May 8th marks the first day of the Android Enterprise Partner Summit, offering attendees a wide array of talks, demos, and information across two dedicated tracks (technical & go to market).

Given the success of 2017’s summit (see reference for that here) I’m super excited to be attending.

As a bit of an experiment and a first of its kind for the site, I’m going to be live-blogging the event (not religiously, but certainly highlights) throughout day one and two. The feed for that is below!

For live updates without refreshing the page and to get involved with questions or comments, head on over to the Discuss topic. I’ll do my best to direct questions to the right people or answer accordingly!

Want to get in touch via other means? I’ll be on Twitter throughout the event also.

Updates | View live on forum

  1. Day 1 highlights:

    1. Zero-touch EMM integration, offering the capability to view and managed zero-touch enabled devices right from within your EMM console, no logging in to required!

    2. OEMconfig is potentially huge news, for the whole ecosystem. Enough so that I’ll likely put a blogpost together on this, but essentially this means OEMs can declare their APIs via an app with escalated privileges which can be configured using managed app configurations as with any other Android enterprise application utilising the Play API. No more waiting for EMMs to integrate APIs!

    3. 30% more devices are being patched for security updates year-on-year. Android devices are becoming more and more secure all of the time.

    4. “Project treble makes it easier to adapt new releases much faster” I said, this couldn’t be any truer seeing Android P beta released simultaneously to several devices across a range of OEMs today. When has that happened so effortlessly before?

    5. There’s a lot of discussion around DA deprecation for good reason. Google have resources to help, but customers need to be migrating sooner rather than later.

    6. Big push on the Android Management API (AMAPI). Zero-day support for platform management features and really nicely built into the device. Looks slick and should help partners across the globe spin up their own management platforms.

    Day 2 highlights

    1. DA deprecation was everywhere, more so than day 1

    2. Expanded AER programme for more device types and partners

    3. New features in P - big changes to accommodate advanced user management and actions

    4. New deployment scenarios being considered for lighter-touch deployments (and others)

    5. Android P beta hands-on, with the new navigation as well as the work-profile and other features. Farewell orange work badge. I’ll remember you (mostly because I’ll need to change my own AE colour schemes in docs). Profile switching in-app is super slick and just what we need. AND thanks to Project Treble it’s available on multiple devices!

    6. A new kiosk (locktask) solution baked right into the device natively, no need to rely on EMM kiosks after P!

    7. Managed Google Play iFrame updates bring more features whilst making it easier to use

    Read on for the full breakdown update-by-update!

  2. In and waiting.

    Welcome to the Android enterprise Partner Summit 2018!

  3. David Still opens the event!

    Zero-touch growing organically, as is Android enterprise recommended (I didn’t get the figures before the slide changed).

  4. 10x growth of Android enterprise activations in the last year.

    No public figures available as Google doesn’t make them available, but 10x something is pretty good.

  5. 380m Android phones ship in 2018 for business use.
    65% corporate liable! Corporate liable doesn’t mean under management, that number is smaller.

  6. Google say Android security is now outpacing iOS.
    An obviously controversial statement :sweat_smile: (backed by Gartner though!)

  7. More device types coming to AER, rugged, tablets… and wider ecosystem (SI’s and other partners).

    Topical, here’s a pie chart of Android Enterprise Recommended status within organisations:

  8. We’re talking about device admin deprecation now. This is going to be a key topic across the event.

  9. Finishing off the intro and splitting into sessions shortly.
    I’ll likely stick to the technical track mostly…

  10. Andrei and Travis arrive on stage

  11. IT spend on devices in 2018 estimated: $783B!
    There’s a huge opportunity for AE and the partners to manage these devices.

  12. The expectation of using multiple devices for business and personal is disappearing. This is why Google focuses so much on the work profile and data separation.

  13. Google strongly believes work profile is the best way of managing BYOD deployments today (and I’d 100% agree!)

  14. Lockscreen brute force can now require hardware-level compromise to be successful on Oreo devices due to improved hardware trust.

  15. Talking up zero-touch… I’ve got my own write-up on that here -

  16. And touching on Samsung.

  17. Looking forward to the deep-dive on P tomorrow. Big focus on shared devices.

  18. Google Play Protect, scanning 50Bn apps per day on and off the Play Store.

  19. Exchange in Gmail is a big focus for enterprise. Making the best enterprise native email client possible.

  20. Android management API - always up to date as it’s built by the people who develop the Android operating system.

  21. As of 2017, 85% of devices with a fingerprint sensor running 8.0 had a secure passcode.

  22. Users are the last line of defence against PHAs and security incidents.

    To counter this, Android focuses first on making sure only those authorised have access with lockscreen tools.

