Rose
Google Community Team


15th October, 2024

 

Flexibility and productivity go hand-in-hand in the era of modern work. But so can security risks.

 

Designed for the modern workplace, Android 15 introduces new ways to protect company devices and shield sensitive data - for both employees and companies - wherever the working day leads. Here’s how Android 15 can strengthen digital defenses.

 

Secure stolen devices with Android theft protection

 


Too often the cost of theft extends beyond hardware. That’s why Android theft protection* focuses on locking down your device should it fall into the wrong hands, helping minimize the impact of stolen devices.

 

Theft Detection Lock offers automatic protection the moment a device is stolen. It uses machine learning to detect any motion associated with theft, like snatching or driving away, and quickly locks the device to protect device data.

 

Offline Device Lock is enabled once a device is stolen. If a stolen device is disconnected for a set period of time, the device screen automatically locks to prevent unauthorized access, even when off-grid.

 

Remote Lock empowers employees to act quickly once their devices are gone. As an extra, immediate precaution when a device is lost or stolen, employees can lock the missing device at android.com/lock using just their phone number. 

 

*Theft Detection Lock, Offline Device Lock, and Remote Lock require Android 10+ and an internet connection. Android Go devices are not supported. Support may vary based on your device model. The user must be using the phone while it is unlocked. All theft protection features will be available in October.

 

Offer employees a private space within their personal profile

 


Personally enabled devices balance convenience and usability, with enhanced controls to protect business data. Now, employees are able to create a private space* for personal profile data - a folder locked with a separate password or biometrics - to store apps containing sensitive information, like banking or healthcare. 

 

Employees can work with peace of mind, knowing that personal apps and activities are hidden and secure when working on the go or when sharing the screen with co-workers. 

 

*Private space on COPE devices is subject to the same security requirements as the personal profile. Admins will be able to block the user from having a Private Space and remove an existing Private Space in COPE.

 

Review security logs easily with the latest NIAP logging requirements

 

Android 15 is enhancing device security with new logging capabilities that meet the latest NIAP regulations. Administrative changes are logged and stored in the SecurityLog - and data backup events are migrated from Logcat to the SecurityLog for easier upload and streamlined management. Now IT teams can more easily identify and address potential security threats. 

 

 

Read "Stronger management of company-owned devices with Android 15" next.

Learn more about what’s new in our Help Center FAQ.

 

Register for the community to access and download these images and an Android 15 slide deck.

 

 

 

Enjoyed this introduction? Feel free to drop a kudos and join the discussion below - we’d love to know how these new features might impact your business strategy.

 

9 Comments
Moombas
Level 4.0: Ice Cream Sandwich

Hi @Lizzie,

Regarding "Offer employees a private space within their personal profile", I guess this was the topic where I stated in the PES that this would also be nice to have for a fully managed device (with our use case described) to generate a secured ("private") space. Anything new to that or why this hasn't been implemented?

Lizzie
Google Community Manager

Hello @Moombas,

 

Thanks for your comment on this. I hope you don't mind, I've moved it to this article as it's relating to the 'private space' tool. 

 

This is a good question, I think at the stage you heard about this, the feature was pretty far along for Android 15 - as mentioned at the time, I think this is a really interesting Enterprise use case for 'private space' and so it's certainly something I think we should discuss more.

 

It would be great to hear if this would be useful to other members here in the community with fully managed devices, do you think you could provide a little more information on your idea here please? 

 

Thanks so much, looking forward to discussing this more. 💡

 

Lizzie

Moombas
Level 4.0: Ice Cream Sandwich

No Problem @Lizzie.

In general our use case is pretty easy to describe:

Our devices are used by store staff, including store manager (and maybe deputy).

So, store managers have a separate mail which can contain personal data so shouldn't be accessible for the other staff. So, without a dedicated space, they won't be allowed to use it on the store devices as all other employees have access to it.

If we could provide such private space for them where they can put in Outlook as a separated app (but keeping the original one for store staff mail) and maybe other apps like Teams or so secured by a psk only known by them, they could use the devices way better.

 

There are manufacturers who provide similar functionality like Motorola with ThinkShield + secured folder but those are isolated to manufacturer which is not nice as we would need this as a functionality over all devices, manufacturer independent.

