Notes

I was setting up a OnePlus Nord CE 3 Lite 5G this morning (rolls off the tongue, that!) running Android (OxygenOS 14) with a May 5 SPL for testing, and found myself in a loop getting provisioning into AMAPI to complete with a password policy set.

The phone, when choosing to skip biometrics and just use a password, will fall back to the AMAPI ADP prompt asking for a password to be set up. No matter how many times it was tried, it'd fall back to ADP.

So I figured I'll just set fingerprint up to get through enrolment, only to be first prompted for a password and then offered a button to skip biometrics (setup later). With a tap then enrolment completed without biometrics. Great.

🤨

I do wish OEMs would test their implementations of Android with enterprise flows, or stop making changes to things AOSP does perfectly fine.

In any case, if you're (or your end users report) seeing a similar issue with Oxygen OS, there's the workaround. If you're reading this on LinkedIn, there's a GIF in the link (via) showing the loop.

#androidenterprise

Back to some regularly-scheduled programming (get it? Because AMAPI?)

Google have been on a pleasant tear as of late, with today's new API being another long-supported AOSP API our Custom DPC partners have been able to leverage for years now:

Display settings!

We have an API for Screen timeout (screenTimeoutSettings), and another for Display brightness (screenBrightnessSettings).

Admins will - whenever our AMAPI ecosystem partners implement them - soon be able to provide granular control over the brightness of a device (kiosk/POS/dedicated use thank you much!) as well as more control over how and when device screens time out. Again, definitely not new and you've likely seen them in the behemoths of the ecosystem for a long time, but AMAPI is still playing catchup on feature parity with the available DPM/user manager APIs we have available.

In other news!

ChromeOS is adopting components of the Android stack!:

🔗 https://chromeos.dev/en/posts/building-a-faster-smarter-chromebook-experience-with-the-best-of-google.

This isn't the threatened convergence the media have harked on about for the last several years; ChromeOS and Android continue to live separate, complimentary lives. No, this is a conscious decision to reduce the frequency of which the teams have to implement the same features in two different platforms.

It's a decision emerged in the context of AI, because of course it is, but will have far-reaching benefits over the longer term for both platforms. Yay ✨

.. and in semi-related news, the prospect of running ChromeOS on Android has returned, it seems Google either had a change of heart based on the outpouring of positive feedback to the idea, or they were playing smoke and mirrors the whole time.

An upcoming Ferrochrome launcher application appears to be bringing this to fruition, without the need for manual compiling and root access to leverage it we need today:

🔗 https://www.androidpolice.com/chromeos-on-android-project-ferrochrome/

I wonder if it'll support ChromeOS management. That's a project for another day.

Finally, Beta 3 for Android 15 is out! This marks platform stability and confirms the new API level of 35. Get to testing, if stability is what you've been waiting for!:

🔗 https://android-developers.googleblog.com/2024/06/the-third-beta-of-android-15.html

Lots of things happening in Googland 😎

#androidenterprise #chromeenterprise

Off the back of the news of NinjaOne launching MDM today (link: https://www.ninjaone.com/press/mobile-device-management/), I'm pleased to say I've made the jump back in to full time employment, leading Google Ecosystem product for NinjaOne MDM 🎉

I'm super proud of the work done by our teams to get this up and running so rapidly, and while today's announcement introduces Android and iOS support, work is already underway to expand modern management to other operating systems. Keep your eyes peeled 👀.

Read my blog here: https://bayton.org/blog/2024/06/joining-ninjaone

#androidenterprise #ninjaMDM

Did you hear? From Android 15, Samsung are restricting several Knox APIs for applications that aren't calling them as a device or policy owner, limiting capabilities previously open for non-EMM use cases to only those under management.

Samsung plan to fully restrict all Knox APIs with Android 16 next year.

While I haven't seen prolific use of non-AE use cases for Knox recently, I'm certainly aware of vendors leaning on the APIs for uses that aren't directly management-related. MTD, consumer AV, or remote desktop apps being some that come to mind.

Obviously it needed to be done at some point to finally fully phase out DA management, but I do wonder what sort of impact this will actually have.

More: 🔗https://bayton.org/blog/2024/06/knox-changes-android-15/

#androidenterprise

~~

NB: Formatting and embedded images aren't shown on LinkedIn, check out the full post on notes: https://bayton.org/notes/92

~~

AMAPI release notes for May were dropped last week, but nothing had hit the API so I opted to hold off on talking about it.

Until today 😁

As of this afternoon we have the following changes to AMAPI, including a couple of things referenced at the summit 👀

userControlSettings

Allows end users to undertake actions such as force-stopping or clearing app data. This is a per-app setting.

In testing the experience was a little mixed. I with user control disabled I was still able to go into app info > storage and clear cache, but as the GIF shows it's definitely doing something.

userControl.gif

PERSONAL_USAGE_DISALLOWED_USERLESS

Allowing personal use has been pretty binary from the start, however with BTE - or Customer sign-up, as Google will be referring to it publicly, some new options will be introduced.

I've referenced in What's new (so far) for enterprise in Android 15 (linked below) the inclusion of another allowPersonalUsage option, DEDICATED_DEVICE which will also allow provisioning customisation for dedicated devices, but that's not available to us just yet..

https://bayton.org/blog/2024/04/new-for-enterprise-android-15/#deeper-dedicated-device-experience-management

You'll be pleased (maybe?) to know setting PERSONAL_USAGE_DISALLOWED_USERLESS today has no impact on provisioning, at least ahead of BTE going live-live, it's more of a flag to tell AMAPI the device enrolling is userless - a kiosk or dedicated device with no capacity for personal use or corporate authentication, in fact I recorded the provisioning process in the following (low quality) GIF, sped up for convenience:

userless

Finally,

The get and list methods for enrollmentTokens now return populated value, qrCode, and allowPersonalUsage fields.

I don't see this happening, at least not yet via the API explorer. This'll be great when it does happen though; I'll gladly sacrifice a few additional calls to the API to fetch enrolment token details rather than fuss over storing and managing them within a database I have to maintain, so I'm happy with that 😁

#androidenterprise

AMAPI has recently added a new state for enrolled devices that indicates to EMMs/EMM admins a device has been locked by a finance solution.

DEACTIVATED_BY_DEVICE_FINANCE

Per Google:

"This is a financed device that has been "locked" by the financing agent. This means certain policy settings have been applied which limit device functionality until the device has been "unlocked" by the financing agent. The device will continue to apply policy settings excluding those overridden by the financing agent. When the device is "locked", the state is reported in appliedState as DEACTIVATED_BY_DEVICE_FINANCE."

I've talked about Device Lock infrequently here, which is Google's financing platform built upon AMAPI and zero-touch with a custom DPC (or DLC, L for Lock, as they call it) and partner-supplied Kiosk app supporting a limited subset of restrictions:

  • Disable date and time
  • Disable developer options
  • Disable unknown sources
  • Disable safe boot
  • Disable adding new users
  • Disable outgoing calls

With Google's Device Policy Resolution Framework introduced with 14, (notes here), you can see how this ties in behind-the-scenes, where DLC (finance) has precedence over DPC (EMM).

The name of the state AMAPI returns here is not ideal necessarily, as I think it could be easily confused with disabled, wherein the device is actually blocked from all work apps and data until the cause of disablement is addressed. Based on the description of the state nothing is actually being deactivated; rather a limited set of APIs are being overridden by a higher precedence Device Controller. I'd likely have gone with something more akin to LOCKED_BY_DEVICE_FINANCE or RESTRICTIONS_OVERRIDDEN_FINANCE_LOCKED.

But hey, I'm not the PM.

Anyway, Device Lock appears to be picking up steam. I was generously offered a sneak peek at a partner's implementation a couple of weeks ago to see the type of experience coming to market (as I understand it, there are already solutions in-life too). Gauging just how mature an offering it is is difficult because it's a rather hush-hush solution locked away in Google's partner-only documentation that only certain OEMs and partners can access. Equally, OEMs are rolling out their own solutions, with Motorola, Samsung, HMD to name but a few implementing this outside of Google's desired approach.. further fragmenting the financing experience until Google makes their mandates in GMS/CDD requirements at some point.

Those latter solutions obviously won't show up in EMM as "Deactivated", but as Device Lock picks up, admins benefit from a little additional insight into device state going forward.

#androidenterprise

Popping aside the product itself, because I haven't (and probably won't) had hands-on with the form factor..

This is a good lesson for Android OEMs especially - but products generally.

Someone will tear it down.

In ways you haven't considered, through means you may not know exist. It'll happen, and the inner workings will probably be pretty well mapped out when it does.

For the Rabbit R1, that was -

  • it runs Android 13 (AOSP), with a May '23 SPL
  • it's core function is via a custom launcher app which can run on other devices
  • it runs on a BSP, vs ground-up AOSP

How you handle this matters; don't goad the community with statements about the product being super bespoke, highly secure, or attempt to skew how it really works, because they'll treat it as a personal mission to prove the statements untrue.

