Announcing the Android Enterprise security configuration framework
Published Jun 29 2020 12:12 PM
Microsoft

As mobile usage becomes more prevalent, so does the need to protect your work or school data on those devices. One method of protecting that data is device enrollment. Device enrollment enables organizations to deploy compliance policies (PIN strength, root validation, etc.) as well as configuration policies (Wi-Fi, certificates, VPN, etc.), and it also enables organizations to manage the app lifecycle.


With Android 5.0, Google introduced a new management model with the managed device (device owner) and work profile (profile owner) modes, collectively known today as Android Enterprise.


Android Enterprise supports several enrollment scenarios, two of which are covered as part of this framework:

  • Android Enterprise work profile – this enrollment model is typically used for personally-owned devices, where IT wants to provide a clear separation boundary between work and personal data. Policies controlled by IT ensure that the work data cannot be transferred into the personal profile.
  • Android Enterprise fully managed devices – these devices are corporate-owned, associated with a single user, and used exclusively for work and not personal use.

When configuring device compliance and configuration policies, the large number of settings and options enables organizations to tailor the protection to their specific needs. Because of this flexibility, it may not be obvious which combination of policy settings is required to implement a complete scenario. To help organizations prioritize client endpoint hardening, Microsoft has introduced a new taxonomy for security configurations in Windows 10, and Intune is applying a similar taxonomy in its Android Enterprise security configuration framework.


The Android Enterprise security configuration framework is organized into several distinct configuration scenarios, providing guidance for work profile and fully managed scenarios.


For Android Enterprise work profile devices:

  • Work profile enhanced security (Level 2) – Microsoft recommends this configuration as the minimum security configuration for personal devices where users access work or school data. This configuration introduces password requirements, separates work and personal data, and validates Android device attestation.
  • Work profile high security (Level 3) – Microsoft recommends this configuration for devices used by specific users or groups who are uniquely high risk (users who handle highly sensitive data where unauthorized disclosure causes considerable material loss to the organization). This configuration introduces mobile threat defense or Microsoft Defender ATP, sets the minimum Android version to 8.0, enacts stronger password policies, and further tightens the separation between work and personal data.

Note: Because of the settings available in Android Enterprise work profile, there is no basic security (Level 1) offering. The available settings did not justify a distinction between Level 1 and Level 2, and the level numbering is kept consistent with the configuration framework nomenclature used across platforms.


For Android Enterprise fully managed devices:

  • Fully managed basic security (Level 1) – Microsoft recommends this configuration as the minimum security configuration for an enterprise device. This configuration is applicable to most mobile users accessing work or school data. This configuration introduces password requirements, sets the minimum Android version to 8.0, and enacts certain device restrictions.
  • Fully managed enhanced security (Level 2) – Microsoft recommends this configuration for devices where users access sensitive or confidential information. This configuration enacts stronger password policies and disables user/account capabilities.
  • Fully managed high security (Level 3) – Microsoft recommends this configuration for devices used by specific users or groups who are uniquely high risk (users who handle highly sensitive data where unauthorized disclosure causes considerable material loss to the organization). This configuration increases the minimum Android version to 10.0, introduces mobile threat defense or Microsoft Defender ATP, and enforces additional device restrictions.

Note: The framework is designed with the understanding that organizations own the Android Enterprise fully managed devices.


To see the specific recommendations for each configuration level, review the Android Enterprise Security Configuration Framework.


As with any framework, settings within a given level may need to be adjusted to the needs of the organization, since the security team must weigh the threat environment, risk appetite, and impact on usability.


We hope this framework helps you when evaluating which Android Enterprise settings to deploy in your environment, or if you are transitioning away from Android device administrator. As always, if you have questions, please let us know.


Ross Smith IV
Principal Program Manager
Customer Experience Engineering

16 Comments
Deleted
Not applicable

Is APP protection deprecated in favor of Android Enterprise work profile for BYOD Android devices? (Of course, Android Enterprise work profiles are supported only on certain Android devices.)

Is https://docs.microsoft.com/en-us/mem/intune/fundamentals/byod-technology-decisions still valid (last update: 2017)?

Microsoft

@Deleted - No, APP is not deprecated and is completely supported in the work profile and should be used to ensure data is isolated in the event multi-identity apps are used where personal accounts cannot be restricted (in addition to all the other benefits APP provides, e.g., preventing printing, cut/copy/paste, Save As, managed browser controls, etc.).

Copper Contributor

Hi,


I cannot use Smart Switch on any of my Fully managed enrolled devices. It prompts the following: "Security Policy restricts use of Smart Switch"


Any ideas would be greatly appreciated.


