Android 14 for Enterprise: Everything You Need to Know

While predominately offering new consumer-focused features, the forthcoming Android 14 release also brings a series of security and management improvements for the enterprise.

Persistent Screen-On During Provisioning

An Android device's screen usually turns off during the enterprise device enrollment process, which can sometimes cause enrollment to fail and require a device reset. While this might not be much of an issue in a small environment that does not enroll devices every day, it has a real negative impact on larger ones with thousands of devices or more. With Android 14, a new Device Policy Controller (DPC) extra allows the screen to be kept on.

SIM Management for Corporate Owned, Personal Enabled (COPE) Devices

Providing Subscriber Identity Module (SIM) cards to employees for work use presents several challenges for enterprises. Firstly, managing and securing many SIM cards can be complex and costly. Ensuring that these SIM cards are only used for work purposes requires monitoring and control measures, which can be time-consuming. Secondly, employees may use work SIM cards for personal activities, leading to potential privacy and compliance issues. Additionally, dealing with lost or stolen SIM cards and handling mobile device management can be logistical challenges. Lastly, the rapid evolution of mobile technology may require regular updates and replacements, adding to the administrative burden and costs for the enterprise.

 

Starting with Android 14, organizations will finally be able to assign SIM cards directly to the Work profile of Corporate Owned, Personal Enabled (COPE) devices. COPE devices belong to the company and are fully enterprise-managed and controlled, but leave the user a secure, private area for their personal apps and data, providing a good balance between BYOD and COBO without compromising either corporate data security or the end user's privacy.

This will be very helpful in the typical scenario where a company provides a mobile device and a SIM card (provisioned, for example, with a voice and data subscription) to its employees for both work and personal use, supporting work-life balance and ultimately resulting in higher user acceptance.

When that subscription is associated with the Work profile, phone calls and SMS messages using it are available only to a set of managed work apps within that profile; likewise, the call logs and messages are accessible only within it.

Changes to Pausing Work Profile

Balancing work and private life while using corporate mobile devices can be challenging for employees. Constant accessibility to work emails and messages as well as receiving notifications makes it difficult to disconnect after work hours, which can lead to burnout and negatively impact personal relationships. Concerns about privacy also arise as employers may monitor or access personal data on these devices, and employees may feel a loss of control over their personal information. Plus, mixing work and personal content on one device can result in confusion and potential data leakage.

 

With Android 14, the Work profile can be paused, instead of turned off as in Android 13. This brings many improvements to the end-user experience: work apps keep running in the background, polling notifications and data, so as soon as the profile is unpaused they are immediately available, with no wait time or sync required. This also prevents the notification floods users previously experienced after turning their Work profile back on. In addition, cross-profile contacts are identified, so whenever the user gets a phone call, Caller ID is displayed correctly, even if it is associated with a work contact located in a currently paused Work profile. Finally, in terms of security, because apps keep receiving policy updates, there is no longer a risk of falling out of compliance when the Work profile is paused for a long period of time, for example during an extended vacation.

Security Features

Prevent Installation of Older Applications

Having older versions of mobile apps on your device poses significant security risks, as outdated apps often contain known vulnerabilities that malicious actors can exploit to compromise devices and steal sensitive information from them. Developers release updates to patch these vulnerabilities as soon as they are discovered and reported, so failing to update leaves devices exposed.

Android 14 brings a new restriction on app installation, which cannot be overridden using management APIs, that blocks corporate applications from installing if they target SDK 23 (Android Marshmallow) or earlier. This applies only to applications installed after the device is updated to Android 14; apps already present before the update are not affected.

Work Apps Screenshots Saved to Work Profile

Taking screenshots on a corporate mobile device can pose Data Loss Prevention (DLP) risks by potentially exposing sensitive information. Employees may capture confidential data and unintentionally share it, bypassing DLP controls. IT administrators may have limited control over screenshot functionality, especially on personal or unmanaged devices used for work.

