An Introduction to Android for Work
What is AfW and what does it do?
Android for Work (AfW) is a platform from Google that improves Android usability, security, and flexibility in work environments. AfW covers enterprise mobility management, security, and mobile application management. AfW is a platform, not just a product. But, AfW can be activated through the AfW mobile application.
When AfW is activated on Android devices that are utilized for both personal and work use, AfW separates your business apps from your personal apps, but everything is stored on the same device. This keeps data private for both parties. For corporate-liable devices, AfW provides enhanced control over both hardware and software, allowing an administrator to specify which apps and hardware features may be used.
For software developers or EMM providers, such as MobileIron, AirWatch or SOTI, AfW provides application programming interfaces (APIs) to enable Android devices to be used in different business environments. Such uses include kiosks and other purpose-enabled devices, or allowing custom management functionality of business devices.
For an in-depth introduction to Android for Work, see Google’s intro page.
What "modes" is it used in? (COSU, COBO, COPE, BYOD). What are these?
These modes present a spectrum of device usage from company-owned to personal, and from single-use to multi-use.
- COSU- Corporate-owned, single-use. These may be referred to as “kiosks” or “purpose-built devices”. This mode gives the company the most control over what employees (and customers) can do with the device. One application is intended to run on the device; that’s it.
- COBO- Corporate-owned, business only. Like COSU, COBO devices are used only for business purposes. But they are typically multi-use devices. They may have several or many apps installed, and employees can typically access corporate data.
- COPE- Corporate-owned, personally enabled. Gives more control to the company than BYOD mode, but allows more freedom for employees than COBO mode. The company issues a device to an employee, but the employee can also use it for personal tasks, as well as access business data outside the office.
- BYOD- Bring your own device. Gives a much lower level of control to IT, and maximum freedom for workers. Employees can access business emails and other data outside the office. Security is a concern with BYOD, but but AfW's separation and security is designed to answer that concern.
Blackberry has written a paper that provides some pros and cons of each approach.
Why is AfW useful to companies and organizations?
Depending on the use case, as described above, Android for Work has several advantages:
- More security if the company has implemented a BYOD or COPE approach vs. not using AfW.
- Employees have privacy; the company can’t access their personal apps and data.
- Employees can access work accounts from outside the office.
- IT can remotely wipe data from the employee’s work apps without affecting personal apps.
- Android is familiar to many users, so employees don’t have to adjust to using a new interface.
- AfW provides greater control and tracking of company devices.
- AfW provides more deployment options, like BYOD, that can lower costs for IT departments.
What is the difference between the Android for Work app that works in Android 4.x and the integrated support found in Android 5 and later?
Beginning in Android L (5.x or “Lollipop”), Android for Work became an integrated part of the Android operating system. This article intentionally covers mostly Android L and M (6.x or “Marshmallow”). For devices running Ice Cream Sandwich through Kitkat (4.0-4.4), or that don’t run work profiles natively, Google created an Android for Work app. The app delivers secure mail, calendar, contacts, documents, browsing and access to approved work apps, but it does not provide full device control.
What changed between Android 5 and 6?
Android Marshmallow changes include:
- A notification appears when you’re using a work app.
- Work contacts appear for incoming calls, rather than using just personal contacts.
- Access VPN (Virtual Private Network) apps in settings.
- Faster deployment because device provisioning and user setup has been streamlined.
- IT can remotely configure individual app permissions.
- Admins can silently give work apps access to certificates and can set a third party app to delegate certificate installation.
- To keep tabs on corporate data plans, IT can monitor data usage for apps in the Work Profile or on Work Managed Device.
- To lock down a device for a single purpose, IT can remotely control the lockscreen, status bar and screen and restrict the safe boot function.
- Admins can auto-accept system updates and specify windows for updates.
- IT can push out and remove apps to a managed device without user intervention.
How can I use it?
Directions for setting up Android for Work on your device can be found here.
How does AfW support kiosk applications?
In Android Marshmallow, IT can remotely control the lockscreen, status bar and screen, and restrict the safe boot function to lock down the device for a single purpose. AfW also provides programming interfaces to set the “device owner,” an app which is able to control certain device features, and lock itself as the “home screen.” In this way, an app can make itself a single-purpose device. Only one app can be the device owner, and it can install itself only from a factory-default configuration or through EMM software.
How does SDG Systems support AfW today (February 2016)?
SDG Systems provides an application called Blue Agent Writer. It allows an IT administrator to provision an Android 5 or higher device with a device owner application, like a kiosk app or a device policy controller (DPC). This essentially provides greater control over the hardware to “pin” or lock the kiosk app (i.e., make it the only app that can be accessed) and to provide device management. Learn more about Blue Agent Writer here.
As a demo in Blue Agent Writer, we provide a demo kiosk application. This kiosk application was described, with source code, in a separate blog article. SDG’s software engineers can integrate this capability into your existing apps to turn them into kiosk-mode programs. We can also create a custom launcher to allow your device to run just a few applications. Please contact us for more details.