Rose
Google Community Team

It's more important than ever to keep your fleet of devices secure and optimized for work. That’s where Google system updates come into play.

 

Delivering updates from Google to the Android operating system, Google Play Store, and Google Play services, Google system updates make your Android devices more secure and reliable, whilst introducing new, useful features.

 

But these need to be delivered in a timely way that works for your business and employees. So with that in mind, let’s cover the two main tools that can help you manage your Google system updates.

 

System update policies

 

Ideal for: Dedicated devices

 

Pros: Keeps devices up-to-date, without relying on end-users to accept update prompts.

 

Context: Between kiosk mode and digital signage, some devices are constantly running, and don’t necessarily have an assigned end-user to accept update and reboot prompts. In these cases, system update policies offer the perfect solution. 

 

They update the device either as soon as the update becomes available, or during a pre-set maintenance window to avoid active hours, so devices remain up-to-date and secure, without user input. There are also options to postpone updates, and freeze updates for a set period for particularly busy times of the year. 

 

Google Play system updates (also referred to as Mainline updates) are automatically downloaded as soon as they become available, but are not installed until the next device reboot - whether that’s prompted by user, admin or policy.

 

Compliance policies

 

Ideal for: Knowledge workers

 

Pros: Gives users the flexibility to update on their own terms, whilst making sure devices don’t fall out of compliance.

 

Context: For devices that are assigned to a user, pushing updates as soon as they become available may not always be practical. There’s nothing worse than joining an important client-call flustered and embarrassingly late, after an ill-timed system update. But, then again, companies want to make sure they’re making the most of the new features and security patches that come with each update. 

 

Compliance policies offer a balance between security and usability. They ensure that devices remain current against a pre-set standard, whilst giving workers the flexibility to apply updates at a time that suits their work schedule. The device will be tested according to certain signals, such as when the last update was made, or what version OS is being used, and prompt the user to update within a certain time-frame. 

 

Next steps

 

These policies can be layered to make sure updates across your fleet are handled securely, in a way that works for your business. For more details on these tools, check out this Help Centre article.

 

You can see what’s new to Google System update policies here

 

Make sure to also explore the documentation from your EMM provider for support on how these tools can be configured. Let’s get those system updates up-to-date!




 

Have you got a system in place to manage updates? Does your business use one of these methods or a combination of the both?

 

Let us know if and how you leverage these tools - we’d love to hear how they work for you!

 

 

3 Comments
Alex_Muc
Level 2.2: Froyo

Hey Rose 😀

 

We use compliance policies to keep devices up to date. We do not use any OEM-specific services.
Our organization primarily has COPE devices for knowledge workers and uses system update policies primarily in combination with compliance policies.

 

 

The default usage of the system update policies can be rather problematic for knowledge workers:

  • Automatic: As soon as an update is downloaded, the update process starts immediately. The policy does not check whether the device is currently being used. Unsaved work could be lost or you could be thrown out of an ongoing meeting accidentally.
  • Windowed (let's assume that we configure it to 1-4 o'clock at night): In order for non-system apps to send notifications, the device must be unlocked for the first time after rebooting. (e.g.: third-party alarm clocks, diabetes apps) If the device restarts at night, users may not receive important push notifications in the morning. The restart also means that a SIM PIN must be re-entered, which means that the person cannot be called until the PIN is entered. If users regularly switch off the device at night, the updates are not installed. The updates cannot be installed automatically outside of the time window. If we set the time slot in the middle of the day, we may interrupt someone's work.

 

As admins, we want to keep devices as up-to-date as possible without annoying users. In the compliance guidelines, users are gradually informed about the issue, update policies are set and, most recently, connections to company services are temporarily blocked until updates have been installed.

 


I would like to wish for a new, additional update policy

  • Dynamic”: Updates are downloaded automatically. The user is informed about the update and can either install it or postpone it. Admins can use the EMM to configure how often updates can be postponed and how long the period can be. After the update has been postponed to the maximum, the update is installed automatically.

Such a policy would save us some configuration effort and knowledge workers would not be caught off guard by an automatic installation. At the same time, it is ensured that the update is carried out in a timely manner. 😀

Kala
Level 1.5: Cupcake

Tal vez deberían mejorar un poco los ajustes pero increíble 

mattdermody
Level 2.2: Froyo

What I would really like to have is better version control with the ability to lock in on a specific version indefinitely. I work with Fully Managed Android Enterprise devices and the automatic updates of system components are largely unwelcome. The Freeze option is nice start but ultimately we would much rather have more comprehensive control and the ability to stay on a consistent version longer, possibly only upgrading once a year or less frequently. System component upgrades like the updates to the System WebView have been very disruptive historically given their potential to negatively impact the functionality of line of business applications that are hybrid web apps dependent on the System WebView. It is incredibly frustrating that it is not possible to implement true version control over critical system apps. Our desire is not to always be updating to the latest because stability and consistency is more important to most of my end customer environment than being on the latest version all of the time. 

Within my management use case, there is much less of a focus on end user security. These are line of business fully managed devices that are not personally enabled at all. To protect the company that owns these devices and needs these for their mission critical operations we need to be able to stop system updates indefinitely so we can lock in a version for an extended period of time and only upgrade those components on our terms. Google seems to continue to ignore this management use case by implementing consumer protection features like automatic updates that negatively impact the stability of fully managed devices. In the words of one of the larger customers I support "Sometimes I don't know if we own these devices, or Google does".