VMware Workspace ONE Community
stadlmeierrolan
Contributor

Planning migration to AE / COPE > is it the right decision?

Hello community!

I am currently planning to migrate/switch our organization to Android Enterprise. The default management option I focus on is COPE - just a few devices would be in COBO mode in case of any special use cases.

But when I look forward to the upcoming release of Android 11 and its changes to COPE (WPoFMD), I really doubt whether this method would be the right decision for us.

Is anybody currently in the same situation as us?

Key considerations for my doubts are:

- no global-proxy config possible (what if I want to secure Internet access on the whole device through a (cloud-based) proxy, e.g. Cisco or Zscaler?)

- VPN configuration cannot be prevented on the personal side > so there is a high risk the user can bypass our security measures? Or wouldn't it affect the work profile and its managed apps?

- Will I still be able to deploy a managed WIFI profile to the whole device? To save data costs the user is required to use corp WIFI for Internet Access in any branch worldwide.

Basically I do not care what the user will do in their personal area of the phone. But I want to be able to fully manage the device and I want to be able to see which apps are installed on the device in case of any security issues in our network.

So in case COBO is the more suitable mgmt mode for us, how can I accomplish/manage any COPE-related advantages in COBO mode?

Even though we do not offer BYOD, we still have a very liberal smartphone usage policy.

Is there any security impact if I would allow the user to add a personal Google account and install 3rd party apps on a fully managed COBO phone?

Thank you,

kind regards
Roland

8 Replies
Alex_Romeo
Leadership

Hi,

Have you already seen the attached document?

ARomeo

Blog: https://www.aleadmin.it/
stadlmeierrolan
Contributor

Hello Alessandro,

thank you for your reply.

Yes, I know this document - but I am not sure how it could help me with my doubts looking forward to Android 11?

BR

Roland

chengtmskcc
Expert

Hi Roland,

Do you have access to a sandbox environment like CN135 which runs the latest and greatest UEM console? If so, my recommendation is to experiment with COPE/COBO configuration there and see what you can/cannot control.

We offer both BYOD/COPE as they are pretty much the same in the sense that we foot the bill and let users do what they want while pushing down a list of device profiles. Overall, the separation between Work and Personal profiles after migrating from Android Legacy to Android Enterprise works really well for us.

Best,

Tom

stadlmeierrolan
Contributor

Hello Tom,

thank you for your answer.

Maybe my initial question was misunderstood.

I already have a COPE configuration in my on-prem environment ... so it is not needed to test anything in a cloud environment.

But AE/COPE is not in production right now - we are just in a testing state. But I am close to the point of starting in production.

So currently all our users are in legacy mode. But the plan is to start with COPE and to enroll newly bought devices with the help of KME to Android Enterprise.

We decided to use COPE as the default configuration for all users. So all my planning and testing so far is and was focussed on COPE.

But as I understood, COPE won't remain the same in Android 11. End-user privacy will be enhanced - at the cost of administrative features.

So I fear that I will start with COPE for Android 9/10 - but as soon as Android 11 is available, all my planning will be trashed because of the upcoming changes.

That's why I'm thinking about whether COPE is still the right way to manage our devices in the long run - or should I switch to COBO?

As I understood, COBO will be untouched in Android 11 - but I do not have the benefits of separated areas (work/personal) like in COPE.

It's not too late yet to rethink it. I just want to be sure to decide on the right management mode.

Thank you,

Roland

chengtmskcc
Expert

Gotcha.

If you haven't already, check out https://bayton.org/ for some of the tips and tricks on AE migration.

I think ultimately the decision lies with your management team whether user experience with COPE outweighs the control available through COBO.

In my previous position, we rolled out iPhones as COBO and most users ended up leaving them in their drawers since they were totally locked down.

On the other hand, my current position allows COPE to behave the same as BYOD so we run into lots of management issues.

The key is to find a happy medium that benefits both IT and the users, and it can vary from one organization to another.

And don't forget Infosec. :)

Karim_Android
VMware Employee

Hello,

Here is a list of KEY features available with COPE on Android 11:

Device Management

- Wipe device
- Set password complexity
- Control system update policy
- Disable screen capture
- Block external storage
- Block tethering
- Block camera
- Block cross profile data sharing

App Management

- Set whitelist / blacklist of permissible apps
- Suspend apps

Networking

- Data roaming controls
- Block SMS usage
- Block Bluetooth controls
- Block Wi-Fi configuration

And here is a list of the features that will be blocked on COPE for Android 11 to protect privacy:

Device Management

- Reset device password
- Preventing factory reset
- Blocking user from configuring own user accounts

App Management

- List all installed apps on personal side
- Manage app installs on personal side
- Set default app behaviors and configuring personal apps

Logging

- Request bug report from device
- Network logging

Networking

- Manage personal VPN usage
- Set DNS for personal usage
- Set a global proxy that could intercept personal usage

Keys and Certificate Management

- Ability to manage CAs (View, install, uninstall)
- Ability to manage keypairs (Generate, associate with certificates, grant to apps)

We have a podcast getting published around the subject sometime today, also look out for a KB article sometime this week.

A beta testing program will be starting sometime in the next 2 weeks if you would like to play around with COPE and Android 11 beta version as well.

Thank you,

Karim

stadlmeierrolan
Contributor

Hi,

thank you for your answer!

In your post you mention you currently use COPE in your organization.

What is your strategy when Android 11 is available? Will you migrate to "COPE v2" or will you switch to COBO?

Thank you,

Roland

stadlmeierrolan
Contributor

Hi Karim,

thank you for the list!

You mention some features which are restricted on the personal side of the phone (like VPN, DNS, Proxy...).

Will the ability to change network-based settings only affect the personal side?

On the other hand: Will a - through MDM - provisioned 802.1x corporate WIFI only be available on the Work profile for managed apps? Or is the user able to use the provisioned WIFI for e.g. surfing the Web with an unmanaged browser on the personal side?

Similar question about the proxy: What if I force the usage of any cloud proxy (like Zscaler) - am I still able to do that in "COPEv2"? Or won't any personal traffic from unmanaged apps be routed over the cloud proxy?

I am aware of this VMware Knowledge Base article.

Please provide the link to the mentioned podcast!

Just hypothetical: I understand COBO mode as a very restricted mode (no personal apps, no personal Google Account, only provisioned apps are allowed to use ...). Is it common to have a mode like "COBO light"? What I mean is to have COBO, but also to permit the user to configure/install a personal Google account or apps?

With COPE we are able to separate e.g. corporate contacts from the address book from the personal side of the user. So the user would be able to use e.g. WhatsApp on personal side and no corp contacts are shared with this app. At the same time we force "Signal" as - if you like - "corporate messaging app" and push it on the work profile. The user is able to see the corp contacts within Signal. Would this scenario basically be possible in COBO?

Thank you for your support,

Roland
