Android management improvements in newer versions of the operating system could change the perception that the devices aren’t fit for enterprise use.
Android doesn’t have a great enterprise reputation, thanks to its fragmented ecosystem, the threat of malware and widespread lack of hardware support for encryption. But recent operating system updates have helped make Android more suitable for use in the corporate world. Application program interfaces (APIs), for example, have added some Android management capabilities, including remote-wipe and encryption options. These features don’t make Android completely enterprise-safe, but they’re on the right track.
Rocky Android management roots
Like many consumer devices, Android smartphones emerged without enterprise features. By the middle of 2010, Android 2.2 Froyo added APIs for basic device administration remote wipe capabilities through Microsoft Exchange ActiveSync. But these early hooks were still relatively limited.
For example, with Exchange mailbox policies, IT could require a PIN or password and allow mailbox access only from devices meeting those specs. Device Administration APIs went slightly further, letting Android applications lock phones and prompt for password changes, but each make/model of Android device supported different ActiveSync and API attributes. Those using version 2.2 welcomed these Android management essentials, but other versions of the OS still needed more Android enterprise features.
Honeycomb: Android management for tablets
Android 3.0 Honeycomb significantly expanded the Android management capabilities of Device Administration APIs. It added features that allowed IT to enforce more detailed password policies. More importantly, the new APIs let IT require that users encrypt stored data.
But these new APIs only affected devices with hardware support for these new capabilities -- that is, tablets such as the Samsung Galaxy 10.1 Tab and Motorola Xoom. Android smartphones continued to run Froyo or Android 2.3 Gingerbread, which couldn’t support complex passwords or encryption.
Ice Cream Sandwich brings unity
New Android 4.0 Ice Cream Sandwich phones such as the Samsung Galaxy Nexus not only support Android management features such as complex passwords and hardware encryption, but they add API control over features such as facial recognition and camera disablement. They also support ActiveSync version 14, which can control mailbox access by certificate and device make/model. Organizations that require virtual private network (VPN) security have a choice of native Internet Protocol Security and Layer Two Tunneling Protocol clients and third-party VPN clients in Ice Cream Sandwich.
Ice Cream Sandwich smartphone rollout has been slow, but experts expected the pace to quicken later this year. By the end of 2012, IT should have a less fragmented collection of Android devices to manage and secure, but some devices will still be more enterprise-friendly than others. For example, Samsung and Motorola added proprietary attributes to their APIs to give IT more granular control.
Making the most of Android management
Unlike native iOS MDM features, Android phones and tablets must have applications installed to use management APIs. Organizations can either develop their own Android management apps or download them from Google Play (formerly the Android Market). During installation, users are prompted to grant the MDM agent administrative rights. Thereafter, IT can use Android management products or services to:
- authorize Android smartphones and tablets, typically based on authenticated user, device make/model, OS version and ability to support defined policies;
- enforce API-defined policies and device restrictions (disable a device’s camera, prevent use of facial recognition unlock);
- configure native VPN and Wi-Fi connections, such as adding an enterprise wireless LAN by name, security settings and user password/certificate;
- monitor device status and attributes such as OS version, model, ID, hardware capabilities and installed applications;
- request a password reset, device lock, device find, data wipe (i.e., reset to factory default) or MDM remove action.
Some Android management agents also support application management, application blacklisting and whitelisting and rooted device detection. Some also incorporate features to fill security gaps in older devices, most notably software-encrypted storage to rigorously protect and more easily erase sensitive data.
Dealing with diversity
More on Android management
Android security issues in IT
Android app security FAQ: Keeping devices safe from Android threats
Why Android malware protection is so important in the enterprise
Ice Cream Sandwich offers major improvements over older versions of Android, but it still doesn’t address every enterprise need. In particular, Android devices may never be as uniform as Apple devices. Manufacturers want to differentiate their devices from others, which leads to Android fragmentation. One way to increase Android’s enterprise appeal is proprietary management: IT may want to permanently incorporate make/model in policy, if only to delineate “acceptable” and “unacceptable” devices.
Android devices are currently experiencing a malware surge, due in large part to a lack of app vetting in Google Play. (Google Bouncer, a new app-scanning program, attempts to police the market better.) To address this risk, employers can utilize whitelist/blacklist controls on Android devices or run routine scans for malware or rooted devices. IT cannot use MDM to remove risky apps, but it can use MDM to disable enterprise access or de-enroll noncompliant devices.
Finally, don’t assume that every Ice Cream Sandwich device either is or is not acceptable. For example, remote wipe on an Android device may not actually scrub data, especially on removable storage. Ice Cream Sandwich raises the bar, but employers should still compare needs, policies and practices against what Android MDM can and cannot accomplish for each device.