Connected Workspaces

Editor’s note: Today’s post comes from Sunil Tewari, Head of Technology and Business Services for Dalmia Bharat Group, one of India’s largest cement manufacturers. Read how Dalmia Bharat Group uses Android to increase sales, optimize cement delivery, and better connect their workforce.

Dalmia Cement is a leader in the Indian cement industry, producing over 9 million tons of cement for its customers every year. Founded as a division of the Dalmia Bharat Group in 1939, we’ve consistently innovated our manufacturing and production processes, pioneering specialty cements used for oil wells, railway sleepers, and air strips.

We’re quick to embrace solutions that make our business more efficient and responsive for our customers. So when it came to mobility, we turned to another powerhouse of innovation—Android. Our analog record-keeping system wasn’t keeping up with our needs: our customers are spread far and wide across India, so many of our employees spend their work hours largely on the road, making sales calls and deliveries. We have between 15,000 and 18,000 trucks delivering cement to cities and remote areas, and 600 sales representatives visiting customers every day.

In a business that relies on strong personal relationships between sales reps and customers, keeping track of contacts, purchases and deliveries with so many employees while on the go is difficult. Sales reps need to be able to get information quickly while they’re at a customer site or in the office. Managers need to make sure drivers are taking the quickest delivery route to where the customers are. And we need to track successful deliveries so we know when to bill the client.


To make all of this a smoother process, we built three Android apps so that sales reps, dealers, and truck drivers could have the information they need most at their fingertips. Our SM@RT-D app gives our sales force the ability to place and track orders. Our SUVIDHA app is used by customers to place orders without needing to contact the sales team, and DriverSathi tracks deliveries and makes billing more efficient.

Android’s secure and flexible platform was the right choice for our company’s apps. We were able to build and deliver apps to our team in six weeks, which are used by more than 4,000 employees and customers.

We are using the Enterprise Mobility Management capabilities in G Suite to manage the devices we provide for our sales force. Employees can also bring their own devices to access resources like Gmail and our company’s apps—we use Android’s device policy controller to manage the work profile, keeping company data secure on these devices. Dealers use their own Android devices to access our apps and place orders.

Since our sales reps began using our SM@RT-D app, sales have increased, with 60 percent of all orders now placed digitally. Our sales team uses the app to get quick access to product information from a customer site, while managers use it to check when the rep last visited that customer and to see what other stops the rep has that day.


We have more than 8,000 active users of our SUVIDHA app, which allows our customers to place orders anytime. Prior to this, they had to call into our sales team. We now see more than 1,000 orders placed each day with the app, which accounts for 35 percent of total sales.

With our third app, DriverSathi, we can track cement deliveries. Drivers get electronic proof of delivery, so we know exactly when each delivery was made, leading to on-time payment for our delivery drivers. Orders are filled 10 percent faster now because the process isn’t paper-based. Customers and dealers know when they will be receiving orders so they can manage their own sales pipelines.

This app also streamlines billing. Previously, invoices were often delayed by up to a month and a half because everything was done via hard copy, and it sometimes took weeks for drivers to hand in the paper invoices. Now the invoicing process starts as soon as the delivery is made because the app verifies exactly when delivery is completed, triggering the payment process.

Building custom apps on Android helped improve every part of our business, starting with the sales process, going all the way through delivery and invoicing. Going mobile with Android has been a key piece of our growth, as we’ve become one of the fastest-growing cement brands in India. Our Android applications enabled us to provide service to more customers in a quicker fashion because our employees have information they need when they need it most—on the road. And by giving the most efficient routing information, workers spend less time driving and more time talking with customers. With Android, it’s a win-win for everyone.

Android Oreo: a smart, tough and productive cookie for enterprises

Tom Watkins September 27, 2017 Android enterprise, Connected Workspaces, work profile

Android 8.0 Oreo is now available, bringing a sweet combination of improved productivity and enhanced security to enterprise customers. The new release builds on the consistent investments we’ve made to make Android stronger, easier to manage, and more productive for the enterprise.  

Personal space on your work device

Android’s unique work profile creates the best of both worlds—separating work and personal data so IT has the security it needs and users have the freedom to use the personal apps and services they want. Only the work data is managed, giving IT full control of corporate information and keeping employees’ photos, apps, and other personal data separate.

In Android Oreo, we’re now bringing work profiles to corporate-owned devices. Now, organizations can enable company devices for personal use with a work profile. While the organization still retains control of the device, work apps and data can be put in a work profile, keeping personal apps and data outside the profile.

This brings the benefits of the work profile to company-owned devices, such as removing the need for a complex device-wide passcode, and allowing employees to turn off work notifications when they’re away. The improved usability and clear separation makes this management mode ideal for corporate-owned, personally-enabled (COPE) deployments.