    Then all data is encrypted (has been since 5. Transitioned from full disk to file based more recently).

    PIN+HW are used to generated encryption keys. Plus with rollback protection it’s possible to prevent downgrading in order to get around the security policies in place.

  23. Talking again about Play Protect (well, it’s important :blush:) scans on the device to protect against PHAs. Play Protect can forcibly remove PHAs from devices.

    PHAs have dropped dramatically in recent years!

  24. Sandboxing makes sure PHAs can’t access any data outside their own allocation without permission.

    This is why we see so many PHAs asking for device admin permissions.

    Work profiles take this further… sandboxing the profile the apps run within.

  25. Touching on security updates.

    30% more devices patched YOY. Well done OEMs.

  26. Patches are important (duh) but with SELinux again sandboxing prevents damage.

    That’s no reason to not place a huge focus on OEMs pushing patches though.

  27. Touching on Treble since we’re talking about patches.

    “Project treble makes it easier to adapt new releases much faster”

    Treble also provides much better hardware isolation

  28. It’s no longer possible to dip into different HALs openly as it historically has been possible to do so. With HAL isolation Android is even more secure.

  29. Fighting root with verified boot!

    Making root persistent requires changing the underlying OS. VB runs through multiple checks of the partitions to ensure Iintegrity before allowing boot. Verified block-level, cryptographically.

    VB is strictly enforced as of 7.0

  30. Android P will add more capabilities for verified boot :slight_smile:

  31. That perception is not reality.

    Bugs =! Exploits

  32. Google haven’t seen a single exploit based on Stagefright.

  33. Lots of talk about P… check out my post which summarises it -

  34. Open Source is one of Android’s biggest strengths. It makes it so easy to find and fix bugs, no reverse engineering required.

    As a result Android platform hacks are harder to find.

  35. Time for a break!

    Just in time… RIP my thumbs.

  36. Thanks a lot so far Jason! Enjoy your break!

  37. And we’re back! I’m now on the tech track (those reading on the GTM, feel free to upload a few photos and make comments)

    Mike & Glen are up!

  38. Managed Google Play accounts. Super easy account provisioning and takes a whole heap of work out of the legacy G Suite enrolment (which, for G Suite customers is still the viable option).

    Talking of device considerations…

    If it’s 6.0(.1) and above, and GMS ceritied it should be good to go.

    I’d recommend not dropping below 7.x however.

  39. Considerations continued.

    I was not aware there were any real issues outside of China!

    The China story is being worked on, no updates today.

  40. Device admin best practices? Stop deploying it.

    Thank you

  41. Gmail accounts and FRP.

    Worse case option, have users remove the account in front of you [responsible person at the organisation]. Doesn’t need to be IT.

    Do not ever use one Gmail account to manage many devices.

    Best would be to use managed Play Accounts anyway.

  42. James Nugent is onstage now, going to lay some zero-touch on the audience. Again I’ve covered ZT here -

  43. In the meantime, check out this multi-device display

  44. Well this is new to me! Similar to DEP ZT will offer integration from the EMM. No more dual consoles!

    You can list devices, set configs and more as soon as an EMM integrates!

  45. Ooh the dreaded “Samsung + zero-touch” question! :grin:

    Still nothing to share, but they confirm discussions with Samsung are ongoing to integrate the two portals.

    Don’t hold your breath.

  46. First zero-touch tablet to come “in a matter of weeks”!

  47. One more tidbit that’s good to point out -

    Devices purchased today can be retrospectively added to zero-touch by the zt reseller.

    Arguably any reseller could do this if ownership is validated, but I wouldn’t count on resellers agreeing to this generally.

  48. Imran is up next, let’s talk about device admin deprecation…

  49. To summarise -

    • DA was never supposed to be used in the way it is today.
    • AE is more secure, flexible and robust.
    • There’s no way to ensure there’s only one device admin, unlike WM
    • Each OEM added their own APIs atop DA, making EMM integration difficult (shout out to SOTI for sticking with it)
    • Gmail account requirement
    • More battery intensive for management… so on

    I’ve written far more about DA deprecation here -

  50. There’s a lot of focus on the talks about informing customers about DA/AE - particularly for SI’s

    Promote AE first in the EMM (defaults to DA will only result in more DA!)

