Private DNS is a new feature in Android P, which allows you to globally override the DNS settings (received from your carrier, hotspot provider etc.). This means that the said carrier’s or provider’s DNS servers will not be able to log your browsing habits.
Read more here (Android Police).
Trustjacking is a new “scary” attack on iOSnew “scary” attack on iOS devices, exploiting user’s lack of understanding or what’s going on. When plugging into an unknown computer or charger user may choose to “trust” it, which allows the remote device quite a degree of access to iPhone/iPad data. Many don’t realize that this trust remains after the device is disconnected and may be exploited, for instance, via Wi-Fi, if Wi-Fi sync is enabled. Many others also think that this trust is necessary for charging.
Basically, Apple should have looked at how Android 6+ has a “charge only” USB mode by default, fixed the wording and be done with it.
Protecting from this attack is extremely simple on Supervised (DEP) devices via EMM.
Here’s how it’s done via AirWatch, but any other major EMM will have something similar – this is Apple’s standard OS feature.
As a bonus, this will prevent not just the Trustjacking attack, but many other threats and leaks, since it blocks everything.
Wondering, how many had this configured before the Trustjacking news?
Those of you who follow me on LinkedIn may have noticed that I have a new workplace, which comes with a Digital Workspace.
This means less wireless, but even more on Enterprise Mobility, EMMs, mobile security Android, iOS, Windows 10 and MacOS (did you know that both MS and Apple made their desktop OSes manageable by EMM ?)
If you are not following me in LinkedIn and Twitter, you are probably missing 90% of the stuff! So, please consider (or save yourself lots of noise and unsubscribe – fair enough 😉 )
This is going to be a long-ish and exalted neophyte read, purely optional.
If you prefer a less-neophyte approach, here’s a post of a very influential EMM expert (I follow brianmadden.com for quite a while) that did the same thing around the same time as I.
OK, now my version.. You’ve been warned 🙂
Given the events in the last two years, I think that UEM solutions are ripe for conquering whatever remaining market is left there, and VMware is surely spearheading the charge with AirWatch (market-dominant) and the new WorkSpace ONE (watch the cool 7-min demo here). I am personally really sold on this story and here’s why:
So, where else to be in the EMM world? 🙂
Or do you disagree? Let me know your thoughts here or on LinkedIn/Twitter!
P.S. Bonus point to those who recognize the cover image 🙂
After publishing my post regarding tightening the screws on non-GMS devices and gradual move towards all-GMS in the Enterprise, I have received a response, which was very representative of what I was thinking last year, when digesting all the Android Enterprise news [formatting and edit by me]:
AOSP was or still is the major [vendor] differentiator. With all these Android changes
1) it will be almost no matter what devices will be engaged
2) the role of 3rd party EMMs will go down. Google will be everywhere.
Do you feel it as a positive news?
Before looking any further, please pause and consider, how do you feel about that? Now, read on!
Google had taken a long way to make GMS (Google Mobile Services, i.e. Play Store etc) acceptable, useful and then essential for the Enterprises. Now, the final nail in the coffin is being prepared…
I’ve previously covered the BYOD experience in Android P, now let’s delve into corporate-owned scenarios. My attempt to cover everything in a single long post had failed, so I’m splitting this into a series. Today we’re covering lockdown.
Early Android ideology assumed that device lockdown should be impossible. After all, here’s how ransomware works 😊 User is King and should always be able to regain control of the device. Earlier versions of Compatibility Definition Document even mandated that Home button and Factory Reset were always available to the user. The closest one could get to a locked down (kiosk/single application mode) device was to write a custom launcher that would then auto-launch or provide access to a limited set of apps. But even then user could simply pull the notification share to access quick settings, use the Recents screen to switch between tasks etc. In general, lockdown was not possible unless one used undocumented APIs and hacks or had custom OS extensions and special tools such as Zebra MX combined with Zebra Enterprise Home Screen. Needless to say, such tools were vendor (and sometimes even OS build!) specific and had their limitations.
In Android 5 Google began addressing the issue by introducing two new modes.
Screen Pinning (also sometimes called App Pinning in documentation) is a simpler “user-facing” and user-initiated scenario. This one enables you to give your phone to someone else, locked down to a single app (browser, game etc, but not your emails or phone book).
User enables screen pinning in settings, selects an app, performs a special gesture – voila! Similarly, to end the mode user performs a gesture, and there is an optional lock screen protection. There are countless tutorials in the Internet, and here’s a simple animated GIF I had created.
Note, however, this is 100% user-controlled. How about Enterprise Admin?
Another mode introduced in Android L was called Lock Task. This one allowed the app itself to enter a lockdown mode and control what user can or cannot do. Sounds like the right thing to do? There were, however, complications:
There were of course good things – you (well, the app) could quite precisely (well, in Android M+) control which UI elements to hide (well, only combined with other DPC features). Anyway, most importantly, this at least allowed the EMM vendors to finally write reliable lockdown plugins as part of their EMM suites (provided uses had work-managed devices).
Android N and O added a few bits here and there, but overall, the flexibility and ease of use were still quite far away from the aforementioned Zebra MX+EHS combination, for instance.
Until Google NAILED it in Android P!
Android P adds a few missing pieces that finally complete the puzzle:
Below are a few screenshots of Lock Task mode in Android P preview. Since there are no official EMM agents supporting P yet, I have been using the TestDPC app from the Google Android Enterprise team. Note that the Play Store version (at the time of writing this post) is still old – you’d have to download and sign the APK from GitHub instead.
LockTask general demo:
Kiosk features:
Screen Pinning
Lock Task (Android P)
So I think that Google did indeed NAIL it firmly and decisively!
As a bonus, lockdown solution developers can focus on providing value-add (SSO etc) vs fighting the OS, especially when combined with ephemeral user support in P!
What are your thoughts? How do you like my blurry videos?
Android P Developer Preview One has been released this week. Among many features, there are Enterprise enhancements in both UI/UX as well as under the hood. Seems to be a good time to try some of them out!
Today we will be discussing the BYOD user experience: device enrollment, work/personal separation, compliance etc. Later, I am planning to cover the COBO/COSU (fully Work-Managed device) use case as well as some more advanced features.
Warning, many pictures!