Like this - https://www.androidauthority.com/rabbit-r1-bespoke-android-3439760/

rabbit OS and LAM run on the cloud with very bespoke AOSP and lower level firmware modifications - rabbit CEO

As soon as I saw alps/BSP in the build fingerprint I assumed they were talking nonsense because they're the pre-built images chipset vendors offer requiring little work to get certified for GMS/Play Protect.. which then Mishaal & co tore down further and confirmed.

There's absolutely nothing wrong with this, many OEMs rely on these BSP/turnkey images, and I used them on the prior hardware I built for enterprise.. but now we know the team behind the product aren't transparent 🙃

If you're building on something, own it. In the case of Android, bespoke form factors are exciting and interesting. Could you have "just offered an app"? Sure.. but focus on the benefits of providing hardware and enhancing the overall experience with it. There's likely USPs of controlling the hardware/build image after all.

Oh, and don't ship with an SPL a year+ out of date while making statements about being secure with an internet-connected device, please.

Thank you for coming to my TED talk.

Perusing the AMAPI policies dev docs this afternoon I stumbled upon a new API, WifiSsidPolicy, that will offer organisations the ability to allow or deny certain Wi-Fi networks.

Neat!

I say "new", it's been in DPM as a device-level API since Android 13, so it's practically 2 years old. But.. that's AMAPI.

It offers two configs:

WIFI_SSID_ALLOWLIST prevents connection to all networks except for the SSID(s) explicitly set by policy.

WIFI_SSID_DENYLIST allows connection to any network except for the SSID(s) explicitly set by policy.

I tried it out this evening, because of course, only to be met unfortunately with absolutely no change in behaviour whatsoever, and my bug reports don't show any sign of new restrictions within the DEVICE_POLICY dump of service. I might have jumped the gun a little on full availability 👀.

Either way, once this launches (read: by the time release notes are live) I can see some pretty obvious use cases for it - Preventing access to all but the corporate/store network for location-bound hardware (dedicated, single use, etc) so it's an offline brick outside of this for Wi-Fi-only devices, or perhaps known risky network SSIDs*, or again those of a corporate network managed devices mustn't connect to should they otherwise have the opportunity.

*Not open networks necessarily, as we can already prevent this with MinimumWifiSecurityLevel to mandate a minimum of WEP/WPA or better.

.. but as with MinimumWifiSecurityLevel, WifiSsidPolicy only applies to company owned devices running 13 or higher, so unfortunately organisations running 12 or older devices without OEMconfig derived network policy restrictions are left to run amok joining every honeypot they find unless configuring Wi-Fi is disabled all together 😅.

Sidenote: I wrote this up in Project IDX - https://idx.google.com - which seems pretty new and gives me some access to Gemini in a limited context. Not bad for a VSCode clone without proper copy/paste support (that I've experience) so far 😁.

#androidenterprise

One of the most significant changes planned for Android 14 was the adjustment of the work profile to never fully turn off; it was going to leverage functionality not dissimilar to do not disturb and work towards ending notification-geddon for when the work profile has been off for a while, where everything comes through all at once upon turning it back on.

It didn't ultimately make the cut, (see https://bayton.org/blog/2023/09/work-profile-reverted-in-14/), and for good reason from what I recall. Issues around notifications when the profile was "off" were publicly documented.

Anyway, I thought I'd take a little peek at the 15 beta and, unfortunately, it doesn't look like work profile changes are on the agenda yet (if at all); I see the same pre-14 behaviour (Status: Shutdown/-1) when turning the profile off:

jasonbayton@Jasons-MacBook-Pro platform-tools % ./adb shell dumpsys user | grep -A 3 "Work profile"
  UserInfo{10:Work profile:1030} serialNo=10 isPrimary=false parentId=0
    Type: android.os.usertype.profile.MANAGED
    Flags: 4144 (INITIALIZED|MANAGED_PROFILE|PROFILE)
    State: RUNNING_UNLOCKED
jasonbayton@Jasons-MacBook-Pro platform-tools % ./adb shell dumpsys user | grep -A 3 "Work profile"
  UserInfo{10:Work profile:10b0} serialNo=10 isPrimary=false parentId=0
    Type: android.os.usertype.profile.MANAGED
    Flags: 4272 (INITIALIZED|MANAGED_PROFILE|PROFILE|QUIET_MODE)
    State: -1

It's something I'll keep my eye on, but in the shorter term Google introduced a notification cooldown in DP1, later removed in Beta 1, that will hopefully return and potentially land a middle-ground on maintaining the existing fully-off behaviour of profiles, while not overwhelming users with notifications when eventually turned on once more.

No idea why it was removed between builds, but another one to keep an eye on.

(BTW, a beta 1.1 is available with critical fixes, if you're interested - https://developer.android.com/about/versions/15/release-notes)

#androidenterprise

AMAPI release notes for March are out!

In addition to the constraints I mentioned previously, there are also new configs for WiFi security

...and...

The USB data access API default behaviour has now finally seen a change log reference, almost a month after it went live.

Check it out -

https://developers.google.com/android/management/release-notes

🎉

#androidenterprise

Android 15 DP2 is officially out, and so far it's a mixed bag.

The bug when pre-setting a Wi-Fi network within the provisioning payload that caused provisioning into management to fail appears to be resolved ✨

But.. it appears there's a bug with Google Play Services preventing the enrolment flow from provisioning a managed Google Play account during enrolment, seen by a crash of GPS as soon as the device lands on its home screen 😬

But hey, bugs aside it looks like Google finally pushed updates to docs (since I last checked)!

What's new (so far) in Android 15!?

- Content protection policy

This appears to offer control for the scanning of harmful applications on a device, perhaps allowing admins to explicitly prevent line of biz APKs sideloaded from being flagged up on end user devices as potentially harmful, unrecognised, or any other state that'd trigger a complaint to the admin helpdesk.

- Disallow NFC radio

As it says on the tin. If you're thinking "Don't we already have an API for NFC?" Yes we do, but that's to control the beam of data between devices. This is a full on radio disable and will probably live under DeviceRadioState in AMAPI at some point later.

- Disallow Thread Network

I'm assuming this is related to comms with thread devices (https://en.wikipedia.org/wiki/Thread_(network_protocol)), no additional context has been provided but you can assume what's coming.

- Disallow SIM Globally

This sounds like it's ticking off a long-desired feature request to fully disable all cellular on a device, but again missing any additional context I don't want to jump to conclusions.

These aside, I've noticed a few things removed from the DPM page which I'm not sure are intentional, like enrollmentSpecificID. There are a few bad links there at the moment.

Good stuff 😎

#androidenterprise

It's been a busy day! We have:

AMAPI release notes: https://developers.google.com/android/management/release-notes#jan-2024

An update on AMAPI DPC migration: https://bayton.org/blog/2024/01/amapi-migrations/#update

An update to TestDPC: https://github.com/googlesamples/android-testdpc/releases/tag/v9.0.3 (with release notes, AMAPI ADP devs take note)

And it seems we're settling on "OSes" being the most popular pluralisation of OS, after "OSs": https://www.linkedin.com/posts/jasonbayton_help-me-out-here-how-do-you-pluralise-os-activity-7157731854639382528-zqNu?utm_source=share&utm_medium=member_desktop (with a day to go, so that's up for debate still).

Tuesday has some big boots to fill 😁

• 29/365

#androidenterprise

I spy with my little eye, some new functionality in AMAPI 👀

The public developer docs were updated a few days ago, alas without the corresponding release notes as yet.

In any case, we have support now for DPC Migration! That incredible feature that Google introduced in 2018 for the seamless, wipe-free migration of devices from one EMM vendor to another.

..or so I thought, alas this appears to be a substantially watered-down implementation just for the migration of devices within a specific EMM vendor between the outgoing Play EMM API and the newer AMAPI.

More: 🔗 https://bayton.org/blog/2024/01/amapi-migrations/

At least it takes advantage of the extensibility SDK Google promised we'd see more functionality from at last year's summit! I'd hoped in the last year that might have been any number of the feature gaps AMAPI still hasn't plugged (ephermeral users? manual system update management? lower-level access to the device comparative to DPCs? remote debugging?) but it sets the groundwork for supporting DPC migration as it was to be 6 years ago, so here's hoping this evolves quickly.

Have a good weekend!

• 26/365

#androidenterprise

Back last year the topic of alternative Android OS's came up, and I popped it on my never-ending list of things to dabble with.

Today I figured I'd take the plunge, eyes-closed, and see what I could do.

I flashed GrapheneOS (/e/ isn't yet supported on the Pixel 7a) and had a poke around.

