Google, last week, announced the Android Q beta, taking the wraps off of new features in the next version of Android. Today, it’s time to dig in and see what’s new.
Here’s a bit of context: First, as these are beta features, they will change. And second, as many OEMs take time to distribute upgrades, it might be a while until you see these features pop up in your user base.
But the more important context is that Android Enterprise is almost five years old. Every Android device in your environment has plenty of mature management features already, and the Android Enterprise Recommended program offers additional validation.
Important Android Q features
Let’s start with general Android features that will affect enterprise users. I’m pulling these from Google’s announcement blog post and developer documentation. The big themes are user privacy, and continuing to tame what apps are allowed to do and how they can do it.
In 2016, Android 6.0 Marshmallow replaced the blanket permissions that users would grant apps at installation with runtime permissions. Now in Android Q, runtime permissions expand to apply to photos, video, and audio access, as well as the Activity Recognition API. Location permissions are more granular, with options to give apps access all the time, only when the app is in use, or never.
Speaking of location, Android Q is also tightening up certain aspects of Bluetooth, Wi-Fi, and cellular data, as well as photo metadata, so that these alternatives for location tracking get protection, too.
Android Q has various new ways of protecting data. Apps cannot silently read the screen buffer, and background apps can’t read the clipboard. Access to things like device serial numbers and IMEIs is limited, and MAC addresses are randomized by default. And apps have to use the system file picker, among other storage changes. Apps can’t launch activities while they’re in the background, and suspended apps are not allowed to play audio.
To help all this along, Android Q is continuing the process of locking down non-public APIs, which began in 9.0 Pie. At some point, all apps submitted to the Play Store will have to target at least 9.0, and devices will display a warning when apps target Android versions older than 6.0.
The results of all of this? More predictable and better behaved apps, and fewer opportunities for malware. (For some more context on actual rates of mobile malware in the enterprise, check out our recent series on mobile threat defense metrics.)
Android Enterprise in Android Q
On the surface, many of the Android Enterprise updates in Q seem incremental, but as I said before, that’s a good thing—it’s a sign of maturity. Check out this slide (below) from the recent Android Enterprise Summit in New York, which summarizes all the major features.
This is in contrast to iOS, which I believe has some significant gaps that affect BYOD and COPE use cases.
Anyway, here’s the full list, pulled directly from developer.android.com. Some of these items are down in the weeds, and more of interest to developers at EMM vendors, but I’m putting them all here for the sake of completeness. You can find links to more Android Enterprise documentation in our EMM resources guide.
Work profile provisioning for company-owned devices: You can now use NFC, QR codes, or zero-touch to provision corporate devices that just need a work profile. This could be useful somewhere that has a fairly liberal COPE policy.
Work-profile device-ID attestation: This is for zero-touch work profiles, as described above. It uses hardware features like TEE or a secure element.
Access to work profile calendars (from the work profile): This is one more step in blending work and personal. There are always more details to figure out, so these refinements will keep coming. Naturally, admins can control this via policy.
Work profile, device-wide unknown sources: It was already possible to have a work profile block unknown sources on the host device, but this gives a new option that doesn’t require Google Play services. This issue reared its head back when the Fortnite app came out, and has the potential to affect BYOD policies in the future, but everyone agrees that blocking unknown sources is a good basic policy.
Limit permitted input devices to work profiles: This should be self-explanatory; it’s another way of adding more granularity to the BYOD/COPE experience.
Manual system update installation: On fully managed devices, you can schedule OS updates. Several OEMs have offered this for a while, so it’s an example of a feature coming into the core Android experience, giving OEMs time to do work on other things (see OEMConfig and Samsung, for example).
EAP Wi-Fi provisioning: On fully managed devices, you can include EAP information (including credentials and certificates) in QR code and NFC provisioning workflows.
Private DNS support: For fully managed devices. Also known as DNS over TLS.
VPN improvements: Including VPN lockdown mode exemption, HTTP proxy support in VPN apps, and VPN service modes.
New delegation scopes: EMM agents (or DPCs) can delegate certain tasks to other apps. Android Q adds options for network activity logging, certificate selection, and package installation.
Deprecation of device admin: By now you’re probably familiar with this, as this is the big one and we’ve talked about it before. Pre-Android Enterprise management techniques are out; but unless you have some older devices or haven’t updated your EMM software in years, you’ve probably started to make the transition already. Jason Bayton has some good resources if you haven’t started.
Screen lock quality check: This is a way for apps to do a type of device attestation check, as Kyle covered recently. It’s also a good way for developers to avoid a double hop (unlocking the device and then unlocking the app).
Keychain improvements: Certificate selection should be easier.
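For the EAP Wi-Fi provisioning item above, here is an added example (not from Google's documentation or any EMM vendor) of a pre-flight check an admin could run on a QR provisioning payload before printing it. It assumes the payload is the usual JSON object of `android.app.extra.PROVISIONING_*` extras; the function name, finding labels, and both sample payloads are constructed for illustration.

```python
import json

PREFIX = "android.app.extra.PROVISIONING_WIFI_"

def lint_eap_payload(payload_json):
    """Return a sorted list of findings for the EAP Wi-Fi part of a QR payload."""
    extras = json.loads(payload_json)
    wifi = {k[len(PREFIX):]: v for k, v in extras.items() if k.startswith(PREFIX)}
    if wifi.get("SECURITY_TYPE") != "EAP":
        return []  # this check only covers EAP networks
    findings = []
    method = wifi.get("EAP_METHOD", "")
    # Without a CA certificate the device cannot authenticate the RADIUS server.
    if not wifi.get("CA_CERTIFICATE"):
        findings.append("no-ca-certificate")
    # Without a domain constraint, any server certificate from that CA is accepted.
    if not wifi.get("DOMAIN"):
        findings.append("no-server-domain")
    # A QR code is plaintext to anyone who can photograph it.
    if wifi.get("PASSWORD"):
        findings.append("password-in-cleartext-qr")
    # EAP-TLS authenticates the device with a client certificate.
    if method == "TLS" and not wifi.get("USER_CERTIFICATE"):
        findings.append("tls-without-client-certificate")
    # In tunnelled methods the outer identity travels unencrypted.
    if method in ("PEAP", "TTLS") and wifi.get("IDENTITY") \
            and not wifi.get("ANONYMOUS_IDENTITY"):
        findings.append("identity-exposed-in-outer-eap")
    return sorted(findings)

# Constructed sample payloads; all values are placeholders.
WEAK = json.dumps({
    PREFIX + "SSID": "corp-wifi",
    PREFIX + "SECURITY_TYPE": "EAP",
    PREFIX + "EAP_METHOD": "PEAP",
    PREFIX + "PHASE2_AUTH": "MSCHAPV2",
    PREFIX + "IDENTITY": "kiosk01@example.com",
    PREFIX + "PASSWORD": "example-password",
})
HARDENED = json.dumps({
    PREFIX + "SSID": "corp-wifi",
    PREFIX + "SECURITY_TYPE": "EAP",
    PREFIX + "EAP_METHOD": "TLS",
    PREFIX + "DOMAIN": "radius.example.com",
    PREFIX + "CA_CERTIFICATE": "<CA certificate placeholder>",
    PREFIX + "USER_CERTIFICATE": "<client certificate placeholder>",
})

if __name__ == "__main__":
    print("weak:", lint_eap_payload(WEAK))
    print("hardened:", lint_eap_payload(HARDENED))
```
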
The elevator recap
If somebody in your organization asks you what’s new in Android, you can tell them this: Android Enterprise is in almost all devices, and is very good. Everybody in the industry agrees that it was done the right way, and in Q, it’s getting refined.
Android Q is taking a lot of steps to tighten up privacy and apps. But overall, the Android ecosystem is way different than it was three, five, or 10 years ago. Anyone who hasn’t paid much attention to it should be sure to get up to speed on the current state.