This is the second installment in a multipart series about Android device management in the enterprise. Be sure to read part one for the full story.

Q is the 10th version of the Android operating system (OS), and from consumer privacy to enterprise scalability, the platform has undergone a major evolution.

According to IDC, Google Android’s worldwide share of the OS market is poised to grow from a staggering 85.1 percent to 86.7 percent. In other words, if you work for any organization anywhere in the world, there’s a good chance you’re reading this on an Android device right now.

Let’s explore the new updates from the enterprise to the end user.

Q’ing Up App Privacy

If you’re reading this article as a curious IT or security professional, you may be wondering how Android app permissions operate. Fear not — Google answered that call and laid out a comprehensive set of new rules governing app installations and permissions on Q.

The worst-offending apps always seem to have their hooks in device location, but Android has plugged that hole by giving users the option to fully allow location tracking, deny it or “allow only while app is in use.” Beyond this, users can now limit app access to photos, videos and audio through these new runtime permissions.

Lastly, in the case of downloads, things get more granular, as apps are being forced to use the system file picker. This allows users to specify the download files that an app can access.

Of course, this is all well and good on a one-to-one, user-to-device basis, but what’s new in the rest of the enterprise world? I’m glad you asked.

Q in the Enterprise

As you probably know, Google announced the deprecation of Device Admin (DA) mode, effectively removing a large swath of legacy management APIs available to organizations relying on mobile device management (MDM), enterprise mobility management (EMM) or the current model, unified endpoint management (UEM), to stay on top of their user environment.

The bright side is twofold: This deprecation and the resulting new approach to management will help increase uniformity across Android devices enrolled in a UEM platform, regardless of a device’s manufacturer. This should provide a consistent user interface and experience no matter how an employee chooses to work. In addition, most prominent UEM vendors can already support this new standard because it is an evolved version of the already familiar Android enterprise approach.

The breadth of capabilities spans multiple use cases and deployments, from bring-your-own-device (BYOD) and choose-your-own-device (CYOD) to corporate-owned, personally enabled (COPE) and corporate-owned, single-use kiosks (COSU) through:

  • A self-contained work profile (profile owner) to isolate corporate applications from personal;
  • A company-owned, fully managed device (device owner) mode that can be set up exclusively for work use, only allowing for corporate applications and content;
  • A fully managed device with a work profile mode (COPE) intended for company-owned devices that are used for both work and personal purposes (available from Android 8.0 Oreo and above);
  • A dedicated device mode (COSU) to lock down devices to a limited set of apps for kiosk purposes;
  • Enterprise app approval and a distribution mechanism for managed devices and managed profiles through Managed Google Play;
  • Out-of-the-box, zero-touch enrollment for any device running Oreo and above; and
  • Automatic, mandatory device-level encryption.

Android Q for All: What Can Users Expect?

As far as user-side updates go, the most immediately noticeable change is the removal of the “back” button, opening up full gesture-based navigation on Q. The gradual removal of navigation icons reaches its logical conclusion with this newest OS version, putting Android on par with devices from other leading manufacturers.

In this new, buttonless world, it’s easy for a user to get distracted by the endless scroll of social media — even in the middle of the work day. Google thought of a way to combat this with an update called “focus mode.” The idea here is that an employee using a device for work and personal use should be able to segment those aspects of their day. Human nature says we can’t, but technology says otherwise. Focus mode allows users to specify apps they would prefer to have disabled as they work or perform critical tasks.

Dark mode and custom themes round out the major cosmetic changes, and while these themes in particular are highly popular updates, they will have little effect on user productivity or security. That stands in stark contrast to what, outside of enterprise changes, may be the most significant new feature as it pertains to user security, privacy and overall experience.

Go Green With Big Blue: How IBM Supports Android Q

Let’s end with what some may perceive as the “catch.” At the doorstep of Q, a primary concern for organizations that manage Android devices is that administrators will have to migrate and prepare already enrolled, DA-managed devices quickly to reap many of these new benefits and avoid the service interruptions that could come with the deprecation of DA mode.

This is an easy enough fix because many UEM vendors have risen to the deprecation challenge. For example, IBM built out a proprietary Android migration tool designed to automate the bulk of the process. It specifically targets devices in Profile Owner mode, enabling any device that is managed solely through a work profile to be switched from DA management to the new enterprise Android management with minimal admin intervention.

Beyond this migration tool, IBM MaaS360 with Watson Unified Endpoint Management stands ready with day-zero support for all new API changes that come with Android Q. But don’t just take my word for it — on Aug. 29 at 2 p.m. ET, experts from Google and IBM will host a live webinar to explore the world of Android Q, MaaS360 and what lies ahead for Android management in the enterprise.
