How to create a mobile policy for Android devices

Android has become a viable enterprise platform and in some ways is beating Apple in terms of enterprise functionality. This means that IT departments supporting Android devices need to create and implement effective policies.


Although Apple’s iPhone and iPad make up the majority of mobile devices used in business, Android also makes a strong showing today. The notion that Android isn’t a viable enterprise platform, while maybe accurate a number of years ago, has become outdated. In some ways, Google actually tops Apple in terms of enterprise functionality.

Android fragmentation

Before we get into enterprise policies around Android devices, we need to talk about a problem that Google has yet to address successfully — fragmentation. This is the one major downside to Android in the enterprise, particularly when it comes to BYOD programs.

One of the things that has made Android so successful globally is that it was designed as an open platform that any manufacturer could use, modify and market. This is also one of its biggest challenges. Where Apple is the only manufacturer for iOS devices, and thus has complete control of the delivery of iOS updates and patches, Google has limited control over the Android update process. Each manufacturer can set its own update schedule and can determine which devices will even receive updates. Carriers can also play a role in the process.

This means there can be widely varying versions of Android in the marketplace at any one time, there’s little indication of when or if existing devices will be updated, and even devices running the same Android release can have wildly different user experiences. This can be an annoyance for consumers, but it generally isn’t a make or break problem. For enterprise IT, however, fragmentation introduces two very big concerns and issues:

  • The first of these is security updates and patches. With no uniform schedule across manufacturers and devices, security patches can be slow to propagate and some may never reach a large number of devices. This means that there is an inherent security concern for the platform as a whole.
  • The second is that most existing devices will not receive the latest version of Android when it’s released. This means that core Android functionality - most notably for our purposes, those that impact enterprise deployments - may take months or years to become common across devices. A simple look at the widely varying adoption rates for new Android and iOS releases confirms this. Most users get the most recent version of Android when they upgrade their devices rather than via a software update.

Google has made strides over the years to improve the situation, and its efforts have produced some gains, but they haven’t eliminated the problem, particularly in the enterprise.

What this means for IT departments supporting Android is that policies should be made without the expectation that you will have universal access to the current release of Android. IT organizations should select a sort of floor for Android - the earliest version of the OS that will be sanctioned and supported for devices that access corporate resources or are eligible for a BYOD program. This selection will vary depending on security and mobility management needs, but it should be designated and adhered to as much as possible.
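The floor described above, together with the patch-lag concern raised earlier, can be turned into a routine check over an EMM inventory export. This is an added example and not code from the article; the inventory records, field names and policy thresholds are constructed assumptions, and only the API levels are Android’s public release numbers.

```python
"""Floor-version and patch-currency triage for an Android device inventory.

Assumed: each inventory record carries an API level, the security patch
level string Android reports (YYYY-MM-DD), the ownership model and whether
a work profile is present. Field names are constructed, not an EMM's schema.
"""
from datetime import date

# Public Android release-name -> API level mapping.
API_LEVEL = {"Lollipop": 21, "Marshmallow": 23, "Nougat": 24, "Oreo": 26, "Pie": 28}

# Policy knobs an IT organization would set itself (assumed values).
POLICY = {
    "floor_api": API_LEVEL["Oreo"],            # Oreo/Pie preferred per the article
    "max_patch_age_days": 90,                  # assumed tolerance for patch lag
    "byod_allowed_manufacturers": {"Google", "Samsung"},  # assumed allowlist
}

def evaluate(device: dict, policy: dict, today: date) -> list:
    """Return the policy violations for one device; an empty list means compliant."""
    findings = []
    if device["api_level"] < policy["floor_api"]:
        findings.append(f"os below floor (API {device['api_level']} < {policy['floor_api']})")
    age = (today - date.fromisoformat(device["security_patch"])).days
    if age > policy["max_patch_age_days"]:
        findings.append(f"security patch level {device['security_patch']} is {age} days old "
                        f"(limit {policy['max_patch_age_days']})")
    if device["ownership"] == "byod":
        if device["manufacturer"] not in policy["byod_allowed_manufacturers"]:
            findings.append(f"manufacturer {device['manufacturer']} not approved for BYOD")
        if not device["work_profile"]:
            findings.append("byod device enrolled without a work profile")
    return findings

def triage(inventory: list, policy: dict, today: date) -> dict:
    """Map device id -> list of findings for every record in the inventory."""
    return {d["id"]: evaluate(d, policy, today) for d in inventory}

# Constructed sample inventory, not real devices.
SAMPLE_INVENTORY = [
    {"id": "dev-01", "manufacturer": "Google", "api_level": 28,
     "security_patch": "2019-05-05", "ownership": "byod", "work_profile": True},
    {"id": "dev-02", "manufacturer": "AcmePhone", "api_level": 24,
     "security_patch": "2018-01-01", "ownership": "byod", "work_profile": False},
    {"id": "dev-03", "manufacturer": "Samsung", "api_level": 26,
     "security_patch": "2019-02-01", "ownership": "company", "work_profile": False},
]

if __name__ == "__main__":
    for dev_id, findings in triage(SAMPLE_INVENTORY, POLICY, date(2019, 6, 1)).items():
        print(dev_id, "compliant" if not findings else "; ".join(findings))
```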

The good news is that Google has tried to make it easy for businesses to make these selections with Android Enterprise Recommended, a resource that allows companies to browse, search, and filter devices based on requirements including specific manufacturers, hardware attributes and Android release and update policies. This makes it relatively easy to create selection criteria for supported devices and to inform purchase decisions for company-owned devices.

Note: Android Enterprise Recommended also allows enterprise IT leaders to browse and research enterprise mobility management (EMM) vendors and products.

Lollipop onward

Although some EMM capabilities have been built into Android for a number of years, Lollipop (released in 2014) is a critical release for business. This was the version where Google began to integrate enterprise and EMM capabilities in a meaningful way under the moniker Android for Work, now known as Android Enterprise; thus Lollipop should generally be the oldest release that IT supports. Needless to say, the releases since then have improved enterprise management capabilities, with Android Oreo or Pie (released in 2017 and 2018 respectively) being the most recent and ideal choices where possible.

3 tiers of mobile management

Like Apple, Google separates Android Enterprise across the three major deployment models:

  1. BYOD
  2. Company owned for knowledge workers: Company-owned scenarios in which the user may elect to perform personal as well as work tasks on a device.
  3. Company owned for dedicated use: Dedicated company and task focused devices.

Within each of these tiers, Google implements a work profile, a personal profile, or both, to achieve an enterprise-ready deployment solution.

Work and personal profiles

Beginning in Lollipop, Android supports both work and personal profiles. The work profile contains any enterprise apps and business content, while the personal profile stores personal content and any apps installed by the user. A Device Policy Controller (DPC) app is installed during enrollment and manages how information is stored in and accessed across the two profiles.

When implemented in a BYOD environment Android Enterprise prevents IT from having any visibility into the personal profile, meaning personal content, contacts, apps and configurations aren’t accessible or monitorable by IT. The contents for the work profile are fully accessible to IT and IT can manage the environment and any enterprise apps. The device itself is not considered “fully managed” in this scenario, which allows this division of apps and data.

One notable difference between Android and iOS is that Android supports multiple instances of the same app - one managed and one personally installed and thus unmanaged. This means that each instance will store content within the appropriate profile and each can be configured differently. If the device’s work profile is removed, as when a device is unenrolled, the personal instance of the app and all its data are unaffected.

Managed device with or without a personal profile

For company-owned devices, a device can be enrolled as a fully managed device. This means that all apps and data are accessible to IT and device-level features can be restricted or managed; there is no personal profile to store personal content separately from business data. This model assumes that the device is only used for work and is given to a dedicated user, who can customize the device to their needs and wants within whatever parameters are set by IT.

With Android Oreo and later, a device can be enrolled as fully managed with a work profile. In this situation, the device is treated a bit more like a BYOD device. A work profile is installed by the EMM console and a personal profile is also created. As in a BYOD deployment, there is separation between the two and the work profile can be more heavily managed than the personal profile.

Dedicated work devices

Dedicated devices are those used for specific tasks or job functions and are often shared or checked out by multiple users. This could be a kiosk device or one used by field service workers, nurses in a hospital unit, or students. The device is intended only for its specific tasks or functions and is not intended for any personal use. This is the most locked-down form of device deployment. Only specified enterprise apps are installed on the device, and single-app mode for kiosk or other limited-use scenarios is supported. Android Marshmallow and later devices support granular restrictions for several Android user interface elements, such as the lock screen and status bar.

Managed Google Play

For either BYOD or company-owned devices, Android supports Managed Google Play. This functions as an enterprise app store and allows users to install Google Play apps into a work profile. The contents are curated and licensed by IT. For fully managed devices, this is the only accessible app store, replacing the standard Google Play store. Android also supports licensing and provisioning apps to a device using EMM policies.

Copyright © 2019 IDG Communications, Inc.
