Managing Google system updates with Android Enterprise
It's more important than ever to keep your fleet of devices secure and optimized for work. That’s where Google system updates come into play. Delivering updates from Google to the Android operating system, Google Play Store, and Google Play services, Google system updates make your Android devices more secure and reliable, whilst introducing new, useful features. But these need to be delivered in a timely way that works for your business and employees. So with that in mind, let’s cover the two main tools that can help you manage your Google system updates. System update policies Ideal for: Dedicated devices Pros: Keeps devices up-to-date, without relying on end-users to accept update prompts. Context: Between kiosk mode and digital signage, some devices are constantly running, and don’t necessarily have an assigned end-user to accept update and reboot prompts. In these cases, system update policies offer the perfect solution. They update the device either as soon as the update becomes available, or during a pre-set maintenance window to avoid active hours, so devices remain up-to-date and secure, without user input. There are also options to postpone updates, and freeze updates for a set period for particularly busy times of the year. Google Play system updates (also referred to as Mainline updates) are automatically downloaded as soon as they become available, but are not installed until the next device reboot - whether that’s prompted by user, admin or policy. Compliance policies Ideal for: Knowledge workers Pros: Gives users the flexibility to update on their own terms, whilst making sure devices don’t fall out of compliance. Context: For devices that are assigned to a user, pushing updates as soon as they become available may not always be practical. There’s nothing worse than joining an important client-call flustered and embarrassingly late, after an ill-timed system update. But, then again, companies want to make sure they’re making the most of the new features and security patches that come with each update. Compliance policies offer a balance between security and usability. They ensure that devices remain current against a pre-set standard, whilst giving workers the flexibility to apply updates at a time that suits their work schedule. The device will be tested according to certain signals, such as when the last update was made, or what version OS is being used, and prompt the user to update within a certain time-frame. Next steps These policies can be layered to make sure updates across your fleet are handled securely, in a way that works for your business. For more details on these tools, check out this Help Centre article. You can see what’s new to Google System update policies here. Make sure to also explore the documentation from your EMM provider for support on how these tools can be configured. Let’s get those system updates up-to-date! Have you got a system in place to manage updates? Does your business use one of these methods or a combination of the both? Let us know if and how you leverage these tools - we’d love to hear how they work for you!Enhanced Factory Reset Protection in Android 15
Factory Reset Protection: A Shield for Everyone Smartphones and tablets have become integral to our work and personal lives, however, they can also be easily lost, and on occasion, stolen by opportunistic thieves. Many times these bad actors will simply wipe the device to remove any personal and business data, with the intent of selling or using the device themselves. That's where Factory Reset Protection (FRP) steps in as a crucial line of defense. FRP is an Android security feature designed to prevent the reuse of a lost or stolen Android device. It requires your Google account or lockscreen credentials after a factory reset, ensuring that only the rightful owner can access and use the device once it has been wiped. Enhanced Factory Reset Protection Building on its initial purpose, FRP has evolved significantly with the release of Android 15. In the past, tech-savvy thieves and users found ways to bypass FRP, but Android 15 closes those loopholes with powerful new protections. These enhancements were added to combat unauthorized access and make stolen devices much less appealing to thieves, whether they're targeting personal or company-owned devices. Prior to Android 15, the Setup Wizard was responsible for determining whether FRP should be activated, and for enforcing it, including determining whether you have authenticated with the correct credentials to get out of FRP mode and proceed with setup normally. But the Setup Wizard was designed to be a user-friendly tool to walk through setting up a device, not a security enforcement barrier. In Android 15, FRP enforcement has been moved deep into the system, where it’s much harder to overcome. Benefits You Can Count On These enhancements translate into real-world benefits for everyone: Individuals: Deters Theft: FRP makes stolen devices far less valuable, as thieves can't bypass the Google account login or lock screen credential check. This significantly reduces the incentive for theft. Peace of Mind: Knowing that your Android device has this robust security feature gives you peace of mind. You can rest assured that if your device falls into the wrong hands, it cannot be used for anything. Enterprise and Managed Devices: Enhanced Device Security: Factory Reset Protection makes it much harder to reuse or sell stolen devices, which discourages thieves from stealing them in the first place. Simplified Device Management: FRP integrates seamlessly with enterprise mobility management (EMM) solutions, allowing IT administrators to enforce FRP policies and ensure devices are protected. With Android 15, FRP has evolved into a powerful deterrent against device theft by making stolen devices unusable.Securing your Business: Checklist for Android device offboarding
