Last year, Google’s Project Zero security team discovered a vulnerability affecting modern microprocessors. Since then, Google engineering teams have been working to protect our customers from the vulnerability across the entire suite of Google products, including Google Cloud Platform (GCP), G Suite applications, and the Google Chrome and Chrome OS products. We also collaborated with hardware and software manufacturers across the industry to help protect their users and the broader web.
All G Suite applications have already been updated to prevent all known attack vectors. G Suite customers and users do not need to take any action to be protected from the vulnerability.
GCP has already been updated to prevent all known vulnerabilities. Google Cloud is architected in a manner that enables us to update the environment while providing operational continuity for our customers. We used our VM Live Migration technology to perform the updates with no user impact, no forced maintenance windows and no required restarts.
Customers who use their own operating systems with GCP services may need to apply additional updates to their images; please refer to the GCP section of the Google Security blog post concerning this vulnerability for additional details. As more updates become available, they will be tracked on the Compute Engine Security Bulletins page.
Finally, customers using Chrome browser—including for G Suite or GCP—can take advantage of Site Isolation as an additional hardening feature across desktop platforms, including Chrome OS. Customers can turn on Site Isolation for a specific set of websites, or all websites.
The Google Security blog includes more detailed information about this vulnerability and mitigations across all Google products.
Enterprise devices regularly access mission-critical data and are a key conduit for company communications. To ensure that organizations can power their mobility efforts with great features and security, Android offers managed device and work profile modes for mobile management.
Many organizations, however, are still using the Device Administration API, which was made available for developers in Android 2.2. When it was first released in 2010, device admin API provided enterprises with a reliable support system for enterprise applications. Since then, the needs of businesses have grown to require more vigorous management and security requirements.
Managing personal and company-owned devices
In Android 5.0, we created managed device (device owner) and work profile (profile owner) modes, which match the security needs of organizations that manage mobile devices. These are feature-rich and secure ways to manage devices. Most organizations are now using these modes to manage mobile devices, and we’re encouraging all organizations to make the switch.
We understand that for some organizations this switch may take time, so we have developed an extended timeline for the transition. Device admin API will be supported through Android Oreo and existing functionality will continue to be available in the next major Android release, though device admin APIs for password enforcement will no longer be supported. In the following Android release, expected in 2019, the APIs for password enforcement will no longer be available. We strongly recommend that businesses plan to move to work profile and managed device APIs. By sharing this update early, we aim to provide companies with sufficient time to migrate existing devices or start fresh as new ones are added to their fleet.
Non-enterprise device management
Some of the device admin APIs are used for non-enterprise device management, like Find My Device, which enables locking and wiping a lost phone. APIs commonly used by these applications will not be affected. Please see the developer migration guide for details on the specific changes.
Making the transition to work profiles or managed devices
For those currently using device admin, there are two strategies available to move to Android’s management APIs. Both options require companies to have an EMM provider that supports either Android’s work profile or managed device mode.
For personal devices used by employees for work, we recommend using the work profile. Migration from a legacy device admin to the work profile can be done with minimal disruption. This can be handled either by enabling personal devices to install a work profile, or by having new devices enroll with a work profile as existing devices phase out of the fleet.
We recommend that company-owned devices be set up as managed devices. Migrating a device from device admin to managed device requires a factory reset, so we recommend a phased adoption, where new devices are enrolled as managed devices while existing devices are left on device admin. New users and new devices should be configured with the new management modes as they are enrolled. Then, older device admin devices can be aged out of the fleet through natural attrition. We recommend that you begin to enroll all new company-owned devices running the major Android release after Oreo as managed devices, in preparation for the removal in the release after that.
Major mobility transitions are typically a large and important undertaking but we know that the needs of companies will be better served with the modern capabilities of Android’s managed device and work profile modes. For specific implementation details, see our developer migration guide.
Editor’s Note: Today’s post is from Becky Torkelson, Computer Support Specialist Leader for Scheels, an employee-owned 27-store chain of sporting goods stores in the Midwest and West. Scheels uses Chrome browser and G Suite to help its 6,000 employees better serve customers and work together efficiently.
Whether customers come to Scheels stores to buy running shoes, fishing rods or camping stoves, they talk to associates who know the products inside and out. We hire people who are experts in what they’re selling and who have a passion for sports and outdoor life. They use Chrome browser and G Suite to check email and search for products from Chromebooks right on the sales floor, so they can spend more time serving customers.
That’s a big improvement over the days when we had a few PCs, equipped with IBM Notes and Microsoft Office, in the back rooms of each store. Associates and service technicians used the PCs to check email, enter their work hours or look up product specs or inventory for customers—but that meant they had to be away from customers and off the sales floor.
Starting in 2015, we bought 100 Chromebooks and 50 Chromeboxes, some of which were used to replace PCs in store departments like service shops. Using Chromebooks, employees in these departments could avoid manual processes that slowed down customer service in the past. With G Suite, Chrome devices and Chrome browser working together, our employees have access to Gmail and inventory records when they work in our back rooms. They can quickly log on and access the applications they need. This means they have more time on the sales floor for face-to-face interaction with customers.
Our corporate buyers, who analyze inventory and keep all of our stores stocked with the products we need, use Google Drive to share and update documents for orders instead of trading emails back and forth. We’re also using Google Sites to store employee forms and policy guides for easy downloading—another way people save time.
We use Chrome to customize home pages for employee groups, such as service technicians. As soon as they log in to Chrome, the technicians see the bookmarks they need—they don’t have to jump through hoops to find technical manuals or service requests. Our corporate buyers also see their own bookmarks at login. Since buyers travel from store to store, finding their bookmarks on any computer with Chrome is a big time-saver.
Our IT help desk team tells me that they hardly get trouble tickets related to Chrome. There was a very short learning curve when we changed to Chrome, an amazing thing when you consider we had to choose tools for a workforce of 6,000 people. The IT team likes Chrome’s built-in security—they know that malware and antivirus programs are running and updating in the background, so Chrome is doing security monitoring for us.
Since Scheels is employee-owned, associates have a stake in our company’s success. They’re excited to talk to customers who want to learn about the best gear for their favorite sports. Chrome and G Suite help those conversations stay focused on customer needs and delivering smart and fast service.
When it comes to Chrome, security is one of our most important considerations—and that’s especially true when it comes to our enterprise users. We’re always looking for ways to further protect enterprises from potential dangers like ransomware, malware, and other vulnerabilities.
Chrome browser has been validated by third parties as a frontrunner in enterprise browser security, and we’re committed to constantly introducing more safeguards. That’s why the latest release of Chrome browser introduces a variety of new security enhancements for enterprises. From new ways to better isolate processes, to broader support for more advanced security standards, to the introduction of new policies, IT admins now have more options to protect their users and businesses from potential threats. Here’s a quick overview of the security updates this latest release of Chrome will offer, plus an update on a few upcoming changes in 2018.
Site Isolation: For enterprises with the highest security needs
Starting with today’s release, Site Isolation is now available. With Site Isolation enabled, Chrome renders content for each open website in a separate process, isolated from other websites. This can mean even stronger security boundaries between websites than Chrome’s existing sandboxing technology. Admins can read more to determine if this capability makes sense for their organization—and start implementing it immediately.
Making it easier to restrict extensions based on required permissions
Although admins have been able to whitelist and blacklist specific extensions in Chrome, we’ve heard feedback that it can be difficult to scale. Beginning today, IT admins can configure a new policy that restricts access to extensions based on the permissions required. For example, through policy, IT can now block all extensions that require the use of a webcam or microphone, or those that require access to reading or changing data on the websites visited. This policy is available now, and will help IT teams enforce necessary controls, without overly restricting users.
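As an added illustration (not code from the original post), the audit below applies a permission-based blocklist to a set of extension manifests to see which extensions would stop loading. It uses the `blocked_permissions` and `allowed_permissions` keys of Chrome's ExtensionSettings policy; the extension IDs, manifests, and the simplified merge of per-extension overrides are constructed assumptions.

```python
# Constructed extension IDs (32 characters, a-p), not real extensions.
EXT_A = "a" * 32
EXT_B = "b" * 32
EXT_C = "c" * 32

# ExtensionSettings-style policy: block webcam/microphone permissions for
# every extension, with one explicit exception for a vetted extension.
POLICY = {
    "*": {"blocked_permissions": ["audioCapture", "videoCapture"]},
    EXT_B: {"allowed_permissions": ["videoCapture"]},
}

# Constructed manifests standing in for an inventory of installed extensions.
MANIFESTS = {
    EXT_A: {"name": "Note Clipper", "permissions": ["storage", "audioCapture"]},
    EXT_B: {"name": "Approved Conferencing", "permissions": ["videoCapture"]},
    EXT_C: {
        "name": "Tab Tidy",
        "permissions": ["tabs", "https://*/*"],
        "optional_permissions": ["videoCapture"],
    },
}


def effective_blocked(policy, ext_id):
    """Permissions blocked for one extension.

    Simplifying assumption: a per-extension entry inherits the "*" blocklist
    unless it sets its own, and its allowed_permissions punch holes in it.
    """
    default = policy.get("*", {})
    own = policy.get(ext_id, {})
    blocked = set(own.get("blocked_permissions",
                          default.get("blocked_permissions", [])))
    return blocked - set(own.get("allowed_permissions", []))


def named_permissions(manifest, key):
    """API permission names only; host patterns and dict entries are skipped."""
    return {p for p in manifest.get(key, [])
            if isinstance(p, str) and "/" not in p}


def audit(policy, manifests):
    """Return {ext_id: (verdict, offending_permissions)} for each manifest."""
    report = {}
    for ext_id, manifest in manifests.items():
        blocked = effective_blocked(policy, ext_id)
        required = sorted(blocked & named_permissions(manifest, "permissions"))
        optional = sorted(
            blocked & named_permissions(manifest, "optional_permissions"))
        if required:
            # A required permission on the blocklist prevents loading.
            report[ext_id] = ("blocked", required)
        elif optional:
            # The extension loads, but the runtime request is declined.
            report[ext_id] = ("optional-denied", optional)
        else:
            report[ext_id] = ("allowed", [])
    return report


if __name__ == "__main__":
    for ext_id, (verdict, perms) in audit(POLICY, MANIFESTS).items():
        print(MANIFESTS[ext_id]["name"], verdict, perms)
```

Running an audit like this against an inventory before deploying the policy shows which extensions users would lose and which need an explicit exception.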
Version 1.3 of Transport Layer Security (TLS) and policy
Secure communication on the Internet is made possible through a protocol called Transport Layer Security (TLS). To support the latest security standards, we’re enabling TLS 1.3 for Gmail in today’s release of Chrome browser. The previous version, TLS 1.2, was standardized in 2008 and, although it can be secure when configured correctly, it’s in need of an overhaul. The improvements in TLS 1.3 make it faster and more secure, and we’ll be expanding TLS 1.3 support to the broader web in 2018.
Chrome browser users should not be impacted by this change. IT admins that are aware of any systems that are not interoperable with TLS 1.3 should post feedback in the admin forum. As admins prepare for the wider use of TLS 1.3, they can configure this policy for network software or hardware that will not transit TLS 1.3 connections. More details are available on this page.
Broader platform support for the NTLMv2 authentication protocol
Last week we shared on our admin forum that Chrome 64, coming in early 2018, will include support for the NTLMv2 authentication protocol, including Extended Protection for Authentication (EPA) on Mac, Android, Linux and Chrome OS. This allows all platforms to perform NTLM authentication with the same level of security that was previously available only in Chrome on Windows.
IT admins can enable this feature today by visiting chrome://flags/#enable-ntlm-v2. In Chrome 65, NTLMv2 will become the default NTLM protocol as it already is on Windows. More details are available on this page. With this update, Chrome will become the only browser to support NTLMv2 with EPA on non-Windows platforms.
Reducing Chrome crashes caused by third-party software
Last week we announced we’ll be implementing changes in Chrome to improve stability and reduce the number of browser crashes. Starting with the release of Chrome 68 in July 2018, we’ll begin blocking third-party software from injecting code into Chrome on Windows.
Code injection has historically been used by products such as anti-virus software. But it’s an outdated process, and we encourage vendors of such software to take advantage of the newer, more effective options available.
In the meantime, we understand sometimes businesses need to rely on such software, and we want to make sure they’re covered. We’ll be introducing a new policy in the coming months that will offer admins extended support for critical apps that require code injection to function.
Admins can visit chrome://conflicts to check if software currently installed on a computer is injecting into Chrome.
We’re excited to bring new capabilities to IT admins that enhance Chrome’s security and stability. For more information about Chrome browser for enterprise, visit Chrome.com/enterprise, or to share feedback, visit our Chrome browser Enterprise Admin Forum.
In August we announced the launch of Chrome Enterprise, a single, cost-effective solution giving you the security and control you need to keep your employees connected. On our road to releasing Chrome Enterprise, we listened to a lot of feedback from businesses. And one of the most common requests we received was greater printing capabilities.
Whether it’s firing off a last minute presentation, or grabbing those boarding passes on the way to the airport, fast and simple printing is business critical. That’s why we’re excited to expand Chrome Enterprise’s native printing capabilities.
Chrome Enterprise’s native print functionality is enabled through the Common UNIX Printing System (CUPS). CUPS uses an Internet Printing Protocol (IPP) that allows printing directly to a printer over the local network. You can add, remove, enable and disable printers by organizational unit in the Google admin console. Enabled printers will automatically appear in a user’s list of Chrome printers.
For employees, setup will be a cinch. With native print functionality, they can add a local printer and begin printing—no connectors needed. They can also print directly to a printer via USB.
For more information on managing native printing in Chrome Enterprise, check out our Help Center article. Or warm up your friendly local printer and fire away from your Chrome browser. Just don’t forget to BYOP (bring your own paper)!
Security is often top of mind for enterprise customers when it comes to choosing a device for work. Company data should be protected against all manner of threats to avoid a costly and distressing security breach.
The new Google Pixel 2 was built with a tamper-resistant hardware security module that reinforces the lock screen against malware and hardware attacks to better safeguard the data stored on your device, like emails, contacts and photos. This is the first of what we hope are many Android devices that feature dedicated security modules.
Benefits of tamper-resistant hardware
The lock screen is the first line of defense in protecting your data from attacks. Devices that ship with Android 7.0 and above verify your lock screen passcode in a secure environment, such as the Trusted Execution Environment or TEE, that limits how often someone can repeatedly brute-force guess it. Only when the secure environment has successfully verified your passcode does it reveal a device- and user-specific secret used to derive the disk encryption key. Without that key, your data can’t be decrypted.
The goal of these protections is to prevent attackers from decrypting your data without knowing your passcode. However, the protections are only as strong as the secure environment that verifies the passcode. Performing these types of security-critical operations in tamper-resistant hardware significantly increases the difficulty of attacking it.
Tamper-resistant hardware comes in the form of a discrete chip, separate from the System on a Chip (SoC). It includes its own flash, RAM, processing unit, and other resources inside a single package, so it can fully control its own execution and ward off external attempts to tamper with it. The package is resistant to physical penetration and designed to resist many side channel attacks, including power analysis, timing analysis, and electromagnetic sniffing. The hardware is also resilient against many physical fault injection techniques including attempts to run outside normal operating conditions, such as wrong voltage, wrong clock speed, or wrong temperature.
Security module in Pixel 2
In addition to being tamper-resistant, the security module in Pixel 2 also helps protect against software-only attacks. Because it performs very few functions, it has a super small attack surface. And with passcode verification happening in the security module, even in the event of a full compromise elsewhere, the attacker cannot derive your disk encryption key without compromising the security module first.
The security module is designed so that nobody, including Google, can update the passcode verification to a weakened version without knowing your passcode first.
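The following is an added model of the flow described in this section, not Google's or Pixel 2's implementation: a verifier that throttles guesses and releases a per-device secret only after a correct passcode, from which the disk key is derived. The class and function names, the backoff schedule, and the PBKDF2/HMAC choices are all assumptions made for illustration.

```python
import hashlib
import hmac
import os

FREE_ATTEMPTS = 5        # failures tolerated before any delay (assumed value)
BASE_DELAY_S = 30        # length of the first lockout in seconds (assumed value)
MAX_DELAY_S = 24 * 3600  # cap on a single lockout (assumed value)


class Throttled(Exception):
    """A guess arrived while the verifier is locked out."""


class WrongPasscode(Exception):
    """The guess did not match the enrolled passcode."""


class FakeClock:
    """Injected clock so the lockout logic can be exercised without sleeping."""

    def __init__(self):
        self.now = 0.0

    def __call__(self):
        return self.now

    def advance(self, seconds):
        self.now += seconds


def lockout_after(failures):
    """Seconds of lockout once `failures` consecutive guesses have failed."""
    if failures < FREE_ATTEMPTS:
        return 0
    return min(BASE_DELAY_S * 2 ** (failures - FREE_ATTEMPTS), MAX_DELAY_S)


class SecureVerifier:
    """Toy stand-in for the secure environment that checks the passcode."""

    def __init__(self, passcode, clock):
        self._clock = clock
        self._salt = os.urandom(16)
        self._tag = self._stretch(passcode)
        # Device- and user-specific secret; released only after verification.
        self._secret = os.urandom(32)
        self._failures = 0
        self._locked_until = 0.0

    def _stretch(self, passcode):
        return hashlib.pbkdf2_hmac("sha256", passcode.encode(), self._salt, 10_000)

    def unlock(self, guess):
        now = self._clock()
        if now < self._locked_until:
            raise Throttled(f"retry in {self._locked_until - now:.0f}s")
        # Record the attempt before comparing, so an interrupted check
        # still counts against the guess budget.
        self._failures += 1
        self._locked_until = now + lockout_after(self._failures)
        if hmac.compare_digest(self._stretch(guess), self._tag):
            self._failures = 0
            self._locked_until = 0.0
            return self._secret
        raise WrongPasscode()


def derive_disk_key(secret):
    """Derive the disk encryption key from the released secret."""
    return hmac.new(secret, b"disk-encryption-key-v1", hashlib.sha256).digest()


def worst_case_wait_seconds(guesses):
    """Total lockout time that must elapse before `guesses` attempts fit."""
    return sum(lockout_after(k) for k in range(1, guesses))


if __name__ == "__main__":
    years = worst_case_wait_seconds(10_000) / (365 * 86400)
    print(f"Trying every 4-digit PIN takes about {years:.0f} years of lockout")
```

The sum over the lockout schedule shows why the strength of the scheme rests on the environment that enforces the counter: with the throttle intact, a four-digit passcode space takes years to exhaust, and without it the same space is trivial.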
Security at the core
Businesses that choose the new Google Pixel 2, or a future Android device with tamper-resistant hardware, will have more peace of mind that critical company data is safer against an entire class of sophisticated hardware attacks. These security upgrades, along with the comprehensive and innovative management features that Android brings to work, give your business a powerful set of tools for a mobile workforce.
Editor’s note: Based in Switzerland, LafargeHolcim is one of the world’s largest manufacturers of building materials, with a presence in 80 countries. Paul Young, their head of collaboration and knowledge, tells us how they relied on Chrome and Android devices to stay business ready during a merger.
Merging two large companies, with two large IT systems, is a challenge even under the best of circumstances. So when the world’s two largest cement manufacturers, Lafarge and Holcim, merged in 2015, ensuring business continuity while integrating these two IT systems was a top priority. Fortunately we had Chrome to help.
Before the merger, Lafarge and Holcim both migrated to Chrome, making the transition easier, faster and more cost-effective. The merger increased the company’s global presence to 80 countries, but with Chrome, updates were automatic. Chrome was also pre-installed on each desktop and mobile device, so we saved time because we didn’t need to deploy it region by region.
Google’s admin console has made it easy for our IT department to manage both Chrome browser and Android devices from a web-based application. Since we have offices around the globe, this was crucial. Not only are Android devices affordable, but our IT department finds them easy to set up and manage from one administrative panel. And with Chrome, our IT staff can manage browser settings for our employees’ devices no matter where they are. Overall, the combination of Chrome and Android devices has saved the company thousands of dollars every year.
Since the merger, LafargeHolcim has become a leader in manufacturing cement, concrete, aggregates and asphalt, but our growth hasn’t diminished our pace of innovation. In 1864, Lafarge won the “contract of the century” and delivered materials to build the Suez Canal. In 1942, Holcim created one of the world’s first cement research and testing facilities. Combined, LafargeHolcim has over 180 years of experience. And with Google, we’re able to help our employees do their jobs better as more of their work moves online and goes mobile—and continue to innovate.
With G Suite, we’re focused on building tools that help you bring great ideas to life. We know meetings are the main entry point for teams to share and shape ideas into action. That’s why we recently introduced Hangouts Meet, an evolution of Google Hangouts designed specifically for the workplace, and Jamboard, a way to bring creative brainstorming directly into meetings. Combined with Calendar and Drive, these tools extend collaboration beyond four walls and transform how we work—so every team member has a voice, no matter their location.
But the transformative power of video meetings is wasted if it’s not affordable and accessible to all organizations. So today, we’re introducing Hangouts Meet hardware—a new way to bring high-quality video meetings to businesses of any size. We’re also announcing new software updates designed to make your meetings even more productive.
Introducing Hangouts Meet hardware
Hangouts Meet hardware is a cost-effective way to bring high-quality video meetings to your business. The hardware kit consists of four components: a touchscreen controller, speakermic, 4K sensor camera and ASUS Chromebox.
The new controller provides a modern, intuitive touchscreen interface that allows people to easily join scheduled events from Calendar or view meeting details with a single tap. You can pin and mute team members, as well as control the camera, making managing meetings easy. You can also add participants with the dial-a-phone feature and present from a laptop via HDMI. If you’re a G Suite Enterprise edition customer, you can record the meeting to Drive.
Designed by Google, the Hangouts Meet speakermic actively eliminates echo and background noise to provide crisp, clear audio. Up to five speakermics can be daisy-chained together with a single wire, providing coverage for larger rooms without tabletop clutter.
The 4K sensor camera with 120° field of view easily captures everyone at the table, even in small spaces that some cameras find challenging. Each camera component is fine-tuned to make meetings more personal and distraction-free. Built with machine learning, the camera can intelligently detect participants and automatically crop and zoom to frame them.
Powered by Chrome OS, the ASUS Chromebox makes deploying and managing Hangouts Meet hardware easier than ever. The Chromebox can automatically push updates to other components in the hardware kit, making it easier for large organizations to ensure security and reliability. Remote device monitoring and management make it easy for IT administrators to stay in control, too.
New Hangouts Meet enhancements greatly improve user experience and simplify our meeting rooms. It also creates new ways for our team to collaborate.
IT Analyst, Woolworths Limited, Australia
Says Bradley Rhodes, IT Analyst End User Computing at Woolworths Ltd Australia, “We are very excited about the new Hangouts Meet hardware, particularly the easy-to-use touchscreen. The enhancements greatly improve the user experience and simplify our meeting rooms. We have also seen it create new ways for our team to collaborate, like via the touch-to-record functionality which allows absent participants to catch up more effectively.”
More features, better meetings
We’re also announcing updates to Meet based on valuable feedback. If you’re a G Suite Enterprise edition customer, you can:
- Record meetings and save them to Drive. Can’t make the meeting? No problem. Record your meeting directly to Drive. Even without a Hangouts Meet hardware kit, Meet on web can save your team’s ideas with a couple of clicks.
- Host meetings with up to 50 participants. Meet supports up to 50 participants in a meeting, especially useful for bringing global teams together from both inside and outside of your organization.
- Dial in from around the globe. The dial-in feature in Meet is now available in more than a dozen markets. If you board a flight in one country and land in another, Meet will automatically update your meeting’s dial-in listing to a local phone number.
These new features are rolling out gradually. The hardware kit is priced at $1999 and is available in select markets around the globe beginning today.
Whether you’re collaborating in Jamboard, recording meetings and referencing discussions in Drive or scheduling your next team huddle in Calendar, Hangouts Meet hardware makes it even easier to bring the power of your favorite G Suite tools into team meetings. For more information, visit the G Suite website.
Editor’s note: October is Cybersecurity Awareness Month, and we’re celebrating with a series of security announcements this week. See our earlier posts on new security protections tailored for you, our new Advanced Protection Program, and our progress fighting phishing.
Security has always been one of Chrome’s core principles—we constantly work to build the most secure web browser to protect our users. Two recent studies concluded that Chrome was the most secure web browser in multiple aspects of security, with high rates of catching dangerous and deceptive sites, lightning-fast patching of vulnerabilities, and multiple layers of defenses.
About a year ago, we announced that we would begin marking all sites that are not encrypted with HTTPS as “not secure” in Chrome. We wanted to help people understand when the site they’re on is not secure, and at the same time, provide motivation to that site’s owner to improve the security of their site. We knew this would take some time, and so we started by only marking pages without encryption that collect passwords and credit cards. In the next phase, we began showing the “not secure” warning in two additional situations: when people enter data on an HTTP page, and on all HTTP pages visited in Incognito mode.
It’s only been a year, but HTTPS usage has already made some incredible progress. You can see all of this in our public Transparency Report:
- 64 percent of Chrome traffic on Android is now protected, up from 42 percent a year ago.
- Over 75 percent of Chrome traffic on both Chrome OS and Mac is now protected, up from 60 percent on Mac and 67 percent on Chrome OS a year ago.
- 71 of the top 100 sites on the web use HTTPS by default, up from 37 a year ago.
We’re also excited to see HTTPS usage increasing around the world. For example, we’ve seen HTTPS usage surge recently in Japan; large sites like Rakuten, Cookpad, Ameblo, and Yahoo Japan all made major headway towards HTTPS in 2017. Because of this, we’ve seen HTTPS in Japan surge from 31 percent to 55 percent in the last year, measured via Chrome on Windows. We see similar upward trends in other regions—HTTPS is up from 50 percent to 66 percent in Brazil, and 59 percent to 73 percent in the U.S.!
Ongoing efforts to bring encryption to everyone
To help site owners migrate (or originally create!) their sites on HTTPS, we want to make sure the process is as simple and cheap as possible. Let’s Encrypt is a free and automated certificate authority that makes securing your website cheap and easy. Google Chrome remains a Platinum sponsor of Let’s Encrypt in 2017, and has committed to continue that support next year.
Google also recently announced managed SSL for Google App Engine, and has started securing entire top-level Google domains like .foo and .dev by default with HSTS. These advances help make HTTPS automatic and painless, to make sure we’re moving towards a web that’s secure by default.
HTTPS is easier and cheaper than ever before, and it enables both the best performance the web offers and powerful new features that are too sensitive for HTTP. There’s never been a better time to migrate! Developers, check out our set-up guides to get started.
Managing mobile devices and applications can be a challenge for businesses and partners of all sizes.
Today, our Enterprise Mobility Management (EMM) partners write their own management app in order to enable management of Android devices; we call this a “device policy controller” (DPC) app. A DPC app is essentially an agent deployed by the EMM, with the real value living in the console and back end, which the app communicates with directly.
Now, with our newest tool, the Android Management API, customers and EMMs can manage devices using a server-side API and eliminate the need to write a management app. The Android Management API takes on this complexity so partners can focus on what’s important to their customers and not worry about the underlying Android framework.
Now, creating policies for your device fleet is as simple as creating a Google Cloud project and making a couple of REST API calls. The Android Management API is built around policies, rather than discrete transactions; just tell the API how a device should be managed.
Behind the scenes, Google interprets these policies into a specific set of actions for the target device, and executes those requests using the Android Device Policy app, a Google-made managing agent. Because we provide the managing agent, developers don’t need to handle nuances of the framework implementation, such as which APIs are available or what bugs need to be worked around on given versions of Android.
We’ve been testing the Android Management API with several early access partners. Mobiltec, which has launched a validated Corporate Owned Single-Use (COSU) solution, found the new API sped up the company’s EMM efforts by easing back on some development needs.
“Android Management API is a powerful Cloud Platform API that allows us to easily integrate Android EMM functions to cloud4mobile, our EMM tool. With this new management API, we can deliver top-of-market EMM solutions to a wide range of devices,” says Paulo Morandi, senior software architect at Mobiltec. “Since we don’t need to develop our own DPC (device policy controller), new features can be added in minutes; just some HTTP requests and you are done.”
The Android Management API is compatible with any device running Android 6.0 (Marshmallow) or above that has Google Play installed. Designed with the needs of businesses in mind, it doesn’t matter if an organization’s devices come from one or many manufacturers—this new API provides a consistent way to manage a device.
Our first set of APIs focuses on purpose-built device use cases, such as digital signage, ticket printing, or kiosks. Over the coming months, our team of engineers will add more features to cover knowledge worker management use cases, and ultimately all Android enterprise solution sets.
The Android Management API is now available in beta for all partners and developers, whether they are developing EMM software, purpose-built specific applications, or an in-house solution for an organization.
Want to try it out? Using Google’s API Explorer, you can try out the API and provision a device in minutes. All you need is a new or factory reset Android 6.0+ device and a Gmail account. Check out the Quick Start Guide to discover how quickly things can get up and running. We hope this makes development easier for partners and helps them bring the latest Android features to customers faster.
Editor’s note: Today’s post comes from Vijay Badal, Director of Application Services of DOTComm. Founded in 2003, DOTComm provides centralized IT support and consulting for 70 government agencies in the city of Omaha and Douglas County, NE. DOTComm uses Chrome browser and G Suite to improve employee productivity and mobility and cut IT costs.
At DOTComm, our employees provide technical support for more than 5,000 government workers throughout Omaha and Douglas County. Because these workers are spread across 120 different locations, our employees need access to the tools they need to do their jobs whether they’re in the office or on site with our customers. Several years ago, we realized the legacy systems we were using were getting in the way.
When employees had to travel to provide technical support for the government agencies we serve, they didn’t have mobile access to important documents, or the ability to share and send files back to the office, such as videos that outlined technical issues. In addition, hardware and licensing were costly, and inflexible productivity applications were making it difficult for employees to collaborate or work from the road. Plus, we needed half a dozen employees just to maintain our infrastructure!
To solve these challenges, we turned to Chrome and G Suite. Chrome is fast, secure and gives our staff access to thousands of useful extensions. It’s also allowed us to standardize across our desktop and mobile devices. G Suite has helped us cut hardware costs and improve collaboration and mobility. With Chrome and G Suite, we no longer pay thousands of dollars in annual licensing fees, and we’ve reduced the number of people managing infrastructure from six to one, freeing up the other five people to work on different tasks.
Chrome’s extensions have been big productivity boosters. One extension syncs the staff’s Google calendars with their Salesforce calendars. Previously, employees had to check two separate apps and cross-reference two separate calendars. Now they only need to check one. Another extension gives staff mobile access to Google Docs and Google Sheets. This means they can work nearly anywhere. When they’re out of the office, or in the field, they can create and share files on any device they need.
As an IT department, we’re particularly pleased with the security and other IT benefits we get with Google. Chrome has built-in malware and phishing protection, and we use the G Suite admin console to ensure all user downloads are stored on the same network drive so they can be checked for malware. The G Suite admin console lets us control Chrome settings for employees, including adding extensions on whitelists so employees can use them, pushing recommended extensions to users, and rolling out Chrome updates on a scheduled timeframe. That’s made our IT administrators’ lives much easier and has been a huge timesaver. And because we centrally manage the rollout of extensions for new employees, individual city and departments no longer need to have a dedicated IT person working on new hire application orientation. So we save time and money with each new hire.
Meanwhile, the number of help tickets for IT support has plummeted, from 30 a day to one or two. For example, we no longer have to deal with local archive files, which means our staff spends less time troubleshooting and the government employees we serve don’t waste time wrestling with unfamiliar technology. Productivity has increased as well. For example, City Police, City Fire, and County Health departments all use shared Google Sheets within their individual precincts for shift change management. This allows them to roll over shift changes swiftly and efficiently, without missing any critical ongoing task assignments.
Chrome browser and G Suite have allowed us to offer more secure and productive IT services to all City of Omaha and Douglas County employees, who are then able to better serve citizens. DOTComm and the City of Omaha were recently honored as one of “Top 10 Cities” by the Center for Digital Government in its Digital Cities Survey 2016, which recognizes cities that use technology to improve citizen services, enhance transparency and encourage citizen engagement. This marked the first time the City of Omaha made the list—but I predict it won’t be the last now that we’re using Chrome browser and G Suite.
Editor’s note: Today’s post comes from Sunil Tewari, Head of Technology and Business Services for Dalmia Bharat Group, one of India’s largest cement manufacturers. Read how Dalmia Bharat Group uses Android to increase sales, optimize cement delivery, and better connect their workforce.
Dalmia Cement is a leader in the Indian cement industry, producing over 9 million tons of cement for its customers every year. Founded as a division of the Dalmia Bharat Group in 1939, we’ve consistently innovated our manufacturing and production processes, pioneering specialty cements used for oil wells, railway sleepers, and air strips.
We’re quick to embrace solutions that make our business more efficient and responsive for our customers. So when it came to mobility, we turned to another powerhouse of innovation—Android. Our analog record-keeping system wasn’t keeping up with our needs: our customers are spread far and wide across India, so many of our employees spend their work hours largely on the road, making sales calls and deliveries. We have between 15,000 and 18,000 trucks delivering cement to cities and remote areas, and 600 sales representatives visiting customers every day.
In a business that relies on strong personal relationships between sales reps and customers, keeping track of contacts, purchases and deliveries with so many employees while on the go is difficult. Sales reps need to be able to get information quickly while they’re at a customer site or in the office. Managers need to make sure drivers are taking the quickest delivery route to where the customers are. And we need to track successful deliveries so we know when to bill the client.
To make all of this a smoother process, we built three Android apps so that sales reps, dealers, and truck drivers could have the information they need most at their fingertips. Our SM@RT-D app gives our sales force the ability to place and track orders. Our SUVIDHA app is used by customers to place orders without needing to contact the sales team, and DriverSathi tracks deliveries and makes billing more efficient.
Android’s secure and flexible platform was the right choice for our company’s apps. We were able to build and deliver apps to our team in six weeks, and they are used by more than 4,000 employees and customers.
We are using the Enterprise Mobility Management capabilities in G Suite to manage the devices we provide for our sales force. Employees can also bring their own devices to access resources like Gmail and our company’s apps—we use Android’s device policy controller to manage the work profile, keeping company data secure on these devices. Dealers use their own Android devices to access our apps and place orders.
Since our sales reps began using our SM@RT-D app, sales have increased, with 60 percent of all orders now placed digitally. Our sales team uses the app to get quick access to product information from a customer site, while managers use it to check when the rep last visited that customer and to see what other stops the rep has that day.
We have more than 8,000 active users of our SUVIDHA app, which allows our customers to place orders anytime. Prior to this, they had to call into our sales team. We now see more than 1,000 orders placed each day with the app, which accounts for 35 percent of total sales.
With our third app, DriverSathi, we can track cement deliveries. Drivers get electronic proof of delivery, so we know exactly when each delivery was made, leading to on-time payment for our delivery drivers. Orders are filled 10 percent faster now because the process isn’t paper-based. Customers and dealers know when they will be receiving orders so they can manage their own sales pipelines.
This app also streamlines billing. Previously, invoices were often delayed by up to a month and a half because everything was done via hard copy, and it sometimes took weeks for drivers to hand in the paper invoices. Now the invoicing process starts as soon as the delivery is made because the app verifies exactly when delivery is completed, triggering the payment process.
Building custom apps on Android helped improve every part of our business, starting with the sales process, going all the way through delivery and invoicing. Going mobile with Android has been a key piece of our growth, as we’ve become one of the fastest-growing cement brands in India. Our Android applications enabled us to provide service to more customers in a quicker fashion because our employees have information they need when they need it most—on the road. And by giving the most efficient routing information, workers spend less time driving and more time talking with customers. With Android, it’s a win-win for everyone.
Editor’s note: Today’s post comes from Jane Calder, General Manager of Marketing at Heritage Bank, Australia’s largest customer-owned bank with over 60 branches throughout Queensland. As part of a refurbishment of its branches, Heritage Bank used Chrome OS and Chromeboxes to power video walls and interactive touchscreens to guide customers in making key financial decisions.
As a customer-owned bank, we’re passionate about delivering great customer experiences. So when we set out to revitalize the design of our bank branch network, we wanted to remove barriers that come between staff and customers. Customers come to us to have life-changing conversations, like how to buy their first homes and how to save up for their children’s college education. The digital screens now in place across over a third of our network, along with the interactive kiosks in over a dozen branches, use Chrome OS and Chromeboxes to offer a modern and approachable way to kick off these important conversations.
Many of our branches are in shopping malls, so we want to appear as friendly, welcoming, and current (from an interior design standpoint) as any other store that our customers visit regularly. To achieve this, we’re removing security barriers that separate branch staff from customers. And we’ve added interactive touchpoints to help. But this is not the first time we’ve done this. In the past we’ve experimented with other digital methods to educate customers on our products and services. However, branch employees told us the time needed to perform tasks like updating software or screen content was detracting from their most important task, helping customers. Additionally, these screens offered no interactivity, so they didn’t let customers choose what they wanted to see.
As a solution, our technology partner, DAT Media, recommended Chrome management and Chrome OS devices, such as Chromebases and Chromeboxes. With the rollout of digital signage, branch staff no longer need to worry about technical updates or screen content. Chrome management is so easy to use that my marketing team pushes out content ourselves. All we need to do is add content for a group or site, click, and the screens are updated. It’s that simple.
Using a touchscreen Chromebase, DAT Media created a custom self-service app for interactive kiosks, allowing customers to request PDF brochures via email and make appointments for future visits. Customers save time because they don’t have to wait, and they don’t have to sift through brochures looking for the right ones to take home. Our customers are even happier, and we save time—and money—as we’ve been able to reduce printing brochures and marketing posters. Branch staff no longer have to remove outdated brochures and posters, since the screens are centrally updated to ensure they are current.
While saving time and money is important, the best thing about the new signage and kiosks is that our customers get information about bank services—or about local events like summer movie nights—faster and easier. Our screens are not just telling customers what we sell, they’re showing that we’re here to help guide them through life’s big changes.
We hope our story helps other banks see how digital signage makes spaces like bank branches friendlier and more engaging.
Android 8.0 Oreo is now available, bringing a sweet combination of improved productivity and enhanced security to enterprise customers. The new release builds on the consistent investments we’ve made to make Android stronger, easier to manage, and more productive for the enterprise.
Personal space on your work device
Android’s unique work profile creates the best of both worlds—separating work and personal data so IT has the security it needs and users have the freedom to use the personal apps and services they want. Only the work data is managed, giving IT full control of corporate information and keeping employees’ photos, apps, and other personal data separate.
In Android Oreo, we’re now bringing work profiles to corporate-owned devices. Now, organizations can enable company devices for personal use with a work profile. While the organization still retains control of the device, work apps and data can be put in a work profile, keeping personal apps and data outside the profile.
This brings the benefits of the work profile to company-owned devices, such as removing the need for a complex device-wide passcode, and allowing employees to turn off work notifications when they’re away. The improved usability and clear separation makes this management mode ideal for corporate-owned, personally-enabled (COPE) deployments.
Get up and running in seconds
With zero-touch enrollment available in Android Oreo, organizations can deploy corporate-owned Android devices with enterprise mobility management settings pre-configured, so team members can start using their device right out of the box. Devices can be configured online and drop-shipped to employees who will have management enforced from the start.
With the work profile in Oreo, we’ve made it easier than ever for employees to set up their personal device for work, with 10x faster work profile setup. We’ve even reduced the enrollment steps required so users can get their work profile set up with a single tap—no complicated instructions required.
Robust security that stops malware in its tracks
We continue to invest in Android platform security, giving IT more advanced capabilities in managing their fleet of devices. With Project Treble in Oreo, we’re improving security by separating the underlying vendor implementation from the core Android framework. This modularization isolates each hardware abstraction layer (HAL) into its own process so each HAL only gets the hardware driver and kernel access it needs. This improves sandboxing and makes it harder for framework compromises to exploit the kernel.
We’re also enabling stricter enforcement of Google Play Protect, our always-on security service that scans for malware and blocks potentially harmful apps. Now, admins can block unknown or risky apps from being installed across the whole device, outside the work profile. We’re also providing new APIs to enable administrators to verify the security posture of their fleet, including details on which apps are installed.
With the inclusion of secure password reset, it’s now easier for admins to securely help users recover from forgotten passwords on fully encrypted devices. Admins can also enable network logging for corporate-owned devices to record DNS lookups and TCP connections, helping companies detect suspicious network behavior or remotely debug problematic apps.
Improved privacy and transparency
It’s important for employees to have visibility into management policies, particularly when considering a device for personal use. To help employees stay informed, we’ve made it easier to see management actions taken across the device, such as the installation of a new app or enforcement of a lock screen. We’ve also improved notifications for connectivity changes, like always-on VPN and network logging.
These are just a few of the new and improved enterprise features in Android Oreo, with more updates coming soon. To learn more, check out the What’s new in Android 8.0 page.
Companies around the world deploy Android to mobilize employees and transform their businesses. No matter the use case, we know that a successful deployment is about more than just selecting the right devices; it’s about getting them configured and rolled out into the hands of users as quickly and easily as possible.
Today we’re launching a new deployment method called zero-touch enrollment to make Android rollouts more seamless and secure. With zero-touch enrollment, companies can configure the devices they purchase and have them shipped with management and settings pre-configured, so employees can get up and running out of the box.
For administrators, zero-touch enrollment removes the need for users to configure their devices manually and ensures that devices always have corporate policies in place. Support is also much easier, with no extra steps for end-users; they just sign in and get access to their work apps and data.
Zero-touch is available on devices purchased from our zero-touch carrier partners, and we’re excited to partner with Verizon to offer zero-touch enrollment on the Pixel, phone by Google, starting today.
“For our business customers, deploying new devices and services securely with the ability to enforce device-specific policies is critical for protecting proprietary information and an organization’s brand,” says Ryan O’Shea, vice president of National Business Channels with Verizon Wireless. “The Android zero-touch enrollment program allows our business customers to get up and running seamlessly and securely, and we are excited today to introduce this initiative on the Pixel phone and other future Android devices.”
We’re working with our device partners, including Samsung, Huawei, Sony, LG Electronics, HMD Global Oy Home of Nokia Phones, BlackBerry smartphones, HTC, Motorola, Honeywell, Zebra, and Sonim, with additional OEMs to be added soon, to deliver the zero-touch experience to enterprises. The Huawei Mate 10, Sony Xperia XZ1 and XZ1 Compact specifically will be among the first devices to support zero-touch in the coming weeks, and of course, other devices from our OEM partners will launch soon.
Organizations can use software from leading enterprise mobility management providers (EMMs) including VMware AirWatch, BlackBerry, MobileIron, IBM, SOTI, G Suite and others to specify configurations and device policies that are automatically applied to employees’ mobile devices during the initial setup.
If your company already uses other enrollment methods, don’t worry — you can mix enrollment methods to suit your particular needs. Samsung will continue to offer Knox Mobile Enrollment (KME) on Samsung devices, including pre-Oreo devices. Samsung devices that upgrade to, or ship with, Android Oreo will have zero-touch as an additional option. Other existing enrollment methods like QR code and NFC bump will continue to be supported across Android.
Keen to get started with zero-touch? Talk to our carrier partners who plan to offer zero-touch:
USA: Verizon, AT&T, Sprint, T-Mobile
Europe: BT, Deutsche Telekom
Asia-Pacific: Softbank, Telstra
To learn more, visit our zero-touch page.
Online security has never been more critical to businesses, and the tools used to access the web are a major factor to evaluate. Choosing an enterprise-grade web browser that offers the right security features keeps businesses’ data protected while enabling employees to take advantage of the open web. But knowing which browser to choose often requires a deep understanding of security design and implementation tradeoffs that enterprise IT decision makers don’t have the time or resources to fully identify and investigate. Furthermore, well-researched, independently-verifiable data on enterprise browser security is in short supply. And in its absence, many IT administrators resort to guesswork and experimentation in their decision-making.
This complex landscape of enterprise browser security is the topic of two white papers recently published by security engineering firms X41 D-Sec GmbH and Cure53. Both firms have extensive industry experience and expertise in information security, application security, web application security and vulnerability discovery. These two papers leverage that expertise to examine the relative security strengths of the three most popular enterprise browsers: Google Chrome, Microsoft Edge, and Microsoft Internet Explorer (IE).
We sponsored this research, which was conducted independently by the research firms, to help enterprise IT administrators evaluate which browser best fits their security and functionality needs. To be most useful for enterprises and the public, Cure53 and X41 performed their research and testing using only publicly available information, and clearly documented their comparison methodologies. This enables anyone to recreate their tests, validate their methodologies, and verify their conclusions.
Although Cure53 and X41 produced these white papers in isolation from each other, both came to similar conclusions when it came to enterprise browser security. Here are their findings in a few key areas:
Phishing and malware protection is critical to staying safe on the web.
The prevalence of phishing to steal credentials and deliver malicious payloads makes protection more critical than ever. X41 found that Safe Browsing on Chrome and SmartScreen on Edge and IE offered similar protection, with Safe Browsing performing more accurately than SmartScreen in some test results.
Isolating application components through sandboxing reduces risk.
Modern browsers that eliminate legacy functionality are more secure.
Browser Helper Objects (BHOs) and plug-ins like ActiveX have been a go-to choice for client-side attacks. Cure53 and X41 found that Chrome and Edge do not support these vulnerable technologies. IE supports both, making it more susceptible to attack than either Edge or Chrome. Additionally, Cure53 and X41 found that IE is still vulnerable to attacks via signed Java Applets, and more susceptible to malicious Flash content. While Chrome and Edge can both be configured to fall back to IE to support legacy compatibility, administrators can exert more control over Chrome’s fallback mechanism.
Web security is one of Google’s primary concerns, and has been a guiding principle for Chrome since day one. We’re pleased that these papers independently confirm significant improvements in the enterprise browser security landscape overall. We think strong security safeguards, regardless of which browser you choose, make the web better, and safer, for everyone. We hope these white papers can help you find the right solution for your business.
Take a read through the white papers linked above to learn more about their findings. If you’d like to take a deeper look at the security controls available in Chrome or download the Chrome enterprise bundle, visit the Chrome enterprise website.