Android activations: What changes with versions P and Q in detail – Also for KNOX

Google will make major changes to Android and things will change. I had already written down these new functions and changes, but in this article I will go into detail about Android P / Q / Dynamics / KNOX activations at an MDM.

MDM-C (Mobile Device Management Controlled) Activations

If you only want to distribute apps on the devices or use app containers such as BlackBerry Dynamics on Android, you could activate either via MAM (Mobile Application Management) only as known as BYOD (Bring Your Own Device), or via MDM-C (Mobile Device Management Controlled), known as COPE (Corporate Owned Personal Enabled). With MDM-C, an administrator has certain permissions on the device and can enforce certain IT policies. But exactly in this case something will change starting on Android Pie: the device administrator will be removed and replaced by the DPC (Device Policy Controller).

If MDM-C is activated, the UEM Client is set up as the device administrator after the activation data has been entered, or the user is asked for exactly this authorization for the client for successful activation. The client can then enforce the IT policies and compliance profiles. Starting with Android Pie, the range of functions is already limited.

Android version Year of publication Implications
Pie (9) 2018 Device passwords can no longer be set.
Existing activations remain in place.
Q (10) 2019 Activation can no longer be performed because the “Device Administrator” authorization is no longer available.
Activations do not remain.

To-Do:

All MDM-C activations must now be performed with Android Enterprise activation. In other words, you set up a work profile for the AppContainer environment.

  • Activation with Android Enterprise Work & Personal or Workspace only
  • For example: Deactivate BlackBerry Secure Connect Plus or perform a Non-Premium activation in the Enterprise Connectivity Profile
    For a premium activation, i.e. with connectivity as global VPN in Android Enterprise, in Dynamics Direct Connect or in Enterprise Connectivity, add all Dynamics Apps as exceptions

Background:

Only with Android Enterprise use you can still use the full scope of an MDM system from Android Pie and Q.

For BlackBerry AppContainer (Dynamics) activations: Since the Dynamics Apps establish their own encrypted connection to the NOC, they must either communicate directly with their own infrastructure or configure the Dynamics Apps as an exception for the use of the IP tunnel to avoid a data loop when using BSCP.
If you activate Android Enterprise with BSCP tunnel, the communication channel would be as follows: Android Enterprise Work Perimeter -> BSCP Tunnel -> NOC -> (optional Proxy ->) UEM Server -> NOC -> UEM Server.
The last loop over the NOC is unnecessary.

KNOX to Unification

Until Android Nougat (7) you could activate either KNOX Workspace or Android Enterprise. When using KNOX, special Samsung IT policies and hardware encryption were provided for the workspace on Samsung devices. However, from Android Oreo (8) these two activation are or will merged: Unification.

This means that you can activate Android Enterprise from Android Oreo on Samsung devices, but still use the KNOX policies and hardware functions. KNOX Workspace will be discontinued in the short term as a stand-alone solution, as the device administrator is also used in this activation type. In Android Oreo, COPE (Work and Personal – Full Controll, Samsung CL/B2B mode) and COBO (KNOX Workspace only, Samsung COM) are supported as independent KNOX solution/activation.
In the meantime administrators were able to push a managed Google Account into KNOX to push apps and AppConfigs.

But there is a problem: What happens to devices that have been activated without a Google account?

Until now, no Google account was needed for KNOX devices. But with Android Enterprise you need a managed Google account in the Work Perimeter. So I would suggest to activate all KNOX activations with a Managed Google Account. As of now we don´t know if all KNOX activations will be migrated to Unification.