    BYOD should be switched over to work profile today. There’s little reason not to since DA to WP is relatively non-disruptive. WM is more challenging.

    You know, I’ve talked about this before, too -

  51. A very much expected question - “so if we don’t upgrade we won’t have any DA deprecation problems?”

    Look at the bigger picture. 2020 onwards you’re not going to have a choice with new devices. Putting AE first now will save a LOT of effort and time later.

  52. Took a break, coming back in on OEMconfig.

    Pretty cool, Google take the effort out of supporting additional device APIs with a universal-style OEMconfig app!

    This is going to make adding and managing additional device managemeny APIs over the base AE APIs crazy simple!

    • Import the OEMconfig app(s) (one per OEM)
    • This will generate a managed Play API config the same as Gmail would allow you to set an server URL for mail
    • Tick the boxes for the bespoke APIs you want to enable
    • Boom! Done.

    No more EMM API integration per OEM, as soon as the OEM publishes the app the admins can configure it! Same with new features, just an app updated with a new schema will push a new option in managed app config for the app and can be applied immediately.

    This will save so much time.

    Zebra example:

  53. Talking about the Android management API now and why it is, quote:

    • The AMAPI will be fully EMM Android Enterprise Recommended.
    • Zero day support for new management APIs as soon as an Android update drops.
    • Fully integrated with the OS, limited end-user visibility, settings integration

    I’m mostly just impressed by how excited this guy is.

  54. It is looking legitimately so much easier to build a management experience

  55. Touched on ephemeral users in P while doing the AMAPI demo. SO slick!

  56. Integrating zero-touch.

    We’ll be able to see both provisioned and unprovisioned devices. Push configs and more. They’re doing the EMM integration I mentioned above!

    Also they’re bringing work profiles on fully managed devices to the API. Yasssss.

  57. More demos. This session is my favourite.

    The AMAPI being baked into settings is super slick. Open the menu item and see when the device last checked in.

    This is what all Android management should look like.

  58. Will the EMM management libraries be deprecated?


    To expand on their answer - Google last I checked were even requesting existing EMMs don’t switch to the AMAPI. There’s still more customisation to be had by rolling your own DPC. Super fast to get off the ground for new solutions though.

  59. That’s all for day one! Got caught up in some conversations and forgot to close out. Until tomorrow! :slight_smile:

  60. To very briefly touch on some Android P, I/O 2018 updates, I present to you:

    1. New navigation:
    1. Adaptive battery:
    1. Digital wellbeing:
    1. App slices:

    Some seriously good stuff coming out!

  61. And we’re back for day 2!

    Good luck finding a seat…

  62. David’s back on!

    People from 31 countries here… looks like it :slight_smile:

  63. Talking a bit of IO, picking up on my above post last night.

  64. #teamCWSI are in the house today. Keep an eye on Colm’s Twitter later too for more GTM goodness!

  65. We’re taking an early break a moment due to a hotel power issue. My 4G isn’t strong enough to get pics uploaded so will be back in a moment!

  66. We’re back.

    The work profile badge is changing colour and I’m a little sad to see the gaudy orange disappearing (but actually it can be OEM customised anyway)

  67. Recapping P features.
    I’ve covered them here -

    App switching between profiles isn’t in the beta but is coming later this year.

    Seamless QR provisioning, locktask mode, etc already covered.

  68. To recap this session, here’s what’s being covered

  69. Oh this is new though! Great “kiosk” (locktask) features coming in P. EMMs won’t need to build their own kiosk in future.

  70. Here’s some clarification on DPC migration!

    Switching between EMMs or DPCs without losing management. This is powerful.


  71. ADB can’t access work profile data in P, and a global intent block.

  72. Yesss this is the first time a beta is available on non-Google devices.

  73. Matt’s onstage now and we’re going to talk about the “next generation of management”

    2 principles:

    • Minimise integration cost for EMMs
    • Minimise number of consoles for admins

    We saw a taste of this with ZT EMM and AMAPI integration yesterday.

  74. Talking up to AMAPI again - I wonder what this will mean for existing EMMs? Talking to a few yesterday, they’re all looking to find out how to possibly integrate at least to some degree.

  75. Demo time - AMAPI ZT enrolment was SLICK. A video of that will come later (unless I get hands-on later)

  76. For EMMs not using the iFrame for managed Play apps, this may be the time to reconsider.

  77. Big updates to the iFrame! WebApps too! (Pic quality suffered here sorry)

  78. On-device machine learning next.

  79. Google translate is a great example of what they’re doing with this today.

    Adaptive battery is a new one coming :slight_smile:

    Very cool.

