Securing your Business: Checklist for Android device offboarding
Modern workplaces are full of digital footprints. From day one, employees leave a digital trail, from corporate email accounts to VPN access and social media updates. So, to ensure a secure exit, it's vital to have an offboarding process in place. Companies must carefully decouple an employee's digital footprint to mitigate risks like data breaches and unauthorized access. To help you with this, we've created a checklist of things to consider when offboarding an employee. While the exact process will vary from organization to organization, read on for some handy tips. IT Admins: Checklist for a Secure Exit Once the employee offboarding process has been initiated, you’ll need to consider the level of remote access the employee should retain. It may be a good idea to reduce this in stages, affording the employee enough time to backup personal and corporate data appropriately. Or depending on the level of sensitivity, more immediate restrictions may be appropriate. Identify the user’s device(s): Use your MDM solution to locate the employee’s device. Limit access: If your company leverages SSO, you can immediately revoke a user's access to all apps by revoking their SSO tokens. Otherwise, you will need to consider the following: Email: Disable the user's email account. Redirect incoming emails to an appropriate recipient or archive them. Company Apps: Remove the user's access to company-specific apps, or third party apps that were previously authorized. Revoke app licenses, if applicable. Cloud Storage: Revoke the user's access to cloud storage services (e.g., Google Drive, Dropbox). Remove the user from shared folders and documents. Collaboration Tools: Remove the user from collaboration tools (e.g. Google Workspace, Microsoft Teams). Revoke access to shared documents and projects. VPN and Remote Access: Disable the user's VPN and remote access privileges. Revoke any VPN certificates or keys. Data Retention and Archiving: Determine the appropriate retention period for the employee's data and implement necessary archiving procedures. Ensure compliance with data privacy regulations. Deactivate User Account: Deactivate the user's account to prevent future access, while allowing other employees to still access any documents associated with the deactivated account. Configure Factory Reset Protection policies: To ensure a seamless offboarding process for company-owned Android devices, it's crucial to properly configure Factory Reset Protection (FRP). If you've already configured your FRP policies, you can skip to step 4. Otherwise, let's dive into the details. Factory Reset Protection (FRP) is a security feature designed to protect Android devices from unauthorized access after a factory reset. It requires authentication with the Google account last used on the device. While this is a valuable security measure, it can complicate device management, especially during employee offboarding. To ensure a smooth offboarding process, consider these two approaches: Enable Enterprise Factory Reset Protection (EFRP): Designed for Enterprise, EFRP allows you to specify which Google Accounts can activate a device that has been factory reset and locked by FRP. These approved users can unlock company-owned devices that have been factory reset, without the need for the previous user’s Google account details. This approach provides a balance between security and manageability. Disable FRP: Disabling FRP allows you to factory reset devices without requiring the previous user's Google account credentials. This can simplify the offboarding process, but it also reduces the device's security. Use with caution, particularly for devices that are at risk of loss or theft. Important Note: Resetting a device through the Settings app typically doesn't trigger FRP, except in specific scenarios involving company-owned devices with Work Profiles and EFRP enabled. Therefore, it's crucial to disable FRP or enable EFRP before initiating a factory reset to prevent potential lockouts. Remote wipe: After allowing the user a brief period to back up personal data on company-owned devices, or transfer ownership to work files, remotely wipe the device. Depending on the device’s enrollment method either: Factory Reset: For company-owned devices, instigate a factory reset to erase all work apps and data from the device without physical access. Remove Work Profile: For BYOD devices, use your MDM solution to remove the user's Work Profile from the device. This will eliminate company apps, data, and settings from the device. Note, personal data is unaffected by the removal of the Work Profile so does not require backup. Revoke device access: Deactivate the device from your MDM solution. This will prevent the device from receiving updates, policies, and security patches. Asset retrieval: Create a comprehensive inventory of all physical assets assigned to the employee (e.g., laptops, phones, keys, badges). Ensure all physical assets are returned or disposed of securely. Update device inventory: Update your device inventory to reflect the device's status (e.g. retired, reassigned). Employees: Your Role in a Secure Exit Data Backup: Use a personal cloud storage service or external storage to back up any personal data that you want to keep before the device is wiped or reset. Following your company's guidelines for data backup, ensure that all company data is backed up to the appropriate location or cloud storage. App Removal Clear the data and cache for these apps to remove any sensitive information. Uninstall any company-owned or work-related apps that you no longer need. This may include email, calendar, and productivity apps. Network Access: Disconnect from any company VPN connections. Remove any VPN profiles or certificates. Forget any saved company Wi-Fi networks. Personal Cloud Storage: Download and save any personal files from company-provided cloud storage. Revoke access to personal accounts linked to company devices. Assets: Depending on company policy, return all corporate devices and accessories to the IT department or designated location. Ensure that the device is in good condition and free of any damage. Social Media Accounts: Review and remove any company-related