How to make Android a real part of your business

Over the past five years, iPhones and iPads have become the corporate mobile standards, thanks to their wealth of business apps, Exchange compatibility, corporate manageability, and strong security. Android devices, on the other hand, have largely been relegated to “OK for email” status.

But there’s no longer a reason to keep Android at arm’s length. It can now be as integral to your mobile portfolio as Apple’s iOS devices are. Sure, Apple devices still lead in business-class apps, manageability, and security, but not by enough to exclude Android from full access at most companies.

With that in mind, InfoWorld has put together this guide on how to deploy Android, both for company-issued devices and BYOD scenarios; most companies likely have a mix of both approaches.

The Android devices you should support

Not all Android devices are created equal. For example, the cheapest devices rarely support encryption, so they’re unsafe for corporate usage. Meanwhile, no-name Android devices are often infected with malware — particularly devices sold in the developing world.

When it comes to Android devices, you should focus on the top-tier brands and models. The best options come from Samsung — the Galaxy S and Galaxy Note lines of smartphones and the Galaxy Tab S series of tablets. Not only are they built to last, they support the widest range of radio bands (and thus carrier support across more of the globe) and have the best hardware-level security available. The Samsung devices also support the highest level of Android management, as I describe later.

If your security and management needs are not the most stringent — that is, you’re not a defense contractor or a government agency dealing with sensitive information, or you aren’t focused on high-level corporate executives with sensitive company information — there are plenty of other options, especially for smartphones from the best-known vendors, including LG, Lenovo’s Motorola unit, Sony, Alcatel, and Google.

The second-tier providers typically support encryption and a broad swath of radio bands, as well as provide good fit and finish on their higher-end models. (Don’t be cheap: A low-priced smartphone is likely harder to secure, less likely to support international travelers, and more likely to be damaged. Those all will cost you more than the initial savings.) 

What you won’t get is the same level of hardware security as you do from Samsung. BlackBerry’s Android smartphone, the Priv, which also has strong hardware-level security, may be an option for the more security-conscious, but the company’s persistent market struggles should make you think twice about depending on it.

Stay away from most other companies, and be very cautious about Android devices bought in China, where it’s quite likely the government has required backdoor access be installed.

Whatever you buy, try to choose a model no more than one generation old. Android makers and the carriers are very slow to update their devices, if they bother to update them at all. Anything older than last year’s model is likely to not be updated — not even for security. Plus, older models are less likely to support encryption and other hardware-based security features like fingerprint scanners.

Plan on two-year replacement cycles for Android devices that access sensitive information — versus three or even four years for iOS devices. Apple is good about keeping old devices current via software updates, but Google and its Android allies are not.

For casual Android users — those who use messaging, email, calendars, and perhaps Office, as well as have moderate information access permissions — you can be more forgiving about device age.

The Android versions you should support

Android 4.4 KitKat is the oldest version your organization should support, as it was Android’s first version to get management and security capabilities competitive with those found in iOS. If possible, restrict your usage to Android 5.0 Lollipop or later — at least for users who work the most with sensitive information. Anything prior to Android 4.4 should be avoided.

Lollipop is the first Android version to support Google’s Android for Work containers natively, and any company should use those containers or Samsung’s own Knox for employees who deal with sensitive information (more on those shortly). Although Android for Work can be installed on some older Android versions, it’s simply not as secure there.

The forthcoming Android N will broaden its focus into other enterprise features, such as multiwindowing, and offer additional management options. That’s another reason to stick with recent-model devices: to increase the odds of supporting Android N next year. 

Android management options you should consider

There are three levels of management available to you for Android devices, in addition to not managing them: basic Exchange management, server-based mobile management, and container-based separation.

Basic Exchange management: This option is essentially free if you use Microsoft Exchange. You set Exchange ActiveSync (EAS) policies to enforce basic security hygiene: require encryption be enabled, and require a password be enabled (and maybe even apply policies around password length, complexity, and/or expiration). More EAS policies are available, some of which would make sense for company-issued devices (such as disabling the camera or Wi-Fi), but that would be problematic for BYOD units because they restrict functionality that is perfectly acceptable — and desirable — outside of work.

Server-based mobile management: This option lets you manage more than EAS alone can. Like Apple, Google has developed a set of APIs for Android that allow third-party management servers to control the device. Some of these policies manage security settings, some control device configuration (such as locking a device to specific networks, requiring a corporate VPN be used, and whitelisting or blacklisting specific apps).

You should use such a server — variably referred to by the acronyms MDM (mobile device management) and EMM (enterprise mobility management) — at least for devices that you treat like computers. In other words, if a smartphone or tablet is used to run corporate apps, access corporate servers beyond email and calendar, or interact with corporate data sets, treat it like a managed PC by using a management server.

The top providers are BlackBerry’s Good Technology unit, Citrix Systems, EMC VMware’s AirWatch unit, IBM’s MaaS360 unit, MobileIron, and Soti. Microsoft is also stepping into this market as part of a broader push to converged mobile/PC management.

