Introduction

Prior to Android Enterprise, the market was flooded with inconsistent management capabilities across various Android manufacturers and app developers. Android Enterprise now offers a set of consistent features and APIs for device management and app management. Additionally, it securely separates corporate and personal data, or enables a purely corporate-owned profile without a user space (so-called containerization). Once provisioned, an Android Enterprise-enabled device no longer needs a Google account in order to install applications. More features are coming to Relution in the future to expand capabilities and enable more management types. Google has been steadily adding enterprise management capabilities to the Android operating system, but it's not always clear how the tools and technologies differ from one another or how IT can effectively administer Android devices and apps with them.



Benefits of Android Enterprise

  • Separate work container for apps, mails and data
  • Reliable experience, in which all configurations pushed are supported by all devices, independently of the manufacturer
  • A managed Google Play Store containing only explicitly allowed apps
  • Silent app installation without the need for a Google account on the device
  • Managed configurations, similar to iOS Managed App Configuration, a way of deploying corporate settings to managed apps (e.g. Exchange profiles, configurable in Gmail)
  • Mandatory device encryption
  • Further deployment scenarios such as (fully) work managed or single use (COSU), or several combinations



Terminology

Android Enterprise

Google renamed Android for Work to Android Enterprise and expanded the product to include more robust enterprise features. Android Enterprise is an umbrella term that covers the wide range of security and management features available in the latest Android O



Device Administration API

Google introduced this API in Android 2.2 to provide developers with device administration features at the system level. Although many organizations continue to use this API, it is no longer robust enough to meet today's security and management requirements. For example, the API cannot securely reset device passwords on encrypted devices or establish administrator-defined passcodes to lock a user out of a device. Instead, developers should transition to newer Android technologies when interfacing with the Android operating system (OS). Google plans to start deprecating Device Administration policies in the next Android release.



Modern management APIs

Android provides several APIs for working with the Android and Google Play ecosystems. One of the most important is the Android Management API, which vendors can incorporate into their enterprise mobility management (EMM) platforms to provide customers with tools to provision, secure and help with Android enterprise device management. For strong Android enterprise device management, IT teams should look for EMM products that take full advantage of these APIs, such as Relution.



Enterprise Provisioning

Google supports several options to provision Android devices, such as using QR codes or near-field communication provisioning apps. With the release of Android 8.0 Oreo, administrators can also configure company-owned devices for zero-touch enrollment, which enables a device to automatically enroll itself in EMM when the device is first turned on.



Managed Google Play

The managed version of Google Play combines basic app store functionality with management capabilities to provide IT with a corporate app store option. Administrators can deploy and approve apps, purchase app licenses, manage permissions and carry out other management tasks. End users can browse apps, view app details, install apps on their devices and take other actions, similar to how they might use the public Google Play Store.



Google Play EMM API

When the Google Play API is incorporated into an EMM product, administrators can specify which apps users can download, can control app installations, can manage bulk licensing and can perform a variety of other tasks. The API works in conjunction with Managed Google Play to support the entire app management lifecycle.



EMM app management

The Android Management API includes a number of features specific to app management. An EMM platform that incorporates the API makes it possible for administrators to provision work profiles, apply app-level management policies, secure apps and data, automatically install apps, prevent apps from being uninstalled, distribute public and private apps, and perform other administrative tasks.



EMM device policy controller

A device policy controller is an application installed on an Android device that enables administrators to manage access to corporate apps and data. The controller works in conjunction with EMM to provision work profiles on personal devices and enforce an organization's security policies.



Device Deployment Scenarios

Work Profile

Administrators can use work profiles to support BYOD scenarios. A work profile is a self-contained, fully encrypted workspace installed on the user's smartphone or tablet. The work profile limits administrative control to the workspace rather than to the entire device. It also contains corporate apps, data and policy settings within the profile separate from personal information and operations.
Work Profile - Source: https://developers.google.com/android/work/overview



Company-Owned Device

Formerly known as corp-liable device
A device owned and fully managed by an employee's organization. Company-owned devices can be set up exclusively for work use (fully managed), or to allow both work and personal use (fully managed with a work profile). For more information, see Company-owned devices for knowledge workers.



Dedicated Device

Formerly known as corporate-owned, single use (COSU)
A subset of company-owned devices that are locked down to a limited set of apps to serve a dedicated purpose, such as a check-in kiosk or digital signage. For more information, see Company-owned devices for dedicated use.



Android Enterprise Work Profiles and Relution

Requirements

  • Android version 6.0+ on the devices you want to manage the work profile on
  • Relution version 4.43 or newer (Android Enterprise Work Profile)
  • A Google Account which has not been associated with an enterprise so far. No domain verification is required, setup takes practically minutes, and the EMM manages the individual Android Enterprise accounts on the managed devices, meaning there's no need for additional Google accounts or GSuite user management.



What you can do

  • Set up and connect your Google Account/Organization with Relution
  • Enroll a Work Profile container on an Android device
  • Currently supported policies
    • Passcode
    • Work profile passcode
    • Work profile restrictions
    • Runtime permission management
    • Manage work apps
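
The policy areas listed above (passcode, work profile passcode, runtime permissions, managed apps and store) correspond to fields of a policy document in Google's Android Management API, which is described under Terminology. The following is an added example, not Relution's code or policy format: a Python audit of such a policy for weak or missing settings. The sample policy, package names, thresholds and the audit rules themselves are assumptions made for illustration.

```python
import json

# Constructed sample policy; field names follow the Android Management API
# policy resource, values are deliberately weak for the demonstration.
SAMPLE_POLICY = json.loads("""
{
  "playStoreMode": "BLACKLIST",
  "defaultPermissionPolicy": "GRANT",
  "passwordPolicies": [
    {"passwordScope": "SCOPE_DEVICE", "passwordQuality": "NUMERIC",
     "passwordMinimumLength": 4}
  ],
  "applications": [
    {"packageName": "com.example.mail", "installType": "FORCE_INSTALLED",
     "defaultPermissionPolicy": "GRANT"},
    {"packageName": "com.example.notes", "installType": "AVAILABLE"}
  ]
}
""")

# Qualities this example treats as too weak (an assumption of the example).
WEAK_QUALITY = {"PASSWORD_QUALITY_UNSPECIFIED", "BIOMETRIC_WEAK", "SOMETHING"}

def audit_policy(policy, min_length=6):
    """Return a list of findings (strings) for weak or missing settings."""
    findings = []
    # An unspecified playStoreMode defaults to WHITELIST (approved apps only).
    if policy.get("playStoreMode", "WHITELIST") != "WHITELIST":
        findings.append("playStoreMode: store is not limited to approved apps")
    if policy.get("defaultPermissionPolicy") == "GRANT":
        findings.append("defaultPermissionPolicy: runtime permissions auto-granted")
    by_scope = {p.get("passwordScope"): p for p in policy.get("passwordPolicies", [])}
    for scope in ("SCOPE_DEVICE", "SCOPE_PROFILE"):  # device and work profile passcode
        req = by_scope.get(scope)
        if req is None:
            findings.append(f"passwordPolicies: no entry for {scope}")
            continue
        quality = req.get("passwordQuality", "PASSWORD_QUALITY_UNSPECIFIED")
        if quality in WEAK_QUALITY:
            findings.append(f"passwordPolicies[{scope}]: quality {quality} is too weak")
        elif (not quality.startswith("COMPLEXITY_")
              and req.get("passwordMinimumLength", 0) < min_length):
            findings.append(f"passwordPolicies[{scope}]: minimum length below {min_length}")
    for app in policy.get("applications", []):
        if app.get("defaultPermissionPolicy") == "GRANT":
            findings.append(f"applications[{app.get('packageName')}]: permissions auto-granted")
    return findings

if __name__ == "__main__":
    print("\n".join(audit_policy(SAMPLE_POLICY)))
```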



How to

We have documented the whole process in detail in the manual in your Relution (version 4.43 or newer) by pressing the ? button in the main menu and navigating to "Documentation" - Chapter 2 - Android Enterprise. Here is a short version: First of all, you need an unmanaged Google account which is not associated with an organization within Google. Then you navigate to Settings - Android Enterprise in the Relution Portal as an Organization Administrator and follow the described steps.

Android Enterprise Setup Step 1

Android Enterprise Setup Step 2

Android Enterprise Setup Step 3

Now you can create an enrollment with the type "Android Enterprise", like you know it from Relution. As before, you will receive a notification or you can see the link and QR code in the Relution Portal, which is needed to enroll the device. After navigating through the enrollment process on the device itself, you will see a couple of apps with a suitcase icon at the bottom of the app icon. These are the work apps, which are separated from the user profile.



Conclusion

Android Enterprise is a great way to manage devices or the business data on Android devices. We, as the Relution team, started with the most desired use case, the work profile, as the first supported scenario, but we are working hard to support all of the above-mentioned scenarios. We will continuously add more policies and actions for these types of devices.



Useful links