<?xml version="1.0" encoding="utf-8"?><rss xmlns:atom="http://www.w3.org/2005/Atom" version="2.0"><channel><title>Ivanti Blog: Posts by </title><description /><language>en</language><atom:link rel="self" href="https://www.ivanti.com/blog/authors/tohsheen-bazaz/rss" /><link>https://www.ivanti.com/blog/authors/tohsheen-bazaz</link><item><guid isPermaLink="false">c0d68666-d128-4f71-acdb-45e9135b7c98</guid><link>https://www.ivanti.com/blog/the-android-14-enterprise-features-you-should-know</link><atom:author><atom:name>Tohsheen Bazaz</atom:name><atom:uri>https://www.ivanti.com/blog/authors/tohsheen-bazaz</atom:uri></atom:author><category>Endpoint Management</category><title>The Android 14 Enterprise Features You Should Know</title><description>&lt;p&gt;Android 14, Google’s latest release, brings a host of improvements for users, with enhancements to accessibility, localization, battery life and more. But for IT admins, there are also several Android 14 enterprise features to plan for that enhance user privacy and control.&lt;/p&gt;

&lt;h2&gt;What’s new in Android 14 for Enterprise?&lt;/h2&gt;

&lt;h3&gt;New APIs to display work contacts and caller IDs on personal side&lt;/h3&gt;

&lt;p&gt;Previous Android releases have allowed cross-profile data sharing so that personal apps can access work profile contacts and phone numbers – a small but meaningful feature that reduces friction for the many end users who use the same device for work and personal communication.&lt;/p&gt;

&lt;p&gt;With Android 14, IT admins can apply more granular policies by specifying &lt;em&gt;which&lt;/em&gt; apps are allowed to access this information.&lt;/p&gt;

&lt;p&gt;Calendar apps, which may use cross-profile data, should consider switching to &lt;a href="https://developers.google.com/android/work/connected-apps" rel="noopener" target="_blank"&gt;connected apps&lt;/a&gt;, which can use both work and personal data (for instance by displaying a single calendar view with work and personal appointments), but without giving IT admins access to personal data, thereby maintaining user privacy.&lt;/p&gt;

&lt;h3&gt;Restrictions to ultra-wideband radio&lt;/h3&gt;

&lt;p&gt;Ultra-wideband (UWB) technology, a short-range wireless communication protocol used primarily to track the location of objects with high accuracy, has only recently been introduced to high-end smartphones, although government and military applications go back decades. Android 13 was the first Android release with feature-complete UWB support.&lt;/p&gt;

&lt;p&gt;UWB is expected to grow rapidly, particularly in applications such as healthcare, logistics and manufacturing, where extremely accurate real-time location information can assist with complex and challenging asset tracking.&lt;/p&gt;

&lt;p&gt;In anticipation of that growing ubiquity, Android 14 allows an admin to turn off UWB on corporate-owned devices in situations where it is not desirable, for instance when security and privacy concerns outweigh the benefit of real-time location data.&lt;/p&gt;

&lt;h2&gt;When will features be available?&lt;/h2&gt;

&lt;p&gt;Google doesn’t share exact release dates, but Android 14 is expected to be released soon, in early September. Like every year, Google Pixel devices will receive updates on release day. Other device manufacturers follow their own cadence for over-the-air updates, so check with your vendors for schedules.&lt;/p&gt;

&lt;p&gt;Ivanti UEM solutions will support Android 14 on day zero, meaning Ivanti customers can transition seamlessly to Android 14 on all of their Android devices.&lt;/p&gt;

&lt;h2&gt;Where to get more information on Android 14&lt;/h2&gt;

&lt;p&gt;For additional details on new Android 14 enterprise features, visit Google’s &lt;a href="https://developer.android.com/about/versions/14/work" rel="noopener" target="_blank"&gt;Android 14 release notes&lt;/a&gt;.&lt;/p&gt;