Get up and running in seconds

With zero-touch enrollment available in Android Oreo, organizations can deploy corporate-owned Android devices with enterprise mobility management settings pre-configured, so team members can start using their device right out of the box. Devices can be configured online and drop-shipped to employees who will have management enforced from the start.

With the work profile in Oreo, we’ve made it easier than ever for employees to set up their personal device for work, with 10x faster work profile setup. We’ve even reduced the enrollment steps required so users can get their work profile set up with a single tap—no complicated instructions required.

Robust security that stops malware in its tracks

We continue to invest in Android platform security, giving IT more advanced capabilities in managing their fleet of devices. With Project Treble in Oreo, we’re improving security by separating the underlying vendor implementation from the core Android framework. This modularization isolates each hardware abstraction layer (HAL) into its own process so each HAL only gets the hardware driver and kernel access it needs. This improves sandboxing and makes it harder for framework compromises to exploit the kernel.

We’re also enabling stricter enforcement of Google Play Protect, our always-on security service that scans for malware and blocks potentially harmful apps. Now, admins can block unknown or risky apps from being installed across the whole device, outside the work profile. We’re also providing new APIs to enable administrators to verify the security posture of their fleet including details on which apps are installed.

With the inclusion of secure password reset, it’s now easier for admins to securely help users recover from forgotten passwords on fully encrypted devices. Admins can also enable network logging for corporate-owned devices to record DNS lookups and TCP connections, helping companies detect suspicious network behavior or remotely debug problematic apps.

Improved privacy and transparency

It’s important for employees to have visibility into management policies, particularly when considering a device for personal use. To help employees stay informed, we’ve made it easier to see management actions taken across the device, such as the installation of a new app or enforcement of a lock screen. We’ve also improved notifications for connectivity changes, like always-on VPN and network logging.

These are just a few of the new and improved enterprise features in Android Oreo, with more updates coming soon. To learn more, check out the What’s new in Android 8.0 page.

Android zero-touch enrollment: seamless and secure enterprise deployment

James Nugent September 21, 2017 Android enterprise, Connected Workspaces, enterprise mobility, deployment, Android

Companies around the world deploy Android to mobilize employees and transform their businesses. No matter the use case, we know that a successful deployment is about more than just selecting the right devices; it’s about getting them configured and rolled out into the hands of users as quickly and easily as possible.

Today we’re launching a new deployment method called zero-touch enrollment to make Android rollouts more seamless and secure. With zero-touch enrollment, companies can configure the devices they purchase and have them shipped with management and settings pre-configured, so employees can get up and running out of the box.


For administrators, zero-touch enrollment removes the need for users to configure their devices manually and ensures that devices always have corporate policies in place. Support is also much easier, with no extra steps for end-users; they just sign in and get access to their work apps and data.  

Zero-touch is available on devices purchased from our zero-touch carrier partners, and we’re excited to partner with Verizon to offer zero-touch enrollment on the Pixel, phone by Google, starting today.

“For our business customers, deploying new devices and services securely with the ability to enforce device-specific policies is critical for protecting proprietary information and an organization’s brand,” says Ryan O’Shea, vice president of National Business Channels with Verizon Wireless. “The Android zero-touch enrollment program allows our business customers to get up and running seamlessly and securely, and we are excited today to introduce this initiative on the Pixel phone and other future Android devices.”

We’re working with our device partners, including Samsung, Huawei, Sony, LG Electronics, HMD Global Oy Home of Nokia Phones, BlackBerry smartphones, HTC, Motorola, Honeywell, Zebra, and Sonim, with additional OEMs to be added soon, to deliver the zero-touch experience to enterprises. The Huawei Mate 10, Sony Xperia XZ1 and XZ1 Compact specifically will be among the first devices to support zero-touch in the coming weeks, and of course other devices from our OEM partners will launch soon.

Organizations can use software from leading enterprise mobility management providers (EMMs) including VMware AirWatch, BlackBerry, MobileIron, IBM, SOTI, G Suite and others to specify configurations and device policies that are automatically applied to employees’ mobile devices during the initial setup.

If your company already uses other enrollment methods, don’t worry — you can mix enrollment methods to suit your particular needs. Samsung will continue to offer Knox Mobile Enrollment (KME) on Samsung devices, including pre-Oreo devices. Samsung devices that upgrade to, or ship with, Android Oreo will have zero-touch as an additional option. Other existing enrollment methods like QR code and NFC bump will continue to be supported across Android.

Keen to get started with zero-touch? Talk to our carrier partners who plan to offer zero-touch:

  • USA: Verizon, AT&T, Sprint, T-Mobile
  • Europe: BT, Deutsche Telekom
  • Asia-Pacific: Softbank, Telstra

To learn more, visit our zero-touch page.
