Android 5.0 Lollipop embraces the enterprise

It didn't take Apple long to recognize that the enterprise wanted to use their mobile devices, but that they needed some help to do it right. Apple did so, even if they've only recently begun to brag about it.

Google took longer. Prior to the new version 5.0 (Lollipop), Android included precious little specifically to assist enterprises in their needs. Lollipop is a clear change in direction, addressing many of the most important enterprise needs.

Finally, Google has included EMM/MDM APIs to allow a standard approach to the management and security of Android mobile devices. No longer will EMM vendors like MobileIron have to make different versions for the devices of different OEMs. (Of course they will need to continue to do so for as long as they support pre-Lollipop Android devices.)

Google has also moved to harden the base operating system, strengthen data security by default, improve the security update process and authentication and much more. There are thousands of new APIs, many of which help enterprises.

Of course there are Lollipop features, such as Material Design, which is intended to make user interfaces more consistent, and Battery Saver, which benefit enterprises as much as anyone, but they are not enterprise-specific.

(Image courtesy MobileIon)

By far the biggest change is the inclusion of Samsung's KNOX technology, contributed to the Android Open Source Project. EMM (Enterprise Mobility Management, the modern superset of MDM or Mobile Device Management) was a marked weakness in Android with respect to the enterprise. Prior to Lollipop, Google included next to nothing in the base operating system, forcing each OEM to develop their own APIs for EMM products, like MobileIron and Citrix, to use. Now it's part of the base operating system and Google calls it Android Work.

Perhaps the most important capability Android Work adds is a container model, through which users can have conceptually separate personal and work environments on the device. Google calls this Managed Profiles. Apps and data in one are inaccessible to the other. This is old news on some other platforms, particularly BlackBerry, but it will now be standard on all Lollipop devices and manageable by third-party EMM/MDM systems.

See Jack Madden's blog for some informed perspective on it.

(Image courtesy Samsung)

Android is built on Linux. Lollipop is built on SELinux, a more strenuously secure variant. Access control over processes and files is much more sophisticated and fine-grained than on conventional Linux or traditional UNIX permissions. Processes running in user mode cannot change the permissions. This greatly reduces the potential for privilege escalation attacks.

Malicious software should have a much harder time taking hold of a Lollipop system and doing anything useful with it.

(Image courtesy SELinuxProject.org)

Governments got plenty mad at Apple when it announced that iOS 8 would use strong encryption on user storage by default, but it didn't take long for Google to make the same promise for Android 5.0 Lollipop. Both thumbed their noses at national security types who appealed to the companies to leave in a back door for the government to use in order to violate the customer's privacy.

New Lollipop devices will come with encryption turned on automatically. Users upgrading devices to Lollipop will need to initiate the encryption themselves (see the image on this page), which they have been able to do for some time.

So enterprises have been able to encrypt devices already, but Lollipop will increase the encrypted percentage of them nonetheless.

(Image courtesy CNet)

Apple rightly mocks Android for having so many users running out-of-date versions of the operating system. Google has always relied on the carriers to deliver operating system updates and the carriers have... well, they suck at it. So Google is taking some of the responsibility out of their hands.

Google Play Services can now deliver urgent security updates to devices as soon as they're resolved. Google Play Services 5.0 uses a "Dynamic Security Provider" to do this.

One of the most serious and legitimate concerns enterprises have for Android is that so many of the devices, even fairly new ones, get stuck on known-vulnerable versions of the operating system. It's not clear whether carriers will still be needed to deliver major version updates, but the ability to rush out critical updates without waiting for the carrier is a big security plus for Lollipop.

(Image courtesy MobileIron)

Smart Lock makes having a locked device easier. When paired with an Android Wear, Android Auto, or other NFC or Bluetooth device, and both are close enough to each other, the phone or tablet will be unlocked, saving the user from having to enter a code repeatedly. As MobileIron says in their Lollipop paper, it creates new enterprise use cases for devices unlocked by physical electronic keys rather than passcodes.

Smart Lock also improves on Android's Face Unlock feature. Instead of checking the user's face statically at login time, it analyzes the user's face on an ongoing basis. As soon as the device doesn't see the user, it locks.

Finally catching up with iOS and Windows Phone, Lollipop no longer allows a thief to factory-reset a stolen device. This is called Factory Reset Protection or the Kill Switch, and also allows the real owner to remotely wipe the device. A stolen phone that can't be wiped can't be sold.

(Image courtesy Google)

Also known as "screen pinning," this allows a user or organization to lock an Android device to a single app, i.e., a kiosk. The enterprise could therefore assign or loan out devices to users with a single function. The Home and Back buttons don't work.

This is not just an enterprise feature of course. As BlueFletch Mobile points out, apart from use in an actual kiosk, it could be useful for a test-taking application, customer help kiosks at retail stores, or electronic menus at fast-food restaurants. But the app must be authorized by what Google calls an organizational device owner application, which means an EMM/MDM client, so it's not going to work on pure consumer devices.

(Image courtesy Object Partners)