&lt;p&gt;For details about support for Android 14 on Ivanti products, visit &lt;a href="https://forums.ivanti.com/s/article/Ivanti-Guidance-on-Android-14-Compatibility?language=en_US" target="_blank"&gt;Ivanti customer support&lt;/a&gt;.&lt;/p&gt;
</description><pubDate>Tue, 05 Sep 2023 19:06:14 Z</pubDate></item><item><guid isPermaLink="false">578ad139-1aa3-40e0-89cd-d48d2be04e52</guid><link>https://www.ivanti.com/blog/android-13-and-ivanti-uem</link><atom:author><atom:name>Tohsheen Bazaz</atom:name><atom:uri>https://www.ivanti.com/blog/authors/tohsheen-bazaz</atom:uri></atom:author><category>Endpoint Management</category><title>Android 13 and Ivanti UEM: What to Know About the Latest Enterprise Features</title><description>&lt;p&gt;Android 13, the latest release from Google, is here. For IT administrators, this means making sense of new enterprise features and enhancements: what changed, why should you care – and most importantly, what should you do about it?&lt;/p&gt;

&lt;h2&gt;Is Ivanti Android 13 ready?&lt;/h2&gt;

&lt;p&gt;For Ivanti customers, one thing you won’t need to worry about is whether the new OS is supported by your UEM solution. Ivanti UEM products are Android 13 ready, with day zero support for a seamless transition. Customers can access product-specific support through the &lt;a href="https://forums.ivanti.com/s/article/MobileIron-Guidance-on-Android-13-Compatibility" target="_blank"&gt;Ivanti Community&lt;/a&gt;.&lt;/p&gt;

&lt;h2&gt;What’s new in Android 13 for Enterprise: the features admins should know&lt;/h2&gt;

&lt;p&gt;Android 13 brings several new enterprise features and many enhancements to user privacy, control and comfort. There are a number of changes to pay attention to:&lt;/p&gt;

&lt;ul&gt;
	&lt;li&gt;More user control over privacy, battery management and notifications.&lt;/li&gt;
	&lt;li&gt;Enhanced 5G/cellular support.&lt;/li&gt;
	&lt;li&gt;New device and security settings, as well as security enhancements to the OS.&lt;/li&gt;
	&lt;li&gt;More options for corporate out-of-the-box deployment.&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;Let’s dig into each of these areas.&lt;/p&gt;

&lt;h3&gt;End user privacy and usability enhancements&lt;/h3&gt;

&lt;p&gt;Android fans have reason to cheer: it’s not often that privacy and usability improve simultaneously, and Android 13’s new user controls offer both. Administrators will want to ensure that any work apps that should be exempt from these controls are configured accordingly.&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;Users can stop unwarranted services.&lt;/strong&gt; Users can view and stop apps with foreground services from the notification drawer. &lt;a href="https://developer.android.com/guide/components/foreground-services#handle-user-initiated-stop" rel="noopener" target="_blank"&gt;Some apps are exempt&lt;/a&gt; from this action, including Ivanti/MobileIron Go. To get rid of this user control entirely, you will need to configure “Disallow User Control.”&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;New rules help preserve and optimize battery use.&lt;/strong&gt; The system will place an app in the restricted bucket when app behavior matches &lt;a href="https://developer.android.com/topic/performance/appstandby#restricted-bucket" rel="noopener" target="_blank"&gt;certain criteria&lt;/a&gt;. Although some apps are exempt, other apps – including work apps – may be subject to this new rule. To avoid work apps being placed in the restricted bucket, admins can configure “Disallow User Control.”&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;New runtime permissions offer more quiet time and privacy.&lt;/strong&gt; Android apps run in a limited-access sandbox, and if an app needs to use resources or information outside of that sandbox, it must define permissions. Android 13 adds more than 20 new permissions, but three are of particular interest:&lt;/p&gt;

&lt;ul&gt;
	&lt;li&gt;&lt;strong&gt;POST_NOTIFICATIONS&lt;/strong&gt; determines whether an app is eligible to send exempt (i.e. general) notifications. All apps that require pushing notifications would require user consent or preapproval from a UEM console.&lt;/li&gt;
	&lt;li&gt;&lt;strong&gt;USE_EXACT_ALARM&lt;/strong&gt; determines whether an app is eligible to send time-related notifications and reminders, limiting these to alarm clock, timer and calendar apps.&lt;/li&gt;
	&lt;li&gt;&lt;strong&gt;NEARBY_WIFI_DEVICES&lt;/strong&gt;, part of the NEARBY_DEVICES permission group, helps apps that manage a device’s connection to nearby access points over Wi-Fi request specific permissions, rather than privacy-sensitive location permission.&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;Android’s developer site offers &lt;a href="https://developer.android.com/reference/android/Manifest.permission" rel="noopener" target="_blank"&gt;further details on the new permissions&lt;/a&gt;.&lt;/p&gt;