content from personal social media accounts. Update privacy settings to limit public visibility. Best Practices From the off, it’s good to keep handover in mind. After all, the more structure in place when setting up, the easier handover will be. With this in mind we've put together some tips and best practices to consider when starting out, or even implementing further along. Setting Up Devices and Profiles Separate Profiles: Create separate profiles for work and personal data to improve security and privacy. Use work profiles to enforce company policies and manage company-owned apps. Corporate email accounts: The improved Android sign-up process makes it easier for IT admins to sign-up and access Google services using their corporate email addresses. This eliminates the need for personal Gmail accounts, leading to cleaner handovers when an employee leaves. Plus, certain setup tasks can be managed centrally through the Google Admin console, again making it much easier to keep track, document and handover tasks. Centralized Management Avoid the hassle of being locked out of corporate Google accounts when the time comes for the admin that set up the account to embrace a new opportunity. Maintaining a centralized approach avoids having a sole owner of any Google accounts, making it easier to manage and maintain control and access to business Google accounts in the event of a handover. IT admins can also easily track, document, and hand over administrative tasks in this way. Default Settings: Configure default settings for devices and profiles to streamline the onboarding process and ensure consistency. Consider using templates or scripts to automate device setup. App Management: Use Google Managed Play to create a customized and secure app store for different business needs and user roles and have more control over which apps employees can install and use. Policy Enforcement: Implement policies to enforce security measures such as password complexity, screen lock timeout, and data encryption. Use conditional access policies to restrict access to company resources based on device compliance. Employee Training Remember, documented procedures and workflows are vital for mitigating risks associated with employee turnover. Proactive documentation ensures business continuity and minimizes disruptions during employee transitions. Provide employees with clear guidelines and training on their responsibilities during the offboarding process. Educate employees on data security best practices and the importance of returning company assets. Regular Reviews Review and update your offboarding procedures regularly to ensure they remain effective and aligned with evolving security threats. Conduct periodic security audits to identify and address any potential gaps. A well-executed offboarding process is crucial for safeguarding your organization's sensitive data and maintaining security. By following the checklist provided, you can effectively mitigate risks, minimize disruptions, and ensure a seamless transition for both the departing employee and your organization. Like and share this post to help others secure their organization's digital footprint! Let us know your thoughts and experiences in the comments below. Do you have any additional tips for a smooth offboarding process?Debunking 12 Android Enterprise myths
Have you ever heard statements like “Android just isn’t secure” or been asked whether BYOD is too risky for enterprise? These concerns, often based on outdated perceptions, can prevent businesses from fully realizing the benefits of Android Enterprise. So, let’s cut through the noise. Here we’ll address 12 common misconceptions and explore the realities of deploying and managing Android devices in today’s modern workplace. Myth 1: Is Android really less secure? Reality: Always-on security. Android offers proven, multi-layered, proactive security With a zero-trust approach to security, Android operates under the principle of "never trust, always verify." It continuously assesses the security posture of devices and applications, and grants access based on real-time risk assessments. Built-in security at every level includes hardware-level safeguards like verified boot and encryption, software-level protections such as application sandboxing, and proactive threat detection with Google Play Protect. The result is robust defense. Combined with granular control organizations maintain a high level of security while empowering employees with the flexibility of mobile work. Want to dive deeper? Enjoy a cup of tea while you explore our security paper. Myth 2: Android Enterprise is only suitable for large enterprises Reality: Designed for scalability, Android Enterprise can be effectively deployed by businesses of all sizes Android Enterprise offers a range of options to deploy and manage Android devices, so businesses of all sizes can choose the model that best suits their needs and budget. For smaller businesses, BYOD can significantly reduce upfront costs associated with purchasing and managing a fleet of company-owned devices. Plus, the Google Admin console provides a user-friendly interface, simplifying tasks like device provisioning and policy enforcement, making it easier for businesses with limited IT resources to manage their mobile workforce effectively. By offering a range of deployment options, simplified management tools, and cost-effective solutions, Android Enterprise empowers businesses of all sizes to leverage effective device management. Myth 3: BYOD is too risky for enterprise environments Reality: With the right approach, Bring-Your-Own-Device (BYOD) can be a secure and cost-effective strategy Android Work Profile provides a self-contained profile on an Android device that isolates work apps and data from personal apps and data, enabling businesses to safely implement BYOD policies. This secure container safeguards sensitive company data through robust encryption and remote wipe capabilities, even if personal apps are compromised. Work Profile also empowers organizations with enhanced app management capabilities. Businesses can implement approved app lists, ensuring only necessary applications are used for work, without impacting personal app usage. Additionally, they can enforce