In Cortado's administration portal, you will find a variety of policies that can help you to improve the security of your devices. For fully managed devices in particular, there are a number of options available to you, which we would like to present to you in this article.
Aim
In this How-To, we will show you how to configure policies for Android devices in order to increase device security.
Implementation
- In the Cortado administration portal, select Administration→ Policies.
- Add a new policy by clicking on the plus icon.
- Then select Android and the setup method Fully managed device, Work profile or Work profile on company-owned device (example in illus.).
- Under Device Security, you will find the options that are explained in more detail below. The image shows the default policy settings for fully managed devices. Some policies are already disabled by default to ensure security without having to assign a policy first.
Note! On devices with a work profile or work profile on company-owned devices, only some of the policies described below are available.
Allow use of developer options
Allow installation of apps from unknown sources
Enforce app scanning for malware
Allow Android Debug Bridge (ADB)
Allow to reboot device in safe mode
Allow changes to security certificates
Minimum integrity level/Action for non-compliant devices
Allow use of developer options
Developer options are primarily of interest to system developers and are generally only used on test devices in a corporate context. For this reason, their use is not permitted by default on fully managed devices. On Android devices, you can find the developer options in the settings by tapping Build number seven times under About phone (arrow in left illus.). If the developer options are blocked, you will receive a corresponding message (right image). You can change this default setting by ticking the checkbox and then assigning the policy to users/groups or devices. However, this is not recommended for reasons of device security.
Allow installation of apps from unknown sources
As installing apps from unknown sources also poses a significant risk to device security in companies, this option is likewise not permitted by default on fully managed Android devices.
If you still want to activate the option, place a checkmark in the corresponding checkbox and then assign the policy to the users/groups or devices. In the Cortado app, you can then see that the option is allowed (arrow in left illus.). In the settings under Apps→ Special app access→ Install unknown apps, the slider is active again and can be adjusted (right illus.).
Enforce app scanning for malware
This policy, which is activated by default, ensures that Google Play Protect can no longer be deactivated. Play Protect performs regular security checks, scans all apps and checks them for malicious behavior. In the settings under Security & privacy→ App security (arrows in left illus.) you will find the Play Protect settings (arrow in middle illus.). If the policy remains activated (tick in the checkbox), the slider for the option Scan apps with Play Protect can no longer be deactivated (arrow in right illus.). Do not deactivate this policy!
Allow Android Debug Bridge (ADB)
The Android Debug Bridge (ADB) is the interface between a PC and an Android device: it lets the device be controlled from the PC, with commands sent over a USB cable. This tool is primarily intended for system developers and is generally only used on test devices in a corporate context. Therefore, this option is also not allowed by default on fully managed devices. If you want to allow ADB, you must also allow the use of developer options by ticking both checkboxes and assigning the policy. Once assigned, these options are enabled on the device, which can be seen in the Cortado app (arrows in the left image) and in the settings under Developer options. USB debugging is now activated (right image), so ADB can be used.
Allow to reboot device in safe mode
In safe mode, you can check whether a downloaded app is causing problems. In this mode, the device is only started with apps that were already pre-installed at the time of purchase. How exactly a device is started in safe mode depends on the manufacturer. On most devices, you need to hold down the on/off button while tapping on Power off (arrow in left illus.). You can then confirm the restart in safe mode (right illus.).
The Allow to reboot device in safe mode policy is enabled by default. If you want to deactivate it, remove the tick from the checkbox and then assign the policy to the users/groups or devices. It is then no longer possible to restart the device in safe mode.
Allow changes to security certificates
A large number of trusted CA certificates are pre-installed on every Android device by default. They are used to verify the identity of the websites, apps and other servers the device communicates with, so that encrypted connections can be trusted. You can find the certificates in the credentials store in the settings under Security & privacy→ More security settings→ Encryption & credentials→ Trusted credentials→ System (left and right image).
If you do not want your users to be able to make changes to the credential storage, remove the checkmark from the Allow changes to security certificates checkbox that is set by default and then assign the policy to the users/groups or devices. Certificates/User credentials can then no longer be installed, deleted or deactivated (left and right image).
Use Common Criteria mode
Common Criteria is an international IT security standard for software and hardware products. The standard ensures that certain aspects of product security have been thoroughly implemented, tested, maintained and independently verified. The policy is activated by default (tick in the checkbox). When the device is in Common Criteria mode, certain device features are set to meet the higher security level required for Common Criteria certification. For example, Bluetooth long-term key material is additionally integrity-protected with AES-GCM, and the Wi-Fi configuration store is additionally integrity-protected with AES-GCM. Do not disable this policy!
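The policies above are applied on the device as Android user restrictions, so their effect can be audited independently of the portal. The following script is an added example (not Cortado's code): it maps each policy to the AOSP UserManager restriction name an MDM sets for it and compares a device's active restrictions with the fully-managed defaults described in this article. The dumpsys excerpts are constructed; real `dumpsys device_policy` output varies by Android version, so the parser only looks for the restriction names. Common Criteria mode is set through a separate DevicePolicyManager API rather than a user restriction and is not covered here.

```python
"""Audit Android device-security policies against the defaults described above."""
import re
import subprocess

# Portal policy -> (user restriction the MDM applies, restriction expected to be ACTIVE?)
# Expected state reflects the default policy for fully managed devices in this article.
POLICY_MAP = {
    "Allow use of developer options": ("no_debugging_features", True),
    "Allow Android Debug Bridge (ADB)": ("no_debugging_features", True),
    "Allow installation of apps from unknown sources": ("no_install_unknown_sources", True),
    "Enforce app scanning for malware": ("ensure_verify_apps", True),
    "Allow to reboot device in safe mode": ("no_safe_boot", False),
    "Allow changes to security certificates": ("no_config_credentials", False),
}
KNOWN_RESTRICTIONS = {name for name, _ in POLICY_MAP.values()}

# Constructed samples: a compliant device and one whose settings have drifted.
SAMPLE_COMPLIANT = """(constructed excerpt)
  User restrictions: no_debugging_features no_install_unknown_sources ensure_verify_apps
"""
SAMPLE_DRIFTED = """(constructed excerpt)
  User restrictions: no_install_unknown_sources ensure_verify_apps no_safe_boot
"""


def parse_restrictions(dumpsys_text: str) -> set:
    """Return the known restriction names that appear anywhere in dumpsys output."""
    found = set(re.findall(r"\b(no_[a-z_]+|ensure_verify_apps)\b", dumpsys_text))
    return found & KNOWN_RESTRICTIONS


def audit(active: set) -> list:
    """List every policy whose on-device restriction differs from the expected default."""
    findings = []
    for policy, (restriction, should_be_active) in POLICY_MAP.items():
        is_active = restriction in active
        if is_active != should_be_active:
            findings.append(
                f"{policy}: {restriction} is {'active' if is_active else 'absent'}, "
                f"expected {'active' if should_be_active else 'absent'}"
            )
    return findings


def fetch_dumpsys() -> str:
    """Read live state from a connected test device (needs adb and USB debugging enabled)."""
    return subprocess.run(["adb", "shell", "dumpsys", "device_policy"],
                          capture_output=True, text=True, check=True).stdout


if __name__ == "__main__":
    for sample in (SAMPLE_COMPLIANT, SAMPLE_DRIFTED):
        print(audit(parse_restrictions(sample)) or ["compliant with the described defaults"])
```

Run against a real device by replacing the samples with `fetch_dumpsys()`; note that doing so requires the very ADB access the default policy blocks, so it is only usable on a test device.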