igor - Fotolia
Key Android Enterprise security controls for mobile admins
Mobile device admins should take advantage of Android Enterprise's security configurations to prevent threats such as data leakage and hackers bypassing authentication.
IT departments should look for ways to improve their use of Android Enterprise security controls.
Google's Android Enterprise initiative provides IT with APIs to integrate device controls and support into different enterprise mobility management (EMM) tools. Every organization's deployment is different, so some suggestions may not apply. IT professionals can pick and choose Android Enterprise security practices for their EMM tool that cover certain components of their deployment, such as the work profile.
Covering the basics
Data leakage from mobile users can occur when they add their own applications or emails and other accounts to a managed device. If a user plugs his device into a PC to transfer corporate data away from the secure device, this can also cause data leakage.
To avoid this outcome, IT can employ these data loss prevention restrictions:
- Deny the ability to configure user credentials.
- Deny the ability to create and modify accounts.
- Deny mounting physical external storage devices.
- Deny the ability to transfer files over USB.
- Deny USB storage.
- Deny USB debugging.
IT can apply these Android Enterprise security restrictions to work profile deployments, such as BYOD and corporate-owned personally enabled (COPE), and fully managed deployments such as corporate-owned business only (COBO) devices. Policies that prevent the creation, modification and configuration of accounts and credentials ensure that only the organization may push out restrictions and other settings to the corporately managed area of the device. This will either be the whole device in the case of COBO, just the work profile in the case of BYOD and sometimes both for COPE.
Without an unmanaged personal profile on the device sitting alongside corporate data, there's no risk of users allowing corporate data to leave the device through other applications or cloud services. Limiting actions on personal profiles, however, doesn't always make sense.
Mobile device admins should disable unapproved external storage, transfer of data over USB and mounting USB devices to ensure that users cannot move any corporate data from the device to any external media. This configuration is particularly important for fully managed devices because work profile deployments already include measures to prevent data extraction by default.
Setting a passcode is perfectly fine, but there's more to consider for Android Enterprise security than passcodes alone. IT should impose some restrictions to ensure that users choose secure passcodes:
- Disable smart lock.
- Prevent unified passcodes.
- Prevent face and iris unlocking.
- Enforce a short screen timeout and grace period for device lock.
In a corporate mobile device deployment, the passcode is the primary defense against unauthorized access, so IT should prevent anything that could make unauthorized access easier.
Smart lock allows the user to set trusted devices via Bluetooth and trusted locations or voices as well. These trusted elements can override the device's passcode policies and allow the device to remain unlocked. On that basis, IT should generally disable smart lock entirely, but it can also manage the feature granularly.
Unified passcode is a feature for work profiles on COPE and BYOD devices running Android OS 9.0 or later, which allows the device's parent profile and work profile to share the same unlock method. Once the device is unlocked with a unified passcode, the work profile is unlocked as well. In most cases, IT should disable this feature where possible to ensure that the passcode of the work profile is different than the password of the device itself, thereby heightening security.
Face and iris unlocking methods aren't highly secure either. There are countless examples where hackers have spoofed faces on Android devices. Some device manufacturers do a great job with advanced camera systems, but many do not.
Lengthy timeouts on either screen-off or device lock also present a security risk for end users. In most cases IT should aim for shorter timeouts -- ideally around one minute with an immediate device lock. If users leave their devices unattended for any length of time, a device that doesn't lock quickly is more likely to be compromised.
If IT professionals want to be more lenient for work profile users, they can configure longer timeout periods on the parent profile and shorten them on the work profile to ensure that corporate data is safe. IT can deploy this same leniency with face, iris and smart lock authentication methods with Android Enterprise security controls.
Most devices support fingerprint unlocking, which makes the unlocking process quick and easy. This should allow users a headache-free method of unlocking their devices despite a short timeout length.