
Introduction

As organizations become increasingly dependent on mobile devices for day-to-day operations, securing these endpoints has never been more critical. From frontline workers using rugged Android devices to corporate teams accessing sensitive data on the go, mobile devices have become an integral part of business workflows. However, this growing reliance also introduces security risks.

With more company data being accessed and stored on mobile devices, they have become prime targets for cyber threats, including malware, phishing attacks, and unauthorized access. A compromised device can expose potentially sensitive corporate information, disrupt operations, or even be used as a means for adversaries to move laterally within a network. To mitigate these risks, organisations should take a proactive approach to securing their Android fleet.

This is where Workspace ONE UEM comes in. By leveraging its security and management capabilities, businesses can enforce policies, lock down devices against threats, and ensure devices remain in compliance. In this post, we’ll explore some essential steps to harden Android devices using Workspace ONE UEM, helping organizations strike the right balance between security and usability.

Key Methods

Here’s a rundown of the key methods organisations can use to harden Android devices via Workspace One (WS1).

Apply a Lockscreen Passcode Profile

This is one of the most basic security measures, and it significantly improves device security: it automatically enables device encryption and limits what an adversary can do after gaining physical access to a device. Many users enable lockscreen security on their own, but applying a profile ensures consistency and removes the weaker options. When deploying a Passcode profile, consider:

  • Setting a Minimum Passcode Length
  • Requiring a complex or complex numeric password/PIN
  • Setting a maximum number of failed attempts before the device is wiped
  • Setting a maximum number of repeating characters
  • Defining a passcode history, which sets how many times a passcode must be changed before a previous passcode can be used again
  • Requiring external SD card encryption (Samsung devices)
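To show what each of these settings actually rejects, here is an added example (written for this post, not Workspace ONE UEM's or Android's own implementation) of a passcode checker that applies a minimum length, a complexity requirement, a maximum run of repeating characters and a passcode history. The thresholds and the sample passcodes are constructed; the "complex" and "numeric complex" rules follow Android's published definitions (a letter, a digit and a symbol for complex; digits only with no repeating or ordered sequences for numeric complex).

```python
"""Constructed example: what each passcode-profile setting rejects.
Thresholds and sample passcodes are illustrative; this is not UEM or Android code."""
from dataclasses import dataclass
import hashlib


@dataclass(frozen=True)
class PasscodePolicy:
    min_length: int = 6
    quality: str = "complex"        # "complex" or "numeric_complex"
    max_repeating: int = 2          # longest run of one character allowed
    history_length: int = 5         # previous passcodes that may not be reused


def longest_run(s: str) -> int:
    """Length of the longest run of identical consecutive characters."""
    best = run = 1
    for prev, cur in zip(s, s[1:]):
        run = run + 1 if cur == prev else 1
        best = max(best, run)
    return best


def is_numeric_sequence(s: str) -> bool:
    """True for repeating or ordered digit sequences such as 1111, 1234, 4321 or 2468
    (a constant step between neighbouring digits)."""
    if len(s) < 2:
        return False
    digits = [int(c) for c in s]
    steps = {b - a for a, b in zip(digits, digits[1:])}
    return len(steps) == 1


def passcode_hash(passcode: str) -> str:
    """Only hashes are kept in the history, never the passcodes themselves."""
    return hashlib.sha256(passcode.encode()).hexdigest()


def check_passcode(candidate: str, policy: PasscodePolicy, history: list) -> list:
    """Return the list of policy violations; an empty list means the passcode is accepted.
    `history` holds hashes of previous passcodes, newest last."""
    violations = []
    if len(candidate) < policy.min_length:
        violations.append(f"shorter than {policy.min_length} characters")
    if policy.quality == "numeric_complex":
        if not candidate.isdigit():
            violations.append("numeric_complex requires digits only")
        elif is_numeric_sequence(candidate):
            violations.append("numeric_complex forbids repeating or ordered sequences")
    elif policy.quality == "complex":
        has_letter = any(c.isalpha() for c in candidate)
        has_digit = any(c.isdigit() for c in candidate)
        has_symbol = any(not c.isalnum() for c in candidate)
        if not (has_letter and has_digit and has_symbol):
            violations.append("complex requires a letter, a digit and a symbol")
    if longest_run(candidate) > policy.max_repeating:
        violations.append(f"more than {policy.max_repeating} repeating characters")
    if passcode_hash(candidate) in history[-policy.history_length:]:
        violations.append(f"reused within the last {policy.history_length} passcodes")
    return violations


if __name__ == "__main__":
    previous = [passcode_hash("Old-pass1")]           # constructed history
    for attempt in ("Summ3r!x", "Old-pass1", "Summ3r!!!", "password"):
        print(attempt, check_passcode(attempt, PasscodePolicy(), previous) or "accepted")
    pin_policy = PasscodePolicy(quality="numeric_complex")
    for attempt in ("123456", "111111", "271828"):
        print(attempt, check_passcode(attempt, pin_policy, []) or "accepted")
```

The history check compares hashes rather than plaintext, which is also how a real implementation should store previous passcodes; the sequence rule treats 1111 and 1234 alike because both have a constant step between digits.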

Apply Device Restrictions

Device restrictions prevent the use of certain device functions and features, many of which can be exploited by adversaries. When hardening devices, the principle of least privilege should always apply, e.g. only give a user access to what they need for their role, and nothing more. Consider disabling the following:

  • USB File Transfers – this reduces the risk of data exfiltration from devices
  • App Installation from Unknown Sources
  • Screenshots / Screen Capture
  • Developer Options / ADB / USB Debugging
  • Factory Reset
  • Unenrollment (via the device)
  • Safe Mode
  • Guest Mode / Multiple Users
  • Adding or removing Google accounts
  • Access to Network Settings
  • Bluetooth or NFC if not required

There are many additional device restrictions that can be applied to Zebra and Samsung devices via OEM specific configurations, which I’ll delve into in future posts.

Use a Secure Launcher

This is an app that replaces the default home screen on Android devices and is fully managed by IT through their endpoint management platform of choice. Workspace ONE has its own, Workspace ONE Launcher, which offers a great deal of flexibility in how it can be configured:

  • Restrict devices to a single app (Single-App Mode) or a set of pre-approved apps (Multi-App Mode)
  • Can be used in Multi-user mode
    • This prevents access to any apps until the device is logged into with valid credentials
  • Launcher profiles can be tied to a user or group, to tailor the configuration for different groups of users
  • Launcher can restrict access to device settings, only allowing those approved by IT
  • Users cannot modify the launcher’s configuration, as it is centrally managed through Workspace ONE UEM
  • Users cannot exit the launcher to the default Android home screen, as the exit button is password protected

Deploy Managed App Configurations

Managed App Configurations allow IT admins to configure apps remotely. Apps like Google Chrome and Gboard support managed configurations through Android Enterprise and can be customized via Workspace ONE UEM.

Google Chrome has a wide range of settings that can be applied, for hardening the browser and improving privacy. Once set, these cannot be overridden by the user. Some notable options include:

  • Allow/disallow access to a list of URLs – limits access to websites based upon an allow/denylist set by IT
    • 💡 These options can be leveraged to block access to Chrome’s inbuilt debugging tools
  • Disabling the password manager
  • Disabling printing
  • Blocking use of cookies
  • Disabling Popups
  • Disabling Autofill
  • Disabling Browser Sign-in
  • Download Restrictions
  • Locking bookmarks to a pre-determined collection
  • Enforcing Google Safe Search
  • Enforcing Safe Browsing
  • Setting a minimum YouTube restricted mode
  • Enforcing HTTPS
  • Enabling Site Isolation
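As an added example (not code from this post, from Google or from the Workspace ONE product), the following builds a Chrome managed-configuration payload from the options listed above and includes a simplified matcher for Chrome's URLBlocklist/URLAllowlist pattern format, so a list can be checked against sample URLs before it is pushed to devices. The policy key names are Chrome's published policy names; the chrome:// patterns used to cover the built-in debugging pages, the filesharing.example and intranet.example hosts, and the chosen values are constructed for illustration, and the matcher approximates Chrome's rules (an allowlist entry wins over a blocklist entry, a host pattern also matches its subdomains, paths match by prefix) rather than reproducing Chrome's code.

```python
"""Constructed example: a Chrome managed configuration for the hardening options above,
plus a simplified URLBlocklist/URLAllowlist matcher. Key names are Chrome's policy names;
list contents are illustrative and the matcher approximates Chrome's behaviour."""
import json
from urllib.parse import urlsplit

CHROME_MANAGED_CONFIG = {
    # Assumed: block Chrome's internal pages (covers its debugging tools) and local
    # file access, but keep chrome://policy visible so IT can verify applied policy.
    "URLBlocklist": ["chrome://*", "chrome-native://*", "file://*", "filesharing.example"],
    "URLAllowlist": ["chrome://policy"],
    "PasswordManagerEnabled": False,
    "PrintingEnabled": False,
    "DefaultCookiesSetting": 2,          # 2 = block cookies
    "DefaultPopupsSetting": 2,           # 2 = block pop-ups
    "AutofillAddressEnabled": False,
    "AutofillCreditCardEnabled": False,
    "BrowserSignin": 0,                  # 0 = disable browser sign-in
    "DownloadRestrictions": 3,           # 3 = block all downloads
    "ManagedBookmarks": [{"name": "Intranet", "url": "https://intranet.example/"}],
    "ForceGoogleSafeSearch": True,
    "ForceYouTubeRestrict": 1,           # 1 = moderate restricted mode
    "SafeBrowsingProtectionLevel": 2,    # 2 = enhanced protection
    "HttpsOnlyMode": "force_enabled",
    "SitePerProcessAndroid": True,       # site isolation
}


def to_payload(config=CHROME_MANAGED_CONFIG) -> str:
    """Serialise the configuration as the JSON string a UEM delivers to the app."""
    return json.dumps(config, sort_keys=True)


def parse_pattern(pattern: str):
    """Split '[scheme://][.]host[/path]' into (scheme, host, exact_host, path_prefix).
    A leading dot on the host disables subdomain matching, as in Chrome's format."""
    scheme, sep, rest = pattern.partition("://")
    if not sep:
        scheme, rest = None, pattern
    host, _, path = rest.partition("/")
    exact = host.startswith(".")
    return scheme, host.lstrip(".").lower(), exact, "/" + path


def pattern_matches(pattern: str, url: str) -> bool:
    """Simplified match: scheme (if given), host or subdomain, and path prefix."""
    p_scheme, p_host, exact, p_path = parse_pattern(pattern)
    parts = urlsplit(url)
    if p_scheme and parts.scheme.lower() != p_scheme.lower():
        return False
    host = (parts.hostname or "").lower()
    if p_host != "*":
        if exact and host != p_host:
            return False
        if not exact and host != p_host and not host.endswith("." + p_host):
            return False
    return (parts.path or "/").startswith(p_path)


def is_url_allowed(url: str, config=CHROME_MANAGED_CONFIG) -> bool:
    """Allowlist entries take precedence over blocklist entries; a URL matching
    neither list is allowed."""
    if any(pattern_matches(p, url) for p in config.get("URLAllowlist", [])):
        return True
    return not any(pattern_matches(p, url) for p in config.get("URLBlocklist", []))


if __name__ == "__main__":
    print(to_payload())
    for u in ("chrome://inspect/#devices", "chrome://policy",
              "https://docs.filesharing.example/upload", "https://intranet.example/",
              "file:///sdcard/Download/page.html"):
        print(u, "allowed" if is_url_allowed(u) else "BLOCKED")
```

Running the block prints the JSON payload and then classifies each sample URL, which is a useful sanity check when an allow/denylist grows beyond a handful of entries; the combination of a broad blocklist entry with a narrower allowlist entry is how the debugging pages are blocked without losing chrome://policy.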

GBoard has a smaller set of settings available, however these can still be useful:

  • Set Keyboard Theme
  • Opt-out of telemetry/usage data
  • Disable Clipboard
  • Set Language/Locale
  • Disable Floating Keyboard, Voice Input

Data Loss Prevention (DLP) Policies

Workspace ONE UEM can be used to apply Intune app protection policies, which make it extremely difficult to exfiltrate data from the apps they cover. This is achieved by integrating Workspace ONE UEM with Intune. Workspace ONE apps (Hub, Launcher, Content, Web) support DLP as well. Other apps may support DLP via managed app configurations, and support can be built into in-house apps by integrating the AirWatch Software Development Kit (SDK) for Android into them.

Some of the policies available for Microsoft 365 apps include:

  • Disallow Apps to Transfer Data to Other Apps
  • Disallow Apps to Receive Data from Other Apps
  • Prevent “Save As”
  • Restrict Cut/Copy/Paste with Other Apps
  • Restrict Web Content to Display in Managed Browser
  • Encrypt App Data
  • Disable Contents Sync
  • Disable Printing

And for the Workspace One / Workspace One SDK integrated Apps:

  • Disallow Bluetooth
  • Disallow Camera
  • Restrict Composing Email
  • Restrict Copy and Paste to/from other apps
  • Restrict Data Backup
  • Restrict Location Services
  • Disable Printing
  • Disable Screenshot
  • Apply Watermark

Blocklist/Allowlist Apps

Workspace One allows you to apply a blocklist or allowlist to prevent use of specific apps. This can be used to prevent users from accessing apps:

  • Known to contain malware, spyware or other security vulnerabilities
  • That are not considered to be work-related, such as social media, streaming services and games
  • That may allow data exfiltration, such as cloud storage and file sharing apps
  • Which may interfere with enterprise apps or system processes, e.g. VPN apps, launchers and security tools

A blocklist specifies which apps are blocked, whilst an allowlist specifies the only apps that are allowed. Whilst an allowlist is more secure, it is quite restrictive for users and requires significant administrative effort, as users will undoubtedly request access to additional apps on a regular basis.

OS / Security Updates

Each month Google releases an Android security update to Android Original Equipment Manufacturers (OEMs) and publishes a corresponding Android Security Bulletin. Each bulletin typically addresses several high-severity CVEs, so it’s important to get these updates out to devices as soon as possible to mitigate those vulnerabilities. However, organisations face a number of challenges in getting these updates out quickly:

  • Release of the update relies upon the OEM of the device
    • The update must be packaged by the OEM before it is made publicly available
    • Each OEM works a bit differently, some much faster than others
    • Different device tiers may receive updates at varying frequencies. For example, budget devices might get updates twice a year, mid-range devices quarterly, and flagship models monthly.
    • Some devices are only guaranteed updates for a limited period, often based on their tier and manufacturer support policies. This varies significantly between OEMs, and should be a deciding factor when evaluating models for purchase.
  • Deployment of updates
    • OEMs have different mechanisms to deliver updates to devices, with varying degrees of manual input required, e.g.
      • Google devices auto-update without any interaction needed by the user or IT
      • Samsung devices will prompt when an update is available, unless you purchase Knox E-FOTA which allows IT to manage updates remotely
      • Zebra devices can be updated via EMM platforms such as Workspace One, either by pushing the update files to devices or via integration with Zebra over-the-air (OTA) updates. Both are managed by IT.
  • There may be additional costs associated with updates, e.g.
    • Zebra Lifeguard Subscription
    • Samsung E-FOTA (to manage updates centrally)
  • Regression testing of in-house / custom apps
    • Security & OS updates often include changes to the OS, which can cause compatibility issues with apps
    • Testing apps to ensure compatibility with the latest updates is critical to avoid potential business disruption
    • Regression testing takes time and may involve additional cost, particularly if a third-party app developer is involved

App Updates

Apps can contain vulnerabilities, which is why it’s important to keep them updated wherever possible. App updates can usually be managed via your EMM and set to occur automatically if the app was deployed through your EMM via Google Play.

Workspace One gives you flexibility here – you have the ability to set a time window each day for updates to occur, and the priority of updates. This can be set on a per-app basis. Internet browsers often have the most vulnerabilities, so in addition to setting a managed app config for Chrome, I’d recommend setting the updates for this app to High Priority. This ensures the app updates as soon as possible once an update is released by Google.

Mobile Threat Detection (MTD)

MTD provides real-time threat detection, with automated response and remediation, to help keep devices secure. There are a range of options available, many of which integrate with EMM solutions such as Workspace One to improve visibility and automate response. This usually involves deploying an agent app to devices, which feeds data back to the MTD platform. Some of the well-known MTD solutions include:

Compliance Policies

Workspace One has a powerful compliance engine which, once configured, checks for conditions such as rooted devices or devices running an outdated version of Android and performs automated actions based on the rules you define. For example, a simple rule could be:

  • If a rooted device is detected, send an email alert to IT and mark the device as non-compliant
    • 1 day later, if the device is still in the same state, factory reset it

Multiple policies and rules can be set up for different device models, platforms and use cases.
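To make the rule above concrete, here is an added example (written for this post, not Workspace ONE UEM's own compliance engine) of how such an engine evaluates a fleet against several rules and escalates actions the longer a device stays non-compliant. The device records, the minimum-OS threshold and the 90-day patch-age rule (which goes beyond the post's rooted-device example and ties in with the OS update challenges described earlier) are all constructed for illustration.

```python
"""Constructed example: a small model of a UEM compliance engine that evaluates
devices against rules and escalates actions over time. Device records and
thresholds are made up; this is not Workspace ONE UEM's own engine."""
from dataclasses import dataclass, field
from datetime import date, datetime, timedelta
from typing import Callable


@dataclass
class Device:
    serial: str
    rooted: bool
    android_version: int
    security_patch: date            # security patch level reported by the device
    first_seen: dict = field(default_factory=dict)   # rule name -> when violation started
    fired: set = field(default_factory=set)          # "rule:action" escalations already run


@dataclass(frozen=True)
class Rule:
    name: str
    check: Callable[[Device, datetime], bool]
    on_detect: tuple      # actions taken the first time the violation is seen
    escalation: tuple     # (delay, action) pairs applied if the device stays non-compliant


RULES = (
    # The rule from the post: alert + mark non-compliant, factory reset one day later.
    Rule("rooted", lambda d, now: d.rooted,
         ("email_alert_it", "mark_non_compliant"),
         ((timedelta(days=1), "factory_reset"),)),
    # Assumed minimum OS version for this fleet.
    Rule("min_os_version", lambda d, now: d.android_version < 13,
         ("mark_non_compliant",),
         ((timedelta(days=7), "block_enterprise_apps"),)),
    # Goes beyond the post: flag devices whose security patch level is over 90 days old.
    Rule("patch_age", lambda d, now: (now.date() - d.security_patch).days > 90,
         ("mark_non_compliant",),
         ((timedelta(days=14), "email_alert_it"),)),
)


def evaluate(device: Device, now: datetime) -> list:
    """Return the actions due for this device at `now` (order preserved, no duplicates)."""
    actions = []
    for rule in RULES:
        if not rule.check(device, now):
            # Violation cleared (or never present): forget its history so it can re-trigger.
            device.first_seen.pop(rule.name, None)
            device.fired = {k for k in device.fired if not k.startswith(rule.name + ":")}
            continue
        if rule.name not in device.first_seen:
            device.first_seen[rule.name] = now
            actions.extend(rule.on_detect)
            continue
        elapsed = now - device.first_seen[rule.name]
        for delay, action in rule.escalation:
            key = f"{rule.name}:{action}"
            if elapsed >= delay and key not in device.fired:
                device.fired.add(key)          # each escalation step fires once
                actions.append(action)
    if not device.first_seen:
        actions.append("mark_compliant")
    return list(dict.fromkeys(actions))


NOW = datetime(2024, 6, 1, 9, 0)   # constructed evaluation time


def sample_fleet() -> list:
    """Constructed inventory: one healthy device, one rooted, one outdated."""
    return [
        Device("A1", rooted=False, android_version=14, security_patch=date(2024, 5, 5)),
        Device("B2", rooted=True,  android_version=14, security_patch=date(2024, 5, 5)),
        Device("C3", rooted=False, android_version=12, security_patch=date(2024, 1, 1)),
    ]


def evaluate_fleet(devices, now=NOW) -> dict:
    """Map each serial to the actions due at `now`."""
    return {d.serial: evaluate(d, now) for d in devices}


def rooted_device_timeline() -> list:
    """Re-evaluate the rooted device at t0, +12h, +1d and +2d to show the escalation."""
    d = sample_fleet()[1]
    return [evaluate(d, NOW + step) for step in
            (timedelta(0), timedelta(hours=12), timedelta(days=1), timedelta(days=2))]


if __name__ == "__main__":
    print(evaluate_fleet(sample_fleet()))
    print(rooted_device_timeline())
```

Two design points carry over to a real console: escalation steps are keyed per rule so a device that is both rooted and outdated does not get the same action twice, and the bookkeeping is reset as soon as a rule stops matching, so a device that is fixed and later regresses is treated as a fresh detection rather than being reset immediately.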

Enterprise Factory Reset Protection

Enterprise Factory Reset Protection lets you define which Google Accounts are permitted to activate a device after a factory reset when protection is enabled. This ensures that only authorized users can regain access to and utilize reset devices. This feature can be enabled by deploying a profile containing an Enterprise Reset Protection payload.

Device Enrolment Programs

Android Zero-Touch and Samsung Knox Mobile Enrolment (KME) are enterprise device enrolment programs designed to streamline and secure the deployment of corporate-owned Android devices. These programs provide a seamless out-of-the-box experience by automatically enrolling devices into an Enterprise Mobility Management (EMM) or Unified Endpoint Management (UEM) solution, such as Workspace ONE UEM, during the initial setup process.

When a device is powered on for the first time or after a factory reset, the setup wizard automatically checks for an assigned enrolment profile. If the device is registered in Zero-Touch or KME, it bypasses manual setup and is forced to enrol into the organisation’s UEM. This ensures the device is fully configured with the correct security policies, apps, and settings before it can be used. If a device is lost or stolen and factory reset, it becomes useless until it is re-enrolled into a UEM with valid credentials.

Conclusion

Hardening Android devices is essential to protecting corporate data and ensuring compliance. As mobile threats evolve, organizations must take a proactive approach by enforcing strict security policies, managing app configurations, and ensuring timely OS updates.

With Workspace ONE UEM, businesses can lock down devices, automate compliance checks, and integrate threat detection for a layered defense strategy. Security isn’t a one-time task—it requires ongoing monitoring and adaptation.

In future posts, I’ll cover steps to implement each of the above hardening methods in more detail.