Android R, or Android 11, is this year’s new version of the Android operating system. While the update doesn’t bring many major changes overall, it does bring one that is relevant for companies that provide corporate devices, allow their private use, and use Android Enterprise: Android R changes the COPE model, in which devices were previously managed using a Work Profile on Fully Managed Devices. This profile will be replaced by the so-called “Enhanced Work Profile”, which comes close to the BYOD scenario and allows significantly fewer management options in the private area than before.
BYOD, COPE, COBO vs. COSU
No matter whether a device is owned by the company or the employee: When it comes to corporate data, companies have the need to secure that data – but also the duty to protect the privacy of users. That’s why Android has four different models that offer different management options in Unified Endpoint Management systems for IT administrators, depending on ownership and usage:
- Bring Your Own Device:
BYOD devices are private devices that are also used for business. To protect employee privacy, the settings that administrators can change are few and focused on ensuring the security of corporate data. For example, an enterprise app store can be offered, a PIM application can be installed, data transfer to unauthorized applications can be prevented and data can be deleted from the device if necessary. Users must install a so-called Work Profile, or it can be distributed to the devices via a UEM system.
- Corporate Owned Personally Enabled:
COPE devices are corporate property but are also enabled for private use. Here, professional apps are protected in a container that is managed by a Work Profile. Comprehensive security policies can be enforced. For example, the use of cameras, WLAN, and data roaming can be restricted and insight can be gained into the security of private and business applications.
- Corporate Owned Business Only:
COBO devices are also corporate devices, but are only allowed to be used for business purposes. Here the entire device is secured – with extensive management options. For example, it can be specified that apps may only be downloaded from the corporate app store.
- Corporate Owned Single Use:
COSU devices are also company devices that are operated in a kiosk mode and are restricted to certain applications. Here, the user interface, range of functions, and applications can be completely limited.
The management options of companies are usually defined in their policies. If the COPE model is too intrusive for an employee, he or she can simply do without the private use of the device.
The future: The "Enhanced Work Profile"
According to Google, the COPE model will move much closer to the BYOD scenario in the future: administrative options in the private area will be restricted, and management will be confined to the professional context. Settings that affect the privacy of users can no longer be made to the depth that is currently possible. The previous Work Profile will now be replaced by an “Enhanced Work Profile”, which separates and secures professional data and applications from private data.
This means that it will still be possible in the future, for example,
- to prevent the device from being reset to factory settings,
- to limit the pausing of the Work Profile to a certain period of time and
- to place the device under the management of the UEM system directly during the initial installation.
But it will no longer be possible
- to view all privately installed apps,
- to install apps in the personal area as administrator or prevent the installation of an app there and
- to locate a device.
The release of Android 11, and with it the introduction of the new “Enhanced Work Profile”, is currently scheduled by Google for the end of Q3/beginning of Q4 2020.
How will the migration succeed?
Companies now have two options for COPE devices: either they switch to the COBO model and prevent private use of the devices, or they stick to the COPE model with the new “Enhanced Work Profile” and forgo some management options. This decision cannot be postponed in the long term.
For existing devices, the profile is automatically changed to the “Enhanced Work Profile” as soon as a device is upgraded to Android R. Existing policies that affect the privacy settings described above will then be deleted and become ineffective. Administrators will no longer have access to related information. New devices must be provided with the new “Enhanced Work Profile” via Zero Touch or QR Code enrollment.
The migration to the “Enhanced Work Profile” is not a big step for many companies. This is because, to protect the privacy of employees, many companies have not made use of the previous COPE options that concerned the private area, or have not been able to. Some UEM providers have previously supported this by not letting companies implement settings that affect privacy.
However, companies should consider at an early stage whether they can do without the information and management options that will no longer be available in the future – or whether the COBO model could be the better alternative.
Please contact us so we can advise and support you with regard to the conversion.