Microsoft

As mobile usage becomes more prevalent, so does the need to protect your work or school data on those devices. One method used to protect that data is through device enrollment. Device enrollment enables organizations to deploy compliance policies (PIN strength, root validation, etc.), as well as configuration policies (Wi-Fi, certificates, VPN, etc.). Device enrollment also enables organizations to manage app lifecycle.

 

With Android 5.0, Google introduced a new management profile with managed device (device owner) and work profile (profile owner) modes, which are now collectively known as Android Enterprise.

 

Android Enterprise supports several enrollment scenarios, two of which are covered as part of this framework:

  • Android Enterprise work profile – this enrollment model is typically used for personally-owned devices, where IT wants to provide a clear separation boundary between work and personal data. Policies controlled by IT ensure that the work data cannot be transferred into the personal profile.
  • Android Enterprise fully managed devices – these devices are corporate-owned, associated with a single user, and used exclusively for work and not personal use.

When configuring device compliance and configuration policies, the number of settings and options enables organizations to tailor the protection to their specific needs. Due to this flexibility, it may not be obvious which permutation of policy settings is required to implement a complete scenario. To help organizations prioritize client endpoint hardening, Microsoft has introduced a new taxonomy for security configurations in Windows 10, and Intune is leveraging a similar taxonomy for its Android Enterprise security configuration framework.

 

The Android Enterprise security configuration framework is organized into several distinct configuration scenarios, providing guidance for work profile and fully managed scenarios.

 

For Android Enterprise work profile devices:

  • Work profile basic security (Level 1) – Microsoft recommends this configuration as the minimum security configuration for personal devices where users access work or school data. This configuration introduces password requirements, separates work and personal data, and validates Android device attestation.
  • Work profile high security (Level 3) – Microsoft recommends this configuration for devices used by specific users or groups who are uniquely high risk (users who handle highly sensitive data where unauthorized disclosure causes considerable material loss to the organization). This configuration introduces mobile threat defense or Microsoft Defender ATP, sets the minimum Android version to 8.0, enacts stronger password policies, and further restricts work and personal separation.

Note: Due to the settings available in Android Enterprise work profile, there is no enhanced security (Level 2) offering. The available settings did not justify a difference between Level 1 and Level 2 and there is a need to maintain consistency with the configuration framework nomenclature across platforms.

 

For Android Enterprise fully managed devices:

  • Fully managed basic security (Level 1) – Microsoft recommends this configuration as the minimum security configuration for an enterprise device. This configuration is applicable to most mobile users accessing work or school data. This configuration introduces password requirements, sets the minimum Android version to 8.0, and enacts certain device restrictions.
  • Fully managed enhanced security (Level 2) – Microsoft recommends this configuration for devices where users access sensitive or confidential information. This configuration enacts stronger password policies and disables user/account capabilities.
  • Fully managed high security (Level 3) – Microsoft recommends this configuration for devices used by specific users or groups who are uniquely high risk (users who handle highly sensitive data where unauthorized disclosure causes considerable material loss to the organization). This configuration increases the minimum Android version to 10.0, introduces mobile threat defense or Microsoft Defender ATP, and enforces additional device restrictions.

Note: The framework is designed with the understanding that organizations own the Android Enterprise fully managed devices.
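As an added illustration (not part of the original post and not Microsoft tooling), the sketch below audits exported compliance policies for drift from the levels summarized above. The field names follow Microsoft Graph compliance-policy properties; the export shape, the `mode` and `level` tags, and the sample policies are assumptions made for this example.

```python
# Thresholds come from the framework summary above; settings it does not quantify
# (password length, individual restrictions) are not checked. Assumes levels are cumulative.
BASELINE = {
    ("work_profile", 1): {"min_os": None, "attestation": True, "threat_defense": False},
    ("work_profile", 3): {"min_os": "8.0", "attestation": True, "threat_defense": True},
    ("fully_managed", 1): {"min_os": "8.0", "attestation": False, "threat_defense": False},
    ("fully_managed", 2): {"min_os": "8.0", "attestation": False, "threat_defense": False},
    ("fully_managed", 3): {"min_os": "10.0", "attestation": False, "threat_defense": True},
}

def parse_version(text):
    """'10.0' -> (10, 0, 0). Comparing raw strings would rank '10.0' below '8.0'."""
    parts = [int(p) for p in str(text).strip().split(".")]
    return tuple(parts + [0] * (3 - len(parts)))

def audit(policy):
    """Return findings for one policy; an empty list means it meets its level."""
    want = BASELINE.get((policy.get("mode"), policy.get("level")))
    if want is None:
        return ["no framework level defined for this mode/level"]
    findings = []
    if not policy.get("passwordRequired"):
        findings.append("password not required")
    if want["min_os"]:
        have = policy.get("osMinimumVersion")
        try:
            if not have:
                findings.append(f"no minimum OS set (want {want['min_os']})")
            elif parse_version(have) < parse_version(want["min_os"]):
                findings.append(f"minimum OS {have} is below {want['min_os']}")
        except ValueError:
            findings.append(f"unparseable minimum OS {have!r}")
    if want["attestation"] and not policy.get("securityRequireSafetyNetAttestationBasicIntegrity"):
        findings.append("device attestation not required")
    if want["threat_defense"] and not policy.get("deviceThreatProtectionEnabled"):
        findings.append("mobile threat defense not required")
    return findings

# Constructed sample export; "mode" and "level" are hypothetical tags added by the auditor.
SAMPLE = [
    {"displayName": "FM-L3", "mode": "fully_managed", "level": 3, "passwordRequired": True,
     "osMinimumVersion": "8.0", "deviceThreatProtectionEnabled": True},
    {"displayName": "WP-L1", "mode": "work_profile", "level": 1, "passwordRequired": True,
     "securityRequireSafetyNetAttestationBasicIntegrity": True},
    {"displayName": "WP-L2", "mode": "work_profile", "level": 2, "passwordRequired": True},
]

if __name__ == "__main__":
    for p in SAMPLE:
        print(p["displayName"], audit(p) or "meets baseline")
```

The work profile Level 2 sample is rejected on purpose, since the framework defines no such level.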

 

To see the specific recommendations for each configuration level, review the Android Enterprise Security Configuration Framework.

 

As with any framework, settings within a corresponding level may need to be adjusted based on the needs of the organization, as security must evaluate the threat environment, risk appetite, and impact on usability.

 

We hope this framework helps you when evaluating what Android Enterprise settings to deploy in your environment, or if you are transitioning away from Android device administrator. As always, if you have questions, please let us know. 

 

Ross Smith IV
Principal Program Manager
Customer Experience Engineering

10 Comments
Occasional Contributor

Is APP protection deprecated in favor of Android Enterprise work profile for BYOD Android devices? (Of course, Android Enterprise work profiles are supported on only certain Android devices.)

Is https://docs.microsoft.com/en-us/mem/intune/fundamentals/byod-technology-decisions still valid (last update: 2017)?

Microsoft

@Rafał Fitt - No, APP is not deprecated and is completely supported in the work profile and should be used to ensure data is isolated in the event multi-identity apps are used where personal accounts cannot be restricted (in addition to all the other benefits APP provides, e.g., preventing printing, cut/copy/paste, Save As, managed browser controls, etc.).

New Contributor

Hi,

 

I cannot use Smart Switch in all my Fully managed enrolled devices. Prompts the following "Security Policy restricts use of Smart Switch"

 

Any ideas would be greatly appreciated.

 

Kind regards

Microsoft

@AndrewM80 Assuming Smart Switch is https://www.samsung.com/us/smart-switch/, my guess is that your Fully Managed device has one or more of the policies disabled that prevents USB or wireless transfer scenarios:
- USB file transfer
- External media
- Tethering and access to hot spots
- Wi-Fi access point configuration

 

There may be other settings involved. The documentation is fairly sparse on that app.

Occasional Contributor

@Ross Smith IV  we have the identical issue as @AndrewM80. My device is a fully managed device as well. Under Corporate Device Policy, only the following policies apply:

 

Maximum minutes of inactivity before password is required
SecurityRequireSafetyNetAttestationCertifiedDevice
Require a password to unlock mobile devices.
SecurityRequireSafetyNetAttestationBasicIntegrity
Required password type
Encryption of data storage on device.
Minimum password length

 

This is our device configuration:

 

PlayStoreMode
Threat scan on apps
Factory reset
System update
Number of sign-in failures before wiping device
App auto-updates
Time to lock screen
Minimum password length
Required password type

 

Any idea why this app is being blocked? We've had a ticket open with MS for several weeks now and they have not been able to assist either.

 

Thanks!

Microsoft

@Justin Horne, @AndrewM80 - I checked with some others. Have you added the Smart Switch app via Managed Google Play and used app config to allow it to run? Also, there is a list of perms the app needs on the device:


The following permissions are required for the app service.
[ Required permissions ]
. Phone: Used to confirm your phone number
. Call logs: Used to transfer call log data
. Contacts: Used to transfer contacts data
. Calendar: Used to transfer calendar data
. SMS: Used to transfer SMS data
. Storage: Used to save the files necessary for data transfer
. Microphone: Used for high-frequency audio when searching for Galaxy devices.
. Location: Used to connect Galaxy devices using Bluetooth.

 

sam.PNG

Occasional Contributor

@Ross Smith IV  Thank you for this! We were able to get this to work following your guidance. We had already added it to Managed Google Play, however even though we allow users to control all permissions, for some reason this app required us to create a Configuration Policy. Interestingly, the screenshot you show is actually a Device Policy not an App Policy, however once you start running through the settings, you get to the window you show. I'm not sure I get why this is a device policy and not app, but regardless it worked. So thank you!

New Contributor

@Ross Smith IV  You are a legend. @Justin Horne thank you for following this up with a more descriptive detail. Smart Switch is now working for all our Fully managed devices. Really appreciate this and thank you again.

Microsoft

@AndrewM80 , @Justin Horne - glad we were able to resolve this issue for you! :)

New Contributor

Thank you so much for your post! Without this I would have been lost for hours banging my head against a table, ha ha! I had to get a phone swapped for a worker today pretty urgently and whilst Smart Switch previously worked no problem, suddenly with this new phone it had the error mentioned (I guess something has changed in the meantime since I last did a phone upgrade, or maybe it's related to the model of phone).

 

Regards,

John