Modern workplaces are full of digital footprints. From day one, employees leave a digital trail, from corporate email accounts to VPN access and social media updates. So, to ensure a secure exit, it's vital to have an offboarding process in place. Companies must carefully decouple an employee's digital footprint to mitigate risks like data breaches and unauthorized access. To help you with this, we've created a checklist of things to consider when offboarding an employee. While the exact process will vary from organization to organization, read on for some handy tips. IT Admins: Checklist for a Secure Exit Once the employee offboarding process has been initiated, you’ll need to consider the level of remote access the employee should retain. It may be a good idea to reduce this in stages, affording the employee enough time to backup personal and corporate data appropriately. Or depending on the level of sensitivity, more immediate restrictions may be appropriate. Identify the user’s device(s): Use your MDM solution to locate the employee’s device. Limit access: If your company leverages SSO, you can immediately revoke a user's access to all apps by revoking their SSO tokens. Otherwise, you will need to consider the following: Email: Disable the user's email account. Redirect incoming emails to an appropriate recipient or archive them. Company Apps: Remove the user's access to company-specific apps, or third party apps that were previously authorized. Revoke app licenses, if applicable. Cloud Storage: Revoke the user's access to cloud storage services (e.g., Google Drive, Dropbox). Remove the user from shared folders and documents. Collaboration Tools: Remove the user from collaboration tools (e.g. Google Workspace, Microsoft Teams). Revoke access to shared documents and projects. VPN and Remote Access: Disable the user's VPN and remote access privileges. Revoke any VPN certificates or keys. Data Retention and Archiving: Determine the appropriate retention period for the employee's data and implement necessary archiving procedures. Ensure compliance with data privacy regulations. Deactivate User Account: Deactivate the user's account to prevent future access, while allowing other employees to still access any documents associated with the deactivated account. Configure Factory Reset Protection policies: To ensure a seamless offboarding process for company-owned Android devices, it's crucial to properly configure Factory Reset Protection (FRP). If you've already configured your FRP policies, you can skip to step 4. Otherwise, let's dive into the details. Factory Reset Protection (FRP) is a security feature designed to protect Android devices from unauthorized access after a factory reset. It requires authentication with the Google account last used on the device. While this is a valuable security measure, it can complicate device management, especially during employee offboarding. To ensure a smooth offboarding process, consider these two approaches: Enable Enterprise Factory Reset Protection (EFRP): Designed for Enterprise, EFRP allows you to specify which Google Accounts can activate a device that has been factory reset and locked by FRP. These approved users can unlock company-owned devices that have been factory reset, without the need for the previous user’s Google account details. This approach provides a balance between security and manageability. Disable FRP: Disabling FRP allows you to factory reset devices without requiring the previous user's Google account credentials. This can simplify the offboarding process, but it also reduces the device's security. Use with caution, particularly for devices that are at risk of loss or theft. Important Note: Resetting a device through the Settings app typically doesn't trigger FRP, except in specific scenarios involving company-owned devices with Work Profiles and EFRP enabled. Therefore, it's crucial to disable FRP or enable EFRP before initiating a factory reset to prevent potential lockouts. Remote wipe: After allowing the user a brief period to back up personal data on company-owned devices, or transfer ownership to work files, remotely wipe the device. Depending on the device’s enrolment method either: Factory Reset: For company-owned devices, instigate a factory reset to erase all work apps and data from the device without physical access. Remove Work Profile: For BYOD devices, use your MDM solution to remove the user's Work Profile from the device. This