Security guide for using Android devices in companies

Securing Android devices

General recommendations

• When deciding which Android devices your company will use, keep in mind that Android devices typically receive software updates for up to 3 years after product launch. Once a device is considered old, it no longer receives security updates and updates. Newer equipment should be purchased at that time. Please note that operating system updates depend on the device manufacturer – Google provides a list of end-of-service data for Pixel and Nexus devices. For other brands of equipment, consult the manufacturer.
• For the highest level of control over the policies applied, the device should be managed by the company.
• After registration, Android devices should be monitored using mobile device management services to enforce the necessary security restrictions.
• Depending on the device used by the company, an Enterprise Mobility Management (EMM) system should be implemented to allow the configuration of OEM (Original Equipment Manufacturer). OEM standards have been introduced by Google to enable OEMs to develop applications that offer additional device-specific configurations. These applications are available in the Google Play Store and allow IT administrators to access the security policies applied to their devices through the EMM console.
• Configure Mobile Device Management (MDM) activity logging and monitoring options.
• Use one of the recommended network architectures to allow the user remote access to the company’s services.
• If a virtual private network (VPN) is required, you should use a dedicated third-party application.
• The professional use of third-party applications (“managed applications”) must be approved and centralized in a company’s application catalog. These may be automatically installed when the device is set up, or available in the company-run Google Play Store. ⚬ Consider activating professional Google Accounts on users’ devices. This allows you to manage various Google features through your device policies.
• Configuring an antivirus or other security programs on mobile devices is not recommended.

Work applications

Most companies will want to offer users a range of productivity and business applications so that they can access documents, create content and collaborate remotely to increase employee productivity. It is recommended to use the integrated applications in the services of the company you belong to. These applications have a higher degree of trust and security, as their manufacturers offer traceability of their technical qualities and a package of benefits for users.

Third-party applications used at work should come exclusively from the company’s application catalog, which contains only pre-approved applications and is managed by a well-secured MDM service. Applications installed in this way will be able to be monitored, having access to service data from wherever they are used. Highly privileged applications, such as the third-party keyboard application or network extensions, should be included in the approved catalog, as these types of applications can access large amounts of data and therefore pose a higher risk for company in terms of cyber attacks.

If your Android device is configured to be exclusively dedicated to business, the company’s private Google App Store will only allow user access to pre-approved apps. However, in hybrid configurations, both for personal and professional use, some applications installed in the public Google Play Store will not be monitored by the company and must not have access to the same data. This guide is intended for companies, from choosing and purchasing devices to providing advice to end users.