Tag: emm

google

android bloatware in business

matthias mader

android device arrive with alot of preinstalled app like facebook, flipboard, skype and for sure google service (youtube,maps,gmail,etc.) – for private use this is anoying, but for business it is essential to secure the usecase

android enterprise

when enabling Android Enterprise for Kiosk/Company devices, during setup the default apps could be disabled with this switch – PROVISIONING_LEAVE_ALL_SYSTEM_APPS_ENABLED – Samsung offers this with it’s KNOX Mobile Enrollment and google with buildin zero-touch service

be aware that you loose the native camera app if your usecase require one

device management

after your device is enrolled in mobile device managment system (emm, uem or whatever) your able to restrict installed apps by package name, apps differ from device manufaturer and os level, package names also useful to arrange/allow in kiosk setup, for samsung XCover4s these are:

  • com.samsung.android.messaging
  • com.sec.android.app.samsungapps
  • com.samsung.android.calendar
  • com.samsung.android.email.provider
  • com.sec.android.app.myfiles
  • com.sec.android.gallery3d
  • com.sec.android.app.clockpackage.clockpackage
  • com.sec.android.app.clockpackage.alarm.alarmalert
  • com.google.android.gm
  • com.google.android.youtube
  • com.google.android.googlequicksearchbox
  • com.sec.android.app.fm
  • com.google.android.apps.maps
  • com.samsung.android.contacts
  • com.samsung.android.dialer
  • com.samsung.android.game.gamehome
  • com.sec.factory.camera
  • com.sec.android.app.camera
  • com.sec.android.app.clockpackage
  • com.sec.android.app.sbrowser
  • com.microsoft.skydrive
  • com.facebook.katana

adb tools

remove bloatware from a single device or find from from a reference device locally connected

  1. install USB drivers for your device
  2. download & install ADB tools
  3. enable Developer Options & USB debugging
  4. plug in your device into the computer
  5. open a terminal and type: adb devices
  6. will return the ID of your device
  7. in adb shell with: adb shell
  8. list all installed packages: pm list packages
  9. to remove packages type: pm uninstall -k -user 0 <package name>

take care to not disable system critical apps of android, check here

apple, google, microsoft, security

unified endpoint management

matthias mader

today’s employees use at least two or more devices to do daily work on various os at different versions – it is time for a new class of tools – unified endpoint management (uem) combine the management of multiple endpoint types in a single console

evolution

from pc configuration lifecycle management (pcclm) via client management tools (cmt) to unified endpoint management (uem) – companies listed in the client management tools magic quadrant already transformed, other a overruled

content

emm

while enterprise mobility management (emm) is highly competitive and rapidly transforming — for instance, good technology, which was in gartner’s magic quadrant in 2015, was acquired by blackberry, airwatch was acquired by vmware in 2014 – emm contains of:

  • mobile device management (mdm)
  • mobile application management (mam)
  • mobile identity (mi)
  • mobile content management (mcm)

uem combine cmt + emm + iot

benefit

  1. reduce it management cost – a single tool
  2. improved security – get the best of both
  3. better insights – reporting
  4. prepared – enterprise of things

gartner

magic quadrant reports the ability to execute and completeness of vision for vendors – read full report here

Magic Quadrant for Unified Endpoint Management Tools

tco

according to gartner research, the annual tco of a fully managed smartphone using emm is almost
80% lower than the annual tco of a fully managed desktop using cmt

@mobileiron

apple, innovation, technology

defer ios updates

matthias mader

ios12 was announced and demonstrated at wwdc, beta started at june 19th and public beta followed at june 25th

since ios 11.3 it is possible to surpress ios update on managed devices – cause you want to test new releases in your infrastructure – ensure that all of your productivity apps running fine with the new version

it is mandatory that those devcies are supervised, setup with apple device enrollment program or enabled with apple configurator

appleconfigurator

with current emm vendor it is possible to simply enable/disable this value – otherwise configure a profile in apple configurator, either send it via mail or upload to enterprise mobility management suite and deploy remote

 

This slideshow requires JavaScript.

if your device running ios version below ios 11.3 your able to configure global http proxy – with *.pac file your able to redirect apple update url

proxypac

mobile devices fit enterprise needs

general, google, technology

android (almost) enterprise

matthias mader

…launched in 2015, renamed in 2017 from android for work and now it’s time for enterprises to adopt android’s modern device management

androidenterprise2.pngapproach of google to manage devices, regardless of any vendor, to better integrate android in enterprise

device admin api’s started deprecating some features, emm system unable to reset device passcode for android 7.0 devices, google will deprecate further in android “p” release in 2018 and stop working with major release of android in 2019

not yet – tested a lot of android’s feature to get a markable footprint in enterprise, realized use cases to bring value for customers but unfortunately android enterprise can’t replace device admin, that’s why…

enrollment – apple’s devices can centralized ordered, prepared and assigned to an emm system via dep (device enrollment program) – google’s pendant zero touch enrollment is currently just available for android 8.1 and pixel devices – samsung got it’s own knox mobile enrollment (kme) which depends on the installed knox version and is for sure just available for samsung devices – a fully managed samsung device via android device owner needs at least knox version 2.8, otherwise you need to prepare all devices locally via qrcode or nfc

certificate authentication is a basic requirement for a secure enterprise deployment, with am emm you’re able to enroll client certificates and distribute via android enterprise to mobile devices – but with current emm tools it’s further possible to achieve a seamless authentication with kerberos constrained delegation, the continuous synchronisation is provided even a user change his password

vpn started a full device tunnel for windows notebooks, beginning with ios is was possible to configure dynamic vpn based on domain rules, even vpn connection can secure a single app, with android enterprise it is possible to setup the vpn just for work content – was missing? a simple “on demand” could stop draining battery life from “always on” vpn or prohibit mistakes if forgot to “manually” enable it

reliability – inconsistent experience noticed – depending of build version, huawei ignore that device passcode is already set – lenovo yoga missing android enterprise enrollment capability – when sending a (private) picture via (secure) mail, login to work container, attachment lost in mail – honor device completly ignore passcode policy for work container – convert phone number to link in gmail is just working sometimes @theverge 

use cases could realized with android enterprise, e.g. silent app and unattended certificate installation is possible for non-samsung devices could , comparing to device admin, but there’s space for improvement…

androidenterprise.png