The Secure Element Podcast - Episode #6 Passkeys
Hey Friends, Episode 6 of The Secure Element is live, and this month, we’re diving into Passkeys. I sat down with Harsh Lal, Senior Software Engineer for Android Authentication at Google, and co-chair for the FIDO Alliance Financial Group, to explore what this next evolution of authentication means for both personal and enterprise security. We dive into: The password problem: Why complexity rules and password reuse create “keys to the kingdom” for attackers. Hardware-backed security: How passkeys live in your device’s Secure Element, making them virtually impossible to fish or extract. Enterprise readiness: Integrating passkeys with SSO providers and how to manage them. Hybrid flows: Using your phone to securely unlock apps on your work laptop via encrypted proximity tunnels. Listen to the episode here: Deep Dive To learn more check out Harsh’s blog series which tracks the evolution of FIDO experiences on Android, and explores how passkeys work across devices via Hybrid transport to make passwordless authentication available everywhere. Drop your questions in the comments - we’d love to hear how your organisation is approaching a passwordless future! Stay secure, Burr Missed an episode? Catch up here: Episode 1: EMM Controls Episode 2: Cyber Resilience on Edge Devices Episode 3: Federal Government Device Certification Episode 4: Device Trust from Android Enterprise Episode 5: End of year recap and what’s to come
2FA sign in error at Android Zero Touch portal
I am the IT admin/owner of our Android Zero Touch instance, and I am trying to log into the portal to view and interact with devices associated with our organization. Our zero touch instance is linked with our Intune tenant, and is working correctly. I keep getting the error that my sign in was rejected because it doesn't meet my organization's 2 step verification policy and to contact my IT admin for more information. I am that IT admin, and I can't login. My login information is correct, I have our account ID, and I'm just trying to get in touch with someone to help with the login. I can't even login to support portal to get help, so I had to use my personal Google account to post this.
Intune Management Capabilities for Samsung Devices
Dear Team, Greetings, I would like to better understand the management capabilities available for Samsung Android devices, with Intune . Specifically, I am looking for clarity on whether these devices can be fully managed through Intune instead of relying on the Samsung Knox management tool, including support for application deployment, patch distribution, firmware updates, and other administrative functions. Any slides reference would be good for my internal discussion ?.[Guide] Android Security Explained
Hey friends, For years, the misconception has been that Android isn’t secure enough for sensitive environments. We want to help you flip that script. Think of the Android Security Explained Paper as your "translation layer” - a resource to help you lead high-level conversations with leadership and prove that modern Android is the secure choice for any organization. What caught our eye: The Android vs. Apple shift: This is the big one, and we’ve seen it pop up time and again in the community. Recent independent reports challenge long-held assumptions, with data bolstering Android as a leader in enterprise and government-grade security. The foundation of trust: An easy-to-understand breakdown of how security is built directly into the hardware and core OS to meet stringent global standards. Complete Enterprise control: How the Android Enterprise framework gives you the granular control to enforce strict policy and protect data. If you’re planning your 2026 strategy or need to justify a shift in your mobile strategy, this paper provides the objective, third-party validation to back up your recommendations. [Click to download the 2026 Security Explained Paper] Stay tuned - our full-length technical Security Paper will be arriving soon for a deeper dive into the architecture! Stay secure! BurrCompliance project for Android?