Obviously there's no Google Set up Wizard (SUW) and so immediately on first boot I had no means of initiating a QR scan, zero-touch,.. provisioning was out of the question.

ADB is available (after enabling it) after setup completes, and TestDPC attained Device Owner with ease via a single command. From some light testing all of the on-device APIs for AE worked as intended.

I was also able to spin up a work profile through TestDPC and Shelter, and both worked in the testing I was doing, so cool.

Things took a turn when I started trying to shoehorn Android Device Policy into the mix. ADP appears to require a permission set much wider than that of what GrapheneOS will offer through their GMS sandbox, even with Google Play Services and the compatibility layer running atop, and while I got AMAPI all the way through to registering the token for a work profile (the WP was created, apps were populated from system) it ultimately failed in talking to the AMAPI backend with an authorisation error I wasn't able to get around.

Similarly, setting ADP as DO via ADB still had it asking for a token (expected), but then it behaved as if it's running on an already setup device, and would only attempt to provision a work profile.

Graphene do say, explicitly, AMAPI isn't supported; this was a year+ ago though so figured it was worth a look.

I'm sure AOSP/closed enrolment through EMM vendors that support it would work great given the basic API & functionality is there without Google services atop.

This was interesting, either way. I'll try /e/OS next once I find a supported device in my arsenal :)

• 25/365

#androidenterprise

Per the Android Enterprise Customer Community, a fix has been implemented for the widespread zero-touch outage Samsung has been facing for the last several weeks -

🔗 Prior post: https://www.linkedin.com/posts/jasonbayton_androidenterprise-activity-7143272738470756352-An0j?utm_source=share&utm_medium=member_desktop

🔗 AECC announcement: https://www.androidenterprise.community/t5/service-announcements/fixed-issues-during-zero-touch-enrollment-on-samsung-devices/ta-p/1898

Anyone currently impacted by the ZT outage with Samsung devices should install any available updates, and give ZT a whirl.

If it isn't working yet for you, it may still be pending release for your model.

That's one major Android 14 issue down, hopefully the permanent policy application bug will be close behind!

(🔗 ref: https://www.androidenterprise.community/t5/service-announcements/in-progress-some-management-policies-are-made-permanent-on/ta-p/1494)

• 23/365

#androidenterprise

It's been a while since I last ran a poll, so here we go - a precursor to a much larger survey I'll be releasing later this week.

Unfortunately LinkedIn polls are a little basic, so I hope you won't mind popping over to Google forms for me :)

📣 Tell me a little about your Android Enterprise estate - ownership of devices and primary deployment scenarios in use:

🔗 https://docs.google.com/forms/d/e/1FAIpQLSecmvrhmD9nPCx0D2_GjRc14eqb6-C9Dn5ne7WKvLgtVxVHBw/viewform?usp=sf_link

I'll publish the results of this in the next several days, hopefully with a sizeable response to garner a decent sample (please!)

• 22/365

#androidenterprise

Continuing the theme of communities, did you know Google has an official Android Enterprise community?

Run by community managers Lizzie & Reece, along with several dedicated community folks including myself, Jeremy, Rafael and a few others, the AE Community is a great place not only to have your pressing AE questions answered, but also increasingly to track - publicly - service announcements that were previously hidden away within partner portals.

As the community grows this year, we're aiming to fill it with more resources, videos, guides, and much more. It's a great place to be both as a customer leveraging AE, and a partner for keeping tabs on the goings-on in a public forum.

If you're so inclined, we'd love some additional experts to help out, too :)

Check it out:

🔗 https://androidenterprise.community

• 21/365

#androidenterprise

It's been quite some time since I last mentioned our Mobile Pros Slack group, now filled with over 1600 members working in the enterprise mobility ecosystem 🎉

It's gone a little quiet over the holidays, so here's a friendly 👋 to invite anyone and everyone working with MDM, EMM, UEM, MWM, or any other acronym you choose to use, to drop in and say hello. There are few groups with as many folks in our ecosystem today 😎, and it's one of the only groups I'm online in 24/7

Invite in the link!:

🔗 https://mobilepros.org

As an aside, if you're an organisation that would consider contributing financially to the group, I'd love to bump us up to Slack Pro and open up the archives of years of valuable contributions members new and old can benefit from. Get in touch if you're interested :)

• 20/365

#androidenterprise #mobilepros

Are you interested in the inner-workings of AMAPI? Fancy taking a look at the API and how EMMs create, delete, update devices, policies, and enterprises?

Perhaps you may be considering adding Android management to your existing project but haven't kicked the tyres just yet?

Take a look at the Android Management API Quickstart:

🔗 https://colab.research.google.com/github/google/android-management-api-samples/blob/master/notebooks/quickstart.ipynb

Quickstart takes you through a guided setup of AMAPI from enterprise creation to enrolment and provides helpful commentary as you go.

While its intention is to help prospective developers get quickly acquainted with the basics handling AMAPI, it's a great tool for getting yourself established with the various policies and APIs in a controlled environment without the extra fat of an EMM running atop.

I can't code my way out of a paper bag, but I've used it infrequently for testing new AMAPI APIs ahead of wider EMM adoption for my docs and resources. Hopefully you can, too.

• 19/365

#androidenterprise #amapi

Did you know you can check in on the Android ecosystem 🛡️ security transparency report whenever you want?

It's not updated all that frequently, but it does show trends from all the way back to 2019.

📊 Some interesting stats:

The percentage of all devices with a 👾 PHA as of Sep 2023: 0.153%, an increase of 0.08%, or double that of September 2022. The largest increase in one year since records began 📈. This corresponds with a similar increase in PHAs making it into the Play Store.

Enterprise devices by comparison came ⬇️ down from 0.005% to 0.003% over the same period 😎

I'm sure that 0.003% of organisations permitting sideloading, developer options access, or full access to Play (where the occasional PHA does unfortunately slip through) are well excited to become a statistic 😁

The percentage of devices with a declared security patch level no older than 90 days peaked in early 2023 with 93.5% of all devices launched within the last 24 months. This declined to 92.1% as of Sep 2023, suggesting a swathe of devices either running foul of their GMS obligations, or reflects the drop in effort in year two once the 90-day mandate lifts.

Maskware 🎭 leads as the most installed type of PHA in Sep 2023

(What is maskware? 🔗 https://developers.google.com/android/play-protect/phacategories#maskware)

Hopefully this is updated soon enough with new data, but it's interesting to see nonetheless!

Check it out, and get a copy of the data yourself, here:

🔗 https://transparencyreport.google.com/android-security/overview

• 17/365

#androidenterprise #security

With the Play Integrity API stepping in for SafetyNet link and AMAPI having already supported it for some time (though exactly when isn't provided by the release notes), I submitted a request to have the AMAPI docs updated as they were still referencing SafetyNet, and got confirmation over the weekend this has now been completed.

If you were at all thrown off by continued references to SafetyNet recently, now it's ready to go 😎

https://developers.google.com/android/management/reference/rest/v1/enterprises.devices#securityrisk

As an additional tidbit, if you're curious: AMAPI makes a STANDARD API request, not classic. ref.

• 15/365

#androidenterprise #security #safetynet #playintegrity

I noticed a LinkedIn contributor article this morning referencing AV for mobile devices, and left a comment - https://www.linkedin.com/advice/0/youre-always-go-how-can-you-make-your-mobile-device-lyboe?contributionUrn=urn%3Ali%3Acomment%3A%28articleSegment%3A%28urn%3Ali%3AlinkedInArticle%3A7141179861884137472%2C7141179863683461122%29%2C7151161297114472448%29

It reminded me of a MTD Android Enterprise consideration doc I wrote a few years ago:

https://bayton.org/android/mtd-and-android-enterprise/

It's been a good few years since I did my own MTD deployments, though I tinkered a fair bit with Wandera before they were bought up more recently. I should probably see if my old Lookout accounts still work and get myself refreshed on the topic :)

• 11/365

#androidenterprise #security #mtd

I've been taking a gander at the traffic to my website, and would you believe this Android 14 security requirement is one of the most visited pages since the new year?

As more devices get their Android 14 update, I'm sure the rate at which this error is popping up in logs is only increasing.

Apps need to be updated, folks. Google are making it harder and harder to rely on applications that target Android versions almost a decade old, and I can completely understand why.

🔗 Android 14 blocks apps targeting old Android versions: https://bayton.org/android/android-14-minimum-sdk/

I also understand why this situation occurs, particularly in enterprise; if this error is currently looking all too familiar within your organisation and you're struggling to bring your applications up to date, please get in touch. I can put you in contact with an excellent and affordable Android developer well-versed in the Android Enterprise ecosystem who may be able to help modernise your internal application library.

• 10/365

#androidenterprise #security

Check out what Google announced at #CES, including improvements to sharing, cast, and Android Auto:

🔗 https://blog.google/products/android/ces-2024-android-updates/

🔗 https://blog.google/products/android/android-auto-new-features-ces24

• 9/365

#androidenterprise

Happy Monday, ecosystem!

