According to IDC, Google Android is expected to capture 86.7 percent of the worldwide operating system market by the end of 2019, continuing to show growth from the already eye-popping 85.1 percent reported last year.

The popularity of Android lends itself to not only consumer usage, but also its massive adoption in the enterprise. Now more than ever, the secure and convenient management of devices running this operating system is of global importance.

With this trend in mind, let’s explore the evolution of Android management from the early days of Gingerbread to Lollipop to today, right at the doorstep of Q — while discussing what steps need to be taken by IT and security leaders to ensure a successful rollout of the latest management techniques for Android.

Join IBM and Google for a webinar on August 29th at 2pm ET

Do Androids Dream of Endpoint Management?

The first thing to note about managing Android is that historically, it was (and still is) a highly customizable operating system for manufacturers due to Google providing Android as an open source operating system — allowing manufacturers to build atop the platform. Although an organization with a unified endpoint management (UEM) tool can manage all of its devices in one console through traditional Device Administrator APIs (introduced in Android 2.2) — from Samsung, to Motorola, to LG, to OnePlus, to Google’s own Pixel and beyond — each different piece of hardware came with its own take on the Android OS and introduced its own set of considerations.

As enterprises began adopting Android, each manufacturer created custom application programming interfaces (APIs) for their platform that could be managed, creating a less-than-cohesive overall user experience — especially for companies that had adopted a bring-your-own-device (BYOD) policy or provided employees with multiple flavors of corporate Android devices.

This all changed in 2014, when Google decided it was time to consolidate Android management. With the release of Android 5.0 Lollipop, manufacturers were given the option — originally called Android for Work, now Android Enterprise — to include additional APIs from Google that would provide a level of uniformity across devices.

Some manufacturers did not immediately integrate this new functionality. In 2016, Android made its enterprise-ready capabilities a standard addition to OS versions, beginning with 6.0 Marshmallow. Android’s breadth of enterprise-grade functionality included and still includes:

  • A self-contained work profile (Profile Owner) to isolate corporate applications from personal and BYOD devices;
  • A company-owned managed device (Device Owner) mode that can be set up exclusively for work use, only allowing for corporate applications and content;
  • A fully managed device with a work profile mode, also known as corporate-owned personally-enabled (COPE), intended for company-owned devices that are used for both work and personal purposes (available from Android 8.0+);
  • A dedicated device mode, also known as corporate-owned, single-use (COSU), to lock down devices to a limited set of apps for dedicated kiosk purposes;
  • Enterprise-only app approval and distribution mechanism to managed devices and managed profiles through Managed Google Play;
  • Out-of-the-box, zero-touch enrollment for any device running Android 8.0 and above; and
  • Automatic, mandatory device-level encryption.

The Future of Android Device Management

Android has aligned its platform to modern-day security best practices, so why haven’t all organizations adopted the cutting-edge configuration? Most organizations that adopt Android give users the flexibility of the container-like work profile, but transitioning into Profile Owner (PO) mode has typically been a time-consuming endeavor.

Historically, UEM platforms, while able to support all types of Android management, could not easily migrate an already-enrolled device from traditional Device Admin management and enroll it into modern Android Enterprise management. The process included unenrolling then re-enrolling with a code specific to the management platform — all done one device at a time, unless previously provisioned by a carrier or managed service provider.

Many organizations simply do not know the shortcuts that now exist to move hundreds or thousands of devices to the new format. And with Google recently announcing the deprecation of several APIs in the legacy Device Admin mode upon release of Android Q, now’s the time to get in the know.

The goal of an effective UEM platform must be to strike a balance between security and productivity. Android strikes that balance with its work profile, challenging management vendors to follow suit and provide a secure, convenient way for a business to quickly provision large fleets of devices in PO mode — out of the box and with minimal admin involvement.

An Android Enterprise Recommended solution, IBM MaaS360 with Watson, announced a new migration tool aimed at smoothly transitioning Android devices in Device Admin mode to PO mode to get ahead of Android Q. Check out the migration tool for yourself in the MaaS360 Knowledge Center and join IBM and Google on August 29 at 2 p.m. to learn from the experts about Android Q and how MaaS360 addresses modern Android management.