Hi all, For Apple (iOS/MacOS ) we use the macos security compliance project tooling (https://github.com/usnistgov/macos_security#readme) for mapping compliance guidelines. A short summary: The macOS Security Compliance Project (mSCP) is an open‑source framework that provides automated, customizable security guidance and baselines for macOS, producing documentation, audit checklists, configuration profiles, and remediation scripts. It supports major security standards, including NIST SP 800‑53, NIST SP 800‑171, DISA STIG, CNSSI 1253, CIS Benchmarks, CIS Critical Security Controls v8, CMMC 2.0 Levels 1–2, and the Netherlands BIO baseline. I haven't found such a project for Android, as anyone aware of such a project that maps security guidelines to available API's for Android Enterprise? Michel
Android Expert Forum & Feature Request
Hey As I saw that bunch of question have been left unanswered on the expert forum is no one at Google monitoring the feed? I just wanted to post it here as the conversations seem to get more traction here. Is there official thread where feature request could be sent, I have been supporting mobile device management over way over a decade and in that time I have seen all sorts of things and there would be some features that would help greatly in managing enterprise environments with Android. Couple examples: It would be great if there would be a way to deploy some contact numbers to the devices on device address book, such service desk or onsite support number. This is especially needed for dedicated devices which usually do not have any email accounts associated with them and getting common contacts deployed to all devices is quite labor intensive with the current tools. Another one is the OS update management, which is lacking quite a bit, especially as I need to do a comparison to Apple and how their new OS update delivery works, it just makes the Android one lack in features. I would really want to see that on enteprise owned device we would have an override for downloading the OS updates via mobile data, as this is huge pain point when wi-fi networks are not available on some sites, and if the end users are not the most technically savvy, it would allow us admins to at least keep the fleet to some what up to date, obviously there still would probably be some issues, but the current status of the OS update policies is lacking. Also not sure should the update installation recognize on going phones calls when it is set to do the updates in automatic mode? As initially when we tried to apply it we got bunch of notifications that the updates where triggered during a phone call. /rant Thanks,
12 deliveries of AE-mas (What shipped in Android Enterprise in 2025)
2025 was a big year for Android Enterprise. This was the year several long-missed features finally landed, Device Trust became a thing, zero-touch got a compliance and audit boost, provisioning saw a revamp, and the Android Management API quietly kept adding the sort of controls that make admins' lives easier. So, in the spirit of celebrating a strong year for the platform, here are 12 Features of AE-mas (let's not worry about the title.. I was strugglin'), in no particular order, chosen somewhat at random as - would you believe - the list could have been longer should I have chosen not to follow the 12 days of Christmas as the theme.. 12. APN overrides via AMAPI APN management finally arrived. In May 2025, AMAPI gained apnPolicy, allowing admins to define and enforce APNs directly through policy. This closes a long-standing gap for cellular deployments where “just set the APN” has historically been anything but. It's great to see this functionality pulled out of OEM config and into the AMAPI layer, giving admins access to on-device APIs that have been effectively off-limits for years. Read about APN here. 11. Developer verification for Android Developer verification isn't coming until next year, but we're talking about it already, and work is in progress to bring it to fruition now. Developer verification raises the bar for Play publishers by requiring stronger identity verification. For enterprise, it’s a supply-chain win: fewer convincing lookalikes, higher friction for malicious publishers, and a clearer answer when security teams ask “who made this app, exactly?”. There’s pushback in the community, there's a lot of misunderstandings about the requirements and ramifications, but hopefully as time goes on this will settle on both sides through further transparency and discussion. Organisations deploying private apps to their own tenants are currently exempt, but it remains a big change nonetheless, and organisations benefit from the wider boost in authenticity of apps and developers. I covered off more about developer approval here. 10. Device Trust from Android Enterprise This was the year Device Trust arrived. Device Trust enables real-time posture and integrity signals (Play Integrity verdicts, boot state, security patch recency, lock-screen presence, strong auth age, OS tamper signals) that can be evaluated continuously rather than only at enrolment, and on both managed and unmanaged devices. It's a huge boost for MAM-type deployments, security solutions, and allows traditionally EMM-dependent vendors the freedom to operate independently. This isn’t a small feature. It fundamentally changes how Android Enterprise fits into modern security architectures. I wrote more about Device Trust here. 9. Custom app management via AMAPI (CUSTOM install type) One