Have you spent your day staring at an Android device, wondering "gosh wouldn't it be interesting to understand what goes into certifying these things to run Google apps and services?"

Well you're in luck! ✨

For my first article of 2024, I present to you a concoction of context to clarify the conundrum that is GMS, or Play Protect, Certification.

Enjoy 😎

🔗 https://bayton.org/blog/2024/01/certifying-android-devices/

• 8/365

#androidenterprise #gms #certifiedandroid #aosp #playprotect

Does anyone remember the Astro Slide from Planet Computers?

I contributed to their Indiegogo campaign waaay back in Sep 2022 with the hopes of getting hands on with what would be the first clamshell Android device I've used.

Well here we are, years later, with them not responding to requests for updates after promising deliveries over and over.

Even if it did ship today, running a 5yo SOC with a years-old version of Android wouldn't inspire long-term confidence now.

Alas, I really wanted to support a home-grown company pushing back on the typical slab of glass.

🔗 https://www.www3.planetcom.co.uk/astro-slide-5g

• 6/365

#androidenterprise

Only a week into 2024 I've had 4 organisations so far reach out asking for guidance on becoming zero-touch resellers 🙂

This is one of the most common questions I've been asked for several years, so much so that I put together a simple doc (and kept it updated as guidance changed) in the hopes organisations Googling "how to become a zero-touch reseller" would find and follow it - it's a top 5 result on Google normally!.

To aid its visibility, here you go:

🔗 How to become a zero-touch enrolment reseller: https://bayton.org/android/how-to-become-a-zero-touch-enrolment-reseller/

• 7/365

#androidenterprise

We're throwing it back to the basics today.

Managing private applications and web applications via the Google Play iFrame, docs first published in 2018 that just received a 2024 update.

Would you believe in 5 years the asterisk against the Name field in WS1UEM hasn't been removed, despite not being required? I wonder how many customers that's caught out 😁

🔗 Private apps https://bayton.org/android/create-and-manage-private-apps-for-android-enterprise/

🔗 Web apps https://bayton.org/android/create-and-manage-web-apps-for-android-enterprise/

I'm well-overdue a doc that covers all application distribution methods across PlayEMM API, AOSP, and AMAPI. That'll come in due course too!

• 5/365

#androidenterprise

Another day, another Android 14* feature shoutout!

Are you taking advantage of quick-switching between work and personal versions of installed apps?

Obviously until wider adoption the target audience is somewhat limited to organisations that predominantly lean on Google applications, but those who can.. should!

I leveraged this frequently up to moving on late last year, it's a nice little timesaver - I whipped back and forth between work and personal calendars constantly, closely followed by Authenticator 🔁

*Technically around QPR3 in 13, but it wasn't official 👀

🔗 https://www.youtube.com/shorts/qu8NfIIDACM

• 4/365

#androidenterprise

It's my birthday today 🎉

After an eventful day and far too much good food, I put a little polish on a tool I've been working on over the Christmas holiday, and you lovely lot get an early view of what I plan to continue tweaking over the coming weeks.

It's a super-simple AMAPI QR code generator!

🔗 https://bayton.org/qr-generator/

Handy for EMMs that don't offer too much customisation (ie, adding Wi-Fi, setting locale, etc) with their generated QRs, you can opt instead to take the enrolment token generated by the EMM, paste it here, and add any additional customisation as desired.

When ready, hit the button and it'll generate a shiny new QR (full JSON code output to come soon).

Give it a whirl and let me know how it runs for you.

And also to note, issues and PRs can be raised over on GitHub if you've feedback or suggestions - https://github.com/jasonbayton/11ty 😁

• 3/365

#androidenterprise

This year I'm aiming to share one tip, tidbit, insight, tool, or otherwise helpful piece of content on Android Enterprise every day and across various mediums. Wish me luck.

Here's day 1: https://www.youtube.com/shorts/8BD7K9N0sMo

#androidenterprise

For anyone interested, here's a quick snapshot of my 2023 on LinkedIn.. LinkedIn Wrapped?!:

New followers: 908
Content views: 337214
Content engagements: 4765
Profile views: 1601
Android related posts shared: Over 100

Top 5 posts by reach (views):

New in Android 14 (9k) - https://www.linkedin.com/feed/update/urn:li:activity:7055245025873383424/

Getting Tom a new job (6.5k) - https://www.linkedin.com/feed/update/urn:li:activity:7139894074035052544/

COPE SIM management in 14 (6.4k, alas launched in a limited beta only) - https://www.linkedin.com/feed/update/urn:li:activity:7031692128967651329/

An awesome ChatGPT demo reshare (6.3k) - https://www.linkedin.com/feed/update/urn:li:activity:7066850240888233984/

Sales being sales (6.2k) - https://www.linkedin.com/feed/update/urn:li:activity:7077255337522655232/

Top 5 companies engaging with my profile, respectively:

Google
SOTI
VMware
Samsung
Microsoft

Achievements: Top Community Voice

Annnd, I got to sit down with Google for their first Android talks enterprise - https://www.linkedin.com/posts/jasonbayton_android-talks-enterprise-with-jason-bayton-activity-7035322344839487488-MrnO?utm_source=share&utm_medium=member_desktop

I'd call that a pretty decent year :)

#linkedin #androidenterprise #socialmedia #linkedinwrapped2023 #community

As the clock ticks towards midnight, I'd like to wish you all a Happy New Year.

Thank you, as ever, for your engagement here. To those who've ventured beyond LinkedIn to the catch up in person (or virtually) over the last 12 months, it's been a blast!

I'm going into 2024 with a whole new set of challenges and things to look forward to, and I wish the same for all of you :)

Catch you next year 😎

After weeks of speculation, Samsung have dropped a KB outlining the issue with zero-touch on their Android 14 builds.

🔗 https://docs.samsungknox.com/admin/knox-platform-for-enterprise/kbas/kba-1120-unable-to-enroll-device-with-zero-touch-enrollment/

In a nutshell a preloaded version of GmsCore (v23.34.14) is the culprit, and unfortunately has found itself present in the builds of several models running Android 14.

As expected, resolution will indeed be via OTA and ZT functionality will be restored when this becomes available for affected models. The ETA for this hasn't been published, unfortunately 🙄.

#androidenterprise

This will be a lovely little quality of life improvement.

I'm forever fiddling with desktop mode on larger tablets and it's wicked to see Google has taken note!

🔗 https://developer.chrome.com/blog/desktop-mode

#androidenterprise #chromeenterprise

Happy Sunday folks!

Are you a WS1 UEM admin still managing Android devices via the legacy, deprecated, and wholly unrecommended Device Admin approach?

You should check out their announcement for the retiring of support next month:

🔗 https://kb.vmware.com/s/article/95399

If you're wondering "where do I even begin with this?!", fret not! I've updated my Considerations when migration from device admin to Android Enterprise doc for late-2023, so you might consider taking a gander 🧐 and making some notes 📝:

🔗 https://bayton.org/android/considerations-when-migrating-from-device-administrator-to-android-enterprise/

Need a little more hands-on help and advice? Reach out at your leisure :)

#androidenterprise

AMAPI release notes are up for November 😊

🔗 https://developers.google.com/android/management/release-notes

We get some additional networking capabilities for Android 12+, and a change to how local device events are reported.

Thank you as ever to the Googlers keeping this going consistently over the past few months. Please resume adding ADP changelogs here also!

#androidenterprise

Google has acknowledged an issue with the management of Android 14 devices that renders restrictions applied to devices irremovable once set unless unenrolled and re-enrolled.

See more: Advisories

#androidenterprise

The Galaxy Fold 5G, the original from 2019, has been removed from Samsung's list of supported models for monthly security updates.

At a smidge over 4 years of security updates, that's not bad for the year it was released.

Like other models, I'm sure original Fold owners may see the occasional critical update, but now's a good time to start looking for a newer, supported model.

https://security.samsungmobile.com/workScope.smsb

#androidenterprise

AMAPI release notes are up!

🔗 https://developers.google.com/android/management/release-notes

A quiet month it seems, just the one new feature to mention.

But it's a good one 👀

Apps launched with SetupAction (with AMAPI, this would often be a Companion app) are now able to cancel enrolment. Device doesn't meet a particular criterion? Authentication issues? Fancy a big fat button that says "Cancel!"? Now you can cancel from the app and avoid the faff 😎

#androidenterprise

After more than 4 years with Social Mobile, diving deep into the waters of Android manufacturing, EMM development, and getting the opportunity to be the closest I've ever been to the "other side" of the Android ecosystem, today I'm moving on.

