This is the second installment in a multipart series about Android device management in the enterprise. Be sure to read part one for the full story.

Android Q, released as Android 10, is the tenth major version of the Android operating system (OS), and from consumer privacy to enterprise scalability, the platform has undergone a major evolution.

According to IDC, Google Android’s worldwide share of the OS market is poised to grow from a staggering 85.1 percent to 86.7 percent. In other words, if you work for any organization anywhere in the world, there’s a good chance you’re reading this on an Android device right now.

Let’s explore the new updates from the enterprise to the end user.

Q’ing Up App Privacy

If you’re reading this article as a curious IT or security professional, you may be wondering how Android app permissions operate. Fear not — Google answered that call and laid out a comprehensive set of new rules governing app installations and permissions on Q.

The worst-offending apps always seem to have their hooks in device location, and Q tightens that with a new ACCESS_BACKGROUND_LOCATION permission that separates background access from foreground access: users can allow location all the time, deny it or “allow only while using the app.” Beyond location, Q introduces scoped storage. Each app gets its own sandboxed directory on external storage, photos, videos and audio created by other apps are reachable only through the MediaStore collections (still behind the storage runtime permission), and arbitrary files on shared storage are no longer readable directly. One caveat for app owners: an app that targets API 29 can opt out for now with requestLegacyExternalStorage in its manifest, so auditors should not assume every app on a Q device is sandboxed.

Lastly, for files outside the media collections, such as the Downloads folder, apps must go through the system file picker (the Storage Access Framework). The user chooses exactly which downloaded file an app may open, and the app receives a URI grant for that file only rather than read access to the whole folder.
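The following activity is an added illustration, not code from the article or from any IBM product, of what the two changes above look like from the app side on Android 10: foreground location is requested first and background location only as a separate, justified step, and a downloaded file is opened through the system picker instead of by reading the Downloads directory. The class and request-code names are assumptions; the permission and intent APIs are the platform's own.

```java
import android.Manifest;
import android.app.Activity;
import android.content.Intent;
import android.content.pm.PackageManager;
import android.net.Uri;
import android.os.Build;
import android.os.Bundle;
import androidx.core.app.ActivityCompat;
import androidx.core.content.ContextCompat;

import java.io.IOException;
import java.io.InputStream;

/** Illustrative activity (assumed name, not from the article): Android 10 location tiers and scoped storage. */
public class QPrivacyDemoActivity extends Activity {
    private static final int REQ_FOREGROUND_LOCATION = 1; // assumed request codes
    private static final int REQ_BACKGROUND_LOCATION = 2;
    private static final int REQ_PICK_DOWNLOAD = 3;

    @Override
    protected void onCreate(Bundle savedInstanceState) {
        super.onCreate(savedInstanceState);
        requestForegroundLocation();
    }

    /** Step 1: ask for foreground location only. On Android 10 the user sees
     *  "Allow only while using the app" / "Allow all the time" / "Deny". */
    private void requestForegroundLocation() {
        if (ContextCompat.checkSelfPermission(this, Manifest.permission.ACCESS_FINE_LOCATION)
                != PackageManager.PERMISSION_GRANTED) {
            ActivityCompat.requestPermissions(this,
                    new String[] {Manifest.permission.ACCESS_FINE_LOCATION}, REQ_FOREGROUND_LOCATION);
        }
    }

    /** Step 2, only if a feature genuinely needs location while the app is not visible.
     *  ACCESS_BACKGROUND_LOCATION exists from API 29 (Q). Q lets an app bundle it with the
     *  foreground request; Android 11 and later require this separate request, so ask separately. */
    private void requestBackgroundLocationIfNeeded() {
        if (Build.VERSION.SDK_INT >= Build.VERSION_CODES.Q
                && ContextCompat.checkSelfPermission(this, Manifest.permission.ACCESS_BACKGROUND_LOCATION)
                   != PackageManager.PERMISSION_GRANTED) {
            ActivityCompat.requestPermissions(this,
                    new String[] {Manifest.permission.ACCESS_BACKGROUND_LOCATION}, REQ_BACKGROUND_LOCATION);
        }
    }

    /** Scoped storage: instead of listing /sdcard/Download, let the user pick one file through
     *  the system picker. The app receives a URI grant for that single document only. */
    private void pickDownloadedFile() {
        Intent intent = new Intent(Intent.ACTION_OPEN_DOCUMENT);
        intent.addCategory(Intent.CATEGORY_OPENABLE);
        intent.setType("application/pdf"); // narrow the picker to what the app can actually handle
        startActivityForResult(intent, REQ_PICK_DOWNLOAD);
    }

    @Override
    protected void onActivityResult(int requestCode, int resultCode, Intent data) {
        super.onActivityResult(requestCode, resultCode, data);
        if (requestCode == REQ_PICK_DOWNLOAD && resultCode == RESULT_OK && data != null) {
            Uri uri = data.getData();
            // Read the one file the user chose. No READ_EXTERNAL_STORAGE permission is involved.
            try (InputStream in = getContentResolver().openInputStream(uri)) {
                byte[] header = new byte[4];
                int n = in.read(header);
                // n bytes of the chosen file are now available to the app; process as needed.
            } catch (IOException e) {
                // The grant was revoked or the document vanished; surface an error to the user.
            }
        }
    }
}
```

Note for reviewers auditing an app: a request for ACCESS_BACKGROUND_LOCATION that is not tied to a visible, user-initiated feature is the pattern the Q permission split is meant to expose, and on a managed device the UEM policy can still deny it outright.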

Of course, this is all well and good on a one-to-one, user-to-device basis, but what’s new in the rest of the enterprise world? I’m glad you asked.

Q in the Enterprise

As you probably know, Google deprecated the legacy Device Admin (DA) API in Android 9 Pie, and Q removes several of its policies outright (the DA password, camera and keyguard controls among them). This effectively removes a large swath of legacy management capabilities from organizations relying on mobile device management (MDM), enterprise mobility management (EMM) or the current model, unified endpoint management (UEM), to stay on top of their user environment.

The bright side is twofold. First, this deprecation and the resulting move to Android Enterprise management increase uniformity across Android devices enrolled in a UEM platform, regardless of the device’s manufacturer, which gives employees a consistent interface and experience no matter how they choose to work. Second, most prominent UEM vendors already support this model because it is the Android Enterprise approach they have been shipping for years, not a new standard.

The breadth of capabilities spans multiple use cases and deployments, from bring-your-own-device (BYOD) and choose-your-own-device (CYOD) to corporate-owned, personally enabled (COPE) and corporate-owned, single-use kiosks (COSU) through:

  • A self-contained work profile (profile owner) to isolate corporate applications from personal;
  • A company-owned, fully managed device (device owner) mode that can be set up exclusively for work use, only allowing for corporate applications and content;
  • A fully managed device with a work profile mode (COPE) intended for company-owned devices that are used for both work and personal purposes (available from Android 8.0 Oreo and above);
  • A dedicated device mode (COSU) to lock down devices to a limited set of apps for kiosk purposes;
  • Enterprise app approval and a distribution mechanism for managed devices and managed profiles through Managed Google Play;
  • Out-of-the-box, zero-touch enrollment for devices running Oreo and above that were purchased through a participating reseller (zero-touch is not available for arbitrary hardware); and
  • Automatic, mandatory file-based device encryption.
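As an added example (not code from the article, IBM MaaS360 or Google), here is how a device policy controller (DPC) tells the modes listed above apart at runtime and applies a mode-appropriate policy: lock task packages for a dedicated (COSU) device, user restrictions inside a work profile, and an encryption check. The helper class name and the admin receiver component are assumptions; the DevicePolicyManager calls are the platform's own. It also flags the legacy case in which the app is only an active device admin, which is exactly the state that the DA deprecation makes unsupportable.

```java
import android.app.admin.DevicePolicyManager;
import android.content.ComponentName;
import android.content.Context;
import android.os.UserManager;

/** Illustrative DPC helper (assumed name, not from the article). */
public class ManagementModeHelper {
    public enum Mode { DEVICE_OWNER, PROFILE_OWNER, LEGACY_DEVICE_ADMIN, UNMANAGED }

    private final DevicePolicyManager dpm;
    private final String ownPackage;
    private final ComponentName admin; // assumed: the DPC's DeviceAdminReceiver component

    public ManagementModeHelper(Context ctx, ComponentName adminReceiver) {
        this.dpm = (DevicePolicyManager) ctx.getSystemService(Context.DEVICE_POLICY_SERVICE);
        this.ownPackage = ctx.getPackageName();
        this.admin = adminReceiver;
    }

    /** Order matters: a device owner or profile owner is also an active admin,
     *  so the DA-only case is only reached when neither ownership role is held. */
    public Mode detectMode() {
        if (dpm.isDeviceOwnerApp(ownPackage)) return Mode.DEVICE_OWNER;     // fully managed, COSU, COPE parent
        if (dpm.isProfileOwnerApp(ownPackage)) return Mode.PROFILE_OWNER;   // work profile
        if (dpm.isAdminActive(admin)) return Mode.LEGACY_DEVICE_ADMIN;      // DA only: deprecated, migrate
        return Mode.UNMANAGED;
    }

    /** COSU: confine the device to a fixed allow-list of packages via lock task mode.
     *  Requires device owner (or profile owner of an affiliated user); the kiosk app
     *  then calls Activity.startLockTask() to enter the locked state. */
    public void configureKiosk(String[] allowedPackages) {
        if (detectMode() != Mode.DEVICE_OWNER) {
            throw new IllegalStateException("lock task allow-list requires device owner");
        }
        dpm.setLockTaskPackages(admin, allowedPackages);
    }

    /** Work profile hardening: block sideloading and developer debugging inside the profile
     *  without touching the personal side of the device. */
    public void hardenWorkProfile() {
        if (detectMode() != Mode.PROFILE_OWNER && detectMode() != Mode.DEVICE_OWNER) {
            throw new IllegalStateException("user restrictions require profile or device owner");
        }
        dpm.addUserRestriction(admin, UserManager.DISALLOW_INSTALL_UNKNOWN_SOURCES);
        dpm.addUserRestriction(admin, UserManager.DISALLOW_DEBUGGING_FEATURES);
    }

    /** Encryption check. Devices launching with Q use file-based encryption, so the
     *  expected status is ENCRYPTION_STATUS_ACTIVE_PER_USER; older full-disk states still count. */
    public boolean isStorageEncrypted() {
        int status = dpm.getStorageEncryptionStatus();
        return status == DevicePolicyManager.ENCRYPTION_STATUS_ACTIVE
                || status == DevicePolicyManager.ENCRYPTION_STATUS_ACTIVE_PER_USER
                || status == DevicePolicyManager.ENCRYPTION_STATUS_ACTIVE_DEFAULT_KEY;
    }
}
```

In a fleet report, any device where detectMode() returns LEGACY_DEVICE_ADMIN is one that still needs migration to a work profile or fully managed mode before Q removes the policies it depends on.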

Android Q for All: What Can Users Expect?

As far as user-side updates go, the most immediately noticeable change is the optional replacement of the on-screen “back” button with full gesture-based navigation on Q (three-button navigation remains available in settings). The gradual removal of navigation icons reaches its logical conclusion with this newest OS version, putting Android on par with other leading device manufacturers.

In this new, buttonless world, it’s easy for a user to get distracted by the endless scroll of social media, even in the middle of the work day. Google’s answer is “focus mode,” part of Digital Wellbeing. The idea is that an employee using one device for work and personal use should be able to segment those parts of the day, and focus mode lets users pick the apps they want paused while they work or perform critical tasks.

Dark mode and custom themes round out the major cosmetic changes, and while these themes in particular are highly popular updates, they will have little effect on user productivity or security. That stands in stark contrast to what, outside of enterprise changes, may be the most significant new feature as it pertains to user security, privacy and overall experience.

Go Green With Big Blue: How IBM Supports Android Q

Let’s end with what some may perceive as the “catch.” At the doorstep of Q, a primary concern for organizations that manage Android devices is that administrators must migrate already enrolled, DA-managed devices quickly to reap many of these new benefits and to avoid the service interruptions that come when Q drops the DA policies those devices depend on.

This is an easy enough fix because many UEM vendors have risen to the deprecation challenge. For example, IBM built out a proprietary Android migration tool designed to automate the bulk of the process. It specifically targets devices in Profile Owner mode, enabling any device that is managed solely through a work profile to be switched from DA management to the new enterprise Android management with minimal admin intervention.

Beyond this migration tool, IBM MaaS360 with Watson Unified Endpoint Management stands ready with day-zero support for all new API changes that come with Android Q. But don’t just take my word for it — on Aug. 29 at 2 p.m. ET, experts from Google and IBM will host a live webinar to explore the world of Android Q, MaaS360 and what lies ahead for Android management in the enterprise.
