Secure corporate access on personal devices

Business problem

Companies are challenged to provide secure access on personal devices.

The proliferation of mobile devices has changed the way people work. Employees want to access business apps from wherever they are, whether in a traditional workplace setting or on the way to the airport.

Even when companies supply corporate-owned mobile devices, many employees prefer to use the device they're comfortable with for both personal and work activities. This is usually their personal device.

Companies face a challenge in providing a mobile work environment that accommodates seemingly conflicting requirements:

  • A comfortable and productive environment for employees
  • Secure access to business apps and corporate data

Your company is rolling out a new policy to allow corporate access on personal mobile devices. Employees can access corporate information only through curated and approved apps.

Solutions

Using advanced mobile device management, there are several ways you can provide the business apps employees need on their personal devices while implementing policies that keep corporate data safe.

Create a whitelist of approved apps

A whitelist contains curated and approved apps.

The goal of app whitelisting is to protect corporate resources from potentially harmful apps. An app whitelist contains apps that are curated by an IT department and approved for business use.

Using whitelists for work apps, you can manage work apps on personal mobile devices and leave personal apps under user control. You distribute apps to users in a specific organization or group in Google Groups.

Select apps from the managed Google Play store for Android devices and Apple App Store for iOS devices, then add them to a whitelist. Users see a catalog of whitelisted apps on their devices. When a user installs a whitelisted app, it's managed by your organization. If a device is lost or stolen, you can remove managed apps by remotely wiping the device.

Enforce work profiles on Android devices

Work profiles on Android devices separate work from personal data.

Work profiles on personal Android 5.0 or higher devices separate work from personal apps, accounts, and data. The enterprise manages the business apps and data. Users control everything else on the device. Managed apps—the approved business apps in your Android apps whitelist—come from the managed Google Play store.

When you enable Android app management on your company's Android devices, you can let the employee opt in or you can require employees to use work profiles. When you require work profiles and a user attempts to access corporate resources from a device without a work profile, the user gets a prompt to create one.

Require managed apps on iOS devices

Managed apps on iOS devices prevent file sharing between managed and unmanaged apps.

When you add an app to your iOS apps whitelist, you can make it a managed app. Specifying an app as "managed" gives the enterprise more control over the managed app and its data on personal iOS devices. For example, if users have a personal Gmail account and you specify Gmail as a managed app, users can access their corporate email only through the managed version of Gmail.

File sharing between managed and unmanaged apps isn't allowed. For example, users can't back up data from a managed business app to an external entity such as iCloud or iTunes. If a user creates a PDF in a managed business app, they can't open it in an unmanaged personal app.

If a user already has an unmanaged version of a managed business app on their device, they get a notification asking to allow your organization to manage the app. If they don't accept, they can still use their unmanaged personal app, but they lose access to their corporate account and to all managed apps from that device.

Set up managed configurations on Android devices

Some Android apps have settings that you can save as managed configurations. Using managed configurations, you can preconfigure apps for your users. Also, you can create multiple managed configurations for the same app and apply different configurations to different groups or organizations.

Admins can easily deploy apps with complex settings, such as VPN apps. Employees don't have to configure the apps. This avoids help desk calls for problems caused by misconfiguration.

Automatically push approved apps to Android devices

When setting up a whitelist, you can elect to automatically install core business apps on Android devices and assign the appropriate apps to specific organizations. Users have the apps they need without manually downloading them from Google Play.

Recommendations

Advanced mobile device management offers powerful options for securing corporate access on personal mobile devices. You'll need to sign up for Cloud Identity Premium to get advanced mobile device management.

We recommend creating whitelists of approved business apps, enforcing work profiles on Android devices, and requiring managed apps on iOS devices.

When supported by an app, setting up managed configurations and automatically pushing approved apps to Android devices are big time-savers for both admins and users. They're optional, but recommended.

Third-party providers

Third-party EMM providers

To use the features of advanced mobile device management with Cloud Identity, Google needs to be your enterprise mobility management (EMM) provider.

Third-party IdPs

If you have a third-party identity provider (IdP), you can still use advanced mobile device management. In this case, most user authentication occurs in the third-party IdP (the exception is device enrollment). Users sign in with their third-party IdP credentials or using a password on their Cloud Identity accounts.

To manage access to work apps on mobile devices using advanced mobile device management:

  • Create Cloud Identity accounts for your users.
  • When users enroll their devices for management, they must enter their Cloud Identity credentials, not their third-party IdP credentials.

Example

Companies can use advanced mobile device management to secure corporate data on personal devices.

Company A estimates that at least 40% of its workforce uses mobile devices to access corporate resources. They decide against requiring employees to use corporate-owned (and controlled) devices. It's costly, and employees prefer to use their familiar personal devices for both personal and work activities.

To promote a user-friendly work environment, Company A decides to let employees use personal mobile devices for work purposes. They don't want to sacrifice corporate security. Using advanced mobile device management, Company A plans to implement a mobile policy that keeps personal and corporate data safe.

Here's how Company A sets up its mobile environment.

Sign up for Cloud Identity Premium

Because the advanced mobile device management features in Google Mobile Management are only available in the premium edition of Cloud Identity, Company A signs up for Cloud Identity Premium.

Create user accounts and assign apps to organizations

When IT adds users to Cloud Identity, they also specify each user as a member of a specific organization. IT assigns the appropriate apps to specific organizations, such as:

  • Messaging, HR, and collaboration apps to the top-level organization (so everyone gets them)
  • Customer relationship management (CRM) to the sales organization
  • Customer support app to Support

Assign appropriate apps to specific OUs.

Set up advanced mobile device management

IT turns on advanced management: they turn on Android app management for Android users and set up an iOS push certificate for iOS users.

Setting up device approvals is optional, but Company A decides to implement it. Users have reported problems with business apps when their mobile devices aren't running a recent operating system version. IT wants to make sure all mobile devices are up-to-date.

IT uses device approvals to check device characteristics, such as model or operating system, to define which devices an employee can use. They can check characteristics manually, programmatically with an API, or using rules. Rules don't provide as much granular control as the API, but they're easier to deploy. IT uses rules to approve only devices that are running recent versions of operating systems. Users must keep their devices compliant to access corporate resources.
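The rule-based device approval described above, as an added example in Python (not Google's own code): it evaluates constructed device records shaped like Admin SDK Directory API mobile-device resources against a minimum-OS-version rule, failing closed when the version can't be read. The threshold versions and the `mobiledevices.action` call form are assumptions.

```python
import re

# Minimum OS version per platform; these threshold values are an assumption
# chosen for the example, not a policy stated on the page.
MIN_OS = {"ANDROID": (10,), "IOS": (14,)}

# Constructed sample records shaped like Directory API mobile-device resources.
DEVICES = [
    {"resourceId": "dev-1", "type": "ANDROID", "os": "Android 13", "status": "PENDING"},
    {"resourceId": "dev-2", "type": "ANDROID", "os": "Android 8.1.0", "status": "PENDING"},
    {"resourceId": "dev-3", "type": "IOS", "os": "iOS 15.6.1", "status": "PENDING"},
    {"resourceId": "dev-4", "type": "IOS", "os": "iOS 12.5.5", "status": "APPROVED"},
    {"resourceId": "dev-5", "type": "ANDROID", "os": "", "status": "PENDING"},
]

def parse_version(os_field):
    """Turn 'Android 8.1.0' into (8, 1, 0); None when no version is present."""
    match = re.search(r"(\d+(?:\.\d+)*)", os_field or "")
    return tuple(int(p) for p in match.group(1).split(".")) if match else None

def decide(device):
    """Apply the minimum-version rule to one device: 'approve' or 'block'.
    Unknown platforms and unreadable versions fail closed to 'block'."""
    minimum = MIN_OS.get(device.get("type"))
    version = parse_version(device.get("os"))
    if minimum is None or version is None:
        return "block"
    return "approve" if version >= minimum else "block"

def plan_actions(devices):
    """Map resourceId -> action for every device whose current status disagrees
    with the rule: compliant pending devices get approved, and a previously
    approved device that has fallen behind (dev-4) gets blocked."""
    wanted_status = {"approve": "APPROVED", "block": "BLOCKED"}
    plan = {}
    for dev in devices:
        action = decide(dev)
        if dev.get("status") != wanted_status[action]:
            plan[dev["resourceId"]] = action
    return plan

def apply_actions(service, customer_id, plan):
    """Send each decision through the Directory API mobiledevices.action method.
    Assumes the caller built an authorized googleapiclient 'admin' 'directory_v1'
    service object; nothing is sent when this function is not called."""
    for resource_id, action in plan.items():
        service.mobiledevices().action(
            customerId=customer_id, resourceId=resource_id,
            body={"action": action}).execute()
```

Reviewing the output of `plan_actions` before calling `apply_actions` lets an admin confirm that only devices outside the policy lose access.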

Enforce whitelisted work apps

IT creates whitelists of business apps Company A wants its employees to use, such as messaging, collaboration, and conferencing apps. They select apps from the Google Play store and App Store and add them to a whitelist (one for Android and one for iOS devices).

Company A wants to do more than recommend business apps to their users; they want to require employees to use only approved business apps when accessing corporate resources. IT opts in to enforce work profiles on Android devices. Users can't sync corporate data unless they accept the work profile and they can't opt out. If an Android device without a work profile is already registered for management, its user is prompted to create the profile.

IT also requires managed apps on iOS devices. Advanced mobile device management detects when there's an unmanaged version of an app on a mobile device. To access corporate resources, the user has to enable management for the app.

Preconfigure complex apps for Android devices

To avoid the support calls that VPN configuration generates, Company A decides to move to a VPN app that supports managed configuration on Android devices. IT plans to work with its app vendors so that its other apps have settings that admins can save as managed configurations.

Push approved apps to Android devices

As a convenience for users, IT pushes the approved business apps for each organization to the users in that organization. This also saves IT time by avoiding potential support calls as users find and download apps.

Notify users

IT lets employees know that their mobile devices are managed, and they'll see prompts to enroll their devices in advanced management using their Cloud Identity credentials.

To enroll, users who have Android devices install the Google Apps Device Policy app and a work profile. Users with iOS devices install the Google Device Policy app and a device policy profile. The app and profile verify the device complies with the policies that IT sets. Only enrolled devices can sync corporate data.