 

With Android 14, whenever an employee takes a screenshot of a managed work app running within the Work profile, the resulting picture is saved within that profile instead of the parent profile, helping prevent intentional or accidental leaks of corporate information into the unmanaged, personal space on the mobile device.

Restrictions to Ultra-Wideband (UWB)

Ultra-Wideband (UWB) represents a wireless communication technology employing an expansive spectrum of radio frequencies for data transmission. Unlike traditional wireless technologies like Wi-Fi and Bluetooth, UWB employs brief, precise pulses, facilitating remarkably accurate time-of-flight measurements.

 

Typical use cases include indoor positioning and tracking, allowing for accurate localization of objects or people within buildings. In automotive systems, it enhances safety by enabling precise vehicle localization, collision avoidance, and even supporting autonomous driving. UWB is also used for asset tracking in industries, improving resource management. Furthermore, it facilitates high-speed data transfer, benefiting mobile device connectivity and applications like high-definition video streaming.

 

With Android 14, IT administrators will be able to turn it off on corporate-owned devices in scenarios where it is not suitable or where its security and privacy risk outweighs the benefits of a real-time location service.

Disable Second-Generation (2G) Cellular Network

Using a 2G network on a mobile device presents security risks due to weak encryption. This vulnerability can lead to eavesdropping on voice calls and text messages. Attackers can exploit 2G's susceptibility to interception, SMS spoofing, and impersonation. The lack of security updates makes 2G devices more prone to malware and exploitation. Additionally, emergency services and critical communications on 2G may be compromised. It's advisable to migrate to more secure network generations like 4G or 5G to mitigate these risks and ensure better protection for sensitive data and communications.

 

Starting with Android 14, organizations will be able to restrict the use of 2G connectivity across their entire fleet of Android Enterprise mobile devices, mitigating these security risks.

Disable Support for Null-Ciphered Cellular Connectivity

Null ciphers in the context of commercial networks refer to encryption methods where no encryption is applied at all, leaving data vulnerable to interception and eavesdropping.

 

Primary (legit) use cases for null ciphering include providing debugging capability to carriers and network operators, allowing emergency calls when no active SIM card is present in the device, and serving as a fallback in case networks deprecate all other encryption algorithms the modem is programmed to use.

To mitigate these risks, robust encryption and security protocols are essential in commercial network environments. Android 14 will also introduce a feature that disables support for null-ciphered cellular connectivity at the modem level, for devices using the latest radio Hardware Abstraction Layer (HAL).

Note that, as with the “disabling 2G” feature, employees will still be able to place emergency calls using null-cipher connections, to avoid putting their personal safety at risk.

Financed Devices

With Android 14, a device can now be declared as “financed”, enabling device management for credit providers. Using Device Lock Controller, a custom DPC, they can remotely restrict access to the device in case of missed payment(s). Even when the device is restricted, some features remain available, for example receiving incoming calls (and even placing some outgoing calls), emergency calling, access to the full Settings app on the device, and the ability to back up and restore data.

This is targeted at consumer devices, and some providers, such as Kenyan carrier Safaricom, are already using it, with a three-stage plan to progressively lock out the device in case of missed payments.

When Will It Be Available?

The first supported device will be the upcoming Pixel 8, to be unveiled at the Made by Google 2024 event that will take place on October 4th.

 

Which Devices Will Support It?

The existing Google Pixel phone lineup, from the Pixel 4a 5G onward, will immediately receive a software update.

Android devices from other manufacturers will also get their Android 14 updates pushed out as they become available, pending OEM and carrier approval, throughout the year.

In the case of Samsung, it is worth noting that it will be available for the following series:

Galaxy S21 and later, Galaxy Z Flip 3 and later, and Galaxy Tab S8 and later. Availability is yet to be confirmed by the vendor.

The team at ISEC7 can help with incorporating the new Android 14 for Enterprise into your pre-existing enterprise deployment to ensure all business and operational use cases are addressed. ISEC7 is your premier one-stop-shop for all your mobility and security needs, further shaping and improving efficiency in your digital landscape. Please feel free to contact us with any inquiries and we would be happy to assist you.