It's been a rollercoaster; from the ad-hoc meeting with Rob at MWC that led to a there-and-then invite to join Social Mobile, starting out with just a handful of people in the earliest days of the company's transition from consumer OEM to being the Enterprise-first services organisation it is today, I will fondly remember jumping pillar to post, touching everything from product development to enterprise strategy to IT process improvement, QA, and so many other facets of the business for which there are now dedicated teams taking care of countless customers and projects.

I'm happy leaving knowing I've made lasting contributions to the organisation, and wish them all the very best in their future endeavours.

Stay tuned for what's next 🙂

This is hands-down one of the clearest, cleanest technical product posts I've read in ages, and it just so happens to be announcing the beta of AMAPI management on VMware WS1 UEM 🎉

🔗 https://blogs.vmware.com/euc/2023/10/vmware-workspace-one-unveils-next-evolution-of-android-device-management-with-amapi-beta.html

Like many other Custom DPC-backed EMMs running on the Play EMM API (which has rejected new applicants for some time now, directing prospective vendors to AMAPI instead), the big switch is looming as Google pushes to deprecate the Custom DPC experience and go all-in on AMAPI, with Google's native-feeling, integrated Android Device Policy baked in to many modern Android devices today.

It's a big step, AMAPI still has a lot of catching up to do in offering feature parity for vendors, but the sooner big names transition, the sooner pressure increases to fill the gaps, so it's exciting to see.

I'm going to get hands-on with this beta tomorrow and see what it's all about 😁

Again, kudos to Manuel for a great read!

#androidenterprise

Head's up for customers running Android versions 11 and below, there's a bug in Google Play affecting fully managed devices.

The full breakdown of the issue is here: 🔗 https://www.androidenterprise.community/t5/service-announcements/mitigated-amp-researching-some-fully-managed-devices-unable-to/ta-p/1047

Google have a mitigation in place, but for devices impacted already, there's further work to be done to rectify this.

It doesn't appear to be anything too major at the moment, a version of the Play Store has been pushed with a signature mismatch to what is expected, preventing newer versions of the app from updating (package signatures must match at install time for an app to be able to update). Longer term this can pose a problem, however currently since Play is still able to perform all normal functions, you may not even notice the issue.

Keep tabs on the linked page above for continued updates, hopefully it's resolved soon 🙂

#androidenterprise

Howdy ecosystem! 👋

The Customer Community is running a poll for Financial Services customers using Android Enterprise.

Is that you? Take a look: 🔗 https://www.androidenterprise.community/t5/general-discussions/survey-mobile-device-management-for-financial-services/td-p/1003

You don't even need to register to fill it out (but it'd be great if you did!)

#androidenterprise

Have you seen? 👀

The 2023 Android Security Paper has been published 📖

69 pages of security goodness is waiting for you, right here: https://services.google.com/fh/files/misc/android-enterprise-security-paper-2023.pdf

I lean on these documents a lot to supplement my knowledge, they're fantastic resources to have to hand.

#androidenterprise

In case you missed it yesterday, AMAPI announced day-zero support for several new Android 14 features:

🔗 https://developers.google.com/android/management/release-notes#android-14

Expect these to show up pretty soon in AMAPI-based EMMs, vendor roadmaps permitting 😁

In related news, the AE team have popped together a handy FAQ for features just released:

🔗 https://support.google.com/work/android/answer/14112390

Who's seeing 14 show up in their estates already? 🙋‍♂️ Conversely, who's popped in a freeze period to avoid it landing just yet? 👀

#androidenterprise

Today's the day!

Android 14 is officially released 🎉

Dev: 🔗 https://android-developers.googleblog.com/2023/10/android-14-is-live-in-aosp.html
Public: 🔗 https://blog.google/products/android/android-14/

I don't know about yourselves, but the 14 cycle felt much longer than previous versions. There was a delay, sure, but even so. In any case, 14 is rolling out to Pixels as we speak, with the wider ecosystem in line with their own schedules 🚀

Need a reminder of what's new in 14 for enterprise? Say less: 🔗 https://bayton.org/blog/2023/04/android-enterprise-in-android-14/

Looking for help & advice on Android 14 in your organisation? You're welcome to get in touch, as always :)

#androidenterprise

Hello, Chromebook Plus 🤩

Announcement: 🔗 https://blog.google/products/chromebooks/chromebook-plus/
More info: 🔗https://www.google.com/chromebook/discover/chromebookplus/
In education? Check out the dedicated EDU blog here: 🔗 https://blog.google/outreach-initiatives/education/chromebook-plus-education/

"All Chromebook Plus laptops offer faster processors1 and double the memory and storage1, giving you the power to get more done, easily. All Chromebook Plus laptops also come with a Full HD IPS display — which means you get a full 1080p HD experience when watching streaming content, and crisp, clear viewing for reading, creating content or editing photos and videos. Finally, there’s a 1080p+ webcam with temporal noise reduction for smoother, more lifelike video calls."

Obviously higher-end ChromeOS devices are nothing new, so Plus features will be extended to several existing devices also:
🔗 https://support.google.com/chromebook/answer/14128000?visit_id=638319303122892544-4063569079&rd=1

Unfortunately the Chromebooks I have don't make the cut for Plus, including the IdeaPad 5 Duet kiddo uses for school, but I know what I'll be shopping for when it comes time to replace them!

Coupled with the recent announcement of 10 years of support, ChromeOS is becoming ever-more compelling as a platform for all walks of life.

#chromeos #androidenterprise

September AMAPI release notes are live!

🔗 https://developers.google.com/android/management/release-notes#sep-2023

Nothing too crazy, just the coming to fruition of some previously announced features.

Nice way to close out a weekend 😎

#androidenterprise #releasenotesforever

Happy Friday folks 😊

Just in time for the weekend, Google are currently investigating an issue with applications not showing in the managed Google Play Store on devices.

Customer community 🔗 https://www.androidenterprise.community/t5/general-discussions/service-announcement-available-work-apps-missing-in-managed/td-p/811

There's an open request in the above link for any customers experiencing the same to reach out; I don't believe it has been widely reported just yet.

If you have the opportunity, please grab a managed device with applications deployed and take a quick look in Play. If any or all of the deployed apps are missing (even if they install on-device without problems), please sound off in the community!

#androidenterprise

Happy Monday!

Last week Intune suffered a bug that saw the security patch level (SPL) of BYO (Work Profile) Android devices disappear.

Reported by Jarmo via the Android Customer Community, MS appear to have now fixed it.

🔗 https://www.androidenterprise.community/t5/general-discussions/the-security-patch-level-data-missing-ms-intune/m-p/704#M194

Just in case anyone noticed, but didn't opt to take action :)

If you're not perusing the customer community just yet, this is a really nice use case for it and I'd encourage more customers (and partners) to hang out there.

#androidenterprise

Chromebooks are getting 10 years of updates 🎉

"Starting in 2024, if you have Chromebooks that were released from 2021 onwards, you’ll automatically get 10 years of updates. For Chromebooks released before 2021 and already in use, users and IT admins will have the option to extend automatic updates to 10 years from the platform’s release (after they receive their last automatic update)."

Applying both to modern, and older* devices, this is fantastic news considering their prevalence in budget-constrained markets where they're already chosen for their lower cost. TCO drops even further when devices are supported longer.

🔗 https://blog.google/outreach-initiatives/education/automatic-update-extension-chromebook/

*On pre-2021 devices Google doesn't commit to supporting all features and functionality.

#chromeenterprise

Some interesting and valid points raised concerning WearOS.

🔗 https://www.xda-developers.com/relaunch-wear-os-failure/

I share the sentiment to a degree. It's a decent platform marred by at least some self-imposed fragmentation. Feature lock-in, mandated OEM apps and more make it, to me, a frustrating platform to really fully invest in.

I don't want to use TicHealth, Samsung Fit, Fitbit, or really anything outside of Google Fit and occasionally Strava for health and sport tracking, but each brand forces their bloatwear in order to get the full breadth of functionality offered, and it's annoying. More so when you have more than one WearOS device; I have collected a few over the years, so I've done the migration between OEM apps and suffered the loss of some historical data when switching to yet another walled garden one too many times.

Health Connect sounds promising, but it's several years late and not yet fully baked (IMO). It also doesn't necessarily solve the problems, just assists in helping it suck less.

The largest missed opportunity with Wear I think though was getting a foothold in the enterprise space (surprise!). Wear could have followed closely as the Android team built out Android Enterprise and thoughtfully baked in enterprise functionality from the get-go rather than only starting to look at management for the platform more recently. The enterprise wearable market is decent, and also dominated by AOSP where Android is used due to Google's restrictions with Play Protect (GMS) certification.. which means big, fat, rarely well-optimised Android builds (or completely unoptimised Android Go builds!) running on feature/size restricted hardware and all the disadvantages that come with it.

