8 Replies Latest reply on Jul 7, 2020 2:53 AM by stadlmeierroland

    Planning migration to AE / COPE > is it the right decision?

    stadlmeierroland Novice

      Hello community!

       

      I am currently planning to migrate/switch our organization to Android Enterprise. The default management option I focus on is COPE - just a few devices would be in COBO mode in case of any special use cases.

      But when I look forward to the upcoming release of Android 11 and its changes to COPE (WPoFMD), I really doubt whether this method would be the right decision for us.

       

      Is anybody currently in the same situation as us?

      Key considerations for my doubts are:

      - no global-proxy config possible (what if I want to secure Internet Access on the whole device through a (cloud-based) proxy, e.g. Cisco or Zscaler?)

      - VPN configuration cannot be prevented on the personal side > so there is a high risk the user can bypass our security measures? Or wouldn't it affect the work profile and its managed apps?

      - Will I still be able to deploy a managed WIFI profile to the whole device? To save data costs the user is required to use corp WIFI for Internet Access in any branch worldwide.

       

      Basically I do not care what the user will do in their personal area of the phone. But I want to be able to fully manage the device and I want to be able to see which apps are installed on the device in case of any security issues in our network.

       

      So in case COBO is the more suitable mgmt mode for us, how can I accomplish/manage any COPE-related advantages in COBO mode?

      Even though we do not offer BYOD, we still have a very liberal smartphone usage policy.

       

      Is there any security impact if I would allow the user to add a personal Google account and install 3rd party apps on a fully managed COBO phone?

       

      Thank you,

      kind regards
      Roland

        • 1. Re: Planning migration to AE / COPE > is it the right decision?
          AlessandroRomeo68 Master

          Hi,

           

          Have you already seen the attached document?

           

          ARomeo

          • 2. Re: Planning migration to AE / COPE > is it the right decision?
            stadlmeierroland Novice

            Hello Alessandro,

             

            thank you for your reply.

            Yes, I know this document - but I am not sure how it could help me with my doubts looking forward to Android 11?

            BR

            Roland

            • 3. Re: Planning migration to AE / COPE > is it the right decision?
              chengtmskcc Expert

              Hi Roland,

               

              Do you have access to a sandbox environment like CN135 which runs the latest and greatest UEM console? If so, my recommendation is to experiment with COPE/COBO configuration there and see what you can/cannot control.

               

              We offer both BYOD/COPE as they are pretty much the same in the sense that we foot the bill and let users do what they want while pushing down a list of device profiles. Overall, the separation between Work and Personal profiles after migrating from Android Legacy to Android Enterprise works really well for us.

               

              Best,

               

              Tom

              • 4. Re: Planning migration to AE / COPE > is it the right decision?
                stadlmeierroland Novice

                Hello Tom,

                 

                thank you for your answer.

                 

                Maybe my initial question was misunderstood.

                I already have a COPE configuration in my on-prem environment ... so it is not needed to test anything in a cloud environment.

                But AE/COPE is not in production right now - we are just in a testing state. But I am close to the point of starting in production.

                So currently all our users are in legacy mode. But the plan is to start with COPE and to enroll newly bought devices with help of KME to Android Enterprise.

                 

                We decided to use COPE as default configuration for all users. So all my planning and testing so far is and was focussed on COPE.

                 

                But as I understood, COPE won't remain the same in Android 11. End-user privacy will be enhanced - at the cost of administrative features.

                So I fear that I will start with COPE for Android 9/10 - but as soon as Android 11 is available, all my planning will be trashed because of the upcoming changes.

                 

                That's why I'm thinking about whether COPE is still the right way to manage our devices in the long run - or should I switch to COBO?

                As I understood, COBO will be untouched in Android 11 - but I do not have the benefits of separated areas (work/personal) like in COPE.

                It's not too late yet to rethink it. I just want to be sure to decide on the right management mode.

                 

                Thank you,

                Roland

                • 5. Re: Planning migration to AE / COPE > is it the right decision?
                  chengtmskcc Expert

                  Gotcha.

                   

                  If you haven't already, check out https://bayton.org/  for some of the tips and tricks on AE migration.

