Out with the Old In with the New: Google Deprecating Device Admin with Updated Enterprise Recommended Program

by Connor Collier | 11/7/2018

 

As mentioned in our blog on Apple's Device Enrollment Program, "Sour Apple: Vulnerability Issues with Apple's Device Enrollment Program," firms are looking for new ways to implement enrollment programs for their mobile devices. As companies transition to devices supported by industry pillars such as Apple and Android, methods for large-scale Enterprise Mobility Management are at a premium for those that wish to expedite and simplify the device configuration process. Apple introduced their new Device Enrollment Program in 2014, and while it hasn't come without its share of missteps (see above blog link), their push for company-friendly device configuration highlights a trend that other suppliers will undoubtedly look to compete with.

Google is one such company that has updated their enterprise device management recently. In December of 2017, Google finally announced that after eight years, they will be gradually deprecating their Android device administration APIs. Taking its place? Android Enterprise. First introduced with 5.0 Lollipop in 2014, Android Enterprise is a robust set of management APIs built right into GMS-certified devices that allow for universal and consistent management. Android Enterprise is set to offer upgrades and enhancements to security, usability, and enrollment, features that will create a safer and more fluid configuration experience for Google- and Android-equipped enterprises.



Android Enterprise is a clear upgrade over the former Device Admin, in large part due to its improvements in local administration and the security model, its handling of malware abuses, and its mitigation of the OEM API challenges. What ultimately did Device Admin in were shortcomings relating to an inability to securely reset device passwords on encrypted devices and perform factory resets. In addition, the ability to sideload applications, while convenient, presented a malware exposure vulnerability. Android Enterprise will mitigate these shortcomings, in addition to offering an updated and more secure configuration process. The benefits of employing Android Enterprise are in large part due to zero-touch provisioning, a feature used by Apple in their DEP. Similar to Apple's pre-purchase device configuration, Android devices have management APIs built directly into GMS-certified devices that allow for universal and consistent management. These pre-configured devices will cease the use of unknown sources on company devices and will allow only administrator-approved applications.

Another area that Apple's DEP neglects involves Bring Your Own Device (BYOD) users. Within the Apple DEP, only new or completely reset devices can be configured to access the appropriate company applications. With the new Android Enterprise, BYOD users will have access to corporate resources without the organization's full control of the device. Essentially, personal devices will have a work profile authentication, or a secondary passcode authentication, which will allow users to access corporate applications on their own personal devices. Additionally, the ability for employees to pause or turn off their work profiles for things like weekends and vacations promotes a healthy work/life balance, which has become essential within progressive corporate cultures.

While Android Enterprise Recommended (AER) utilizes a configuration similar to Apple's DEP, they have distinguished themselves by creating a rugged device "track" which is separate from the knowledge worker device portfolio. Rugged devices from Zebra, Honeywell, Sonim, Point Mobile, Datalogic and Panasonic are all included as part of the AER program. Unique to the rugged portfolio is that these devices are guaranteed five years of security updates instead of the three years for other Enterprise Recommended Programs. The key requirements for devices to be included in AER are:

  • Minimum hardware specifications for Android 7.0+ devices.

  • Support for bulk deployment of Android devices including zero-touch enrollment.

  • Delivery of Android security updates within 90 days of release from Google, for a minimum of three years (or five years for rugged devices).

  • Availability of unlocked devices, direct from manufacturer or reseller.

  • Consistent application experience in managed profiles and on managed devices.

The AER program further solidifies Google's enterprise efforts with Android. A glaring omission from the program, however, is Samsung, the leading Android OEM. With KNOX, Samsung has developed in-house capabilities that overlap with much of what Google is doing with AER. Moreover, KNOX's security capabilities, in particular in highly regulated markets, extend well beyond what is addressed with AER. The omission of Samsung in the AER program is obvious. However, it should also not impede Google's efforts to take a more active role in addressing enterprise requirements.

If there is any downside to Google's employing the new Android Enterprise, it might be in its unclear plan to phase out Device Admin and transition to Android Enterprise. While Google has unveiled Android Enterprise with the intention of deprecating Device Admin altogether, this is a process that will take time, and thus Device Admin will not disappear overnight. In fact, there is a large chance that many of the devices under management today will see no immediate change to their existing device management. This is the one area of concern surrounding the implementation of the new Android Enterprise.

While any new or reset device can easily be configured to utilize Android Enterprise work-managed enrollment, companies with Oreo or earlier devices will need to figure out a way to transition from Device Admin to Android Enterprise. This leaves room for concern, as Android devices as a whole tend to lag when it comes to OS upgrades. This is particularly acute in the rugged market segment, which tends to have a "set it and forget it" mentality when it comes to managing their mobile estates. This is one of the issues that Google and its OEM partners will have to address moving forward.