Kind regards

Microsoft

@AndrewM80 Assuming Smart Switch is https://www.samsung.com/us/smart-switch/, my guess is that your Fully Managed device has one or more of the policies disabled that prevent USB or wireless transfer scenarios:

  • USB file transfer
  • External media
  • Tethering and access to hot spots
  • Wi-Fi access point configuration


There may be other settings involved. The documentation is fairly sparse on that app.

Copper Contributor

@Ross Smith IV we have the identical issue as @AndrewM80. My device is a fully managed device as well. Under Corporate Device Policy, only the following policies apply:


  • Maximum minutes of inactivity before password is required
  • SecurityRequireSafetyNetAttestationCertifiedDevice
  • Require a password to unlock mobile devices
  • SecurityRequireSafetyNetAttestationBasicIntegrity
  • Required password type
  • Encryption of data storage on device
  • Minimum password length


This is our device configuration:


  • PlayStoreMode
  • Threat scan on apps
  • Factory reset
  • System update
  • Number of sign-in failures before wiping device
  • App auto-updates
  • Time to lock screen
  • Minimum password length
  • Required password type


Any idea why this app is being blocked? We've had a ticket open with MS for several weeks now and they have not been able to assist either.


Thanks!

Microsoft

@Justin Horne, @AndrewM80 - I checked with some others. Have you added the Smart Switch app via Managed Google Play and used app config to allow it to run? Also, there is a list of permissions the app needs on the device:


The following permissions are required for the app service.

[ Required permissions ]
  • Phone: Used to confirm your phone number
  • Call logs: Used to transfer call log data
  • Contacts: Used to transfer contacts data
  • Calendar: Used to transfer calendar data
  • SMS: Used to transfer SMS data
  • Storage: Used to save the files necessary for data transfer
  • Microphone: Used for high-frequency audio when searching for Galaxy devices
  • Location: Used to connect Galaxy devices using Bluetooth


Copper Contributor

@Ross Smith IV Thank you for this! We were able to get this to work following your guidance. We had already added it to Managed Google Play; however, even though we allow users to control all permissions, for some reason this app required us to create a Configuration Policy. Interestingly, the screenshot you show is actually a Device Policy, not an App Policy; however, once you start running through the settings, you get to the window you show. I'm not sure I get why this is a device policy and not app, but regardless it worked. So thank you!

Copper Contributor

@Ross Smith IV You are a legend. @Justin Horne thank you for following this up with more descriptive detail. Smart Switch is now working for all our Fully managed devices. Really appreciate this and thank you again.

Microsoft

@AndrewM80 , @Justin Horne - glad we were able to resolve this issue for you! :)

Brass Contributor

Thank you so much for your post! Without this I would have been lost for hours banging my head against a table, ha ha! I had to get a phone swapped for a worker today pretty urgently and whilst Smart Switch previously worked no problem, suddenly with this new phone it had the error mentioned (I guess something has changed in the meantime since I last did a phone upgrade, or maybe it's related to the model of phone).


Regards,

John

Copper Contributor

@Ross Smith IV Thanks a lot for the solution to get Samsung Smart Switch working.


Is there any update making the Google Backup / Samsung Backup available as a configurable option in Intune?

This would be a lifesaver for Android Fully Managed adoption in our company.


Regards, Jeroen Dijkman

Copper Contributor

@Ross Smith IV As per your response above, permissions were amended in our previously working app configuration policy. But we are still unable to open Smart Switch on fully managed devices.

Any suggestions?


Copper Contributor

@NicPepin 

Which version of Android are you using? I found this policy only working from version 9 and higher.

Copper Contributor

We have been able to use the Samsung Cloud app to do the backup and restore on the Android Fully Managed devices. For us it is an added value compared to Smart Switch in case someone loses his phone.

We did the following:


  • Create and add a Samsung account on the device.
  • When the account is added, you should be able to sign in to the Samsung Cloud app.
  • Within the app you can configure the backup and restore.
  • Within the settings of the app you need to tick a box to make the icon visible.

We use this for now as a workaround until the integrated backup and restore becomes available.


regards,


Jeroen Dijkman

Copper Contributor

@JeroenDijkman this is indeed the problem; it functions on our Android 9+ devices.


However, what I cannot comprehend is why. We have 120 new devices just sitting here, because we cannot migrate user data from our old model phone to the new model.

Unfortunately, due to PIPEDA we cannot use Samsung Cloud.


So I'm just kind of wondering what solution Microsoft can provide for a solution that has been working for 3+ years and now does not. Is the only solution to cancel our Microsoft Intune subscription and migrate back to AirWatch?

Copper Contributor

Hi Ross,


Can this be done on devices that are enrolled via Corporate-Owned Dedicated Devices?


If so, do I need to create a Managed App or a Managed Devices config policy?


Many thanks in advance,

Andrew Maybir

Last update: Dec 19 2023 01:24 PM