Using these management servers — available via the cloud or on-premises servers — will cost you anywhere from $3 to $20 per user per month, depending on how much you want to manage.

Be careful that you don’t try to manage too much. As is typical in the security industry, mobile management vendors like to paint very scary pictures to up their sales, even though mobile devices are safer than PCs and are rarely the source of data breaches or viral infections. If you’re securing your mobile devices more than your laptops, you’re either overdoing it in mobile or falling short on your PCs.

One area where Android is at more risk than iOS is application security. Although Apple’s App Store has seen malware get past Apple’s defenses, it’s rare, and the iOS architecture limits the potential damage. But Google’s Play Store is more prone to having malware disguised as legitimate apps, and Android’s architecture lets malware roam widely, similar to Windows. You should look seriously at using the mobile management server’s application-management tools, which you’ve probably ignored if you’re used to managing iOS.

But be careful about investing in antimalware apps for Android. It’s not clear they catch much, and as we’ve seen on the desktop, they’re pretty much useless against phishing attacks, where the big breaches and attacks come. It’s better to focus on using a policy to disallow “sideloaded” apps on managed Android devices, managing what apps can be installed, and focusing your security efforts on how your network and servers directly defend themselves against the attacks you know will come in from somewhere.

Container-based separation: Because Android has an open file system, data and malware can roam across the entire device. That’s why first Samsung, then Google brought containers to the operating system level of Android, with their Knox and Android for Work offerings. (iOS uses sandboxes around each app, essentially putting each in its own container, with limited connection paths available for which there are also management tools to control.)

Containers essentially divide the device in two, with corporate apps, data, and services running in one secured container, and personal apps, data, and services running in another container. Some system functions, like the phone dialer, are available to both containers, but even in those cases the underlying data (like address books) can be kept separate.

The use of containers limits the potential for malware infection of corporate apps and the systems and data they access. It also protects users from IT snooping of their personal information. It also means a corporate wipe of a lost or stolen device won’t wipe that personal portion. (Employees then have to wipe any sensitive personal information themselves, using a tool like Google’s Android Device Manager, the Lookout software installed by several Android makers, or Samsung’s own Find My Mobile tool, all of which require employees to set up a corresponding personal account.)

Knox is older than Android for Work, but in reality, neither was up to snuff until 2015. Now that they are, you have to decide: Which one to use?

If you’re an all-Samsung Android shop, go for Knox. It’s natively supported by Samsung’s higher-end recent devices and takes native advantage of Samsung’s hardware security.

Otherwise, go for Android for Work. It’s supported on most higher-end Android devices, including Samsung’s. (Samsung has even provided a native hook between Android for Work and Samsung devices‘ hardware security.)

In both cases, you oversee the containers’ policies using a mobile management server. Not all vendors support Android for Work or Knox yet, but most of the top-tier ones do, including BlackBerry, Citrix, IBM, MobileIron, Soti, and VMware. 

Again, avoid complex container “solutions” offered by mobile management vendors, such as app wrapping, proprietary containers, and proprietary apps that replace the native ones in Android (such as for email or browsing). These not only increase the costs, but increase the management overhead for IT. And frankly, the risks cited by most vendors are way overblown. It’s a lot of money and effort for very little — and often no — additional real-world security.

The Android apps you should provide

Although iOS still rules in apps, Android now has the basics covered.

For office productivity, Microsoft Office is quite capable on Android — and it’s included with a corporate or personal Office 365 subscription. (In fact, a subscription is required to use more than the basic Office features.) No other office productivity suite comes close.

The Microsoft Outlook client for Android is OK for email and calendar access, but a better option is the set of Samsung apps that Galaxy users get with their device. Like Microsoft Outlook, Samsung’s clients support both Exchange and non-Exchange accounts. Non-Galaxy users can use Google’s merely adequate Gmail and Calendar apps — or, better, start using Outlook.

For collaboration, the options are fewer, though Slack and Atlassian HipChat are good for messaging, and Zoom and Cisco WebEx are good for videoconferencing.

If you’re adopting cloud services to provide secure, managed, central storage for employee data, Android has clients for the major services that offer IT-managed versions: Box, Dropbox, Google Drive, and OneDrive. (Apple’s iCloud Drive is not supported, but iCloud Drive isn’t IT-manageable anyhow.)

And in addition to Android’s built-in VPN client, you can get specialty Android VPN clients from Cisco and Juniper, if you use those VPNs’ extra features. It’s no longer true that Android devices must play second fiddle to iOS devices when it comes to such basic security and management tools.

Beyond that, you’re talking domain-specific apps, which need to be tested in your environment and business context. Your IT mobile team should test out the clients (apps and Web) for any systems in place, from Workday to Oracle, from Jira to Salesforce — travel expense managers, time sheets, customer orders, operations dashboards, prospect management, and so on.

Related resources

• Mobile security: Samsung Knox 2.4 vs. Android for Work
• More like Windows: How Android N targets the enterprise
• Mobile and PC management: The tough but unstoppable union
• Review: Galaxy S6 and S6 Edge lead the Android pack