Interesting stats on Android Security and AER Program [2019 Android Enterprise Summit]

During the Android Enterprise Partner Summit 2019 London (watch the link for the presentation decks when they come out) Google had shown some interesting graphs and charts based on their own stats and the research that HMD Global (Nokia) did in 2018. You can read the research for full details, and the rest of the pics are below. Sorry for the quality – those are photos from a fairly weird projection screen.

I don’t have much time to write long posts so will stick to the shorter format for the time being.


Android Q Enterprise Features for EMM Admin

This is a brief analysis on the upcoming Android Enterprise Features in Android Q. Read the full notes here. Google has a habit of silently updating those documents, so I expect to update this post once subsequent iterations of Beta are released. The below is my sole opinion, and I welcome hearing yours. NB: it starts slow, the really great stuff is towards the 2nd half 🙂


[iOS vs Android] OS and Application Updates

I frequently get this question from customers and partners: “How can I control Application and OS Updates in iOS and Android“. So I’ll drop a note here.

Update management includes:

  • Configuring the behaviour of OS upgrades (major), patches, public apps (via App/Play Store, VPP) and private apps (via App/Play Store or directly via EMM)
  • Scheduling updates to happen (or NOT happen) at specific times. For example, do not update between 8AM and 6PM, when the user is working.
  • Manually pushing or rolling back an update to a single device or group of devices (troubleshooting, 0day immediate security patch etc)
  • Controlling the visibility of update to the user, or blocking an update to specific devices altogether (known compatibility issue with business/mission-critical apps)
  • Version control: i.e. upgrade to version X, not just to the latest version available. A very common case with public app stores.
  • Pre-release support: alpha/beta users, multiple adoption rings.
  • Controlling the update delivery so that it only happens on Wi-Fi, or on cellular.
  • Granular control of all of the above per device group/type, per user group/name/type, per app etc.
  • Controlling user ability to influence any of the above (allow costly cellular updates, defer/deny critical updates, update manually to an unsupported OS version etc)

Suddenly, things are not that simple, are they? Long story short, the winner is BY FAR the …Windows 10! 🙂 Watch the video on managing Win10 Updates with UEM here (tech and WorkspaceONE implementation and design/philosophy – much recommended). Now, let’s go back to iOS and Android and see what we have got there.

NB: This info may become out of date when new OS capabilities are released. If you notice anything outdated – leave a comment and I’ll update the post.


Google Play Managed iFrame in Workspace ONE UEM (AirWatch) – App Collections

In two previous posts dedicated to the Managed Google Play iFrame we have covered Private Apps and Web Apps. The last feature of the iFrame interface is called Collections and allows you to organize the Work Play Store app layout, as well as shoot yourself in the foot a few times…


Google Play Managed iFrame in Workspace ONE UEM (AirWatch) – Web Apps

In the previous post I covered adding Private apps via the Google Play Managed iFrame for Android Enterprise. This time let’s deal with the Web Apps (links, web clips).


Does Android P private DNS really contribute to privacy? Or to Enterprise control?

Private DNS is a new feature in Android P, which allows you to globally override the DNS settings (received from your carrier, hotspot provider etc.). This means that the said carrier’s or provider’s DNS servers will not be able to log your browsing habits.

Read more here (Android Police).

Private DNS configuration (c) Android Police

This looks like privacy, but isn’t necessarily so…


Lockdown in Android Enterprise (Android P DP1)

I’ve previously covered the BYOD experience in Android P, now let’s delve into corporate-owned scenarios. My attempt to cover everything in a single long post failed, so I’m splitting this into a series. Today we’re covering lockdown.


Early Android ideology assumed that device lockdown should be impossible. After all, here’s how ransomware works 😊 User is King and should always be able to regain control of the device. Earlier versions of the Compatibility Definition Document even mandated that the Home button and Factory Reset were always available to the user. The closest one could get to a locked down (kiosk/single application mode) device was to write a custom launcher that would then auto-launch or provide access to a limited set of apps. But even then the user could simply pull the notification shade to access quick settings, use the Recents screen to switch between tasks etc. In general, lockdown was not possible unless one used undocumented APIs and hacks or had custom OS extensions and special tools such as Zebra MX combined with Zebra Enterprise Home Screen. Needless to say, such tools were vendor (and sometimes even OS build!) specific and had their limitations.

In Android 5 Google began addressing the issue by introducing two new modes.

Screen Pinning (Android L)

Screen Pinning (also sometimes called App Pinning in documentation) is a simpler “user-facing” and user-initiated scenario. This one enables you to give your phone to someone else, locked down to a single app (browser, game etc, but not your emails or phone book).

The user enables screen pinning in settings, selects an app, performs a special gesture – voila! Similarly, to end the mode the user performs a gesture, and there is an optional lock screen protection. There are countless tutorials on the Internet, and here’s a simple animated GIF I created.

Screen Pinning example


Note, however, this is 100% user-controlled. How about Enterprise Admin?

Lock Task mode (Android L,M)

Another mode introduced in Android L was called Lock Task. This one allowed the app itself to enter a lockdown mode and control what the user can or cannot do. Sounds like the right thing to do? There were, however, complications:

  • To avoid the ransomware threat, the app had to be first whitelisted by the Device Owner (i.e. your EMM agent). So the setup process was not that simple.
  • And yes, if your device was not enrolled into Device Owner (work-managed) mode (using old Device Administration API etc) – you could not use that feature.
  • The admin could not choose any app – the app had to be built with Lock Task support. Otherwise, you could not use that feature.
  • The app itself had to provide a mechanism to end the Lock Task mode. If the app got frozen, you had to reboot the device.
  • Since Android L had very little in terms of UI control (Notifications, Recents, etc) the whole thing only made sense with Marshmallow or later.

From Google developer documentation

There were of course good things – you (well, the app) could quite precisely (well, in Android M+) control which UI elements to hide (well, only combined with other DPC features). Anyway, most importantly, this at least allowed the EMM vendors to finally write reliable lockdown plugins as part of their EMM suites (provided users had work-managed devices).

Android N and O added a few bits here and there, but overall, the flexibility and ease of use were still quite far away from the aforementioned Zebra MX+EHS combination, for instance.

Until Google NAILED it in Android P!

Android P Enhancements

Android P adds a few missing pieces that finally complete the puzzle:

  • Admins can lock down any app to a device – no more the Admin depends on the Developer!
    • The app still has to be whitelisted, as a security precaution
    • Similarly, if the app is frozen or just has no “Exit” option, it can be terminated remotely (think kiosks)
  • Admins can choose which UI features to display: again, no Developer dependency, and those restrictions apply only for the duration of the Lock Task mode (previously they were very much global). Here are the features available:
    • LOCK_TASK_FEATURE_NONE (shortcut for “Disable everything”)
  • Error dialogs may be suppressed as well (think kiosks again). Those are, of course, system error messages, not what the app shows within itself.
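To make the Android P pieces above concrete, here is an added Kotlin sketch of what a DPC running as Device Owner does: whitelist the package, pick which Lock Task features survive, launch any app straight into Lock Task, and release it remotely. This is not TestDPC’s code or anything from the original post; the `KioskLockdown` class name and `adminComponent` are assumptions.

```kotlin
import android.app.ActivityOptions
import android.app.admin.DevicePolicyManager
import android.content.ComponentName
import android.content.Context
import android.content.Intent
import android.os.Build
import android.os.UserManager

// Hypothetical DPC helper; adminComponent is the DPC's DeviceAdminReceiver.
class KioskLockdown(private val context: Context, private val adminComponent: ComponentName) {
    private val dpm = context.getSystemService(Context.DEVICE_POLICY_SERVICE) as DevicePolicyManager

    // Step 1: whitelist the kiosk app. Only a Device Owner may do this; without it,
    // startLockTask() degrades to plain user-facing Screen Pinning.
    fun allowPackages(vararg packages: String) {
        check(dpm.isDeviceOwnerApp(context.packageName)) { "Lock Task requires Device Owner" }
        dpm.setLockTaskPackages(adminComponent, arrayOf(*packages))
    }

    // Step 2 (Android 9+): choose which system UI stays available while locked.
    // These flags apply only while a whitelisted task is in Lock Task mode.
    fun configureKioskUi() {
        if (Build.VERSION.SDK_INT < Build.VERSION_CODES.P) return
        dpm.setLockTaskFeatures(
            adminComponent,
            DevicePolicyManager.LOCK_TASK_FEATURE_SYSTEM_INFO or // clock/battery in the status bar
            DevicePolicyManager.LOCK_TASK_FEATURE_KEYGUARD       // lock screen still works
            // HOME, OVERVIEW (Recents), NOTIFICATIONS and GLOBAL_ACTIONS stay disabled
        )
        // Suppress system crash/ANR dialogs so the kiosk never shows them (Android 9+)
        dpm.addUserRestriction(adminComponent, UserManager.DISALLOW_SYSTEM_ERROR_DIALOGS)
    }

    // Step 3 (Android 9+): launch any whitelisted app directly into Lock Task mode.
    // The app itself needs no Lock Task support; the ActivityOptions flag does the work.
    fun launchLocked(packageName: String) {
        require(dpm.isLockTaskPermitted(packageName)) { "$packageName is not whitelisted" }
        val intent = context.packageManager.getLaunchIntentForPackage(packageName)
            ?: error("no launcher activity for $packageName")
        intent.addFlags(Intent.FLAG_ACTIVITY_NEW_TASK)
        val opts = ActivityOptions.makeBasic().setLockTaskEnabled(true)
        context.startActivity(intent, opts.toBundle())
    }

    // Remote "kill switch": dropping the package from the whitelist makes the system
    // end Lock Task mode for it, even if the app is frozen or has no Exit option.
    fun release(packageName: String) {
        val remaining = dpm.getLockTaskPackages(adminComponent).filter { it != packageName }
        dpm.setLockTaskPackages(adminComponent, remaining.toTypedArray())
    }
}
```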

Below are a few screenshots of Lock Task mode in Android P preview. Since there are no official EMM agents supporting P yet, I have been using the TestDPC app from the Google Android Enterprise team. Note that the Play Store version (at the time of writing this post) is still old – you’d have to download and sign the APK from GitHub instead.

LockTask general demo:

Kiosk features:


Screen Pinning

  • User-initiated
  • Simple and easy, no app support required
  • No admin control
  • Makes little sense w/o password

Lock Task (Android P)

  • Admin/app controlled (requires EMM support, also app support pre-P)
  • Admin/App-initiated
  • Much more flexible (especially in P)
  • Makes full sense for COSU

So I think that Google did indeed NAIL it firmly and decisively!

As a bonus, lockdown solution developers can focus on providing value-add (SSO etc) vs fighting the OS, especially when combined with ephemeral user support in P!

What are your thoughts? How do you like my blurry videos?