At present, IT admins in enterprises are responsible for managing a whole fleet of devices from different management classes such as BYOD (Bring Your Own Device), COPE (Company Owned/Personally Enabled) and COBO (Company Owned/Business Only). With these different levels of ownership, organizations must ensure that their business applications and sensitive data stay protected on the device regardless of who owns it. With Android Enterprise, admins can configure a device in one of two ways: device owner mode or profile owner mode.
For corporate owned devices, provisioning the devices in Android device owner mode gives the organization full control over the device. The functions that a device owner can perform include:
- Enable or disable hardware and software functions
- Configure password policy and user accounts on the device
- Configure network parameters, VPN and CA certificates
- Wipe the device and its contents
- Set global settings such as airplane mode, GPS and Bluetooth
In company owned deployment scenarios, the enterprise owns and has full control over the devices it uses. The management application is known as the Device Policy Controller (DPC), and it is responsible for enforcing policies on the Android devices. When the DPC acts as a device owner, it looks after the entire management of the device. It can also perform a wide range of device-oriented actions such as configuring connectivity, setting global settings and performing a factory reset.
Features of Android device owner mode
- Create custom lock screen messages
- Disable data roaming
- Configure the kiosk applications by whitelisting the applications needed by the organization
- Remotely reboot the devices
- Apply certain configurations on the device like unlocking, hardware controls and factory resets
- Ensure secure network connection
- Set up a single wireless network ID across different regions
- Quick enrollment options such as Zero touch enrollment and QR code enrollment
Different provisioning methods such as DPC Identifier, NFC, QR Code, Zero touch enrollment, Samsung KME, G Suite and Android Debug Bridge are available to enroll your devices. Let's have a look at what each means:
- Zero touch enrollment: this is a streamlined method for preconfiguring devices to automatically provision themselves right on the first boot.
- QR Code: the admin can scan the QR code generated by the EMM solution used by their organization to provision and manage the device.
- NFC: this method requires users to create an NFC programmer app that contains the enrollment token, settings and other details to provision a dedicated or fully managed device.
- DPC Identifier: this method is used when the devices can't be enrolled via QR code or NFC. The admin must follow the setup wizard on the new or factory reset device, connect the device to the internet and enter the DPC identifier. After this, they need to either scan a QR code or enter an enrollment token to provision the device.
- Samsung KME: The Samsung Knox Mobile Enrollment is a bulk device enrollment method where admins can provision the device and get it set for its users right from the moment they switch it on.
- G Suite: In order to set up an Android device with a G Suite account, users have to add their account to the device. The process of adding the account depends on whether you are setting up a new device or an existing one. Organizations with a G Suite Enterprise account can import company owned devices into their inventory; these devices are automatically set up in fully managed mode.
- Android Debug Bridge: this method uses Android Debug Bridge (ADB) to provision devices as a device owner. It is applicable to devices running Android 5 or later. This method is useful when the number of managed devices is small, as each device has to be unboxed to initiate the provisioning process. After this, the enrollment is carried out separately.
Android device owner mode must be provisioned during the initial setup of a new device or, in the case of devices running an older Android version, after a factory reset. Depending on the use case, the devices can be provisioned in two ways:
- If the provisioning flow is device driven, the IT admins can use NFC to provision a large number of devices. This method can be used by organizations that use either Managed Google Play Accounts or G Suite.
- If the provisioning flow is user driven, the provisioning options depend on whether the organization uses G Suite. Users in organizations using G Suite add their Google Account during the initial device setup process. This process helps end users set up the device themselves and is an alternative for devices that don't support NFC. Organizations not using G Suite can follow the managed Google Play Accounts method.
Apart from Android device owner mode, there are other solution sets such as profile owner mode, also known as work profile mode or managed profile mode. Here, by means of a DPC, the organization enables employees' personal devices for work use by adding a work profile to the primary user account on the device. The work profile is associated with the primary user but is kept as a separate profile. Container-level security policies are set up to prevent users from accidentally pasting sensitive corporate information into unauthorized apps.
There is also a dedicated device mode, which comes as a subset of the device owner solution set. The dedicated device solution set is designed for company owned devices that are used for a single purpose such as kiosks and digital signage. It gives admins the ability to restrict the usage of the device to a single app or a set of whitelisted applications, and prevents users from accessing other apps or performing other actions on the device.
Enable device owner mode in your organization’s devices
As mentioned before, a device owner can only be assigned during the initial setup of a device. It is best to enroll corporate owned devices with a device owner solution set and employee devices with a profile owner solution set; this way the privacy of the user is not compromised. In order to activate Android device owner mode, you must first ensure that your organization is enrolled in the Android Enterprise program. Devices running older Android versions must undergo a factory reset prior to their enrollment. For devices running Android 7 and above, a QR code can be used to enroll the devices.
Enrolling devices running on Android 7 and above
- Tap the welcome screen 6 times. After the device has been connected to the network, a QR code reader will be installed on the device. On the Hexnode portal, navigate to Admin > Android Enterprise to see the QR code on the screen. After scanning the QR code, click Accept & Continue to resume the installation process.
- Enable the device administration, usage access, draw over apps, write system settings and notification access permissions. Click Next to begin enrolling your device with Hexnode MDM.
- The installation will be complete as soon as a work account has been created on the device.
Enrolling devices running on Android 6 and above
- Follow the on-screen procedure to set up the device. When the prompt to enter your Google Account appears, type in afw#hexnodemdm and click Next. Select Install to install the Hexnode for Work application. Once this is done, either enter the Hexnode server name or scan the QR code, then click Next to agree to the terms and conditions of the Hexnode End User License Agreement. Finally, select Continue to set up your device in Android device owner mode.
- Enable the device administration, usage access, draw over apps, write system settings and notification access permissions. Once this step is complete, the device will begin enrolling with Hexnode MDM. The installation is complete when a work account is created on the device.
Enrolling devices running on Android 5
- Devices running Android 5 must first undergo a factory reset. Once this is done, navigate to Settings and choose About Phone. Tap Build number 7 times to turn on developer options. Go back to the System settings, open Developer Options and enable USB debugging from the list.
- After this is complete, download the Hexnode for Work APK. Next, download and install the Android Debug Bridge (ADB) on your system. Open a command prompt and change to the directory where the ADB folder resides.
- Type the command adb start-server to initialize ADB. After connecting the device to the computer, run adb install HexnodeMDMWork.apk to install the APK downloaded earlier.
- Type the command adb shell dpm set-device-owner com.hexnode.mdm.work/com.hexnode.mdm.reciev to make Hexnode for Work the device owner. After installing the Hexnode for Work application, enter your server name and click Next to set up your device in Android device owner mode.
- Enable the device administration, usage access, draw over apps, write system settings and notification access permissions. Once this is complete, click Next to begin enrolling your device with Hexnode MDM. The installation process is complete as soon as the work account has been created on the device.
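The ADB steps above, wrapped in a small POSIX shell script as an added example (this is not Hexnode's own tooling). It assumes `adb` is on PATH and uses the APK file name and DPC component string exactly as written above; the closing `dumpsys device_policy` check is an assumption about that command's output, not something the page states.

```shell
#!/bin/sh
# Added example, not Hexnode's own tooling: a guarded wrapper around the
# ADB-based device owner provisioning steps described above.
# Assumes `adb` is on PATH and that the APK and DPC component are the ones
# named on the page (override via environment variables if yours differ).

APK="${APK:-HexnodeMDMWork.apk}"
DPC_COMPONENT="${DPC_COMPONENT:-com.hexnode.mdm.work/com.hexnode.mdm.reciev}"

# count_ready_devices: given the text of `adb devices`, print how many entries
# are in the authorized "device" state. "unauthorized" (USB debugging prompt
# not accepted) and "offline" entries are not counted; dpm would fail on them.
count_ready_devices() {
    printf '%s\n' "$1" | awk 'NR > 1 && NF >= 2 && $2 == "device" { n++ } END { print n + 0 }'
}

# valid_component: a DPC admin component must look like "package/class":
# exactly one slash and no whitespace. Catches copy-paste errors before a
# dpm call that can only be undone with another factory reset.
valid_component() {
    case "$1" in
        *[[:space:]]*|*/*/*) return 1 ;;
        */*) return 0 ;;
        *) return 1 ;;
    esac
}

# provision: install the DPC and make it device owner on exactly one device.
# dpm set-device-owner only succeeds on a device with no accounts and no
# existing owner, i.e. a freshly factory-reset device as described above.
provision() {
    adb start-server >/dev/null || return 1
    ready=$(count_ready_devices "$(adb devices)")
    if [ "$ready" -ne 1 ]; then
        echo "expected exactly one authorized device, found $ready" >&2
        return 1
    fi
    valid_component "$DPC_COMPONENT" || { echo "bad component: $DPC_COMPONENT" >&2; return 1; }
    adb install "$APK" || return 1
    adb shell dpm set-device-owner "$DPC_COMPONENT" || return 1
    # Assumption: `dumpsys device_policy` lists the active owner under "Device Owner".
    # Confirm the owner took effect before the device leaves the admin's hands.
    adb shell dumpsys device_policy | grep -q 'Device Owner' || return 1
}

if [ "${1:-}" = "--run" ]; then
    provision
fi
```

Run it as `sh provision.sh --run` with a single factory-reset device attached; it refuses to proceed when zero or several devices are visible, so the owner is never set on the wrong unit.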
Set up appropriate restrictions
Hexnode MDM policies can be used to allow or restrict access on devices enrolled via Android Enterprise. To configure restrictions on an Android Enterprise enabled device, go to Policies, create a new policy or edit an existing one, and choose Restrictions under Android to set up the basic device restrictions.
In addition to restricting basic device functionalities, admins can also:
- Restrict display settings
- Restrict network settings
- Restrict connectivity settings
- Restrict account related settings
- Restrict other device settings
- Set up app-based restrictions
- Set up a factory reset protection
- Enable lock task mode
Set up configurations and permissions for the managed apps
With Hexnode it is easy to limit the features that a managed app can use, and IT can pre-configure the app before it is pushed to the targeted devices. App permissions allow organizations to pre-configure the permissions that Managed Google Play apps have to access Android device features. By default, apps requiring access permissions prompt users to accept or deny them. By defining the right app permissions, organizations can ensure that apps don't access unnecessary features, making sure that corporate data stays protected.
App configurations allow admins to remotely configure features of Managed Google Play apps. Once the apps are installed, all the settings are supplied automatically. Since not all apps support configurations, it is best to check with the app developer first whether the app you wish to use is designed to support configuration settings. For supported apps, the developer specifies the options that can be configured. IT can then use the options displayed in the Hexnode console to define custom configurations. This not only saves IT a lot of time but also lets them pre-configure and distribute the apps to multiple users in a single go.
Introduced at the Android Enterprise Summit 2018, OEMConfig is an Android standard defined by Google that changed Android device management. With the help of OEMConfig, Hexnode can offer its customers a wide range of hardware and security features for Android Enterprise devices without having to build every individual OEM-specific setting into the product.
Device manufacturers that support OEMConfig build their own OEMConfig apps and host them on Google Play. The organization then approves and adds the OEMConfig app to the UEM console. Hexnode allows administrators to customize the settings by means of managed app configurations. The apps can also be pushed silently to Android Enterprise enabled devices via the Hexnode console. The customized OEMConfig app is installed on the device and uses the configured settings to manage it. Once a new feature has been added, the OEM updates the app and Hexnode automatically adds support for the new feature.
Lock down the devices to a kiosk mode
Kiosk mode can only be achieved on fully managed devices. Android device owner mode comes with a set of enhanced features that are ideal for kiosk deployments, such as the silent deployment of both in-house and store apps. Android Enterprise has a separate deployment scenario for dedicated devices. These dedicated devices (formerly known as Corporate Owned Single Use) are fully managed devices that serve a specific purpose; devices that cater to customer-specific needs include kiosks and digital signage. To ensure a complete lockdown, additional user restrictions such as disabling safe boot and factory reset and preventing the addition of new users can be applied.
Android includes a set of APIs built to lock down fully managed devices to a kiosk mode. Some of the key highlights of Android Enterprise dedicated devices include running the system in a kiosk mode by means of lock task mode, sharing the device between multiple users, caching the APKs required for multi-user sessions and suspending system updates. Though Android developers can create dedicated applications that set up a kiosk mode on Android devices, it is more convenient to rely on a powerful MDM solution like Hexnode to take care of your kiosk configurations. Hexnode MDM comes with a set of tools that help organizations set up the right kiosk for their business requirements.
By pairing up with no-touch enrollment programs such as Android Zero Touch Enrollment and Samsung Knox Mobile Enrollment, Hexnode offers quick deployment and provisioning of Android devices. Having a centralized platform to manage the kiosk systems is important, as it can prevent the security issues that arise when a non-technical user base uses the kiosk devices improperly.
Industry Use Cases
School owned devices enrolled through Android device owner mode allow admins to block certain functionalities like factory reset and Wi-Fi modifications. By whitelisting the necessary applications, admins can ensure that the students who use these fully managed devices are free from distractions and remain concentrated on their studies.
Organizations usually deploy corporate owned devices when they require tight control over the management of the devices used by their employees. When these devices are operated in Android device owner mode, IT admins can make sure that the sensitive corporate data present on the device stays protected at all times. Unlike profile owner mode, fully managed devices come with additional functionalities to enhance enterprise security, such as remotely rebooting the device and locking it down in an immersive kiosk mode. Organizations managing a large number of devices would do better to enroll their devices in Android device owner mode, as it provides quick enrollment options and flexibility in configuring more network restrictions.
Hospitals and healthcare clinics that use Android Enterprise enabled devices can harness additional security capabilities in a way that is easier for both the IT department and end users. Admins can ensure that the essential policies are applied universally to the targeted devices without asking the medical personnel to update their devices manually each time a policy is pushed, giving them more time to interact with their patients.
Android has a set of APIs to help people who use dedicated devices get their tasks done. With lock task mode, employees can run the device in a kiosk-like mode and stay productive by having access to just the whitelisted applications. Businesses can also save costs, as a single device can easily be shared between multiple shift workers.