A lot of what I write about Android is geared towards corporate IT, CxOs, and other policy makers, to help them better the understand how Android enterprise can save time and money whilst offering a generally better experience for everyone involved. In this article, however, I’d like to focus on those arguably most impacted by corporate mobility strategies: the end users.
In 2018, users that take part in corporate bring your own device (BYOD) programs should no longer accept legacy device administrator management, due to the privacy and ownership issues associated with this outdated management model.
Next year, Android management will be changing forever with the deprecation of device administrator capabilities in Android Q/10. Jack has written about this here on BrianMadden.com, I’ve written about it, and you can read Google’s official announcement, too.
The following summarises the main problems you face with legacy management as a BYOD user bringing a personally owned device full of private applications and data into a business environment.
But before we go any farther, an important note:
The following points are based on multiple conversations with UEM vendors (Unified Endpoint Management, which may also be called the EMM or MDM server, or similar) and my own experience. It’s not intended to incite fear, uncertainty, or doubt—rather only to provide awareness.
The likelihood of the following actually affecting you or your device remains low, and it’s highly likely exactly what can be seen and done with your device will be explained in a corporate mobile device policy
However, knowing the power you hand over to administrators should reinforce why legacy management should no longer be accepted.
As I wrote in Google is deprecating device admin in favour of Android enterprise:
The device admin API is based on an all-or-nothing approach requiring full device administrative permissions in order to manage a device. This applies to both corporately-owned devices and BYOD, which is hardly ideal.
What this essentially means is when you enroll your personal device into a corporate UEM server, you are granting the administrators of that server full, complete control over your device.
They may lock it down more than you feel is acceptable (where did the camera go? Why is Bluetooth disabled?), wipe the entire device either accidentally or on purpose, prevent you from removing device management, reset your passcode, and more.
Because legacy device administrator management requires granting the UEM administrator rights over the whole device, once you’ve granted this power, it may not be easy (though it can be) to remove it again without resorting to a factory reset if permitted, or a reset via recovery if not.
This same logic can also apply to other apps such as email. By completing email account setup on the device, you’ll see the app request administrator rights.
Once activated, even the email app can wipe your phone, either via the UEM server or the Exchange server.
Although UEM solutions offer privacy settings to prevent it, it’s entirely up to the administrators as to what information from a device is synchronized. Privacy-conscious organizations may have combed through the settings to ensure only device details used for minimal identification and management are synced, and some may even choose to anonymise the devices and only base their management on device posture (the device has not been rooted, and there are no potentially harmful applications (PHAs) installed, etc.).
On the other hand, UEM solutions with full administrator rights can theoretically suck up a considerable amount of personal information from a legacy-enrolled device, such as the following non-exhaustive list:
Once again, before you accuse me of spreading FUD, it’s important to note that just because the above can be done doesn’t mean it will be done. Your device could be one of hundreds or thousands under management in your organization, and there’s very little need to assume IT have the time or inclination to monitor your device over any other. Again, this is just to demonstrate the capabilities you are enabling by enrolling your device into legacy management.
Unless you’re bringing a Samsung into work, there’s no guarantee your device will be fully supported by the UEM. You may struggle to get email working on your native client; some policies may not apply or may cause unusual behaviour; and when there are issues, the organization may not be comfortable troubleshooting your device.
This is because the differences between OEMs are great enough that IT won’t be trained to understand every single model and device. As a result, it’s common to see organizations adopt a supported devices list, and if yours is not on there, you’re on your own when things go wrong.
With so many exceptional alternatives across all budgets from the likes of Sony, Huawei, and HMD Global (Nokia), it shouldn’t be required to knee-jerk towards the first Galaxy you see, but the chances are this may be required with legacy management.
With an Android enterprise work profile, all of the above concerns are no longer relevant. Why is this?
In What is Android enterprise and why is it used?, I wrote:
Android enterprise is able to create a managed user profile that although sits entirely separately encrypted on disk (and as of Android 8.0, utilises completely different encryption keys for work/personal), integrates directly with the current user on the device in order to provide both personal and work applications in the same app drawer – the latter indicated by a briefcase.