restrictions on specific app functionalities within the work environment. With these advanced security and management features, Work Profile empowers organizations to securely embrace the flexibility of BYOD. For more detail explore this Work Profile Security on Company Owned Devices paper. Myth 4: Android Enterprise is too complex to implement and manage Reality: Android Enterprise simplifies device management with powerful tools designed for businesses Android Enterprise has significantly simplified management with features like zero-touch enrollment for easy device setup and streamlined policies for controlling work apps and data. Managed Google Play empowers IT administrators with granular control over app distribution and management, ensuring only approved applications are installed on company devices, including tailored company apps. By integrating with leading EMM providers to leverage these tools, businesses can easily customize devices to meet their specific needs, enforce security policies, and manage their mobile workforce efficiently. Myth 5: Android devices are more susceptible to malware Reality: All mobile devices can be targets for malware, but Android has implemented robust security measures to protect against threats Google Play Protect leverages machine learning to proactively detect and combat malware, phishing attacks, and ransomware. It scans apps both before and after installation, even monitoring them for suspicious behavior after download. This proactive approach, combined with regular security updates, provides a robust defense against malicious software, significantly reducing the risk of installing and running harmful apps on Android devices. See for yourself with our Transparency Report. It highlights just how rare downloading potentially harmful applications on an Enterprise device really is. Myth 6: BYOD makes it difficult to achieve a good work-life balance Reality: Android Work Profile allows employees to easily switch between work and personal profiles, enabling them to disconnect from work when they need to By separating work and personal data and apps, Work Profile helps employees maintain a clear boundary between work and personal life, reducing stress and enhancing well-being. Employees can seamlessly switch between the Work Profile, and their personal profile, enjoying a familiar device environment while empowered to toggle off work notifications and fully disconnect for a better work-life balance, increased productivity and employee wellbeing. Myth 7: Android Enterprise is not suitable for highly regulated industries Reality: Android Enterprise provides the robust security and compliance features necessary for highly regulated industries Highly regulated industries require robust mobility management solutions with exceptional flexibility and control. Android Enterprise delivers strong security, powerful device management, and innovative solutions to manage and deploy devices seamlessly across diverse use cases. Continuously evolving to address dynamic compliance requirements, Android 15 introduced enhanced security logging aligned with the latest NIAP regulations. Plus, the Android Management API empowers businesses with the agility to adapt policies and ensure compliance with developing industry regulations and security standards. Discover how Android Enterprise empowers financial services in our customer stories, or explore exactly how we comply with industry standards and Android’s certifications in our security paper. Myth 8: Android is fragmented and updates are slow Reality: Android ensures a smooth and consistent user experience alongside simple and robust management capabilities While Android's open nature has historically presented challenges in terms of device fragmentation and update consistency, this view is outdated. As an open-source platform, Android benefits from rigorous scrutiny by a diverse community, including developers, security researchers, and even government agencies. This constant feedback accelerates security advancements. Initiatives like Project Treble have revolutionized the update process by decoupling core Android components from device-specific software. This allows manufacturers to deliver the latest security patches and feature updates more quickly and efficiently. The Android Enterprise Recommended program prioritizes timely security updates and OS upgrades for participating devices, ensuring a more consistent and secure user experience. More widely, Google releases monthly security updates to the platform, the details of which can be found on the Android Security Bulletin. Recommended EMM partners provide essential tools for managing these device updates, ensuring timely patching to maintain a secure mobile environment. Myth 9: Android devices aren't premium Reality: The Android ecosystem boasts a wide range of devices, from budget-friendly options to high-end flagships that rival the best in the industry Premium Android devices offer cutting-edge features like powerful processors, high-resolution displays, and advanced camera features, and innovative designs for a premium user experience. To ensure a consistent and high-quality experience for businesses, the Android Enterprise Recommended program certifies devices and solutions that meet Google's strict enterprise requirements, giving businesses confidence in their chosen devices. Myth 10: The Play Store is limited Reality: The Google Play Store is a vast marketplace with millions of apps, including a wide range of enterprise-grade solutions. From productivity tools and communication apps to industry-specific solutions, the Play Store offers a diverse range of applications to meet the unique needs of any business. Plus, the Play Store empowers businesses to develop and distribute custom applications. By leveraging Android developer tools, businesses can create tailored solutions and securely distribute them to their employees through Managed Google Play. This effectively creates a custom app store while benefiting from the built-in security and robust infrastructure of Google Play Protect. Myth 11: Android Enterprise devices are separate to regular Android devices Reality: The hardware remains the same Android Enterprise is not a separate operating system. It's a