In my last blog we looked at managing the legacy Android devices, like mentioned Google is investing in making Android safer and more enterprise ready. Today Google announced the deprecation of the legacy management of Android devices as of Android Q, like explained here in the blog of Chris Baldwin. One of the ways in making Android enterprise ready is by using Android Enterprise AKA Android for Work. Android for Work is available since the beginning of 2015, in Android 5.0 (Lollipop) and higher.
What is Android for Work? (Android Enterprise)
With Android for Work you are able to completely separate the personal part and the business part of a mobile phone. When enabling Android for Work a separate partition on the mobile device is created, this is called a work profile. To be able to have access to a work profile you need a EMM solution like Microsoft Intune to create and control the creation of the Android for Work partition.
So, in short with Android for Work we have a separate by the EMM secured partition especially for apps that you allow to access corporate data. For the user it looks seamlessly, apps that are managed by Android for Work “live” next to the apps that are used for private purpose, underneath the Android for Work managed apps and its data reside on the secured partition on the device.
Apps that are managed and controlled by Android for Work have an orange briefcase added to the icon. For the end user they are just apps that can be accessed from the same place where they have their own apps. With Microsoft Intune we are able to apply certain policies to secure the work profile, examples of policies are;
- Blocking or allowing copy and paste between work and personal profiles
- Controlling behavior of data sharing between work and personal profiles
- Require a password to access the Work Profile, or not. Also we are able to configure the rules to which the password needs to comply. (eg. Length, complexity, (alpha)numeric, etc).
- Allow or allow not smart lock or fingerprint to be used to access the work profile.
Next to the settings to control the work profile, we are also able to for instance force some settings on the device level, of course also impacting the personal profile.
Next to the security profiles/policies you are able to manage and deploy email(!), trusted/SCEP/PKCS certificates, VPN and Wi-Fi profiles. So, with Android for Work we are not bound to Samsung Knox to deploy email profiles to the email app.
So, what do you need to do to enable Android for Work?
First of all, on personal devices you need a Google Account to be configured on the device so that applications like the Company Portal(s) can be installed. Next to that you need to create a a Google Play for Work account and setup a connection between the Play for Work Store and Microsoft Intune with a Google Account which is used for corporate purpose. Do never use a personal account for this, when the owner of the account leaves the company you will most likely also lose access to this account.
After setting up the connection between Microsoft Intune and Android for Work we need to decide if all devices needs to be managed via Android for Work, only managed via Android for Work based on group membership or just all manage the devices in the legacy way. (which will be deprecated)
Device Restrictions
After setting up the connection the you are able to enroll the Android devices in Intune, but you should configure how Android for Work Device Restrictions before actually enrolling devices. To protect the work profile you are able to lock it with a passcode, which you are able to configure like you are used to for the device itself, but you can also control copy and paste behavior and if you can share data between the work and personal profiles and if you would like to receive notifications if the device is locked.
Conclusion Android for Work
When allowing Android devices to connect to your corporate resources and corporate data Android for Work is a really good solution to keep the private profile separate from the work profile. Work and private stuff are separated and one really big advantage is that the Android for Work / Workprofile experience is the same on very Android device, so no need to find out what devices you can apply which setting to.
In the next blog we will dive a bit deeper in the end user experience, and later on the other options you can take and other investments of Google to make Android safer and more Enterprise ready.
Great resources when managing Androids;
[…] Androids in the Enterprise, a blessing or nightmare? – part 2 […]
c’est génial!
magnifique !!