will eliminate company apps, data, and settings from the device. Note, personal data is unaffected by the removal of the Work Profile so does not require backup. Revoke device access: Deactivate the device from your MDM solution. This will prevent the device from receiving updates, policies, and security patches. Asset retrieval: Create a comprehensive inventory of all physical assets assigned to the employee (e.g., laptops, phones, keys, badges). Ensure all physical assets are returned or disposed of securely. Update device inventory: Update your device inventory to reflect the device's status (e.g. retired, reassigned). Employees: Your Role in a Secure Exit Data Backup: Use a personal cloud storage service or external storage to back up any personal data that you want to keep before the device is wiped or reset. Following your company's guidelines for data backup, ensure that all company data is backed up to the appropriate location or cloud storage. App Removal Clear the data and cache for these apps to remove any sensitive information. Uninstall any company-owned or work-related apps that you no longer need. This may include email, calendar, and productivity apps. Network Access: Disconnect from any company VPN connections. Remove any VPN profiles or certificates. Forget any saved company Wi-Fi networks. Personal Cloud Storage: Download and save any personal files from company-provided cloud storage. Revoke access to personal accounts linked to company devices. Assets: Depending on company policy, return all corporate devices and accessories to the IT department or designated location. Ensure that the device is in good condition and free of any damage. Social Media Accounts: Review and remove any company-related content from personal social media accounts. Update privacy settings to limit public visibility. Best Practices From the off, it’s good to keep handover in mind. After all, the more structure in place when setting up, the easier handover will be. With this in mind we've put together some tips and best practices to consider when starting out, or even implementing further along. Setting Up Devices and Profiles: Separate Profiles: Create separate profiles for work and personal data to improve security and privacy. Use work profiles to enforce company policies and manage company-owned apps. Corporate email accounts: The improved Android sign-up process makes it easier for IT admins to sign-up and access Google services using their corporate email addresses. This eliminates the need for personal Gmail accounts, leading to cleaner handovers when an employee leaves. Plus, certain setup tasks can be managed centrally through the Google Admin console, again making it much easier to keep track, document and handover tasks. Centralized Management Avoid the hassle of being locked out of corporate Google accounts when the time comes for the admin that set up the account to embrace a new opportunity. Maintaining a centralized approach avoids having a sole owner of any Google accounts, making it easier to manage and maintain control and access to business Google accounts in the event of a handover. IT admins can also easily track, document, and hand over administrative tasks in this way. Default Settings: Configure default settings for devices and profiles to streamline the onboarding process and ensure consistency. Consider using templates or scripts to automate device setup. App Management: Use Google Managed Play to create a customized and secure app store for different business needs and user roles and have more control over which apps employees can install and use. Policy Enforcement: Implement policies to enforce security measures such as password complexity, screen lock timeout, and data encryption. Use conditional access policies to restrict access to company resources based on device compliance. Employee Training: Remember, documented procedures and workflows are vital for mitigating risks associated with employee turnover. Proactive documentation ensures business continuity and minimizes disruptions during employee transitions. Provide employees with clear guidelines and training on their responsibilities during the offboarding process. Educate employees on data security best practices and the importance of returning company assets. Regular Reviews: Review and update your offboarding procedures regularly to ensure they remain effective and aligned with evolving security threats. Conduct periodic security audits to identify and address any potential gaps. A well-executed offboarding process is crucial for safeguarding your organization's sensitive data and maintaining security. By following the checklist provided, you can effectively mitigate risks, minimize disruptions, and ensure a seamless transition for both the departing employee and your organization. Like and share this post to help others secure their organization's digital footprint! Let us know your thoughts and experiences in the comments below. Do you have any additional tips for a smooth offboarding process?Debunking 12 Android Enterprise myths