The opportunity is still there obviously, wearables are probably more in demand today than ever before, but the platform needs far more flexibility around form factors and enterprise use cases than is currently on offer (as far as I know). I have more thoughts on this, but I'll reserve them for an article another day.

#androidenterprise

Some small changes to the What's new for enterprise in Android 14 were published today that address two things -

  1. Work profile behaviour changes for when it's paused (turned off)
  2. Acknowledgement of a scenario where applications may still notify connected devices (ie, WearOS) when applications are paused

It's not often I get to take credit for something, but I may have contributed to Google adding these updates 😅

🔗 What's new for enterprise in Android 14 - https://developer.android.com/about/versions/14/work
🔗 Android's work profile gets a major upgrade in 14 - https://bayton.org/blog/2023/08/work-profile-in-14/

New in 14 update

It looks like Google has responded to the earlier-reported issues with Android devices accidentally calling emergency services frequently with a small change.

This was opt-in for me, but as I understand it the long press to initiate is default for users who have not configured their emergency SOS settings.

#androidenterprise

Spotted running the Krispy Kreme display at Cribbs today.

10 internet points for anyone able to identify the version based on the app drawer there (hint, it's a 4.x dessert).

If anyone knows who's responsible for KK's mobile/digital signage estate let me know.. I just want to talk 😁

#androidenterprise

For a couple of years I've been thinking about adding audio to my articles; some of them can be rather long and adding the option to listen to content rather than read it seems appealling.

Maybe not, I'm not committed one way or another.

Either way, I update content often to align with the latest and greatest to ensure information stays relevant - which is a quarterly job at minimum normally - meaning if I recorded my articles, I'd have to re-record them frequently.

I could swap in a TTS generator and let it do the work, but those voices - like the reddit voiceover voices you see on social media and the like - are less than desirable. Annoying, even.

Just today I stumbled upon this (beta) service below, recorded a few clips of myself speaking, and provided a snippet of one of my recent docs. The idea being an AI cloned version of my voice may bridge the gap, and allow some automation around regenerating clips on the fly when I build the site.

Here's the result, including some AI generated contextual video clips it decided to add to the content also, which has had me cackling.

I, err, might wait a bit before exploring this option any further 😅

MobileIron Core has been in the news due to some rather gnarly vulnerabilities recently.

Patches are available, though Ivanti customers probably already know, and have hopefully patched by now!

Notable from the article below is the sheer number of public facing Core instances - 5500 according to a scan undertaken by Palo Alto Networks' Unit 42 🤯.

I can't think of any MI Core deployment I'd been involved with that didn't have Core safely tucked away from public access - as it should be - but of course I can't account for all use cases and scenarios that would justify it. I recall Vodafone had some open instances back in the day due to the nature of their hosted offering, for example.

Check out the link for full details.

🔗 https://www.theregister.com/2023/08/03/ivanti_cisa_norway_attack/

In news that should shock absolutely no one, forced back-to-office mandates increase employee attrition and make it harder to recruit, in addition to dampening employee happiness, motivation, and excitement towards being in the office, according to studies linked below.

Flexible working is the way for organisations that want to succeed 😎

🔗 https://fortune.com/2023/08/01/research-damaging-results-mandated-return-to-office-worse-than-we-thought-rto-remote-work-careers-leadership-gleb-tsipursky/

Google are rolling out long-promised features to Google Play that better highlight high quality tablet apps, and optimise the store itself for tablet/foldable use.

This seems like a reasonable way of gently pressuring developers to better design for large screen form factors, and I'm here for it!

🔗 https://android-developers.googleblog.com/2023/07/introducing-new-play-store-for-large-screens.html

Mini OS 9, based on Android, and running on a circular display is absolutely 😍

Launching on their next gen vehicles, they've done a hell of a job on so many aspects of the UX/UI, coming from someone who likes their Android mostly unskinned!

It's not entirely clear if it's Android Automotive or "just" Android AOSP from the press it's generated so far; as it's the primary vehicle display it could be either.. but I'd lean towards AAOS based on what I've seen of BMW's strategy elsewhere. (BMW Group, MINI UK?)

Given the lack of Google apps in the promo and highlight on BM's in-house work, looks unlikely to be a Google certified OS when it comes out either way.

I don't know how practical it'd actually be, but I'd absolutely throw money at a round tablet based on what I see here.. if OEMs fancied branching out from the standard rectangles 😄

#androidenterprise #android #automotive

This is a nice, simple datasheet that offers some AE benefits while not getting bogged down with detail, provided by Ivanti.

🔗 https://cdn.bayton.org/download/ivi-2743-en-android-enterprise-in-supply-chain-operations.pdf

#androidenterprise

This is an interesting study, that actually doesn't come across as bad as I'd have expected.

The note on better transparency for updates is one I agree with. Release notes matter, and linking to them directly from the update prompt is unbelievably simple; it's just not that common.

🔗 https://www.bitkom.org/Presse/Presseinformation/Smartphone-Updates-werden-meist-schnell-installiert

#androidenterprise

From nothing to twice in two months. The team is on fire!

Check out the latest AMAPI release notes below.

🔗 https://developers.google.com/android/management/release-notes#jul-2023

😎

#androidenterprise

It's nice to see incremental progress, but this still doesn't go far enough.

The whole premise of requesting flexible working being able to be shot down by an employer with hollow or arbitrary justification appears like it still stands, and will continue to happen to folks today as it did to me back in ~2015 when my commute was 3 hours to the office.

Of course there's been a mindset shift since COVID and some prior objectors have seen the benefits for themselves, so it'll hopefully never go back to what it was..

But still today the mentality of a worker not being productive unless someone can see them sat in an office chair remains. The lack of trust for the adult hired to do a job remains inexplicably high, and helicopter managers feel lost if they're not hovering close by.

All said, govt could have done absolutely nothing, so credit where it's due.

🔗 https://www.gov.uk/government/news/millions-to-benefit-from-new-flexible-working-measures

#remotework #workfromhome #hybridwork

Android Beta 4 is live!

Here's the link: 🔗 https://android-developers.googleblog.com/2023/07/android-14-beta-4.html

Get to testing!

#androidenterprise

I was thrilled to have been invited as Google's guest at the McLaren Paddock Club for the British GP last weekend.

And what an event it was 🤩

Thank you to Michael in the AE team for setting it up, and the Google events team for organising such a wicked day!

#androidenterprise #britishgp

Selfie at the Pit lane

The mambo EMM team got a cheeky little shoutout on the Android Enterprise blog today!

(Along with the OEMConfig-enabled tablets I developed and deployed to market as CPO, also 😁)

🔗 https://blog.google/products/android-enterprise/android-tablets-doordash/

The DD deployment is not insignificant in size (or demand!), and has helped us stress-test our solution considerably over time. Everything we support across the platform has been met with both very simple, but also rather complex scaling challenges. From things like how we optimise heartbeat & checkin for hundreds of thousands of devices at a time to supporting multiple concurrent remote control sessions to a location (and needing to optimise traffic accordingly to facilitate the environment).

And obviously the bigger the platform gets, the more impactful the smallest of changes become. It's a lot of fun.

The food on demand industry poses some interesting, if not entirely unique, challenges in how devices are used, secured, deployed, and supported. Being dedicated, single-use devices almost entirely remote to the DD Team, having the ability to remotely monitor, control, and if necessary quickly break devices out of their Kiosk experience on-demand is a must, and we've worked closely with them over the last few months to really beef up our Remote Control tool to facilitate smooth support experiences on the best and worst of networks.

Of course, some of the best benefits come simply from leaning on Android Enterprise, with zero-touch deployment handling provisioning and enrolment in-store, consistent management experiences across all OEMs they leverage, and OEMConfig for additional bespoke functionality on devices to name but a few.

AE deployments at this scale are exciting 🤩

Well done team! cc: Arran, Gabriela, Snehanshu, Kadir, Neha

#androidenterprise #emm #mdm #uem #enterprisemobility

AMAPI RELEASE NOTES ARE UP! Count: 6 months & 21 days after the last update in December :)

https://developers.google.com/android/management/release-notes

  • Added support for the DomainSuffixMatch field in Open Network Configuration to configure enterprise Wi-Fi networks for Android 6+. Enterprise Wi-Fi configurations without DomainSuffixMatch are considered insecure and will be rejected by the platform.
  • Added UsbDataAccess policy setting that allows admins to fully disable USB data transferring. usbFileTransferDisabled is now deprecated, please use UsbDataAccess.

EAP is a hot-topic at the moment, since either the May GPSU or June SPL has been causing a significant number of EAP policy failures following enforcement of the domain field (I found commits in both that could be related, but nothing concrete).

I guess we won't get retrospective release notes for everything up to June though?

My AMAPI tracker has been reset, either way - 🔗 https://bayton.org/amapi-tracker

#androidenterprise

If you haven't heard, the Android Enterprise Help Community is evolving 🎉

From the end of June, the old community will go read-only for new questions. Instead, customers and partners alike are invited to join the new customer community, androidenterprise.community.