                   

                  I think ultimately the decision lies with your management team whether user experience with COPE outweighs the control available through COBO.

                   

                  In my previous position, we rolled out iPhones as COBO and most users ended up leaving them in their drawers since they were totally locked down.

                   

                  On the other hand, my current position allows COPE to behave the same as BYOD so we run into lots of management issues.

                   

                  The key is to find a happy medium that benefits both IT and the users, and it can vary from one organization to another.

                   

                  And don't forget Infosec.

                  • 6. Re: Planning migration to AE / COPE > is it the right decision?
                    Karim_Android Lurker
                    VMware Employees

                    Hello,

                     

                    Here is a list of KEY features available with COPE on Android 11:

                     

                    Device Management
                    - Wipe device
                    - Set password complexity
                    - Control system update policy
                    - Disable screen capture
                    - Block external storage
                    - Block tethering
                    - Block camera
                    - Block cross profile data sharing

                    App Management
                    - Set whitelist / blacklist of permissible apps
                    - Suspend apps

                    Networking
                    - Data roaming controls
                    - Block SMS usage
                    - Block Bluetooth controls
                    - Block Wi-Fi configuration

                     

                    And here is a list of the features that will be blocked on COPE for Android 11 to protect privacy:

                    Device Management
                    - Reset device password
                    - Preventing factory reset
                    - Blocking user from configuring own user accounts

                    App Management
                    - List all installed apps on personal side
                    - Manage app installs on personal side
                    - Set default app behaviors and configuring personal apps

                    Logging
                    - Request bug report from device
                    - Network logging

                    Networking
                    - Manage personal VPN usage
                    - Set DNS for personal usage
                    - Set a global proxy that could intercept personal usage

                    Keys and Certificate Management
                    - Ability to manage CAs (View, install, uninstall)
                    - Ability to manage keypairs (Generate, associate with certificates, grant to apps)

                     

                    We have a podcast getting published around the subject sometime today; also look out for a KB article sometime this week.

                    A beta testing program will be starting sometime in the next 2 weeks if you would like to play around with COPE and Android 11 beta version as well.

                     

                    Thank you,

                    Karim

                    • 7. Re: Planning migration to AE / COPE > is it the right decision?
                      stadlmeierroland Novice

                      Hi,

                       

                      thank you for your answer!

                       

                      In your post you mention you currently use COPE in your organization.

                      What is your strategy when Android 11 is available? Will you migrate to "COPE v2" or will you switch to COBO?

                       

                      Thank you,

                      Roland

                      • 8. Re: Planning migration to AE / COPE > is it the right decision?
                        stadlmeierroland Novice

                        Hi Karim,

                         

                        thank you for the list!

                         

                        You mention some features which are restricted on the personal side of the phone (like VPN, DNS, Proxy...).

                        Will the ability to change network-based settings only affect the personal side?

                        On the other hand: Will an 802.1x corporate WIFI provisioned through MDM only be available on the Work profile for managed apps? Or is the user able to use the provisioned WIFI for e.g. surfing the Web with an unmanaged browser on the personal side?

                         

                        Similar question about the proxy: What if I force the usage of any cloud proxy (like Zscaler) - am I still able to do that in "COPEv2"? Or won't any personal traffic from unmanaged apps be routed over the cloud proxy?

                         

                        I am aware of this VMware Knowledge Base article.

                         

                        Please provide the link to the mentioned podcast!

                         

                        Just hypothetical: I understand COBO mode as a very restricted mode (no personal apps, no personal Google Account, only provisioned apps are allowed to be used ...). Is it common to have a mode like "COBO light"? What I mean is to have COBO, but also to permit the user to configure/install a personal Google account or apps?

                        With COPE we are able to separate e.g. corporate contacts from the address book from the personal side of the user. So the user would be able to use e.g. WhatsApp on personal side and no corp contacts are shared with this app. At the same time we force "Signal" as - if you like - "corporate messaging app" and push it on the work profile. The user is able to see the corp contacts within Signal. Would this scenario basically be possible in COBO?

                         

                        Thank you for your support,

                        Roland