In addition to the well-known management of Android devices through the device administrator function, also called “classic mode”, in which the Relution client must act as device administrator for device enrollment and the other MDM functions, Relution also supports Android Enterprise enrollment. It comes in two variants: Work Profile and Fully Managed Device.
With Android Enterprise, Relution communicates with Google’s Device Management Server and no longer directly with the device. Enrollment and all MDM functions can therefore be performed without the Relution client. No private Google IDs are required to install apps from the Managed Google Play Store on the devices.
In order to use Android Enterprise with the Mobile Device Management Relution, the corresponding Relution organization must be linked to a Google organization. A guide for the linking is available in the following Insight: Android Enterprise setup in Relution.
In contrast to the Android “Classic Mode”, where only native apps can be distributed as .apk files, Android Enterprise installs apps from the Managed Play Store. No Google ID is required to install apps, as the unique technical ID is automatically used in the background. This also automatically distributes app updates to devices via the Managed Play Store. This eliminates the need to manually update the app via new versions of an .apk file.
If the Relution organization is linked to a Google account, the type “Work profile” can be selected in addition to the platform “Android” during enrollment:
The Android work profile allows companies, administrations or schools to set up a container on employees’ private devices, so-called Bring Your Own Devices (BYOD), which contains exclusively business apps, content and functions. Business and private data on the device are thus strictly separated. This can be, for example, the separation of private and business emails. These can be used independently of each other via the Android Enterprise work profile, without private and business content mixing when receiving and sending emails on the device. The business email account only has access to business contacts, while the private email account only has access to private contacts.
If the Relution organization is linked to a Google account, the type “Managed device” can be selected in addition to the platform “Android” during enrollment:
In contrast to the work profile, managed devices are intended for corporate owned devices (COD). The company, administration or school thus has complete control over the device and can control all functions of the device in addition to the app installation. For example, it is possible to set up WLAN connections and install apps or prohibit access to the settings.
Enrolled Android Enterprise devices can be given specific settings via policies that can be applied to compatible devices. Here, Android Enterprise configurations are differentiated into “Work Profile” and “Managed Device”:
The following configurations are identical for both types, but each refers to the specific application area:
» Manage apps
» Manage runtime permissions
With “Work profile”, the settings only affect the work profile, as there is no control over the entire device. Restrictions that relate to the device therefore have no effect on the work profile. With “Managed device”, the settings always apply to the entire device.
Furthermore, there are advanced configurations that are only available for “Managed Device”:
» Advanced Keyguard Management
» Advanced location sharing settings
» System radio management
Apps from the Managed Play Store can be loaded onto the devices via the Manage work apps configuration:
On the respective app detail page, the app can be added to the configuration via the “Select” button:
For each app added, the following parent settings can be made:
» Pre-installed means that the app is installed on the device, but may be removed by the user unless this is globally prevented in the restrictions.
» Forced installation means that the app is installed on the device and cannot be removed by the user.
» Blocked means that the app cannot be installed or, if already installed, cannot be used. The app will be hidden if necessary.
» Available means that the app is available to the user in the Managed Play Store on the device and can be installed by the user as needed.
» Disabled (checkbox) means that the app, if installed, may not be used. The app is not uninstalled, unlike blocked.
» Minimum required version code specifies which version of the app must be installed as a minimum.
Further specific settings can be made for individual apps.
If an app asks for permissions at runtime, e.g. access to camera or GPS, the user usually has to decide whether access is granted or not. Via this setting, the administrator can specify how the app’s request is answered. In this case, the user is no longer asked for consent.
The following settings are possible:
» Use global default means that the same setting applies to all apps, which is controlled separately via the "Manage runtime permissions" configuration.
» Ask the user means the device behaves as normal and the user is asked for authorization.
» Giving permissions means that the app gets the permission without asking the user.
» Deny permissions means that the permission is refused for the app without asking the user.
The default response for runtime permissions applies to all permissions of an app. In contrast, with the standard Android permissions, it is possible to specify separately for each permission which response is to be used. Here, the administrator has the option of specifying which response should be given for a particular permission in order to proceed in a more differentiated manner. For the respective permission of this app, the global setting is thus overridden. This reduces support efforts, since permissions can no longer be set incorrectly. In addition, data protection can be ensured and, for example, access to GPS position data can be prevented centrally.
If an app uses additional app-specific app permissions that require approval, it can be configured here.
If an app supports the managed configuration, it is possible to query and maintain it from Google. The interface comes from Google and cannot be influenced by Relution. The setting options that are available here are defined by the developer of the respective app. If an app does not offer a managed configuration, no options are available here.
In addition to public apps, private apps and web apps can also be added and installed:
Private apps are apps that have been uploaded to the Play Store by the company but are not available to the public. The package name used for a private app must not be used by an app published to the Play Store.
In the Managed Play Store, links to any web content can be made available via the Web Apps menu item in addition to apps. Different options can be selected here:
In addition to configuring permissions at app level, global settings can be made via this configuration. These apply accordingly to all apps for which no special settings apply. This reduces support efforts, since permissions can no longer be set incorrectly. In addition, data protection can be ensured and, for example, access to GPS position data can be prevented centrally.
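The precedence described for runtime permissions (a per-permission setting overrides the app's default response, which in turn overrides the global "Manage runtime permissions" default) can be checked with a small audit script. This is an added example, not Relution or Google code: the policy dictionary, its field names and the `com.example.*` packages are a constructed, hypothetical model of the settings described above.

```python
# Hypothetical policy model (assumption); not Relution's or Google's schema.
ASK, GRANT, DENY, USE_GLOBAL = "ask", "grant", "deny", "use_global"
CAMERA = "android.permission.CAMERA"
LOCATION = "android.permission.ACCESS_FINE_LOCATION"
SENSITIVE = {CAMERA, LOCATION}

# Constructed sample policy and constructed lists of requested permissions.
POLICY = {
    "global_default": ASK,  # the "Manage runtime permissions" configuration
    "apps": {
        "com.example.scanner": {"default": GRANT, "permissions": {LOCATION: DENY}},
        "com.example.mail": {"default": USE_GLOBAL, "permissions": {}},
    },
}
REQUESTED = {
    "com.example.scanner": [CAMERA, LOCATION],
    "com.example.mail": [LOCATION],
}

def resolve(policy, package, permission):
    """Return (response, source) that applies to one app permission."""
    app = policy["apps"].get(package, {})
    override = app.get("permissions", {}).get(permission)
    if override in (ASK, GRANT, DENY):
        return override, "per-permission"      # most specific setting wins
    app_default = app.get("default", USE_GLOBAL)
    if app_default != USE_GLOBAL:
        return app_default, "app default"      # applies to all of the app's permissions
    return policy["global_default"], "global default"

def silent_grants(policy, requested):
    """List sensitive permissions that are granted without asking the user."""
    findings = []
    for package, perms in sorted(requested.items()):
        for perm in sorted(perms):
            response, source = resolve(policy, package, perm)
            if perm in SENSITIVE and response == GRANT:
                findings.append((package, perm, source))
    return findings

if __name__ == "__main__":
    for package, perms in REQUESTED.items():
        for perm in perms:
            print(package, perm, *resolve(POLICY, package, perm))
    print("granted without consent:", silent_grants(POLICY, REQUESTED))
```

Running it over an exported policy before rollout shows which apps receive camera or location access without the user being asked, and from which level that answer comes.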
The password configuration can be used to specify that a password must be used by the user on the device. In addition, the administrator can specify that no company apps can be used until a password of the corresponding strength has been assigned.
Individual functions of the device can be switched on or off via the Restrictions configuration. Settings for the following categories are available for this purpose:
» Preset restrictions
» User account restrictions
» App Restrictions
» Restrictions for adjustments
» Device restrictions
» Multimedia restrictions
» Network restrictions
» Restrictions for storage
» Telephone restrictions
The “Advanced Keyguard Management” configuration can be used to manage functions that are available while the device is locked. These include functions that unlock the device as well as the camera.
Location services can generally be disabled or restricted via the “Advanced location sharing settings” configuration. For example, locating via GPS can be deactivated (battery-saving).
The System Radio Management configuration can be used to turn on or off functions of the device that are related to wireless network technologies (Bluetooth, WIFI, cellular).
With the “WIFI” configuration, networks are predefined and made available to the Android Enterprise “Managed Device”:
In summary, Android Enterprise offers extensive settings and is continuously expanded and optimized by Google/Alphabet. The increasing standardization makes it possible to use devices from different manufacturers. The uniform procedure ensures that all configurations work independently of the device manufacturer. The advantages at a glance:
» Direct communication with Google's Device Management Server
» Apps no longer need to be deployed natively as .apk files, but are installed directly from the Managed Play Store
» No Google ID and thus no user interaction is required when installing the app on the device
» Via the work profile (Workprofile) it is possible to provide an independent work container for apps, mails and data with strict data separation.
» Managed devices (Fully Managed Device) can be fully controlled, and all functions of the devices can be controlled in a way analogous to Apple Supervised Mode
» A managed Google Play Store enables the provision of only allowed apps
» Managed configurations can be defined, similar to Apple iOS Managed App Configurations
» Enforced device encryption
Nevertheless, Samsung still offers a variety of additional configurations with its Knox program, which currently still offers the largest range of options.