Enterprise Mobility and Security Blog

Google has announced the general availability of the Android Marshmallow (also known as Android M or Android 6.0) update. Android is a first class citizen in the Microsoft Intune ecosystem, so we keep close tabs on any new capabilities to see where we can add value and enable scenarios for our customers.

We’ve taken a look at what’s available in Android M, and wanted to outline some of the most useful enterprise features that IT Pros should be aware of. Note that some of the Android M capabilities discussed below are already supported by Intune today, but some aren’t yet available. Each section makes clear which items are things to look forward to in coming planned releases.

Day 0 Support for Android M

Since the day that the developer preview bits first became available back in May 2015, we on the Intune team have been routinely testing our MDM and MAM scenarios with the available Android M preview builds. We always make day 0 support for new versions of operating systems a priority, and we are happy to announce that Intune has day 0 support for Android M. When your users upgrade their devices from prior versions or get one of the new devices with Android M pre-loaded, you can be confident that Intune’s device and app management features will continue to work seamlessly. This applies if you’re using MDM for Office 365, Intune as a standalone cloud service, or Intune integrated with System Center Configuration Manager (also known as hybrid).

Runtime Permissions

Android M gives users more control over which permissions an app can exercise on their devices. Previously, all permissions that an app asked for had to be approved at once when the app was installed. Now, if an app asks for a permission that is classified as impactful to privacy, the end user is prompted at the time the permission is used. For example, the Intune Company Portal writes log information to external storage when the Send Data button is pressed on the Settings page, so the end user would be prompted at the time the data is written. Additionally, users can now go back and revoke previously granted permissions.

This Android feature is a great enhancement in end user privacy that users are sure to love. As an MDM agent on the device, there are certain permissions that the Intune Company Portal has to have in order to function properly. We’ve made some changes to the Company Portal to prompt users for permissions when they are requested, and also to inform them why they are needed and what will happen if they are declined.

Stay on the lookout for an update to the Intune Company Portal that will fully support Android M runtime permissions.

Doze and App Standby

Android M also introduced a couple of new app states for idle apps in order to optimize power usage. Apps can now drop into a Doze state if they’re idle, or a deeper App Standby state if the device is not actively being used (for example, if the device is on your night table while you’re asleep but it’s not plugged in). In accordance with the latest Android developer guidelines, we’ve tested the Company Portal under these two new app states and have confirmed that management of the device continues to work during these low power modes.

Enterprise Manageability Features

In addition to the items mentioned above that are supported by Intune, there are also some additional new enterprise manageability features in Android M. These features are part of the Android for Work suite of device capabilities and services that represent Google’s initiative to improve management capabilities in the Android platform.

Here are some new capabilities that come with M and Android for Work:

Better Support for Single-Use Devices

Android for Work allows MDM agents on a corporate-owned device to exercise detailed control through a management model referred to as “DeviceOwner.” Google is building on these capabilities to enable kiosk-style devices to be used in the workplace. This enables Android devices and apps to be securely used at nurse stations, host stands in restaurants, and on factory floors, for example. Here are some of the single-use device capabilities in M:

  1. Silent app push to device during corporate enrollment by IT
  2. More controls around individual device settings such as status bar appearance, safe boot, and screen timeout behavior
  3. Management control over system updates. Using this, IT can set a policy to either automatically accept a system update, or postpone updates for kiosk devices. Postponing can be useful to defer major changes in order to ensure app compatibility.
  4. IT can prevent an end user from removing a Wi-Fi profile that was defined by policy

BYOD Improvements

BYOD scenarios are enabled through the “work profile” on an Android for Work device. This effectively creates a portion of the device that IT can control, and can also prevent IT from changing things on the personal side of the device. This gives IT more control over what they need to manage, and gives users peace of mind that their personal activity is separated.

  1. New enrollment workflows – There is now a new way to enroll a device into management if using Android for Work. Previously, users had to go to the Play Store and download their EMM’s management agent app in order to enroll. Now, Android automates the download of the management agent from the Play Store if the end user manually adds a work account to the device via Settings > Accounts.
  2. Wi-Fi networks defined by IT are removed from the device when the end user removes their device from management.
  3. Silent certificate installation and access – prevents end users from having to interact with potentially confusing certificate operations

As mentioned in the introduction to this post, we will continue to evolve and improve Intune’s Android management features. Check back on this blog for future updates.

Additional Resources

For more information about the new capabilities in Android M for IT professionals and developers, have a look at Google’s Android 6.0 Marshmallow site.

Finally, as always, we want to hear from you about what enhancements you’d like to see. Visit the Intune feedback site to provide feedback directly to the Intune engineering team.

– Chris Baldwin, Senior Program Manager
Microsoft Intune Device Experiences Team