 

Also want to mention, it would be good to have the possibility from admin side to remove this private space (but not to unlock it!; just in case a store manager switched or has forgotten his passcode) from the MDM (of course the MDM has to use that API and implement it as well).

Lizzie
Google Community Manager

Massive thanks @Moombas for the additional detail. 

 

@jasonbayton @mattdermody @Michel @davidguill @Timmy @Alex_Muc thought you might be interested to hear this idea suggestion. 😀

Michel
Level 2.2: Froyo

Hi @Lizzie, I like @Moombas' idea!

 

But the idea description also sounds a bit like shared device usage, where you ideally are able to have multiple profiles on a device, each user has their own profile. Samsung has developed it sort of with Knox Authentication Manager, Apple is doing it with shared iPads (but they don't recommend using it..). The way Samsung has developed this shared device usage seems to be the best I've seen so far. But it's limited to just Samsung.

 

In Android's vision, and Apple btw, every phone is personal. But in healthcare or education, and stores, that's not the case. We have so many customers with shared devices that it can't be ignored.

jasonbayton
Level 4.0: Ice Cream Sandwich

I quite like the prospect of reversing the existing COPE model to fully manage the device, but have an inaccessible profile (private space) for workers. Maximum control of the device with a lower-perceived, but potentially acceptable level of privacy for workers. As indicated for pool/shared devices where you auth, but can pop a few personal apps for break/other reasons the admins can ultimately remove at will.. I like it.

Alex_Muc
Level 2.2: Froyo

I like the potential opportunities that could come with the private space. 😀


Despite COPE, we keep seeing cases where company data and personal data are getting mixed up. We are only allowed to release apps in the Work Profile that have been approved by our IT security and data protection department. Sometimes these processes take too long for users, are not worthwhile due to a very small number of users or are even rejected by security due to security concerns (e.g. potential data leakage). If there is still a need among users, such apps are simply installed and used in the personal profile.
Processing work data in a personal context is forbidden organizationally, but is still done by some users out of necessity.

As a first step, users could use such apps with the private space and separate their personal data from work-related data. Although the private space is not necessarily intended for this purpose, it would certainly help to separate personal data even better.
An “additional space” that can be managed with UEM in Work Managed and Work Profile would be awesome. We would assign apps there that should not interact with the rest of the apps and data in the work context.

If something like this were to be realized for Android Enterprise, I see a big obstacle in a transparent display of the available apps in Managed Google Play.

Moombas
Level 4.0: Ice Cream Sandwich

"...But the idea description also sounds a bit like shared device usage, where you ideally are able to have multiple profiles on a device..."

@Michel, not really, as this needs a login/logoff of the entire device which is NOT needed and wanted on our end. All apps are used by both and the manager is allowed to see mails and so on sent by store staff account but not the other way around. So they have just a secured area for 1-3 apps but the rest of the device stays.

 

This also saves time as the login and logoff on the entire device costs time and can be forgotten. For example the secure folder, how Motorola provides, locks the secure folder (and all apps from there) already when device is locked. This is safe and fast handling and no shared device needed which makes sense in other environments but not ours.

Yann_ROLAND
Level 2.0: Eclair

Hello, great topic, in case my feeling on this brings something, I also have requests from managers for shared device usage in their teams but today I refuse to put it in place due to the fact that we never know who has the device when we want to tell to update it at a convenient time (and not force it when people maybe use them for example). When people call the service desk, it is also easier to provide the user name than the serial number or whatever reference of the device. Using devices as personal, we can also make the login easier with biometrics or smartcard / smart tokens for example. In case of multi-users, I don't know if it is possible to unlock the device with a finger / face and knowing if it is the one of user1 or user2 to be able to open the right area. Up to now, in my case, I prefer to increase all the possibilities users can do with a smartphone so that he / she uses it for everything and thus, having a shared one is less important. I remember a meeting at my bank, the operator only got out the tablet to make me sign a document and then went back to the PC, funny example to me who uses Samsung DeX and my phone as unique device.

However, as Michel said, the pressure is so high (for people working in 3*8h for example) that we'll need to look at it. Maybe get an easy login / logoff experience would also help to adopt shared devices and not create a new kind of setup. I'll follow this topic closely, interested to see what others do or would like to do around this "shared" or "halfly shared" devices.