&lt;h3&gt;5G and cellular support enhancements&lt;/h3&gt;

&lt;p&gt;For both 5G and non-5G users, the Android 13 release offers improvements for handling traffic.&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;Admins have more options for 5G slicing.&lt;/strong&gt; This feature, first introduced as part of Android 12, now allows admins to have many slices configured and to extend them to company-owned assets – meaning you can use dedicated 5G slices to expedite traffic routing.&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;APNs can be configured with a specific enterprise ID.&lt;/strong&gt; Carriers must share the APN endpoint name with the IT admin so that the admin can input that information into the APN configuration, which will help in tagging traffic.&lt;/p&gt;

&lt;p&gt;Android’s developer site offers &lt;a href="https://developer.android.com/reference/android/app/admin/DevicePolicyManager#setPreferentialNetworkServiceConfigs(java.util.List%3Candroid.app.admin.PreferentialNetworkServiceConfig%3E)" rel="noopener" target="_blank"&gt;further details on network configurations&lt;/a&gt;.&lt;/p&gt;

&lt;h3&gt;Security enhancements&lt;/h3&gt;

&lt;p&gt;Android 13 brings a number of additional device and security controls worth investigating:&lt;/p&gt;

&lt;ul&gt;
	&lt;li&gt;&lt;strong&gt;DISALLOW_ADD_WIFI_CONFIG&lt;/strong&gt; disallows a user from adding a new Wi-Fi configuration.&lt;/li&gt;
	&lt;li&gt;&lt;strong&gt;DISALLOW_CHANGE_WIFI_STATE&lt;/strong&gt; disallows a user from enabling or disabling Wi-Fi. Even if the user manages to put the device in airplane mode, the device remains connected.&lt;/li&gt;
	&lt;li&gt;&lt;strong&gt;DISALLOW_SHARING_ADMIN_CONFIGURED_WIFI&lt;/strong&gt; disallows a user from sharing Wi-Fi for admin-configured networks.&lt;/li&gt;
	&lt;li&gt;&lt;strong&gt;DISALLOW_WIFI_DIRECT&lt;/strong&gt; disallows a user from using Wi-Fi Direct.&lt;/li&gt;
	&lt;li&gt;&lt;strong&gt;DISALLOW_WIFI_TETHERING&lt;/strong&gt; disallows a user from using Wi-Fi tethering, including existing control tethering.&lt;/li&gt;
	&lt;li&gt;&lt;strong&gt;EnableTrustOnFirstUse&lt;/strong&gt; allows a user to accept the Root CA cert, which is received from the network server during an initial connection to a new network. It still requires user action and explicit acceptance.&lt;/li&gt;
	&lt;li&gt;&lt;strong&gt;SetMinimumRequiredWifiSecurityLevel&lt;/strong&gt; prohibits devices from connecting to networks that do not meet a minimum level of security.&lt;/li&gt;
	&lt;li&gt;&lt;strong&gt;SetWifiSsidPolicy(WifiSsidPolicy)&lt;/strong&gt; allows admins to define a list of SSIDs to allow and disallow.&lt;/li&gt;
	&lt;li&gt;&lt;strong&gt;Control MAC randomization&lt;/strong&gt; with &lt;a href="https://developer.android.com/reference/android/net/wifi/WifiConfiguration#RANDOMIZATION_NONE" rel="noopener" target="_blank"&gt;these four different options&lt;/a&gt;.&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;Two notable changes to the OS also improve Android’s security.&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;NIAP-compliant security logs track Wi-Fi and Bluetooth connectivity events.&lt;/strong&gt; These logs meet the requirements of the Common Criteria Protection Profile for Mobile Device Fundamentals.&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;Intent filters block non-matching intents.&lt;/strong&gt; When an app sends an intent to an exported component of another app that targets Android 13+, that intent is only delivered if it matches an &amp;lt;intent-filter&amp;gt; element in the receiving app. (Note that explicit intents address a specific package name and are not affected by this change.)&lt;/p&gt;

