The Android 10 is here, and its introduction has created much ripples in organizations dealing with Android devices for IT enablement. With the new and upgraded version, Android is planning to work with its partners to facilitate and fabricate the future of enterprise mobility, while making smartphones even better for the enterprise users. Android has always encouraged an atmosphere wherein data, whether employee or corporate, is shared within a controlled and secured environment giving privacy and security utmost importance. Today as well, its focus remains the same – to drive a balance between user experience and data security with the right blend of mobile technology. According to Dave Burke, VP Engineering (Android) Google, the key focus areas for Android 10 will be innovation, security and privacy, and digital wellbeing.
With around 50 new changes associated with privacy and security, Android 10 comes with features will support new technologies like Foldables, 5G and on-device machine learning features like Live Captions and Smart Reply. For app developers, Android 10 will bring tools for building enhanced gaming and AR experiences and faster connectivity. To start with, let’s look into the Android 10 elements and their influences on the enterprise IT and EMM vendors. Here, I have collated all the details and information around Android 10 features from the Android Developers Website.
Work Profile for Company-Owned Devices
Improved provisioning tools: Company-owned devices requiring work profiles can benefit from the new and improved provisioning tools provided by Android 10. This allows the IT admin to provision work profiles on Android 10 and later versions, which are enrolled using Zero touch or QR code. A new intent extra allows the DPC apps (Device Policy Controller) to initiate work profile or fully managed setup, while provisioning a company-owned device. After the creation of the work profile or establishment of full management, policy compliance screens are launched by the DPCs to enforce fundamental policies.
Work profile device-ID attestation: For devices with work profiles enrolled through zero-touch, DPCs can get secure-hardware-attested device IDs like IMEI or manufacturer’s serial number. The device must support device-ID attestation and zero-touch enrollment and include a secure hardware (Trusted Execution Environment or TEE) or Secure Element.
Work Profile Improvements
Cross-profile calendar events: This feature aims to blend personal and work apps to keep the device user informed. It does so when apps that are running in the personal profile can also show events from the work profile calendar. This can redirect the device user if he/she is willing to edit a work event in the work profile. This happens when the app is installed both in work as well as personal profiles.
IT control on work profile calendar access: This allows the IT admin to block the work profile from sharing and showing work related calendar information in the personal profile. Without the admin’s access permission, no apps will be able to read and show work profile calendars. The IT admin also decides the specific apps that can perform this task of sharing work calendar details in personal profile.
Control on app downloads from unknown sources: Android 10 empowers the IT admin to prevent or restrict any user or device profile from downloading apps from unknown sources (sources other than Google Play or other trusted platforms). IT admin can apply user restriction policy (it doesn’t require Google Play services) to prevent the user from mistakenly installing apps from unknown/untrusted sources.
Limit permitted input devices to work profiles: This adds extra value and user experience when it comes to BYOD/COPE policy. This means that the device users will be restricted to only the permitted input methods applicable to their work profiles only (for corporate data security purposes) and hence can have better control over the rest of the device and their personal profiles.
Silent wipe of work profiles: In times of immediacy and emergency, IT admins can silently erase work profiles from the enrolled devices without notifying the users about the work profile wipe-off.
Features for fully managed devices
Manual system update installation: Android 10 enables IT admin of fully managed devices to manually update the system through a system update file, which allows him/her to test an update in a small number of devices before installing the updates in all the devices. It also allows the IT admins to suspend the installation or device updates for 90 days and only when the devices are not being used, and to prevent duplicate downloads on networks with limited bandwidth.
EAP Wi-Fi provisioning: Android 10 devices that are provisioned using QR codes and NFC data can obtain EAP (Extensible Authentication Protocol) config, credentials and certificates. On scanning the QR code and tapping the NFC tag, the device will automatically authenticate to a local Wi-Fi network using EAP and will initiate the provisioning process without any manual effort.
Private DNS support: Android 10 allows organizations to use DNS over TLS, also known as Private DNS on Android devices, to prevent leakage, eavesdropping and manipulation of DNS queries and data, as well as internal hostnames. IT admin can control the Private DNS settings and can also restrict device users from changing Private DNS settings.
Under VPN lockdown mode, IT admin can exempt apps that use a VPN by default. The IT admin can also help get the previously exempted apps from VPN lockdown mode. The DPC or the IT admin can restrict/block any incoming or outgoing network traffic that doesn’t use the VPN (Virtual Private Network) through VPN lockdown mode.
Deprecation of device admin
Android 10 has removed the legacy management approach of Device Admin policies due to their irrelevant and outdated features to support evolving enterprise requirements. The newest version prevents apps and EMM agents to apply any Device Admin methods and recommend the partners and customers to embrace fully managed devices or work profiles.
New Features for Apps
Screen lock quality check: As a new element in Android 10, it allows certain apps with critical features to do some sort of device attestation check. For instance, apps requiring screen locks can raise a query regarding the strength and complexity of the profile’s screen lock. In case the apps require a stronger screen lock, it directs the user to the system screen lock settings to update the security settings.
HTTP proxy support in VPN apps: Android 10 allows VPN apps to set an HTTP proxy for their VPN connection.
Apart from lessening the enterprise IT pain points and empowering user experience, Android 10 update also brings in some nifty security and privacy features and upgrades like the choice to set location restrictions while using certain apps, preventing the apps from collecting sensitive device information like device IMEI and serial number and limiting app from accessing external storage. (Check the full list of Android10 privacy features here).
On top of that, phone makers now have to encrypt device data, starting with Android 10, by using Google’s new Adiantum encryption method, to keep your devices away from the damages caused by hackers. Android 10 ensure stronger and more powerful security protocols like TLS (Transport Layer Security) 1.3 to protect data and device while accessing the internet. The BiometricPrompt API, which was introduced with Android Pie to allow apps use biometrics like authentication of face, fingerprints and iris, is now updated with Android 10 with more robust support and the API has been expanded to support both implicit and explicit authentication.
Try Scalefusion MDM platform FREE for 14 Days and explore our features!