Microsoft Intune and Android for Work
You may or may not have come across Android for Work. What is it and what does it do? Android for Work is Google’s enterprise device management initiative that allows IT to manage and secure corporate information (apps and data) in a separate ‘work profile’. Warning: Marketing fluff. Android for Work separates business apps from personal apps so you can use your favourite Android device for both work and play. It provides a dedicated profile for business content that never mixes with your personal stuff, so that IT can’t see or erase your photos, emails or other personal data. Read more about it here.
The Problem Child
If you’re the administrator responsible for managing devices in your organisation, you will have noticed the pain of managing Android devices. This comes down to the level of fragmentation in the Android ecosystem and the fact that the Android operating system is open source. What this means is that OEMs take the operating system and modify it for their devices, adding extensions on top of it to provide extra features to users. This is great for the everyday user because there are so many choices out there, but for the systems admin it is a huge nightmare to manage and secure. Addressing this is one of the goals Android for Work sets out to achieve: a more unified management experience for IT as well as for the end user, much like managing iOS devices.
What You Need to Know
Here are several things you may want to know about Android for Work.
Work Profiles – Android for Work uses the concept of a separate profile, similar to a logical container, to discriminate between work and personal. Enabling a work profile allows organizations to manage the business data and applications they care about, but leave everything else on a device under the user’s control. Administrators control work profiles, which are kept separate from personal accounts, apps, and data. This means a clear boundary of what IT can and cannot do. In this model IT can no longer perform a full device wipe or factory reset and is limited to wiping data that is in the work profile. What this also means is that most device information remains invisible to IT, other than what is exposed within the work profile.
Applications – Contrary to how apps are deployed to Android devices today (.apk / Google Play), in Android for Work apps are delivered from only one source – the Google Play Store. The immediate question will be “what about my LOB apps?”. Google is moving everyone to deploy business apps through their enterprise multi-tenant version of the Play Store called, you guessed it – Google Play for Work! This is an isolated section of the store that is only accessible to the organisation that owns it. Nobody else can see it. This increases security and eliminates the need to enable the “allow installations from unknown sources” option in the operating system, which is considered the No. 1 malware threat that exists on Android today. What it also means is that there is now the ability to silently push required applications to the devices, rather than taking users to a link in the Play Store as conventional MDM does.
Encryption – is no longer optional when managing devices with Android for Work. Even if the device is not currently encrypted, it will be encrypted at the point when the device is enrolled and a work profile is created.
Permissions – Remember those annoying prompts to allow/deny access to parts of the device like contacts, camera and storage? Those are gone now within the context of the work profile, because the administrator determines that for you when an app is pushed out so that the end user doesn’t need to. However, the personal side of the device is not affected and will continue to work as it did before.
Mode of Management – Microsoft Intune can concurrently support both methods of Android management: the conventional MDM method and Android for Work. Intune considers Android for Work to be an entirely different device platform, so in the Intune console you will see Android for Work devices alongside managed iOS devices and traditionally managed Android devices. The two modes of management for Android are available so the administrator can target different groups of users on supported devices, mainly because Android for Work is only available for Android version 6.0 and above.
In my following posts I will cover various topics in getting Android for Work running in your Microsoft Intune tenant so stay tuned for that shortly.