&lt;h3&gt;Corporate out-of-the-box deployment enhancements&lt;/h3&gt;

&lt;p&gt;Finally, Android 13 offers more deployment options:&lt;/p&gt;

&lt;ul&gt;
	&lt;li&gt;&lt;strong&gt;EXTRA_PROVISIONING_ALLOW_OFFLINE&lt;/strong&gt; allows enrollment of Android devices in completely closed networks. If you are using the QR code method for enrollment, you need to add an additional flag to the QR code.&lt;/li&gt;
	&lt;li&gt;&lt;strong&gt;EXTRA_PROVISIONING_KEEP_SCREEN_ON&lt;/strong&gt; allows the device screen to be active during provisioning.&lt;/li&gt;
	&lt;li&gt;&lt;strong&gt;EXTRA_PROVISIONING_USE_MOBILE_DATA&lt;/strong&gt; is a Boolean setting that controls whether the device can be provisioned using mobile data.&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;Android’s developer site offers &lt;a href="https://developer.android.com/reference/android/app/admin/DevicePolicyManager#EXTRA_PROVISIONING_ALLOW_OFFLINE" rel="noopener" target="_blank"&gt;further details on provisioning&lt;/a&gt;.&lt;/p&gt;

&lt;h2&gt;Taking advantage of Android 13’s latest enterprise features&lt;/h2&gt;

&lt;p&gt;The release of Android 13 emphasizes again the importance of migrating to Android Enterprise from legacy Device Admin, which was &lt;a href="https://developers.google.com/android/work/device-admin-deprecation" rel="noopener" target="_blank"&gt;deprecated in Android 10&lt;/a&gt;. We strongly recommend that you plan this migration.&lt;/p&gt;

&lt;p&gt;It is also important to note that while Google’s Pixel devices receive updates on day one, other device manufacturers follow their own cadence for over-the-air updates. You can check with your vendors for updates and schedules.&lt;/p&gt;

&lt;p&gt;To get details on Android 13 compatibility and support for your specific UEM product, visit the &lt;a href="https://forums.ivanti.com/s/article/MobileIron-Guidance-on-Android-13-Compatibility" target="_blank"&gt;Ivanti Community&lt;/a&gt; or speak to your customer success manager.&lt;/p&gt;</description><pubDate>Thu, 18 Aug 2022 14:22:43 Z</pubDate></item><item><guid isPermaLink="false">0e12759f-5f6e-4d3d-8aea-4911ca160613</guid><link>https://www.ivanti.com/blog/pipeline-ransomware-could-i-be-next</link><atom:author><atom:name>Tohsheen Bazaz</atom:name><atom:uri>https://www.ivanti.com/blog/authors/tohsheen-bazaz</atom:uri></atom:author><category>Security</category><title>Pipeline Ransomware. Could I Be Next?</title><description>&lt;p&gt;If you have been following the news or trying to buy gas in Atlanta, you probably have already heard about the ransomware attack on one of the most important strategic pipelines in the US. 2020 saw ransomware attacks skyrocket and now 2021 seems to be following the trend. The current situation calls on us to rethink our security practices and mindset.&lt;/p&gt;

&lt;p&gt;One area of security that you may have heard about is Zero Trust (ZT). For our Ivanti customers I will try to bring some key aspects of this topic to light so that we can help you implement ZT within your own environment.&lt;/p&gt;

&lt;p&gt;When I talk about Zero Trust internally or externally, I have always tried to explain this as a mindset and a journey. Some ways in which I think about it include:&lt;/p&gt;