Have you ever heard statements like “Android just isn’t secure” or been asked whether BYOD is too risky for enterprise? These concerns, often based on outdated perceptions, can prevent businesses from fully realizing the benefits of Android Enterprise. So, let’s cut through the noise. Here we’ll address 12 common misconceptions and explore the realities of deploying and managing Android devices in today’s modern workplace. Myth 1: Is Android really less secure? Reality: Always-on security. Android offers proven, multi-layered, proactive security With a zero-trust approach to security, Android operates under the principle of "never trust, always verify." It continuously assesses the security posture of devices and applications, and grants access based on real-time risk assessments. Built-in security at every level includes hardware-level safeguards like verified boot and encryption, software-level protections such as application sandboxing, and proactive threat detection with Google Play Protect. The result is robust defense. Combined with granular control organizations maintain a high level of security while empowering employees with the flexibility of mobile work. Want to dive deeper? Enjoy a cup of tea while you explore our security paper. Myth 2: Android Enterprise is only suitable for large enterprises Reality: Designed for scalability, Android Enterprise can be effectively deployed by businesses of all sizes Android Enterprise offers a range of options to deploy and manage Android devices, so businesses of all sizes can choose the model that best suits their needs and budget. For smaller businesses, BYOD can significantly reduce upfront costs associated with purchasing and managing a fleet of company-owned devices. Plus, the Google Admin console provides a user-friendly interface, simplifying tasks like device provisioning and policy enforcement, making it easier for businesses with limited IT resources to manage their mobile workforce effectively. By offering a range of deployment options, simplified management tools, and cost-effective solutions, Android Enterprise empowers businesses of all sizes to leverage effective device management. Myth 3: BYOD is too risky for enterprise environments Reality: With the right approach, Bring-Your-Own-Device (BYOD) can be a secure and cost-effective strategy Android Work Profile provides a self-contained profile on an Android device that isolates work apps and data from personal apps and data, enabling businesses to safely implement BYOD policies. This secure container safeguards sensitive company data through robust encryption and remote wipe capabilities, even if personal apps are compromised. Work Profile also empowers organizations with enhanced app management capabilities. Businesses can implement approved app lists, ensuring only necessary applications are used for work, without impacting personal app usage. Additionally, they can enforce restrictions on specific app functionalities within the work environment. With these advanced security and management features, Work Profile empowers organizations to securely embrace the flexibility of BYOD. For more detail explore this Work Profile Security on Company Owned Devices paper. Myth 4: Android Enterprise is too complex to implement and manage Reality: Android Enterprise simplifies device management with powerful tools designed for businesses Android Enterprise has significantly simplified management with features like zero-touch enrollment for easy device setup and streamlined policies for controlling work apps and data. Managed Google Play empowers IT administrators with granular control over app distribution and management, ensuring only approved applications are installed on company devices, including tailored company apps. By integrating with leading EMM providers to leverage these tools, businesses can easily customize devices to meet their specific needs, enforce security policies, and manage their mobile workforce efficiently. Myth 5: Android devices are more susceptible to malware Reality: All mobile devices can be targets for malware, but Android has implemented robust security measures to protect against threats Google Play Protect leverages machine learning to proactively detect and combat malware, phishing attacks, and ransomware. It scans apps both before and after installation, even monitoring them for suspicious behavior after download. This proactive approach, combined with regular security updates, provides a robust defense against malicious software, significantly reducing the risk of installing and running harmful apps on Android devices. See for yourself with our Transparency Report. It highlights just how rare downloading potentially harmful applications on an Enterprise device really is. Myth 6: BYOD makes it difficult to achieve a good work-life balance Reality: Android Work Profile allows employees to easily switch between work and personal profiles, enabling them to disconnect from work when they need to By separating work and personal data and apps, Work Profile helps employees maintain a clear boundary between work and personal life, reducing stress and enhancing well-being. Employees can seamlessly switch between the Work Profile, and their personal profile, enjoying a familiar device environment while empowered to toggle