Android 12 for Enterprise: Everything You Need to Know

Android 12 as also implemented some changes that need to be considered from an enterprise perspective to ensure a smooth transition and maintain security and control.

• Android Enterprise with Work Profile:
  For Bring Your Own Device (BYOD) deployments where the device is personally owned. Allows user to use their personal device at work, access their work mail, apps, etc. without compromising security.

• Android Enterprise Fully Managed:
  For Corporate Owned Business Only (COBO) deployments where full control over device and data is required with little to no room for private usage. Typically for regulated environments (Federal administration, government, etc.)

• Enhanced Work Profile (EWP):
  For Corporate Owned Personally Enabled (COPE) deployments where device belongs to the company and is fully enterprise-managed/controlled but leaves the user with a wall-garden for their private apps and data, providing a good balance between BYOD and COBO without compromising corporate data security. It was introduced with Android 11 to replace Android Enterprise Fully Managed with Work Profile.

However, there are relevant security and privacy enhancements available for all of them.

• New enrollment-specific ID will be used to uniquely identify a Work profile enrollment within a specific organization, for both private or corporate-owned devices, and will remain unchanged even after a factory reset/wipe. This will help avoid device records duplication while still allowing to keep track of devices across enrollments, ensuring easier and more accurate lifecycle management. Additionally, for privacy reasons, access to other device-unique hardware identifiers (e.g., IMEI, MEID, serial number) will be removed for personal devices, ensuring these identifiers will never be visible nor stored on any corporate system, such as UEM solution software.

Specific permissions to access sensitive data source can be granted for each Work profile app by the end-user, unless explicitly denied by their IT administrator. These include location, camera, microphone, body sensor, and physical activity.

• USB can be now disabled by the IT administrator, except for charging functions, to try to avoid any possible data leak or malicious attack through this point of entry (read our article here for more information about security risks associated with USB)

• Privacy and transparency enhancements: Allow IT administrator to decide whether to manage or opt out of managing sensor-related permissions for fully managed devices, leaving the user to be prompt and accept/deny permission when apps are first used; IT administrator can always deny permissions.
  
  
• Network configuration: Device Policy Controller (DPC), which is the software piece on the device that allows you to manage Android Enterprise devices using an EMM/UEM solution software, can now retrieve a list of configured Wi-Fi networks without requiring the Location permission. On personal devices, only Work networks are retrieved; on fully managed devices, DPC can additionally ensure that only corporate-approved networks are configured.

The first supported device will be the upcoming Pixel 6 and the upgrade to the existing Google Pixel phone lineup. Other Android devices will get their Android 12 updates pushed out as it becomes available pending OEM and carrier approval throughout the year.

(C) Rémi Frédéric Keusseyan, Global Head of Training, ISEC7 Group