Intune Customer Success

Announcing the Android Enterprise security configuration framework

Ross Smith IV
Jun 29, 2020

As mobile usage becomes more prevalent, so does the need to protect work or school data on those devices. One way to protect that data is device enrollment. Enrolling a device lets an organization deploy compliance policies (PIN strength, root validation, etc.) and configuration policies (Wi-Fi, certificates, VPN, etc.), and also lets it manage the app lifecycle.

With Android 5.0, Google introduced two new management modes, managed device (device owner) and work profile (profile owner), which are now known collectively as Android Enterprise.

 

Android Enterprise supports several enrollment scenarios, two of which are covered by this framework:

  • Work profile (https://docs.microsoft.com/intune/android-work-profile-enroll) – this enrollment model is typically used for personally-owned devices, where IT wants a clear separation boundary between work and personal data. Policies controlled by IT ensure that work data cannot be transferred into the personal profile.
  • Fully managed (https://docs.microsoft.com/intune/android-fully-managed-enroll) – these devices are corporate-owned, associated with a single user, and used exclusively for work, not personal use.

When configuring device compliance and configuration policies, the many available settings and options let organizations tailor protection to their specific needs. Because of this flexibility, it may not be obvious which combination of policy settings is required to implement a complete scenario. To help organizations prioritize client endpoint hardening, Microsoft introduced a new taxonomy for the Windows security configuration framework (http://aka.ms/secconframework), and Intune uses a similar taxonomy for its Android Enterprise security configuration framework.


The Android Enterprise security configuration framework is organized into several distinct configuration levels, with separate guidance for work profile and fully managed devices.


For Android Enterprise work profile devices:

  • Work profile enhanced security (Level 2) – Microsoft recommends this configuration as the minimum security configuration for personal devices where users access work or school data. This configuration introduces password requirements, separates work and personal data, and validates Android device attestation.
  • Work profile high security (Level 3) – Microsoft recommends this configuration for devices used by specific users or groups who are uniquely high risk (users who handle highly sensitive data where unauthorized disclosure would cause considerable material loss to the organization). This configuration introduces mobile threat defense or Microsoft Defender ATP, sets the minimum Android version to 8.0, enacts stronger password policies, and tightens the separation between work and personal data.

Note: There is no basic security (Level 1) configuration for work profile devices. The settings available in Android Enterprise work profile did not justify a distinction between Level 1 and Level 2, and the numbering is kept consistent with the configuration framework nomenclature used across platforms.


For Android Enterprise fully managed devices:

  • Fully managed basic security (Level 1) – Microsoft recommends this configuration as the minimum security configuration for an enterprise device. This configuration is applicable to most mobile users accessing work or school data. This configuration introduces password requirements, sets the minimum Android version to 8.0, and enacts certain device restrictions.
  • Fully managed enhanced security (Level 2) – Microsoft recommends this configuration for devices where users access sensitive or confidential information. This configuration enacts stronger password policies and disables user/account capabilities.
  • Fully managed high security (Level 3) – Microsoft recommends this configuration for devices used by specific users or groups who are uniquely high risk (users who handle highly sensitive data where unauthorized disclosure would cause considerable material loss to the organization). This configuration increases the minimum Android version to 10.0, introduces mobile threat defense or Microsoft Defender ATP, and enforces additional device restrictions.

Note: The framework is designed with the understanding that organizations own the Android Enterprise fully managed devices.
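To make the levels concrete, here is an added example (not Microsoft's code and not part of the original post) that evaluates an exported Intune compliance policy against the checks each level introduces and reports the highest level fully met plus the unmet checks per level. It covers only the compliance side (passwords, OS floor, root and attestation checks, threat defense); the configuration-policy side (work/personal separation, device restrictions) is not modelled. The property names are assumed to follow the Microsoft Graph androidWorkProfileCompliancePolicy and androidDeviceOwnerCompliancePolicy resources (passwordRequired, osMinimumVersion, securityRequireSafetyNetAttestationBasicIntegrity, deviceThreatProtectionEnabled, and so on), as are the enum values for passwordRequiredType and deviceThreatProtectionRequiredSecurityLevel; the numeric thresholds and accepted password types are this example's own choices, not the published values at http://aka.ms/aesecconfig, and the two sample policies are constructed.

```python
"""Evaluate an Intune Android Enterprise compliance-policy export against the
framework levels described above.

Added example, not Microsoft's code.  Property names are assumed to match the
Microsoft Graph androidWorkProfileCompliancePolicy / androidDeviceOwnerCompliancePolicy
resources; thresholds and accepted password types are this example's choices,
not the framework's published values.
"""
from typing import Callable, Dict, List, Tuple

Check = Callable[[dict], bool]

# Weakest to strongest, using the Graph passwordRequiredType enum names (assumption).
PASSWORD_TYPES = ["deviceDefault", "lowSecurityBiometric", "required", "atLeastNumeric",
                  "numericComplex", "atLeastAlphabetic", "atLeastAlphanumeric",
                  "alphanumericWithSymbols"]


def parse_version(value) -> Tuple[int, int, int]:
    """Normalise "8", "8.0" or "10.0.1" to a 3-tuple so "8.0" compares equal to "8.0.0"."""
    parts = [int(p) for p in str(value or "").split(".") if p.isdigit()][:3]
    return tuple(parts + [0] * (3 - len(parts)))


def os_at_least(minimum: str) -> Check:
    return lambda p: parse_version(p.get("osMinimumVersion")) >= parse_version(minimum)


def password_at_least(min_length: int, min_type: str) -> Check:
    """Password must be required, long enough, and of at least the given type."""
    floor = PASSWORD_TYPES.index(min_type)

    def check(p: dict) -> bool:
        kind = p.get("passwordRequiredType", "deviceDefault")
        return (p.get("passwordRequired") is True
                and int(p.get("passwordMinimumLength") or 0) >= min_length
                and kind in PASSWORD_TYPES and PASSWORD_TYPES.index(kind) >= floor)
    return check


def attestation(p: dict) -> bool:
    return (p.get("securityRequireSafetyNetAttestationBasicIntegrity") is True
            and p.get("securityRequireSafetyNetAttestationCertifiedDevice") is True)


def root_blocked(p: dict) -> bool:
    return p.get("securityBlockJailbrokenDevices") is True


def threat_defense(p: dict) -> bool:
    # MTD / Defender: the policy must consult the partner-reported threat level.
    # Accepted level names are an assumption of this example.
    return (p.get("deviceThreatProtectionEnabled") is True
            and p.get("deviceThreatProtectionRequiredSecurityLevel") in ("secured", "low", "medium"))


# Checks introduced at each level; levels are cumulative (Level 3 requires Level 2 and so on).
FRAMEWORK: Dict[str, Dict[int, List[Tuple[str, Check]]]] = {
    "workProfile": {
        2: [("password required", password_at_least(6, "numericComplex")),
            ("rooted devices blocked", root_blocked),
            ("SafetyNet basic integrity and certified device", attestation)],
        3: [("minimum Android 8.0", os_at_least("8.0")),
            ("stronger password", password_at_least(8, "atLeastAlphanumeric")),
            ("mobile threat defense / Defender required", threat_defense)],
    },
    "fullyManaged": {
        1: [("password required", password_at_least(6, "numericComplex")),
            ("minimum Android 8.0", os_at_least("8.0")),
            ("rooted devices blocked", root_blocked)],
        2: [("stronger password", password_at_least(8, "atLeastAlphanumeric"))],
        3: [("minimum Android 10.0", os_at_least("10.0")),
            ("mobile threat defense / Defender required", threat_defense)],
    },
}


def evaluate(policy: dict, profile: str) -> Tuple[int, Dict[int, List[str]]]:
    """Return the highest level the policy fully satisfies and the unmet checks per level.

    A level only counts when every lower level is also met, so a policy that
    skips a Level 1 check cannot be reported as Level 2.
    """
    levels = FRAMEWORK[profile]
    achieved, gaps, blocked = 0, {}, False
    for level in sorted(levels):
        missing = [name for name, check in levels[level] if not check(policy)]
        gaps[level] = missing
        if missing:
            blocked = True
        elif not blocked:
            achieved = level
    return achieved, gaps


# Constructed sample exports (not real tenant data), shaped like a
# GET /deviceManagement/deviceCompliancePolicies/{id} response.
WORK_PROFILE_POLICY = {
    "@odata.type": "#microsoft.graph.androidWorkProfileCompliancePolicy",
    "passwordRequired": True, "passwordMinimumLength": 6, "passwordRequiredType": "numericComplex",
    "securityBlockJailbrokenDevices": True,
    "securityRequireSafetyNetAttestationBasicIntegrity": True,
    "securityRequireSafetyNetAttestationCertifiedDevice": True,
    "osMinimumVersion": "8.0",
    "deviceThreatProtectionEnabled": False,
}
FULLY_MANAGED_POLICY = {
    "@odata.type": "#microsoft.graph.androidDeviceOwnerCompliancePolicy",
    "passwordRequired": True, "passwordMinimumLength": 8, "passwordRequiredType": "atLeastAlphanumeric",
    "securityBlockJailbrokenDevices": True,
    "osMinimumVersion": "9.0",
    "deviceThreatProtectionEnabled": True, "deviceThreatProtectionRequiredSecurityLevel": "low",
}

if __name__ == "__main__":
    for name, policy, profile in (("work profile", WORK_PROFILE_POLICY, "workProfile"),
                                  ("fully managed", FULLY_MANAGED_POLICY, "fullyManaged")):
        level, gaps = evaluate(policy, profile)
        print(f"{name}: meets Level {level}; gaps: {{k: v for k, v in gaps.items() if v}}")
```

Run against a real export (for example the JSON returned by the Graph endpoint named in the comment), the gap list tells you which settings stand between the current policy and the next level; the cumulative rule matters because a tenant can easily have strong passwords and MTD configured while the OS floor is still unset.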


To see the specific recommendations for each configuration level, review http://aka.ms/aesecconfig.


As with any framework, the settings in a given level may need adjusting to the needs of the organization: the security team must weigh the threat environment, risk appetite, and impact on usability.


We hope this framework helps you when evaluating which Android Enterprise settings to deploy in your environment, or if you are transitioning away from Android device administrator. As always, if you have questions, please let us know.


Ross Smith IV
Principal Program Manager
Customer Experience Engineering

Updated Dec 19, 2023
Version 11.0

17 Comments

  • Justin Horne

    Ross Smith IV Thank you for this! We were able to get this to work following your guidance. We had already added it to Managed Google Play; however, even though we allow users to control all permissions, for some reason this app required us to create a Configuration Policy. Interestingly, the screenshot you show is actually a Device Policy, not an App Policy; however, once you start running through the settings, you get to the window you show. I'm not sure I get why this is a device policy and not an app policy, but regardless, it worked. So thank you!

  • Justin Horne, AndrewM80 - I checked with some others. Have you added the Smart Switch app via Managed Google Play and used app config to allow it to run? Also, there is a list of permissions the app needs on the device:

    The following permissions are required for the app service.
    [ Required permissions ]
    - Phone: Used to confirm your phone number
    - Call logs: Used to transfer call log data
    - Contacts: Used to transfer contacts data
    - Calendar: Used to transfer calendar data
    - SMS: Used to transfer SMS data
    - Storage: Used to save the files necessary for data transfer
    - Microphone: Used for high-frequency audio when searching for Galaxy devices.
    - Location: Used to connect Galaxy devices using Bluetooth.


  • Justin Horne

    Ross Smith IV We have the identical issue as AndrewM80. My device is a fully managed device as well. Under Corporate Device Policy, only the following policies apply:


    Maximum minutes of inactivity before password is required
    SecurityRequireSafetyNetAttestationCertifiedDevice
    Require a password to unlock mobile devices.
    SecurityRequireSafetyNetAttestationBasicIntegrity
    Required password type
    Encryption of data storage on device.
    Minimum password length


    This is our device configuration:


    PlayStoreMode
    Threat scan on apps
    Factory reset
    System update
    Number of sign-in failures before wiping device
    App auto-updates
    Time to lock screen
    Minimum password length
    Required password type


    Any idea why this app is being blocked? We've had a ticket open with MS for several weeks now and they have not been able to assist either.

    Thanks!

  • AndrewM80 Assuming Smart Switch is https://www.samsung.com/us/smart-switch/, my guess is that your Fully Managed device has one or more of the policies disabled that prevent USB or wireless transfer scenarios:
    - USB file transfer
    - External media
    - Tethering and access to hot spots
    - Wi-Fi access point configuration

    There may be other settings involved. The documentation is fairly sparse on that app.

  • AndrewM80

    Hi,

    I cannot use Smart Switch on any of my Fully managed enrolled devices. It prompts the following: "Security Policy restricts use of Smart Switch"

    Any ideas would be greatly appreciated.

    Kind regards

  • Deleted - No, APP is not deprecated and is completely supported in the work profile and should be used to ensure data is isolated in the event multi-identity apps are used where personal accounts cannot be restricted (in addition to all the other benefits APP provides, e.g., preventing printing, cut/copy/paste, Save As, managed browser controls, etc.).

  • Anonymous

    Is APP protection deprecated in favor of Android Enterprise work profile for BYOD Android devices? (Of course, Android Enterprise work profiles are https://support.google.com/work/android/answer/6174145?hl=en&ref_topic=6151012)

    Is https://docs.microsoft.com/en-us/mem/intune/fundamentals/byod-technology-decisions still valid (last update: 2017)?