Google has been steadily adding enterprise management capabilities to the Android operating system, but it's not always clear how the tools and technologies differ from one another or how IT can effectively administer Android devices and apps with them.
This cheat sheet aims to clarify some of the differences between Android features specific to the enterprise to help administrators better understand the options for Android enterprise device management.
Android device management APIs and services
Device Administration API: Google introduced this API in Android 2.2 to provide developers with device administration features at the system level.
Although many organizations continue to use this API, it is no longer robust enough to meet today's security and management requirements. For example, the API cannot securely reset device passwords on encrypted devices or establish administrator-defined passcodes to lock a user out of a device.
Instead, developers should transition to newer Android technologies when interfacing with the Android operating system (OS). Google plans to start deprecating Device Administration policies in the next Android release.
Modern management APIs: Android provides several APIs for working with the Android and Google Play ecosystems. One of the most important is the Android Management API, which vendors can incorporate into their enterprise mobility management (EMM) platforms to provide customers with tools to provision, secure and help with Android enterprise device management.
For strong Android enterprise device management, IT teams should look for EMM products that take full advantage of these APIs, such as Google Mobile Management, VMware AirWatch, MobileIron, IBM MaaS360 or other products.
Google Mobile Management: Administrators can use Google's EMM platform to secure and monitor Android devices, and to help with Android enterprise device management, similarly to third-party EMM products that use the Android management APIs.
Google Mobile Management is included with all G Suite editions and supports Apple iOS and Windows Phone devices in addition to Android.
Android Enterprise: Google renamed Android for Work to Android Enterprise and expanded the product to include more robust enterprise features. Android Enterprise is an umbrella term that covers the wide range of security and management features available in the latest Android OS releases.
Android Enterprise Recommended: Google created the Recommended program to ensure that Android devices and their related services adhere to established requirements and best practices for Android enterprise device management. The program defines an elevated set of specifications for validating EMM products, cellular services and Android devices. Google provides a list of validated products and services on its Android Enterprise site.
Enterprise provisioning: Google supports several options to provision Android devices, such as using QR codes or near-field communication provisioning apps.
With the release of Android 8.0 Oreo, administrators can also configure company-owned devices for zero-touch enrollment, which enables a device to automatically enroll itself in EMM when the device is first turned on.
Device deployment scenarios
Work-managed: Work-managed deployments apply to corporate-owned devices that employees use exclusively for conducting business. Administrators control the entire device, including the data and applications, and can restrict the device's usage to approved work-related operations. End users should not use work-managed devices for personal business.
Work profile: Administrators can use work profiles to support BYOD scenarios. A work profile is a self-contained, fully encrypted workspace installed on the user's device. The work profile limits administrative control to the workspace rather than to the entire device. It also contains corporate apps, data and policy settings within the profile separate from personal information and operations.
Corporate-owned, single use (COSU): The COSU approach targets corporate-owned devices used for single use cases, such as kiosks, package delivery services or inventory management systems. Under this model, administrators can lock down an Android device to a limited number of apps and functions, while preventing users from enabling specific features or taking other actions.
Managed devices with work profiles: In Android 8.0, Google added the ability to use work profiles in conjunction with work-managed devices to separate corporate data and apps from those for personal use. Under this model, administrators control the entire device, which enables them to protect corporate resources while providing users with a less restrictive workspace for personal use.
Android application management
Managed Google Play: The managed version of Google Play combines basic app store functionality with management capabilities to provide IT with a corporate app store option.
Administrators can deploy and approve apps, purchase app licenses, manage permissions and carry out other management tasks. End users can browse apps, view app details, install apps on their devices and take other actions, similar to how they might use the public Google Play Store.
Google Play EMM API: When the Google Play API is incorporated into an EMM product, administrators can specify which apps users can download, can control app installations, can manage bulk licensing and can perform a variety of other tasks. The API works in conjunction with Managed Google Play to support the entire app management lifecycle.
EMM application management: The Android Management API includes a number of features specific to app management. An EMM platform that incorporates the API makes it possible for administrators to provision work profiles, apply app-level management policies, secure apps and data, automatically install apps, prevent apps from being uninstalled, distribute public and private apps, and perform other administrative tasks.
EMM device policy controller: A device policy controller is an application installed on an Android device that enables administrators to manage access to corporate apps and data. The controller works in conjunction with EMM to provision work profiles on personal devices and enforce an organization's security policies.
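As an added example (not from the original article or from Google), the Python code below audits an Android Management API policy document against the COSU lock-down and app-management controls described above. The field names come from the API's Policy resource; the baseline rules, sample policies and package names are constructed assumptions.

```python
# Policy-level booleans and the value this constructed baseline expects.
# Field names are from the Android Management API Policy resource.
EXPECTED_FLAGS = {
    "uninstallAppsDisabled": True,      # users cannot remove managed apps
    "factoryResetDisabled": True,       # users cannot reset out of management
    "debuggingFeaturesAllowed": False,  # no USB debugging on a kiosk
}
# Install types that leave no install decision to the user.
LOCKED_INSTALL_TYPES = {"FORCE_INSTALLED", "KIOSK", "BLOCKED"}

def audit_cosu_policy(policy):
    """Return findings for a dedicated-device policy; empty list means pass."""
    findings = []
    for flag, expected in EXPECTED_FLAGS.items():
        # Unset booleans default to false in the API's JSON representation.
        if policy.get(flag, False) != expected:
            findings.append(f"{flag} must be {str(expected).lower()}")
    if policy.get("playStoreMode", "WHITELIST") != "WHITELIST":
        findings.append("playStoreMode must be WHITELIST")
    apps = policy.get("applications", [])
    for app in apps:
        if app.get("installType") not in LOCKED_INSTALL_TYPES:
            findings.append(f"{app.get('packageName')}: installType "
                            f"{app.get('installType')} lets the user choose")
    kiosk_apps = [a for a in apps if a.get("installType") == "KIOSK"]
    if len(kiosk_apps) > 1:
        findings.append("more than one KIOSK app")
    elif not kiosk_apps and not policy.get("kioskCustomLauncherEnabled", False):
        findings.append("no kiosk app or kiosk launcher configured")
    return findings

# Constructed sample policies (package names are placeholders).
WEAK_POLICY = {
    "playStoreMode": "BLACKLIST",
    "debuggingFeaturesAllowed": True,
    "applications": [{"packageName": "com.example.scanner", "installType": "AVAILABLE"}],
}
HARDENED_POLICY = {
    "uninstallAppsDisabled": True,
    "factoryResetDisabled": True,
    "applications": [
        {"packageName": "com.example.scanner", "installType": "KIOSK"},
        {"packageName": "com.example.inventory", "installType": "FORCE_INSTALLED"},
    ],
}

if __name__ == "__main__":
    for name, pol in (("weak", WEAK_POLICY), ("hardened", HARDENED_POLICY)):
        print(name, audit_cosu_policy(pol))
```

Run against policy JSON exported from the EMM console before it is assigned to devices; an empty list means the policy meets this baseline.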