  80. Far more about ML can be found with MLKit and IO announcements…

  81. Random observation: taking photos with tablets is popular.

    Courageous, folks.

  82. James is back on!

    What’s new in P

  83. Talking about the app separation in P.
    Brings up the common “why are there duplicate apps in the app drawer”


    Interestingly, the orange work badge failed usability tests due to the high contrast. Blue is also more in line with AOSP.

  84. There’s a lot of duplication to the earlier keynote so not a lot to comment on here.

  85. Shared devices is going to be very useful though. Persistent users with login/logout is awesome. Ephemeral users clearly a big deal too

  86. Have you seen the “switch to work” (or switch to personal the other way around) option when sharing something on a work profile device? P will add the ability to disable that. Mentioned above but James added some useful context there.

  87. Just about to get stuck into DPC migration deep dive and… hotel lost power.

    Will pick up in a bit.

  88. These are all excellent usecases, making migration between EMMs easy is a massive time saver for orgs.

    And topical with the push for AMAPI - there’s a migration path there too!

  89. I might’ve missed it, but it does seem like both DPCs will need to offer some support. I wonder if this could therefore be blocked…

    Green, old DPC
    Light blue, Android
    Dark blue, new DPC

  90. Grabbed a video of the demo migration I’ll edit and upload later. It’s super slick though!

  91. Andy is on stage next. Going into detail for dedicated devices!

  92. This slide is a great reference for the QR provisioning in P.

    Someone asked about supporting certificates in the QR flow. This isn’t supported for security reasons, ideally need the user to be provisioned before storing certs in the device keystore.

  93. APNs - they call the APIs “override APNs” to make it absolutely clear that’s what happens. APNs typically set by the carrier are being overridden and this can help troubleshooting.

    This feature is very much accepting feedback from the public.

  94. This is one of the biggest changes to Android in recent memory. Definitely worth giving it a test!

  95. Back after lunch! Ken and Eugene talk about AER.

  96. Making file based encryption mandatory will be great to see in P.
    Introducing AER for rugged and tablets (covered this earlier)
    Android academy coming for partners.

    Some interesting, and different, requirements coming for rugged devices. More will be announced publicly later.

  97. Here are the key initiatives for this year

    Now covering, or recapping, DA deprecation, zero-touch and “Android enterprise first”. All covered off above but as I mentioned, clearly very much popular topics this year :slight_smile:

  98. Exploring the device demo area!

    Android enterprise recommended:

  99. I’m totally ok with this new nav layout. Will take some getting used to though and I’m not keen on how quickly/accurately I had to gesture at the moment… would get used to it though.

    When too many apps are open you sort of just hold the home button one side or the other. If that’s too awkward a quick swipe up reveals it all normally and you can swipe left and right as is currently the case.

  100. Checking out the final session of the day!

  101. Google to OEMs: “how can we make your lives better?”
    Later: Project Treble is announced :grin:

    Enabling OEMs to push security updates and OS updates quicker definitely works towards improving the ecosystem as a whole.

  102. Google to partners: “When you’re successful, we’re successful. Let us know what we can do to help”.

    Speaking from experience, Google are always happy to help whenever I’ve been in touch!

  103. For government - Android is undergoing PCI compliance certification, even if some OEMs do this, getting this certified at the source would be very cool.

  104. Someone asked about the 30 names for every deployment type!
    They’re working on unifying internally to better that communication.

    Dear Google:

    • Work profile (BYOD)
    • Work-managed (COBO)
    • Managed work profile (COPE)
    • Single use (COSU)

    Simple! :wink:

  105. AE growth competitive across all regions (no clear winners)
    They do best in diverse hardware markets (customers needing handsets, rugged, COSU, etc).

  106. Key takeaways:

    • Be prepared for DA
    • Application API level targeting for apps
    • The Android Management API is going to be important going forward (but existing DPC admin isn’t going away)
    • There are more deployment scenarios being considered in future for lower-friction deployments!
  107. Thank you very much for a fantastic event, folks!

    Android is ready for the enterprise and they’re just getting started :slight_smile:

    For those who’ve followed this to the very end, thank you for tuning in!

    Did you find this valuable? Should I do these more often?
    Your feedback would be excellent!

Something to say?