In other words, when you enroll your BYO device into a UEM solution that supports Android’s modern set of management features (called Android enterprise), instead of it taking complete control of your device, it creates a separate, work-only space (this is called the work profile). The UEM management policies are confined to this isolated area, and you’re free to use the rest of the device as you like.
There are exceptions, such as the enforcement of a passcode on your device, monitoring for a signs of compromise, and other arguably reasonable capabilities ensuring basic security, but the most important ones (factory reset, app sync, remote access, etc.) are simply not possible on your personal apps and data, and instead are limited to the isolated work profile (i.e. all your work apps) that the UEM manages.
One additional benefit to the work profile, over and above the obvious privacy and ownership benefits, is the focus on work/life balance. You can simply turn it off during evenings, weekends, and holidays, which means you are able to completely disengage from work with the tap of a button.
On a recent holiday I took, I used the opportunity to turn my out of office into another means for demonstrating this message:
Thanks for your mail,
I am not in the office this week and my Android enterprise work profile has been switched off to promote a healthy work/life balance, so emails will not be seen.
You can learn more about Android enterprise and how to promote a similar healthy approach to work here – bytn.uk/ae
Please forward your email to support for a faster response.
A little cringe? Perhaps. But it certainly demonstrates the capability of simply clocking off and enjoying life without the interruption of work when you’re not in the office, and I think more people should do the same.
Whether you pick up the latest flagship phone or something a little more budget-friendly, you can guarantee your device will work and behave the same way. There may be some visual differences in the UI (skin) of each OEM, but the actual flow? Reliable and consistent. If you’re on a budget, previously, the only choice may have been a low-end Samsung, but now you are able to widen your search to a far greater selection of devices with no concern.
Right now, roughly half-way through 2018, over 66% of all Android devices in the wild are running Android 6.0 Marshmallow or greater.
Android platform distribution, July 2018, via developer.android.com
Why is this important?
From Android 6.0, which came out in October 2015, Google made Android enterprise support mandatory, so 2 in 3 devices currently in the wild already support it. (Arguably, this number is even higher if you count the so-so capabilities of 5.x, but I would avoid Lollipop in 2018).
In other words, there’s really no reason any modern device you pick up today with a reasonable spec won’t support the necessary functionality to support a dedicated work profile.
There are some exceptions—if you buy a no-name device from eBay, or something that is very low end (like with less than 1BG of RAM, or something that isn’t GMS certified, it might not work with Android enterprise work profiles. However, in 2018, for most BYOD users, encountering this situation should be extremely rare.
If you want to undertake due diligence before making the case to your employer for work profile support, there are easy ways to test this for yourself without needing to enroll your device into a UEM platform. Generally speaking, any GMS certified Android device running 6.0 or later with more than 1GB of RAM will be supported by default. A non-exhaustive list of examples can be found here, but just in case you wish to test for yourself:
Enabling Android enterprise on any of the leading UEM solutions today takes only a few steps, after which IT need only create some basic configurations to define how the work profile functions, and then push out applications. They may decide you aren’t allowed to take screenshots within work profile apps, or share data from a work app to your personal WhatsApp account, for example.
Compared to legacy management, Android enterprise setup is a breeze, but if there are concerns, feel free to point your organization to my Android enterprise technical documentation to learn more about what it is any why it’s used.
It should be clear that legacy Android management is no longer suitable for the modern BYOD workforce when an obviously superior option is available, and as of 2018, now widely supported.
If your organization doesn’t support Android enterprise today, ask them why! With the minimal effort required in enabling it and the vast improvements to user privacy and device management (not to mention the upcoming deprecation of legacy management) all organizations should be seriously looking at Android enterprise.
Until that point, ask yourself if you’re willing to forego the privacy and control you currently have over your device to access email or internal business resources. I certainly wouldn’t enroll my own devices into legacy management today, instead opting for a corporate-owned handset which can be as locked down as the organization desires until Android enterprise becomes available.
Are you enrolled in legacy management today? Have you heard about Android enterprise already? Is your organization embracing or fighting the change? Let me know in the comments, Twitter or connect with me on LinkedIn. Feel free to reach out with questions across any medium also!