Changes to Android Enterprise COPE
“The Android 11 release from Google brings new features and capabilities that make Android a more attractive business alternative to iOS”
Android Enterprise COPE – Corporately Owned Personally Enabled – was a configuration designed to allow personal use on a company owned device offering a combination of security for company data and privacy for the employee.
It appears from the updates coming out with Android 11 that the personal privacy component needed some tweaking. Google has restricted the use of certain capabilities that could infringe on the user’s privacy when a corporate device has been provisioned to allow both work and personal use.
Here’s some of those device management policy changes that you need to know about. They may affect your ability to manage COPE enrolled devices via your UEM console:
-
Device unlock passcodes cannot be cleared or changed
-
A recommended global proxy cannot be set across the entire device
-
The Add/Remove Account restriction will no longer apply to the personal side of the device
-
CA and user certificates on the personal side of the device cannot be removed or installed
-
App installs and uninstalls cannot be prevented on the personal side of the device
-
Cloud backup services for personal data backups cannot be disabled on the device
-
Applications can no longer be required on the personal side of the device
-
Preventing users from changing Bluetooth Settings is no longer possible, though Bluetooth can be disabled completely
-
Preventing the user from mounting USB storage media is no longer possible
Note – the configuration for new enrolments into COPE for Android 11 devices will likely need some changes. Once these changes are fully announced by the UEM vendors we will reach out to our managed customers to work through the impact.
Changes to target API for App Developers
For companies that are building their own Android apps or working with a third party to build custom apps this change is of importance.
Starting November 2, 2020, updates to apps and games on Google Play will be required to target Android 10 (API level 29) or higher. After this date you will not be able to submit new app bundles and APKs to Google with a target SDK version less than 29.
This will not impact existing app listings on the Play Store.
Configuring your app to target a recent API level ensures that users benefit from significant security and performance improvements, while still allowing your app to run on older Android versions.
Google have published a guide via this link which may be useful to your development team.
Changes to Android Enterprise afw#hub
If you have not heard of afw#hub before then this one is probably not going to affect your deployment.
Previously with Android Enterprise it was possible to enrol Work Managed devices and COPE devices using afw#hub during the device start-up process. This would prompt the Android Enterprise enrolment process for VMware Workspace ONE UEM devices.
With Android 11 this enrolment option is being dropped by VMware and the only enrolment options available will be via QR Code or leveraging Zero Touch Provisioning.
QR Code
The QR code Android Enterprise enrolment method sets up and configures Work Managed Device and Corporate Owned Personally Enabled (COPE) modes by scanning a QR code. This enrolment flow is ideal for an admin staging multiple devices before deploying to users or for the end user who will be enrolling their own device with the QR code provided by an IT admin.
We use this QR code option in our Android Enterprise enrolment guides to make the process easier for employees.
Zero Touch Provisioning
There are two options for Zero Touch Provisioning with Android devices
-
Samsung KNOX Mobile Enrolment for Samsung devices, and
-
Android Zero Touch Provisioning for other Android devices such as Nokia, Pixel and LG.
Both of these options require your authorised reseller to load your Android device serial numbers up to the Zero Touch Provisioning portal at time of purchase and then you can streamline the on-boarding and enrolment process for your Android devices.
With Android 11 these two solutions will merge so we will share more about that when we have tested it out. In the meantime, if you want to learn more about Zero Touch Provisioning you can view our Zero Touch Provisioning webinar here.
Secure Passcode Reset
For customers using Android Enterprise Work Profile, which is the encrypted work container sitting on a BYOD or unmanaged device, Android 11 will bring the ability for Administrators to reset the passcode on the work container remotely. It will be possible to enable a ‘forgot my password’ button that will enable a secure work profile password reset. This will bring a better support experience for employees who forget their container password.
Common Criteria Mode
Google has released functionality that can enable Common Criteria Mode on a device running Android 11. Enabling this mode will increase security components on a device including Bluetooth key and Wi-Fi configuration store encryption.
Biometric Authentication
A change to the underlying OS functionality allows developers the ability to choose whether biometric must strong (fingerprint, iris scan, true 3D facial) or weak (photo-based facial) or device credential (pin, pattern, password). This feature must be coded into app updates before it can be leveraged by organisations; however, it gives developers more control and more options for passwordless authentication under conditions where additional security isn’t required or is deemed an acceptable risk.
Conclusion
These are the features we are tracking. We recommend developers check out the full list of API Updates and non-technical users can check out the Android 11 Beta preview.
Microsoft Intune is a part of Microsoft Endpoint Manager and provides the cloud infrastructure, the cloud-based mobile device management (MDM), cloud-based mobile application management (MAM), and cloud-based PC management for your company.
If you’re interested in learning how Android devices could work in your business, check our Intune Security Baseline service, or contact us.
