Blog Post

Community blog
3 MIN READ

Managing Google system updates with Android Enterprise

Rose's avatar
Rose
Google Team
10 months ago
It's more important than ever to keep your fleet of devices secure and optimized for work. That’s where Google system updates come into play.   Delivering updates from Google to the Android oper...
Published 10 months ago
Version 1.0
Management
Security
System updates
Rose's avatar
Google Team
Joined November 13, 2023
View Profile
Community blog
Explore curated guides and tips from the Android Enterprise team and community members.
Alex_Muc's avatar
Alex_Muc
Level 2.3: Gingerbread
10 months ago

Hey Rose 😀

 

We use compliance policies to keep devices up to date. We do not use any OEM-specific services.
Our organization primarily has COPE devices for knowledge workers and uses system update policies primarily in combination with compliance policies.

 

 

The default usage of the system update policies can be rather problematic for knowledge workers:

  • Automatic: As soon as an update is downloaded, the update process starts immediately. The policy does not check whether the device is currently being used. Unsaved work could be lost or you could be thrown out of an ongoing meeting accidentally.
  • Windowed (let's assume that we configure it to 1-4 o'clock at night): In order for non-system apps to send notifications, the device must be unlocked for the first time after rebooting. (e.g.: third-party alarm clocks, diabetes apps) If the device restarts at night, users may not receive important push notifications in the morning. The restart also means that a SIM PIN must be re-entered, which means that the person cannot be called until the PIN is entered. If users regularly switch off the device at night, the updates are not installed. The updates cannot be installed automatically outside of the time window. If we set the time slot in the middle of the day, we may interrupt someone's work.

 

As admins, we want to keep devices as up-to-date as possible without annoying users. In the compliance guidelines, users are gradually informed about the issue, update policies are set and, most recently, connections to company services are temporarily blocked until updates have been installed.

 


I would like to wish for a new, additional update policy

  • Dynamic”: Updates are downloaded automatically. The user is informed about the update and can either install it or postpone it. Admins can use the EMM to configure how often updates can be postponed and how long the period can be. After the update has been postponed to the maximum, the update is installed automatically.

Such a policy would save us some configuration effort and knowledge workers would not be caught off guard by an automatic installation. At the same time, it is ensured that the update is carried out in a timely manner. 😀