Android in an enterprise environment
EMM technology - part of Android and Google Play Services and now a common part of enterprise security solutions in large organisations - is used to control devices in enterprise environments.
Enterprise Mobility Management (EMM)
EMM is a technology for centrally managing user profiles and settings and for installing applications on Android devices. It lets the organisation enforce settings and applications on a device to bring it into compliance.
The technology allows device management in different scenarios depending on the usage of the device:
- The device is owned by the user but used for work (BYOD).
The device contains 2 profiles. One personal, which does not have access to corporate data and applications (corporate applications and data are not visible and accessible at all), the other corporate with the necessary applications. Physically, the applications and data are stored in an encrypted space that is unlocked only after logging in to the corporate profile. Through EMM management, the organization has full access to control the data and security in this profile. This functionality is only available from Android 5.1 onwards.
- The device is company property - users can use it for personal use
The primary user profile is fully remotely managed by the organization through EMM - application installation and setup. The user can have their personal profile set up (up to Android 8.0), which contains personal data that the organisation cannot access (but can delete - delete profile). However, the user cannot install applications and change their settings themselves unless the EMM security policy allows it.
- Dedicated devices
Used for work purposes only - typically mobile terminals, often with one default application running and restrictive settings (locked settings). Since Android 6.0, it is possible to define permissions for different users to different parts of the settings and system. The device is completely managed via EMM.
How EMM technology works:
Google provides EMM services via the EMM API, which is part of Google Play Services (Managed Google Play). The EMM Console is required for operation - this is part of various existing security solutions and is not provided by Google itself or as part of its G Suite for Business solution. A list of vendors and their solutions that provide EMM Console services can be found here: https://androidenterprisepartners.withgoogle.com/emm/
Devices must have Google Play Services installed. In order to install apps, the business must have Managed Google Play enabled.
The device must have the Device Policy Controller (DPC) installed - an agent/service that applies EMM policies on the device. A standard service is already part of Android, but the Android SDK also allows the development of custom solutions. Here's how it works: https://developers.google.com/android/work/dev-options and https://developers.google.com/android/management/provision-device.
The DPC service is initialized on the device for the organization's needs either by uploading a configuration file to the Android filesystem directly from the manufacturer or by scanning a configuration QR code, via NFC, by installing a customized DPC agent, or by logging the user in via their corporate Google Play account.
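A configuration QR code carries a JSON object of provisioning extras, so it can be reviewed before it is printed or handed out. The following is an added example, not code from this page or from Google: it audits such a payload for a pinned DPC download and for secrets or weakened settings embedded in the code. The keys are Android's android.app.extra.PROVISIONING_* extras; the list of findings is an assumed review policy, the checksum test assumes SHA-256, and com.example.dpc and emm.example.com are placeholders.

```python
import base64
import json
import re

P = "android.app.extra.PROVISIONING_"
COMPONENT = P + "DEVICE_ADMIN_COMPONENT_NAME"
DOWNLOAD = P + "DEVICE_ADMIN_PACKAGE_DOWNLOAD_LOCATION"
SIG_SUM = P + "DEVICE_ADMIN_SIGNATURE_CHECKSUM"
PKG_SUM = P + "DEVICE_ADMIN_PACKAGE_CHECKSUM"
WIFI_PW = P + "WIFI_PASSWORD"
SKIP_ENC = P + "SKIP_ENCRYPTION"

def is_sha256_b64url(value):
    """True if value is URL-safe base64 of a 32-byte digest (43 chars + optional '=')."""
    return isinstance(value, str) and bool(re.fullmatch(r"[A-Za-z0-9_-]{43}=?", value))

def audit_qr_payload(text):
    """Return a list of findings for a QR provisioning payload (JSON text)."""
    try:
        payload = json.loads(text)
    except json.JSONDecodeError as exc:
        return [f"not valid JSON: {exc.msg}"]
    if not isinstance(payload, dict):
        return ["top-level value must be a JSON object"]
    findings = []
    if "/" not in str(payload.get(COMPONENT, "")):
        findings.append("missing or malformed DPC component name")
    url = payload.get(DOWNLOAD)
    if url is not None:  # DPC is fetched during setup, so it must be pinned
        if not str(url).lower().startswith("https://"):
            findings.append("DPC download location is not HTTPS")
        sums = [payload[k] for k in (SIG_SUM, PKG_SUM) if k in payload]
        if not sums:
            findings.append("DPC download has no checksum to pin it")
        elif not all(is_sha256_b64url(s) for s in sums):
            findings.append("checksum is not a base64url SHA-256 digest")
    if WIFI_PW in payload:
        findings.append("Wi-Fi password is exposed to anyone who sees the QR code")
    if payload.get(SKIP_ENC) is True:
        findings.append("provisioning skips device encryption")
    return findings

# Constructed samples; the digest is 32 zero bytes, not a real certificate hash.
DIGEST = base64.urlsafe_b64encode(bytes(32)).decode()
GOOD = json.dumps({COMPONENT: "com.example.dpc/.AdminReceiver",
                   DOWNLOAD: "https://emm.example.com/dpc.apk", SIG_SUM: DIGEST})
WEAK = json.dumps({COMPONENT: "com.example.dpc/.AdminReceiver",
                   DOWNLOAD: "http://emm.example.com/dpc.apk",
                   WIFI_PW: "constructed-password", SKIP_ENC: True})
```

Calling audit_qr_payload(GOOD) returns an empty list, while audit_qr_payload(WEAK) reports the plain-HTTP download, the missing checksum, the embedded Wi-Fi password and the skipped encryption.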
The EMM Console administrator then has over 80 security settings and other tools for managing and configuring applications, see: https://developers.google.com/android/work/requirements
Android Enterprise Recommended Certification:
A smartphone, or other Android mobile device, that passes the Android Enterprise Recommended certification program assures businesses that it meets the set conditions and is therefore suitable for use in a work environment. Obtaining Google AER certification requires a certain level of resilience, such as a five-year product lifecycle and regular security updates.
Key benefits of Android Enterprise Recommended certification:
- Automatic security updates no later than 90 days after release on Google for 5 years after purchase
- The ability to upgrade to all future versions of Android for 5 years, plus an additional two years of guaranteed Android patches
- Easy installation of software on many devices at the same time using zero-touch enrollment