Thank you for your reply.
Yes, I know this document - but I am not sure how it could help me with my doubts looking forward to Android 11?
Do you have access to a sandbox environment like CN135 which runs the latest and greatest UEM console? If so, my recommendation is to experiment with COPE/COBO configuration there and see what you can/cannot control.
We offer both BYOD/COPE as they are pretty much the same in the sense that we foot the bill and let users do what they want while pushing down a list of device profiles. Overall, the separation between Work and Personal profiles after migrating from Android Legacy to Android Enterprise works really well for us.
Thank you for your answer.
Maybe my initial question was misunderstood.
I already have a COPE configuration in my on-prem environment ... so it is not needed to test anything in a cloud environment.
But AE/COPE is not in production right now - we are just in a testing state. But I am close to the point of starting in production.
So currently all our users are in legacy mode. But the plan is to start with COPE and to enroll newly bought devices with the help of KME to Android Enterprise.
We decided to use COPE as default configuration for all users. So all my planning and testing so far is and was focussed on COPE.
But as I understood, COPE won't remain the same in Android 11. End-user privacy will be enhanced - at the cost of administrative features.
So I fear that I will start with COPE for Android 9/10 - but as soon as Android 11 is available, all my planning will be trashed because of the upcoming changes.
That's why I'm thinking about whether COPE is still the right way to manage our devices in the long run - or should I switch to COBO?
As I understood, COBO will be untouched in Android 11 - but I do not have the benefits of separated areas (work/personal) like in COPE.
It's not too late yet to rethink it. I just want to be sure to decide on the right management mode.
If you haven't already, check out https://bayton.org/ for some of the tips and tricks on AE migration.
I think ultimately the decision lies with your management team whether user experience with COPE outweighs the control available through COBO.
In my previous position, we rolled out iPhones as COBO and most users ended up leaving them in their drawers since they were totally locked down.
On the other hand, my current position allows COPE to behave the same as BYOD so we run into lots of management issues.
The key is to find a happy medium that benefits both IT and the users, and it can vary from one organization to another.
And don't forget Infosec.
Here is a list of KEY features available with COPE on Android 11:
●Set password complexity
●Control system update policy
●Disable screen capture
●Block external storage
●Block cross profile data sharing
●Set whitelist / blacklist of permissible apps
●Data roaming controls
●Block SMS usage
●Block Bluetooth controls
●Block Wi-Fi configuration
And here is a list of the features that will be blocked on COPE for Android 11 to protect privacy:
●Reset device password
●Preventing factory reset
●Blocking user from configuring own user accounts
●List all installed apps on personal side
●Manage app installs on personal side
●Set default app behaviors and configuring personal apps
●Request bug report from device
●Manage personal VPN usage
●Set DNS for personal usage
●Set a global proxy that could intercept personal usage
Keys and Certificate Management
●Ability to manage CAs (View, install, uninstall)
●Ability to manage keypairs (Generate, associate with certificates, grant to apps)
We have a podcast getting published around the subject sometime today, also look out for a KB article sometime this week.
A beta testing program will be starting sometime in the next 2 weeks if you would like to play around with COPE and Android 11 beta version as well.
Thank you for your answer!
In your post you mention you currently use COPE in your organization.
What is your strategy when Android 11 is available? Will you migrate to "COPE v2" or will you switch to COBO?
Thank you for the list!
You mention some features which are restricted on the personal side of the phone (like VPN, DNS, Proxy...).
Will the ability to change network-based settings only affect the personal side?
On the other hand: Will a corporate 802.1x Wi-Fi provisioned through MDM only be available on the Work profile for managed apps? Or is the user able to use the provisioned Wi-Fi for e.g. surfing the Web with an unmanaged browser on the personal side?
Similar question about the proxy: What if I force the usage of any cloud proxy (like Zscaler) - am I still able to do that in "COPEv2"? Or won't any personal traffic from unmanaged apps be routed over the cloud proxy?
I am aware of this VMware Knowledge Base article.
Please provide the link to the mentioned podcast!
Just hypothetical: I understand COBO mode as a very restricted mode (no personal apps, no personal Google Account, only provisioned apps are allowed to be used ...). Is it common to have a mode like "COBO light"? What I mean is to have COBO, but also to permit the user to configure/install a personal Google account or apps?
With COPE we are able to separate e.g. corporate contacts from the address book from the personal side of the user. So the user would be able to use e.g. WhatsApp on personal side and no corp contacts are shared with this app. At the same time we force "Signal" as - if you like - "corporate messaging app" and push it on the work profile. The user is able to see the corp contacts within Signal. Would this scenario basically be possible in COBO?
Thank you for your support,