suite of tools that enhances the core Android OS with enterprise-grade features and management capabilities. This means any Android device can leverage Android Enterprise, providing businesses with the flexibility and control to meet their specific mobility requirements while maintaining the familiar Android user experience. Myth 12: You can only use Android Enterprise with Google's products and services Reality: While Google offers a robust suite of productivity and collaboration tools, Android Enterprise is designed to be highly interoperable Android Enterprise is only supported on Play protect certified devices. These devices often come pre-installed with popular Google services like Chrome, Google Play Store, and Google Maps (GMS). However, this does not limit users to Google's ecosystem. Android Enterprise seamlessly integrates with a wide range of third-party enterprise applications and services, including those from Microsoft, Salesforce, and others. This flexibility empowers businesses to choose the best software solutions for their specific needs, regardless of their preferred technology stack. Were you surprised by any of these myths? Have you encountered similar challenges or misconceptions in your own experiences? Let us know in the comments below.Stronger management of company-owned devices with Android 15 for business
15th October, 2024 For company-owned devices, Android 15 empowers you with advanced management capabilities to help you take control, optimize your fleet of devices, and safeguard your business – on your terms. Explore new tools to navigate the modern workplace with Android 15. Streamline eSIM management for managed devices Android 15 streamlines adding, removing and provisioning eSIMs on both company-owned devices and managed BYOD devices. Simple eSIM management* on managed devices makes it easier to onboard and offboard employees. This means IT admins can spend less time setting up eSIM devices, and more time on impactful work. *For all devices, eSIM management is conducted via the EMM. Additionally, for BYOD devices, the device’s owner is responsible for using and activating the eSIM, and the user can delete the eSIM at any point. Secure personal profiles and private spaces on COPE devices Extend your existing personal app policies to the private space on company-owned devices. IT admins have better control over the device’s security posture with a limited set of privacy preserving security restrictions* for selected apps outside the Work Profile on company-owned devices. An additional set of privacy safe security configurations for core apps will be made available at a later date. *AMAPI managed devices will have the ability from Android 15 onward. Managed configurations apply only to company-owned, personally enabled (COPE) devices. Enforce the default apps for personal profile on company-owned devices IT admins can now enforce the default dialer, messaging app, and browser* in the personal profile when setting up company-owned devices to add an extra layer of security without compromising user experience. * Available only on company-owned, personally enabled (COPE) devices. IT admins can only make an app the default if it’s already in the user’s personal profile. To ensure OEM defaults for dialer and browser are set, this feature should be configured prior to set up. Enable seamless searching for your teams with Circle to Search Forget juggling multiple apps. With new admin controls for Circle to Search* on both fully managed devices and within the Work Profile, IT can confidently empower employees to search directly from their work apps. They can simply circle, scribble, or tap content for more information. *Circle to Search requires internet connection and compatible apps and surfaces. Results may vary depending on visual matches. For Android Enterprise managed devices, the feature is available on fully managed devices and devices with Android Work Profile. For company-owned, personally enabled (COPE) devices, Circle to Search is subject to the IT admin’s ability to turn off screen capture, which will disable the feature. For employee-owned devices with an Android Work Profile, Circle to Search within the personal profile remains unaffected by IT admin policies. Available on Pixel P8, P8 Pro, P6 series, P7 series, Pixel Fold, Pixel Tablet, Samsung S24 series, S23 series (incl. FE), S22 series, S21 series, Z Flip 3/4/5, Tab S9 series, Tab S8 series. Extend battery life with screen brightness and timeout controls Android 15 introduces screen brightness and timeout period controls* for company-owned devices. IT admins can adjust settings to optimize device efficiency for frontline staff, extending battery life to help them power through a shift without any device downtime. *Available on company-owned, personally enabled (COPE) devices, fully managed devices, and dedicated devices. Read Enhanced employee and device protection with Android 15 for business next. Learn more in our Help Center FAQ. Register for the community to access and download these images and an Android 15 slide deck. How helpful will these new features be to your business? We’d love to hear your thoughts and feedback below![Community tips] What to consider when choosing a device management option?
Hello everyone, I hope you are having a great start to your September. Considering what device management option(s) will work best for your company and employee needs is an important undertaking. From strictly controlled devices to more flexible setups, you’re able to choose the management type that best aligns with your goals and the way your employees use devices. Here in the community we often see questions on this area and so I thought similar to our discussion on choosing a EMM, many of you have been through this experience (and continue to consider this). It would be fantastic to hear your community tips and advice. What tips would you recommend to someone considering and researching which particular management option to implement? How did you choose the best fit for your business needs? What are your main considerations? If you are currently going through the process, please do comment too, it would be great to hear from you. Looking forward to hearing from you. Thanks so much, Lizzie