The new community boasts better separation of topics with dedicated sub-forums, a more flexible & inclusive layout catering to a wider array of content types, private messaging, and much more.

With almost 300 recommended answers and 700 replies to community questions over the last few years, I'm proud of the contributions I've been able to make in the Help Community, and look forward to continuing to support customers and peers as the new community gets up and running.

Check it out, get registered, and say hello :) - 🔗 https://www.androidenterprise.community

#androidenterprise

We've had a Lenovo IdeaPad Duet 5 Chromebook for a little over a year I believe, primarily to support Kiddo with homework and whatnot. Because ChromeOS does Android app support pretty well it's a nice hybrid of Android tablet (wherein we lean on several apps for education) and the full device experience you only get with a "desktop operating system". Managing it is an utter nuisance since ChromeOS isn't nearly as friendly as Android for management (IMO), but for our particular use case, network-limiting it through my Ubiquiti console does the job.

Well after a valiant and unrelenting effort, it succumbed to the trials and tribulations of being used by an 8-year-old boy and the display ceased to function.

I did some calling around, but getting it repaired wasn't as quick and easy as I'd hoped. The Lenovo website was naff for trying to arrange a repair, sending me to partners instead with little success. Currys initially promised the world over the phone, but unsurprisingly fell short when I turned up with the device due to confusion over whether it was a PC or a Tablet.. and some local shops turned me away also.

Since we got it through Amazon, I reached out and requested a repair. They approved it after a quick chat and I sent it via DHL the next day.

TWO days later the device turned back up at the house working perfectly.

Honestly I would not have even considered Amazon as a route to repair before this experience, and not only was it done quickly with very little effort on my part, they assigned a human to oversee the repair process and keep me updated throughout. Credit where it's due!

So I suppose this is a PSA that Amazon do repairs (for things you order from them, obviously), and my sole experience with them was excellent. Just in case someone happens to need to get something fixed now or in future also :)

Righto, so I received the Pixel Fold this afternoon and spent a bit of time pondering whether I should keep it or send it immediately back because it's super expensive, and I still haven't made myself a YouTube channel for PR companies to lavish with swag, thus have to buy things myself 😅.

Given it was in front of me I figured it worth a look either way, so cracked it open (figuratively and literally?) and had a bit of hands on.

As positives go, it's very nicely made, feels great in the hand, the stainless steel is a lovely material, the hinge works wonderfully in every angle, and from what I gathered in half an hour of fiddling, the software is quite well adapted to the form factor. The form factor itself is also massively improved over the long, slim candy bar front displays of other folds on the market and makes it much nicer to use without having to unfold the device to be productive.

But.. the plastic screen is still no better than anything else to date, which is a disappointment given we're coming up on 5(?) years of bendy screens. If anything the crease is more pronounced than any Samsung foldable I've dabbled with, and my Fold came with bonus "dimples" towards the top of the screen for additional distraction during use. The battery is far too small for the hardware as well; I 100% would not get a full day of use out of this given I struggle to achieve the same on better-equipped devices with fewer screens.

"You already said you don't like foldable displays Bayton, why even bother!?" - I hoped I might be swayed with Google's foldable, in particular the Pixel Android experience, to a point where I could overlook first gen hardware but.. nah. It's outlandishly expensive for what it is, and I won't enjoy using it based on my thoughts above.

I'll go back to waiting for a well-supported (read: not Surface) multiple glass display device to hit the market one day.. or for a foldable that figures out the creases and such.

Back to the Fairphone 4 for now :)

What's new for enterprise in Android 14?

As it turns out, a LOT more than earlier discovered, including what appears to be one of the most significant changes to Android Enterprise since inception - let me know if you see what I'm referring to :)

Check out my updated article on this here: 🔗 https://bayton.org/blog/2023/04/android-enterprise-in-android-14

What an exciting release!

#androidenterprise

It's been a quick minute since I last shared these, but in case anyone needs them -

These two lists consist of the latest available information I've been able to gather from around the ecosystem.

If you're an EMM vendor and want your information on either of these pages, get in touch :)

#androidenterprise #enterprisemobility #emm #uem #mdm

I've shared this previously, but now I have a document covering it!

🔗 Application min target API: https://bayton.org/android/android-14-minimum-sdk

With platform stability achieved and general availability just around the corner, be mindful that for the first time in Android 14, applications targeting very old versions of Android (6.0) will no longer install, and there's no API or exception to this policy.

If you're running legacy Android apps, or even modern apps that target less than API 23 (6.0) for a particular reason or another (presumably avoiding newer restrictions that come with targeting newer versions of Android?) you will need to update them to guarantee they'll continue to be useful on your Android 14 fleet, as and when it gets up to that version.

#androidenterprise

There's an issue today with both AMAPI and PlayEMM API vendors struggling with application installs.

It appears applications set to either REQUIRED_FOR_SETUP or FORCE_INSTALLED are not installing.

In some cases this simply means the app doesn't silently install, but it may be present in managed Google Play for end users to install themselves manually, however for EMMs that lean on REQUIRED_FOR_SETUP specifically, this can delay or prevent enrolment of devices all together.

Google are on it, so it's a matter of time, but until they confirm a fix this'll likely have far-reaching impacts for Android Enterprise deployments.

For those with access to the EMM Partner Community, here's the link to the issue: https://emm.androidenterprise.dev/s/feed/0D55G00007stRMnSAM

#androidenterprise

I've been slowly moving some of my more important domains (I own far too many) to Google domains over the last few years.

Yesterday's news will see me moving them all back out again -

🔗 https://support.google.com/domains/answer/13689670#zippy=%2Cfor-customers-who-purchased-a-domain-directly-from-google-domains%2Cfor-customers-who-purchased-a-domain-in-the-google-workspace-sign-up-flow

Nothing against Squarespace, but I don't particularly want to be a customer of theirs; my existing registrars (namecheap, name) have decent track records and I'd sooner my business goes back there.

For anyone considering the same, here's the process to transfer out:

🔗 https://support.google.com/domains/answer/3251178?sjid=13442222087065356428-EU

LinkedIn's collaborative articles are a great idea, but not very well executed IMO.

If I don't go actively looking for them, I don't see them.

If I want to contribute to one, I have to manually browse through all the topics until I find it.

LinkedIn sent me a mail t'other day asking to do more of/with them, which I'd like to on particular topics, but the barrier for entry ATM outweighs my enthusiasm.

With better UX these would be a really nice, easy way of building excellent community articles that are always current and relevant, so I'd like to see this improved.

#linkedin #community #ux

I'm aware of a few 404's across the website at the moment, this is mostly due to reorganising content from the old tags (getting started, diving deeper, resources, etc) to a new suite of tags that better align with Android Enterprise terminology.

Until I'm finished, you'll see some tags (like fully managed) show blank/404.

I'm working on it.

In the interim, if you're looking for something that isn't where it used to be (I'll fix redirects, too) then jump over to full-text search and you'll find it quick as a flash.

Android 14 has reached platform stability with beta 3! 🎉

Now's the time to finalise app testing, enterprise validations, and anything else required ahead of general availability in the coming months!

🔗 Announcement: https://android-developers.googleblog.com/2023/06/android-14-beta-3-and-platform-stability.html

Have you seen what's new for Android 14 in Enterprise? I popped together an article some weeks back:

🔗 New for Android Enterprise in 14: https://bayton.org/blog/2023/04/android-enterprise-in-android-14/

#androidenterprise

WWDC kicked off yesterday and saw some interesting developments.

I'm looking forward to the updates to MacOS, and fair play to iOS with the contact cards and airdrop improvements, amongst other things. Google could definitely find a bit of inspiration in how effortlessly Apple's ecosystem is #bettertogether 😉

It's the management updates that have piqued my interest though:

🔗 https://support.apple.com/en-ca/guide/deployment/dep950aed53e/web

In particular the updates to Watch management, which though still required tethering to an iOS device, are starting to do what Wear should have a few years ago.

I have an AE feature request list for Wear, in fact, here:

🔗 https://bayton.org/android/android-enterprise-feature-requests/#wear

Oh and Vision Pro is interesting, I can imagine the benefits it'll bring to my woeful posture. The form factor is a little too.. encompassing though. Give me smart glasses and I'll be happy.

#androidenterprise

For those who don't know, I spend my working hours building an AMAPI based EMM with a small dedicated team of folks across the world.

My biggest gripe, after the ever-present lack of functionality compared to PlayEMM/on-device APIs (that hopefully extensibility will fix one day), is the absence of release notes since last year.

It is such a pain having to sift through the public docs manually before each cycle looking for new or updated (or deprecated!) functionality.. and it shouldn't be the case for such a critial solution.

