If you want to allow your users to use their private Android devices in the company environment (BYOD), you can configure a work profile on a device for that purpose. To ensure that the user’s privacy remains secure, access to such a device via the management console is restricted. In this article you can learn how to still provide the best possible protection for corporate data on private Android devices with a work profile.
Preventing rooting of Android devices
With regard to Android, rooting refers to the process by which a root account (Superuser) gains access to the complete system, including all the resources. Root access is consequently disabled by default on all Android devices. Rooted devices are not desired in a corporate environment, because company data can be revealed on those devices. It must therefore be ensured that no devices that have previously been rooted can gain access to corporate applications or services. Additionally, retrospective rooting of previously registered devices must be prevented. Two actions are required for this.
Configure Google‘s SafetyNet Test. Under Basic Integrity failure action enable the Wipe option. As soon as SafetyNet Test detects a rooted device, the registration process will be aborted, and the work profile will not be installed. All data related to the work profile will be deleted from the device. This prohibits the installation of a work profile on a rooted device.
During the installation of the work profile and every 10 minutes thereafter, Cortado queries Google if there are any security breaches on the device. Additionally, in case the device is rooted after the configuration of the work profile, Google SafetyNet Test comes into effect, provided the Wipe option has been enabled in Basic Integrity failure action.
Preventing the installation of customised OS versions
There are a variety of reasons why users may wish to use a customised version of the Android operating system. Such versions could, for example, make available an additional feature that is not present in the official version. Or users may want to get out of the version of the operating system supplied by a particular provider (T-Mobile, Verizon). It could also be that there is an intention to install a recovery image that would make it possible for the device to be rooted. To protect corporate data, it must be ensured that access is denied to all devices with customised OS versions. And retrospective changes to the OS version on already registered devices must also be prevented. Two actions are required for this.
In this scenario we also recommend Google’s SafetyNet Test. Enable the Wipe (or Lock) option under CTS Profile Match failure action. As soon as SafetyNet Test detects a device with an unofficial operating system, the work profile will be deleted (or locked). This prohibits the installation of a work profile on these devices.
Deleting the work profile, restoring to factory default settings
You have the option to delete a work profile from an Android device via the Cortado management console. To do so, select the device and click on Wipe Partial.
Additionally, users can delete the work profile from a device themselves at any time. Of course, restoring a private device to factory default settings via the management console is not possible.
Remind users to install security patches
In the past, security vulnerabilities have been repeatedly identified in versions of Android. Therefore, device manufacturers and Google release monthly security patches. It is always recommended to keep security patches up to date. It is not possible to use the management console to force these updates onto private devices. Therefore, remind your users regularly to run updates and to keep the devices up to date.
Preventing installation of apps that don’t come from the Play Store
All Play Store applications are checked by Google to ensure they have no security vulnerabilities and that they contain no malware programs. On private devices with a work profile, you cannot prevent users from installing .apk files directly onto a device. Should self-installed apps expose security vulnerabilities, it presents no danger to the work profile, which is located in a secure container.
The installation of apps that don’t come from the Play Store is, by default, not permitted for the work profile (see Cortado app under Policies, left illus.). Users cannot, for example, load .apk files via the managed app Google Chrome into the work profile (right illus.).
To nonetheless allow the users to do so, the policy Allow Installation of non-market apps must be created and distributed. However, for the reasons stated above, this is not recommended.
Installing untrusted certificates
On private Android devices, users can install untrusted CA certificates themselves (after acknowledging a warning message). You have no possibility of preventing this via the management console. If a user has saved an untrusted certificate that exposes a security vulnerability, it has no effect on the work profile, which is located in a secure container. The data is protected.
Versehentliches browsen auf Phishing-Webseiten verhindern
Phishing-Websites versuchen, an Anmeldedaten von Nutzern zu gelangen. Besucht ein Nutzer versehentlich so eine Webseite (z. B. über einen Link in einer Phishing-Mail), können Unternehmensdaten in falsche Hände geraten. You can prevent this action with help from the Managed Configurations for the browsers that are a part of the work profile. At this time, this is an option for the Google Chrome and Microsoft Edge browsers. We therefore recommend the use of these browsers. Select the app and open the Managed Configurations. Enable the Disable proceeding from the Safe Browsing warning page checkbox in the Managed Configurations.
Make sure that no other browsers are used within the work profile.