of the most consequential releases of the year, perhaps even since AMAPI began half a decade ago. AMAPI introduced first-class support for installing and managing custom applications using installType: CUSTOM, backed by signing certificate validation (appSigningKeyFingerprints) and explicit install and uninstall commands. It allows organisations reliant on line-of-business (LOB) internal applications to ditch any and all wild-west sideloading for a policy-driven, verifiable deployment, which is exactly what enterprise actually needs. All without the need for uploading apps to Google Play. I wrote more about custom apps here. 8. Zero-touch portal audit logs and admin roles The zero-touch portal became auditable and permission-scoped in 2025. Google rolled out audit logs to the zero-touch customer portal, capturing all admin actions needed to ensure the platform is no longer a black hole of who did what. Alongside this came clearer admin role separation, reducing the blast radius of operational mistakes. For regulated environments, this turned zero-touch from a black box into something governance teams could actually trust. 7. Android 16 provisioning improvements One of the greatest improvements to the enrolment flow happened in 2025, and it was so long overdue! Android 16 brought a clear push toward more reliable setup flows, fewer steps, and the ability to update it on the fly, as opposed to being stuck adjusting it only on major version releases. I put out a video nearer the start of the year, while 16 was still in beta, which you can see on LinkedIn here. With this newer approach, Google is beginning to leave behind the old managed provisioning flows baked into AOSP, though they're still there as a fallback today. It'll be interesting to see how this evolves. 6. Application roles in Android Management API This was unexpected. Application Roles formalised entire classes of enterprise apps, including: COMPANION_APP KIOSK MOBILE_THREAT_DEFENSE_ENDPOINT_DETECTION_RESPONSE SYSTEM_HEALTH_MONITORING Apps assigned these roles can be exempt from background execution limits, power management, suspension, and hibernation on modern Android versions, with user control restricted by default. This isn’t just about companion apps - it’s about enterprise software finally being treated as first-class by the OS, and adds much-needed flexibility with far less configuration and overhead. 5. Default application management policy Admins finally gained control over default apps. AMAPI added a policy allowing admins to define a prioritised list of default applications per app type (browser, dialler, etc), setting the first qualifying app as default and preventing user changes. For compliance-sensitive fleets - browsers, diallers, PDF viewers - this is the sort of boring control that saves hours. It's predominantly Android 16+, but there's a few that go back a few versions of Android. Read more about default applications here. 4. RCS archival RCS has long been the compliance blind spot for Android Enterprise fleets, with SMS/MMS archiving handled by legacy tools while RCS was left out in the cold. In December, Google release a supported way to archive RCS/SMS/MMS on fully managed devices, with Google Messages as the mandated client. Once those prerequisites are met, admins can configure Messages to forward message bodies, metadata, and attachments to a SIEM/service/archival tool on a schedule or trigger with no needed workarounds or limitations of legacy solutions. It’s - to reiterate - Google Messages only for now (OEM messaging apps remain out of scope unless they add their own support), but it gives regulated orgs a sanctioned retention path for rich messaging at last. It has been met with quite a bit of mixed feelings, and even more FUD. I go into more detail about RCS archiving here. 3. App functions and cross-profile controls Android 16 brought app-to-app interaction under policy control. New settings allow admins to govern whether apps can expose app functions, and whether personal-profile apps can invoke functions exposed by work-profile apps, bringing finer control to cross-profile linking scenarios. Niche, but powerful for when this functionality takes off in enterprise workflows. 2. Android App Bundle (AAB) support in the Managed Play iframe This finally removed a long-standing enterprise limitation. In March 2025, Android App Bundle uploads became supported in the Managed Google Play iframe. Private apps finally gained parity with public Play distribution, including split APK delivery and more efficient installs. I wrote more about AAB here. 1. Android’s accelerated platform release cadence The change that underpins everything above. Android is shifting toward more frequent platform releases, with Android 16 landing far earlier than usual and signalling a broader move away from a single annual cadence. Harder to track? Maybe. I'm having a lot more fun poking around the Android Canary builds looking for unreleased functionality than I do sleuthing around AOSP code, though! Better for shipping enterprise capability without waiting a full year? Also yes. Signing off Android Enterprise levelled up across the board in 2025. From trust and supply-chain integrity to app management and provisioning improvements, the team set the bar really high this year. Let's hope the momentum continues in 2026! Which of these made the biggest difference for you this year, and what are you hoping lands in 2026? Happy holidays and here’s to a wonderful New Year!