off work notifications and fully disconnect for a better work-life balance, increased productivity and employee wellbeing. Myth 7: Android Enterprise is not suitable for highly regulated industries Reality: Android Enterprise provides the robust security and compliance features necessary for highly regulated industries Highly regulated industries require robust mobility management solutions with exceptional flexibility and control. Android Enterprise delivers strong security, powerful device management, and innovative solutions to manage and deploy devices seamlessly across diverse use cases. Continuously evolving to address dynamic compliance requirements, Android 15 introduced enhanced security logging aligned with the latest NIAP regulations. Plus, the Android Management API empowers businesses with the agility to adapt policies and ensure compliance with developing industry regulations and security standards. Discover how Android Enterprise empowers financial services in our customer stories, or explore exactly how we comply with industry standards and Android’s certifications in our security paper. Myth 8: Android is fragmented and updates are slow Reality: Android ensures a smooth and consistent user experience alongside simple and robust management capabilities While Android's open nature has historically presented challenges in terms of device fragmentation and update consistency, this view is outdated. As an open-source platform, Android benefits from rigorous scrutiny by a diverse community, including developers, security researchers, and even government agencies. This constant feedback accelerates security advancements. Initiatives like Project Treble have revolutionized the update process by decoupling core Android components from device-specific software. This allows manufacturers to deliver the latest security patches and feature updates more quickly and efficiently. The Android Enterprise Recommended program prioritizes timely security updates and OS upgrades for participating devices, ensuring a more consistent and secure user experience. More widely, Google releases monthly security updates to the platform, the details of which can be found on the Android Security Bulletin. Recommended EMM partners provide essential tools for managing these device updates, ensuring timely patching to maintain a secure mobile environment. Myth 9: Android devices aren't premium Reality: The Android ecosystem boasts a wide range of devices, from budget-friendly options to high-end flagships that rival the best in the industry Premium Android devices offer cutting-edge features like powerful processors, high-resolution displays, and advanced camera features, and innovative designs for a premium user experience. To ensure a consistent and high-quality experience for businesses, the Android Enterprise Recommended program certifies devices and solutions that meet Google's strict enterprise requirements, giving businesses confidence in their chosen devices. Myth 10: The Play Store is limited Reality: The Google Play Store is a vast marketplace with millions of apps, including a wide range of enterprise-grade solutions. From productivity tools and communication apps to industry-specific solutions, the Play Store offers a diverse range of applications to meet the unique needs of any business. Plus, the Play Store empowers businesses to develop and distribute custom applications. By leveraging Android developer tools, businesses can create tailored solutions and securely distribute them to their employees through Managed Google Play. This effectively creates a custom app store while benefiting from the built-in security and robust infrastructure of Google Play Protect. Myth 11: Android Enterprise devices are separate to regular Android devices Reality: The hardware remains the same Android Enterprise is not a separate operating system. It's a suite of tools that enhances the core Android OS with enterprise-grade features and management capabilities. This means any Android device can leverage Android Enterprise, providing businesses with the flexibility and control to meet their specific mobility requirements while maintaining the familiar Android user experience. Myth 12: You can only use Android Enterprise with Google's products and services Reality: While Google offers a robust suite of productivity and collaboration tools, Android Enterprise is designed to be highly interoperable Android Enterprise is only supported on Play protect certified devices. These devices often come pre-installed with popular Google services like Chrome, Google Play Store, and Google Maps (GMS). However, this does not limit users to Google's ecosystem. Android Enterprise seamlessly integrates with a wide range of third-party enterprise applications and services, including those from Microsoft, Salesforce, and others. This flexibility empowers businesses to choose the best software solutions for their specific needs, regardless of their preferred technology stack. Were you surprised by any of these myths? Have you encountered similar challenges or misconceptions in your own experiences? Let us know in the comments below.Do you really need a long pass code on Android?
