Using Android Enterprise with Harmony Mobile

Android Enterprise is a Google-led initiative that enables the operation of Android devices and apps in the workplace. The program offers APIs and other tools for developers to integrate support for Android into their enterprise mobility management (EMM) solutions. For more information, see here.

For example, through one or more APIs, your UEM (Unified Endpoint Management) platform can disable the camera or Bluetooth, or prevent access to system settings.

For information about configuring Android Enterprise on your device, see here.

Profiles

Single profile configuration is supported out-of-the-box. No additional setup is needed.

In the Work / Personal Profile, the Administrator registers and sees the protected part of the device.

Note - If you protect only part(s) of the device, you must limit Harmony Mobile on your UEM to only Work or only Personal.

Android Enterprise Deployment Scenarios

Android Enterprise supports these deployment scenarios:

  • Company-owned fully managed devices (COBO)

  • Company-owned fully managed devices with a work profile (COPE)

  • Company-owned devices for dedicated use (COSU)

  • Employee-owned devices (BYOD)

COBO and COSU devices have a single profile. Follow the integration guide instructions for Android Enterprise devices to deploy the Harmony Mobile Protect app on your devices. For more information, see the Android Enterprise online guide.

COPE and BYOD devices have Work and Personal profiles. With the Harmony Mobile Protect app, you can protect one profile or both profiles.

For the highest protection level, we recommend protecting both the Work and Personal profiles. See Configuring Harmony Mobile Protect app to Protect your Devices.

Note - If you protect only the Work profile, skip the next section.

Configuring Harmony Mobile Protect app to Protect your Devices

Note - By Android design, the deployment of the Harmony Mobile Protect app on the Personal profile of a BYOD device cannot be automated (the Personal profile of a BYOD device is not managed).

With Android Enterprise, you can protect the whole device or part(s) of it.

If you protect the whole device, install the Harmony Mobile Protect app in both the Work and Personal profiles.

Note - If you protect only the Personal profile, skip this section.

Deploying Android Enterprise on your Devices

To protect the whole device:

  1. On the Harmony Mobile dashboard, go to Settings > Integrations.

    • For a new UEM configuration:

      1. Go to Settings > Integrations > Add > UEMs and select the UEM type.

      2. In the Synchronization tab, enter these:

        • Groups - Select the groups for synchronization.

        • Android Enterprise Groups - Select and add the group(s) which contain users/devices that have both work and personal profiles.

    • For existing UEM configurations:

      1. Go to Settings > Integrations.

      2. In the UEM to be configured, click Edit.

      3. In Synchronization > Android Enterprise Groups, select and add groups which contain users/devices that have both work and personal profiles.

  2. Click Verify.

  3. Click Save.

  4. (Optional) Send an email or SMS to all the users with installation instructions.

  5. Click Sync Now to fetch the data from the UEM.

    Notes:

    • Only groups existing under Synchronization > Groups are available in the Android Enterprise Groups list.

    • If one or more devices in the selected group have a Harmony Mobile Protect app version earlier than 3.6.4.4348, the operation stops until the devices are upgraded.

    • If you add a group of devices in Android Enterprise Groups, make sure to configure the devices with both Personal and Work profiles.

    • If you remove a group of devices from Android Enterprise Groups, the solution deletes the personal device record on every device in this group from the Harmony Mobile dashboard.

    • iOS devices are ignored in the Android Enterprise context.

    • If a device belongs to more than one group and only one of those groups is selected in Android Enterprise Groups, the deployment is for both the Work and Personal profiles.
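
A pre-check for the notes above, written as an added example (it is not Check Point code): it reads a device inventory and lists the Android devices in the groups you plan to select whose Protect app version is earlier than 3.6.4.4348. The CSV column names, the ';' group separator, and the sample rows are assumptions constructed for this example.

```python
import csv
import io

MIN_PROTECT_VERSION = "3.6.4.4348"  # minimum app version named in the note above

# Constructed sample inventory. The column names and the ';' group separator
# are assumptions for this example, not a real UEM export format.
SAMPLE_EXPORT = """device_id,os,groups,protect_version
d-001,Android,AE-Dual;Sales,3.6.4.4348
d-002,Android,AE-Dual,3.6.3.9999
d-003,iOS,AE-Dual,3.1.0.100
d-004,Android,Sales,3.5.0.1
d-005,Android,AE-Dual,3.10.0.12
d-006,Android,AE-Dual,
"""


def parse_version(text):
    """Return '3.6.4.4348' as (3, 6, 4, 4348), or None if it is not dotted-numeric."""
    try:
        return tuple(int(part) for part in text.strip().split("."))
    except ValueError:
        return None


def devices_to_review(export_csv, selected_groups, minimum=MIN_PROTECT_VERSION):
    """Map device_id -> reason for Android devices in the selected groups whose
    Protect app version is below the minimum or cannot be determined."""
    floor = parse_version(minimum)
    selected = set(selected_groups)
    findings = {}
    for row in csv.DictReader(io.StringIO(export_csv)):
        if row["os"].strip().lower() != "android":
            continue  # iOS devices are ignored in the Android Enterprise context
        groups = {g.strip() for g in row["groups"].split(";")}
        if not groups & selected:
            continue  # one selected group is enough to put a device in scope
        version = parse_version(row["protect_version"])
        if version is None:
            findings[row["device_id"]] = "version unknown, check manually"
        elif version < floor:
            findings[row["device_id"]] = "upgrade needed: " + row["protect_version"]
    return findings


if __name__ == "__main__":
    for device, reason in devices_to_review(SAMPLE_EXPORT, ["AE-Dual"]).items():
        print(device, reason)
```

Versions are compared as integer tuples because a plain string comparison would rank 3.10.0.12 below 3.6.4.4348.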

To view and filter the devices:

  1. On the Harmony Mobile dashboard, go to Devices.

  2. In the OS column, filter the devices in the list according to their protection profile.

    Profile     Icon      Filter
    Work        (icon)    OS - Android Enterprise
    Personal    (icon)    OS - Android

Policies

Check Point recommends creating different policies for the personal side and the work profile of the device.

  1. To create a new policy, go to Policy and click the + next to Policy Profiles.

  2. Create a policy called Policy-Personal side and a second one called Policy-Work Profile.

  3. Apply these policies to the different groups.

  4. At the top of the Rule Base, click +New.

  5. Give your new rule a name, choose the relevant group (work or personal), and select the relevant policy you just created.

  6. Confirm your changes and click Save.

To change policy for inactive personal profile:

You can raise the risk level of the Work Profile if the personal side of the device is not protected with Harmony Mobile, or if Harmony Mobile on the personal side has detected a risk with a level of High:

  1. On the Harmony Mobile Dashboard, go to Policy > The policy applied to the Work Profile, or the local one > Device.

  2. Go to Android Enterprise Security Settings and select the risk level you want to give to the Work Profile if the personal side of the device is compromised or not protected.

Risk Handling

  • If the Harmony Mobile protection is inactive on the Personal profile, the risk level is raised according to the Android Enterprise Security Settings policy on the Work profile.

  • If the Personal profile has the High Risk status, the risk level is raised to High on the Work profile.

    Harmony Mobile informs the user that the personal profile is at risk.

  • You can enable mitigation by UEM on the personal profile, if you tag a risk on the work profile.