Google strengthens secure enterprise access from BYOD Android devices

Google has introduced Device Trust from Android Enterprise, a new solution for making sure that private Android devices used for work are secure enough to access corporate resources and data.

[Figure: Device Trust from Android Enterprise (Source: Google)]

What is Device Trust from Android Enterprise?

Android Enterprise is a set of tools and APIs from Google that helps businesses securely manage Android phones and tablets used by employees for work.

Key features allow:

  • Management of work profiles on BYOD devices, entire company-owned devices, and dedicated devices (e.g., kiosks)
  • A custom, managed Google Play store for distributing approved apps to employees
  • Remote setup and configuration of devices
  • Enforcement of security controls
  • Integration with mobile/enterprise mobility management solutions used by the organization

Device Trust is a new feature that uses 20+ trust signals from employees’ Android devices to determine their security posture; based on that posture, access to corporate resources is allowed or denied according to predefined policies.

“For company-owned and EMM-managed devices, Device Trust from Android Enterprise adds an extra layer of security for your business data and helps you integrate directly with your organization’s security tools,” says Al Chappelle, Senior Product Manager, Android Enterprise.

On personal, unmanaged employee devices, the security posture signals are collected by apps created by registered Device Trust from Android Enterprise solutions providers, currently: CrowdStrike, Okta, Omnissa, Urmobo and Zimperium.

“A partner app integrates with the Android Management API SDK and the partner follows the access process to be added to the allowlist to gain signals. The partner app can then request [device trust] signals from the Android Device Policy [app] at any point it deems appropriate,” Chappelle told Help Net Security.

“The partner app can then decide what to do with those signals – e.g., some partners are sending those signals to their backend service for use in their product / solution. Some partners are analyzing and using those signals on devices in their app.”

The partner app brings the trust signals into the device management, identity management, threat detection and monitoring solutions that organizations’ security teams already use.

Privacy-agnostic trust signals

Device Trust is particularly helpful when working with contractors and consultants or when employing temporary workers, as they are likely to use their private Android devices to access company apps. While they need access quickly, the employer needs it to be secure.

These devices are unlikely to be enrolled into the organization’s enterprise mobility management system, but a partner Device Trust from Android Enterprise app can help enterprises verify the device’s trust status, enforce access policies, and revoke access once the engagement ends.

Chappelle told us that the trust signals have privacy protections built in: IT admins can see the privacy-agnostic security posture signals of the device, but can’t see beyond this functionality into any additional data or controls of the device.

“For example, the IT admin could disable a user from being able to sign into a (work) app with their work credentials or remove authentication tokens if the device’s security state changed, but they can’t see into the data of that work app,” he explained.
