unmanaged but secured – how mobile application management support your enterprise

while ios and android offer more and more deep api to securely managed a mobile device and integrate into enterprise – apple utilize restrictions to natively separate managed from unmanaged content – android buildin work container on every device to secure enterprise data – both offer enrollment program to easiely intergrate the devices to management system

but there a argument to not rely on device management api – ios lack unfinished restriction of unmanaged/managed data, it is possible to bypass limitation under certain conditions – android depricated existing device admin feature in favor of android enterprise technology, but new container ui/ux isn’t consitant between different os releases and lack of some existing features, e.g. private/business calender overlay

privacy is a main point to offer a byod solution for your employees, ios managed devices could report your installed app and fully wipe even your private data (until user-enrollment was released), android enterprise addressed this from the very first, apple introduced user-erollment to address privacy concerns for byod deployments

usablity is the other big point to address for your users – while apple provide the ability to use business data within ios native applications, android lack of a consistant look and feel between os releases and different management api, batch icons differ at different releases and espesially samsung devices – to ease support provide the same email app across both mobile os

mobile application management also named non-MDM managed your data within an app or a entire framework, the app is’t capable to control your device, e.g. to enforce device pin or encryption – major mdm vendor like airwatch, mobileiron, blackberry formerly good and citrix provide a framework to secure your data over serveral productivity apps, without the need to rely on device api

microsoft offer with it’s office 365 apps the capability to secure business data with app protection policies without the need to enroll your device to a unified endpoint management, 3rd party mdm could optinally integrate these features with graph api

when it comes to enterpise integration with full device vpn support, certificate authentication or kiosk (single use) devices there is no way around a uem solution

don’t be a fool, select your prefered solution, based on the requirement for each usecase

android (almost) enterprise

…launched in 2015, renamed in 2017 from android for work and now it’s time for enterprises to adopt android’s modern device management

approach of google to manage devices, regardless of any vendor, to better integrate android in enterprise

device admin api’s started deprecating some features, emm system unable to reset device passcode for android 7.0 devices, google will deprecate further in android “p” release in 2018 and stop working with major release of android in 2019

not yet – tested a lot of android’s feature to get a markable footprint in enterprise, realized use cases to bring value for customers but unfortunately android enterprise can’t replace device admin, that’s why…

enrollment – apple’s devices can centralized ordered, prepared and assigned to an emm system via dep (device enrollment program) – google’s pendant zero touch enrollment is currently just available for android 8.1 and pixel devices – samsung got it’s own knox mobile enrollment (kme) which depends on the installed knox version and is for sure just available for samsung devices – a fully managed samsung device via android device owner needs at least knox version 2.8, otherwise you need to prepare all devices locally via qrcode or nfc

certificate authentication is a basic requirement for a secure enterprise deployment, with am emm you’re able to enroll client certificates and distribute via android enterprise to mobile devices – but with current emm tools it’s further possible to achieve a seamless authentication with kerberos constrained delegation, the continuous synchronisation is provided even a user change his password

vpn started a full device tunnel for windows notebooks, beginning with ios is was possible to configure dynamic vpn based on domain rules, even vpn connection can secure a single app, with android enterprise it is possible to setup the vpn just for work content – was missing? a simple “on demand” could stop draining battery life from “always on” vpn or prohibit mistakes if forgot to “manually” enable it

reliability – inconsistent experience noticed – depending of build version, huawei ignore that device passcode is already set – lenovo yoga missing android enterprise enrollment capability – when sending a (private) picture via (secure) mail, login to work container, attachment lost in mail – honor device completly ignore passcode policy for work container – convert phone number to link in gmail is just working sometimes @theverge 

use cases could realized with android enterprise, e.g. silent app and unattended certificate installation is possible for non-samsung devices could , comparing to device admin, but there’s space for improvement…