So obviously, I've started a tracker:

https://bayton.org/amapi-tracker

It solves nothing of course, but hopefully highlights the issue enough that Google will sort it out 😁

#androidenterprise

It's that time of year again, the Android Enterprise Partner Summit is upon us!

Who's popping into London tomorrow then?

I'm super excited to see what's new, and look forward to catching up with some new and old faces in the ecosystem.

If you see me wandering around please feel free to say hello :)

#androidenterprise

A few new #FAQs for your Tuesday afternoon, based on a bunch of recent interactions across the ecosystem!

🔗 Configure Google Workspace permitted domains: https://bayton.org/android/android-enterprise-faq/configure-google-workspace-permitted-domains

🔗 Configure Google Chrome managed bookmarks: https://bayton.org/android/android-enterprise-faq/configure-chrome-bookmarks

🔗 Configure Google Chrome URL allow/block lists: https://bayton.org/android/android-enterprise-faq/configure-chrome-allowlist-blocklist

Happy managing!

#androidenterprise

A question popped up on the Help Community yesterday asking how one might change the Google account associated with their EMM bind.

For years this wasn't possible, so it was exceptionally important you didn't use an account you didn't want to be tied to for any extended period of time, as well as obviously ensuring it was a company-owned Google account and not Bob's personal account he'd take with him into retirement.

More recently however, a permissions system akin to that we find in zero-touch and other solutions has been implemented, allowing multiple accounts to now manage the bind complete with basic user permissions.

I popped a FAQ together to address it:

📎 https://bayton.org/android/android-enterprise-faq/manage-bind-account/

Happy Saturday!

#androidenterprise

Another quick note to cover off a gap in documentation, much like the whitelisted domains in Google Workspace I posted about some weeks back..

If you're trying to block a selection of URLs in Chrome managed config and find it's not working, add brackets:

[“http://www.bbc.co.uk”, “facebook.com”, ".example.com/?etc"]

It had completely slipped my mind brackets were needed with some EMMs when I was configuring this yesterday, and Google's documentation makes no mention of it. Everything else on that page regarding formatting and URL examples is valuable, though :)

🔗 https://support.google.com/chrome/a/answer/9942583

#androidenterprise

👀

Google I/O just got a little more exciting..

🔗 https://store.google.com/intl/en/ideas/pixel-is-open/

The proportions look more in line with what I'd consider usable vs the Fold(s) I've tried, with a properly-sized front screen the need to unfold to do anything meaningful may not be so strong.

That said, if this screen is as soft and fragile as every other foldable on the market today I'm probably going to give the Pixel a pass also. I guess we'll find out soon enough!

Pixel Fold

#androidenterprise #googleio #pixel

H/T to Mishaal for the deep dive on the fixes pushed in the May '23 SPL rolling out now.

🔗 https://blog.esper.io/android-system-app-downgrade-vulnerability-fix/

Although limited to local access with debugging enabled, it's nevertheless a vulnerability capable of being exploited, and is now one fewer avenues for attack.

Get May pushed ASAP admins! 📱

#androidenterprise

Way back in 2018 I was gifted a drone through work. a decent one at the time for someone who'd never touched a drone before, and I was excited to use it!

Except I never did. I charged everything up ready to go and popped it in the cupboard for a sunny day, and subsequently forgot about it until my spring clean this weekend.

Luckily one(!) of the batteries worked and after a quick registration with the CAA, kiddo and I had an absolute blast with it all weekend.

So much so in fact I got an itch and picked up a Mini 3 Pro today to compare the tech, and honestly I'm blown away.

This picture it captured of my neighbourhood is 🔥

Aerial view

To pivot back to my regularly scheduled programming, the remote controller I got with it runs Android, AOSP naturally for the use case here. It wasn't clear until a familiar chime played on boot and I'm going to dig into what and how it's running once the "new shiny" feeling wears off a bit.

I look forward to going places and capturing some of the imagery I've only seen on TV for myself 😎

#android #drone

Google have published a new article on their security blog highlighting their Play performance in 2022. It's a refreshing counter to the daily drivel oozing from tabloids about occasional apps making it through the net.

In 2022, Google Play:
• Prevented 1.43 million policy-violating apps from being published on the store
• Banned 173k bad actors from publishing apps
• Added more requirements for developer sign-up to deter the attempted publishing of bad apps
• Added more requirements for app types known for being abused
• .. and more

Tying in to the annual targetSDK requirements, and the newer changes that block very, very old apps from being installed in Android, and the last year was pretty good.

I will absolutely take a moment to call out the policies though. At least one of those 1.43m policy violations was an app I worked on that got blocked for 3 weeks across 10+ revisions and involved multiple escalations to AE and Play support because of a wording issue for a permission. Legitimate developers get caught up in Google's nondescript and super granular policies frequently, and seeing numbers like that has me wondering how many of those are genuinely bad apps..

Very good read though, check it out!

Source: https://security.googleblog.com/2023/04/how-we-fought-bad-apps-and-bad-actors.html

#androidenterprise

It looks like Samsung has added yet another device to their lineup benefitting from 4 major OS updates and 5 years of security.. and it's the one of the most budget-friendly offerings available with that longevity!

The Galaxy A24 comes in at under $300/£240 (converted) and is pretty well-specced for the price. Regional availability is limited but honestly that makes it even more impressive to me; seeing commitment to a 5 year lifecycle for a device that isn't globally available - it's the same amount of effort to support this after all whether you sell a hundred or a million.

I am absolutely here for the consumer market setting the bar higher for security and longevity. Long may this trend continue!

Samsung: https://www.samsung.com/africa_en/smartphones/galaxy-a/galaxy-a24-black-128gb-sm-a245fzkvafc/ Source: https://www.androidauthority.com/samsung-galaxy-a24-four-years-android-updates-3317791/

#androidenterprise

FYI, there are multiple reports on the Android Enterprise Help Community (https://support.google.com/work/android/community?hl=en&sjid=8020794700293409791-EU) as well as reseller partner community of zero-touch enrolment issues at the moment.

If you see the error "Zero-touch isn't available", it's not just you.

Google haven't (that I can see) acknowledged it just yet, but it's been logged so should hopefully be resolved soon.

Edit:

Confirmed (11am GMT+1) Google are working on it.

Edit2:

Google state it is now resolved (~7pm GMT+1)

#androidenterprise

Google today announced an update to Google Authenticator - https://security.googleblog.com/2023/04/google-authenticator-now-supports.html

This is the first update in a very long time, and adds OTP account sync to your logged-in Google account (with the ability to still use it without an account if desired).

The lack of account backup is what's kept me on Microsoft Authenticator for so long; I'm terrible for swapping phones frequently and adding the 10s of accounts back in manually to authenticator is nightmare material.

I know what I'll be doing now this week :)

Grab Google Authenticator via Google Play. The update is still rolling out so may not be visible just yet - https://play.google.com/store/apps/details?id=com.google.android.apps.authenticator2

If you're UK based and not particularly interested in receiving emergency alerts tomorrow, there's a straightforward way to turn them off:

Android

#

Catch-all

#

Since these settings can vary between OEM and Android version:

  1. Head to Settings
  2. In the search bar, type Emergency alerts
  3. Jump in to the relevant page
  4. Toggle off Allow alerts for everything, or the individual alert types as desired

Modern Android

#
  1. Head to Settings
  2. Tap into Safety & emergency
  3. Tap into Emergency alerts
  4. Toggle off Allow alerts for everything, or the individual alert types as desired

Huawei

#
  1. Head to Settings
  2. Tap Sounds & vibration
  3. Tap More settings
  4. Tap Cell broadcasts
  5. Toggle off Emergency Alerts or Extreme threats and/or Severe threats depending on your EMUI version

Xiaomi

#
  1. Head to Settings
  2. Tap Passwords & security
  3. Tap Emergency alerts
  4. Toggle off Extreme threats and/or Severe threats as desired

iOS

#
  1. Open Settings
  2. Tap Notifications
  3. Toggle off Emergency Alerts and/or Severe Alerts (near/at the bottom)

Windows Phone

#
  1. Open Settings
  2. Tap System
  3. Tap Messaging
  4. Tap Change emergency alert settings
  5. Toggle off Extreme threats and/or Severe threats as desired

As promised, here's my overview of what's new in Android 14 for enterprise:

🔗 What's new for enterprise in Android 14

Now beta 1 is up and live, the likelihood of additional features sneaking in to core Android is low, but should anything else pop up I'll be sure to add it.

What features are you looking forward to?

Today I launch notes, a social-inspired, short-form content feed that broadcasts from my website to my various social media accounts. Currently this goes out to Twitter and LinkedIn, and once I get RSS to Mastodon set up, there too.

What are notes?

These are short-form posts for small updates and quick thoughts. They are automatically published to social channels, and have their own RSS feed, too.

mail Reply by email | edit_note Edit this page.