Do you really need a long complicated pass code on Android? Traditionally, IT admins applied similar pass code requirements to Android devices as with server and desktop operating systems. However, this approach can be excessive and unnecessarily restrictive. Unlike laptops or desktops, where unlocking grants access to all user apps and services, Android operates differently. As “Android is now the most common interface for global users to interact with digital services”*(1) with many organizations, from small businesses to large multinational corporations and government agencies, relying on Android devices to access sensitive company data, it’s important to understand the distinction. The key difference lies in how these operating systems handle app permissions. While server/desktop OS's typically consider all apps running within the context of the logged-in user account as fully authorized, Android operates with a more granular approach. Android apps are not inherently granted full authorization for all user actions.*(1) This inherent security measure within Android mitigates the risk of malicious code exploiting the vulnerabilities of server/desktop OS's. On server/desktop systems, attackers often only need to execute malicious code with the currently logged in user's privileges to gain significant control. Android's more restrictive environment makes this type of attack more challenging. Windows, macOS, and Chrome will typically use a username and password coupled with Single Sign-On (SSO) or Multi-Factor Authentication (MFA) that is tied to a corporate account to log into the OS. Android simply uses a PIN, pass code, or pattern that is not tied to a user’s LDAP or domain account to unlock the device. This separates the device unlock on Android by not having that tied to a corporate identity. This difference keeps an Android pass code to unlock a device separate from the user's account to access corporate services and applications. In this way, the Android security model grants less power to users versus traditional OS's that do not require multi-consent models. The immediate benefit to users is that one app cannot act with full user privileges. The user cannot be tricked into letting it access data controlled by other apps due to the robust app sandboxing on Android. So, do you really need a long pass code on Android if the unlock pass code is not tied to your corporate account? Let's consider some more interesting facts to determine if a long pass code is needed to protect an Android device. NIST passcode guidelines: A shift in perspective What does the National Institute of Standards and Technology (NIST) have to say? The general password guidance from the latest version of SP 800-63b *(2) are listed below: Pass code Length: Minimum 8 digits Complexity (Special characters, uppercase, lowercase, number): No longer required Pass code hints: Do not allow Simple or known pass codes: Do not allow Periodic pass code changes (every 90 days, etc.): Not required. Only force changes when a known compromise is detected. SMS for MFA Codes: Do not use Pass code guess prevention (Throttling): Implement NIST’s updated requirements are a result of technology advances that prevent guessing a pass code. As an example, 8 digits without special characters, upper and lower case, and pass code changing requirements are no longer recommended. An 8-digit pass code of non-repeating numbers is now sufficient to provide very strong protection. On Android we actually changed our PASSWORD_COMPLEXITY_HIGH to 6 digits back in Android 12. Let's explore this a little more. Rate limiting and password guessing Android implements a very strong default rate-limiting capability, which imposes increasing delays after the 5th failed login attempt, culminating in a 24-hour lockout after 100 attempts. The benefit to a managed device is that Android Enterprise can limit the attempts to a specific number before a device wipe is triggered automatically. This helps prevent access to personal and company data. Assuming that an Android device is properly managed with a limited number of failed pass code attempts, let's say 10 tries, enforcing a device wipe by policy renders an attack mostly infeasible. Even the latest version of the password-guessing USB tool, rubber ducky, is ineffective. Now, let's explore a simplified explanation of what a hash is in this context. Imagine your pass code to unlock your Android device is "019283". Android has an "algorithm machine" (called a hash function, or algorithm such as SHA256) that takes that password and generates a unique string of characters that represents that specific data, such as "a5f4g6h7j8k9l0". This is the hash of your password. It looks nothing like your original password, making it virtually impossible to figure out your lock screen pass code "019283" just by looking at the hash. Additionally, reversing the hashing calculations is infeasible and the algorithms are created in such a way as to protect against a reversing calculation. Now, every time you try to unlock your device, Android securely feeds what you type into the unlock prompt and puts it through the same hashing algorithm. If the resulting hash matches what is stored in secure hardware on the device, then Android knows you've entered the correct password and it unlocks. What is stored in secure hardware on Android is the hash of your pass code, not your pass code itself. We have all seen the following image on social media, but it portrays incorrect data when it comes to Android. This table does not take into consideration that the attacker has successfully been able to capture the hash of the pass code. Extracting the hash of a pass code from a locked Android device's secure hardware is non-trivial and is extremely difficult, actually infeasible on Android. Conclusion: Rethinking pass code complexity for Android In conclusion, it is important to note that I have only covered a small portion of a very complicated topic that involves encryption, key storage, hashing, and rate-limiting in Android kernel and services. While anything is potentially possible, the reality of exfiltrating a hash from secure hardware is really not feasible or practical. Requiring a pass code that is long and complicated is not a factor in 2025 on Android. With the proper management policies, guessing a pass code to unlock a stolen or lost device should not be a concern any longer. Have a look at what your EMM provider options are when setting a pass code requirement and consider how you can make the user experience for your users better by not having to enforce long complex pass codes, it just frustrates users. *(1) Android Security Model: https://arxiv.org/pdf/1904.05572 *(2) https://nvlpubs.nist.gov/nistpubs/specialpublications/nist.sp.800-63b.pdf