&lt;ul&gt;
	&lt;li&gt;&lt;a href="https://www.ivanti.com/blog/the-8-best-practices-for-reducing-your-organization-s-attack-surface"&gt;Reduce the attack surface&lt;/a&gt; overall and with every inch of new product added.&lt;/li&gt;
	&lt;li&gt;Security should not be an afterthought, but an integral part of any solution.&lt;/li&gt;
	&lt;li&gt;Re-emphasize who can get access to a service or a resource, and how.&lt;/li&gt;
	&lt;li&gt;Last but not least, have an “Always Verify, Never Trust” mindset.&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;You may see I keep repeating “mindset.” I simply cannot emphasize enough how important this aspect is to achieving a security level where an organization can carry on with business with very minimal risk of cyberattacks. Also, by no means are the things I have listed here going to be an end-all-be-all list.&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;As an Ivanti customer, what do I need to look into?&lt;/strong&gt;&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;How to stop using passwords&lt;/strong&gt; – What if your end users did not know or even have a password? Does that sound exciting? What if they would get an even better user experience than the current password-based technology you may be using? &lt;a href="https://www.ivanti.com/products/passwordless-authentication"&gt;Ivanti’s Zero Sign On&lt;/a&gt; technology could help you here.&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;How to stop various phishing attacks?&lt;/strong&gt; Phishing on mobile devices is more concerning, as organizations have been fighting phishing attacks via email or otherwise on desktops for a considerable amount of time. But again, since we are implementing a Zero Trust framework, we cannot ignore those powerful mobile endpoints. A good mobile phone today is more powerful than even some desktops and, more importantly, almost every employee is using one to work from everywhere.&lt;/p&gt;

&lt;p&gt;If I combine the above two aspects of password theft and phishing on mobile phones, which are not protected, as an attacker it’s easier for me to go after user credentials on those endpoints using email, SMS, or some sophisticated man-in-the-middle (MiTM) attacks. However, the key advantage an attacker has is the limited real estate and a user who is eager to click.&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;Application security and device integrity:&lt;/strong&gt; Whether your users are using Windows, macOS, iOS or Android, it’s critical to have control over the applications that are being used at work.&lt;/p&gt;

&lt;p&gt;Allowing users to use their favorite tools should also be a choice for IT to consider, as line of business users (LOBs) are successful when they have the right tools secured by IT. We have seen the SolarWinds Orion software breach, and I hope by now we understand that even approved software can be vulnerable. This is where a quicker remediation comes in handy. &lt;a href="https://www.ivanti.com/ivanti-neurons"&gt;Ivanti Neurons&lt;/a&gt; helps IT to self-heal and self-secure, allowing IT to move swiftly to fix identified issues.&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;Conditional access:&lt;/strong&gt; A key step to reducing the attack surface is to form a policy on who gets access and how. Ivanti’s conditional access capabilities can help you here. For example, a user coming via an unmanaged device, unknown network, or some other condition will always be blocked and given a custom remediation page. This is powerful as you are only allowing devices you can trust. Even when sanctioned devices are allowed to access a service or resource, Ivanti’s solutions ensure that access is based on that endpoint’s and user’s security posture.&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;Patch Management:&lt;/strong&gt; Chances are your patches are not keeping pace with the changes and vulnerabilities discovered. While this may seem daunting for thousands of devices in your enterprise, we can help you achieve this in a few clicks. Using &lt;a href="https://www.ivanti.com/products/discovery"&gt;Ivanti Neurons’ discovery engine&lt;/a&gt;, you get a peek into services that you might not even know existed. Discovering the unknowns will help you understand the footprint across internal datacenters, or even public datacenters such as AWS.&lt;/p&gt;

&lt;p&gt;At the end of the day, we have to fight cyberattacks by cooperating and by executing on a “Never Trust, Always Verify” (aka Zero Trust) ideology using best-of-breed solutions. To summarize:&lt;/p&gt;

&lt;ul&gt;
	&lt;li&gt;Discover the unknowns of your enterprise via &lt;a href="https://www.ivanti.com/ivanti-neurons"&gt;Ivanti Neurons&lt;/a&gt;.&lt;/li&gt;
	&lt;li&gt;Have a patching cadence.&lt;/li&gt;
	&lt;li&gt;Try to implement passwordless technologies to reduce the attack surface for password theft.&lt;/li&gt;
	&lt;li&gt;Do not undermine mobile endpoints and provide attackers an entry point.&lt;/li&gt;
	&lt;li&gt;Have a policy for who gets access to a service or resource, and how, to limit unwarranted access.&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;Learn more about Ivanti Neurons and request a &lt;a href="https://www.ivanti.com/lp/uem/demos/end-point-manager" target="_blank"&gt;full private demo&lt;/a&gt; through our website.&lt;/p&gt;

</description><pubDate>Thu, 13 May 2021 21:54:27 Z</pubDate></item></channel></rss>