The Samsung Approved for Enterprise program adds IT administration features to certain Android smartphones and tablets, which could make managing and securing devices significantly easier.
Samsung Approved for Enterprise (SAFE) is one of several efforts by manufacturers to beef up Android devices, overcome the OS' shortcomings and increase its enterprise appeal. SAFE offers proprietary extensions IT administrators can use to assert broader, deeper control over some Android smartphones and tablets.
Filling Android's gaps
Many consumers love Android, but IT often fears it. Although Google continues to improve Android's enterprise-readiness, this mobile OS is still playing catch-up on remote administration and platform security. Some highly sensitive organizations narrow the gap by installing custom Android builds, such as Security-Enhanced Android, to find and address gaps in security, but that approach requires significant IT effort and won't help on user-owned devices. Organizations that want more advanced control over off-the-shelf Android devices may prefer ones that ship with manufacturer- and carrier-blessed enhancements. That's where SAFE comes in.
SAFE-certified devices, including the Galaxy Note II, Galaxy S III and Galaxy Tab 2, contain proprietary Samsung capabilities and application program interfaces (APIs) that go beyond industry standards. The APIs are tested for interoperability with third-party mobile device management (MDM) software and virtual private networks (VPNs). There is no need to load a SAFE-certified device with alternative firmware, although you may choose to install a third-party MDM agent or VPN client to get the most out of SAFE.
Some of the enhancements you'll find in every off-the-shelf SAFE-certified smartphone or tablet include:
Deeper device management: Using SAFE APIs, admins can permit or disable features such as the camera, voice recording, screen capture and removable storage, which IT administrators can't control through ordinary Android Device Admin APIs. Admins also have better control over Bluetooth and Wi-Fi network use. Employers who are concerned about expenses can also use SAFE to define and enforce voice and short message service (SMS) budgets.
Broader application management: SAFE APIs let third-party MDM clients silently install and remove applications (including those pulled from app stores), add and remove widgets, configure the home screen and notifications, and disable certain keys to create kiosk-mode devices. These enhancements help IT enable consumer-grade smartphones for business use without ever physically touching the devices.
Enhanced Exchange ActiveSync: One common Android challenge is that consumer-grade native mail clients can have limited Exchange ActiveSync (EAS) support. SAFE-certified phones support 50 EAS attributes and client capabilities such as out-of-office responses, message flags, download limits and SMS/voicemail synchronization. They also let users view messages by category or conversation. Some employers will still prefer third-party enterprise email clients such as NitroDesk TouchDown for Android or Good for Enterprise, but SAFE extensions yield a native client that is more business-friendly than most from original equipment manufacturers.
Stronger data encryption: A major Android security concern is the lack of full-device encryption. Android 3.0 Honeycomb (for tablets) and Android 4.0 Ice Cream Sandwich (for smartphones) added OS encryption features, but most currently deployed Android devices still lack hardware support for encryption. SAFE-certified devices not only support Federal Information Processing Standards (FIPS) 140-2 certified Android device encryption, they also provide Samsung On-Device Encryption (ODE), a hardware-accelerated second layer of protection for preferences, databases and Secure Digital card contents. ODE can be turned on using MDM software, EAS or manual settings. To better protect data in motion, SAFE also offers enhanced control over native and certified third-party VPN client configurations.
Tapping into SAFE extensions
End users can configure some SAFE enhancements, such as ODE, but most require a third-party server. This is not a limitation of SAFE, but rather a key part of SAFE's appeal. SAFE's goal is to help IT remotely secure and manage off-the-shelf Android devices by integrating with existing enterprise infrastructure. For example:
- MDM agents can remotely read or write device attributes, install or remove applications, or initiate actions such as remote wipe, find and lock. With SAP Afaria, Juniper Junos Pulse MSS, MobileIron MyPhone@Work, SOTI Mobicontrol or AirWatch, companies that use MDM can access many of the above-noted SAFE extensions. MDM vendors constantly adapt to new APIs from Samsung and other OEMs, so expect differences in which SAFE controls surface through each MDM agent's graphical user interface. All SAFE-certified MDM products have passed rigorous interoperability tests with Samsung.
- Companies that use VPN tunnels to authenticate and encrypt mobile enterprise access will find that IT can remotely configure quite a bit more on SAFE-certified devices. Notably, businesses that use Cisco, Juniper or F5 VPN gateways can benefit from SAFE-tested VPN clients and configuration settings, including Cisco AnyConnect client extensions.
Businesses that use any of the above-mentioned third-party servers to manage and secure Android devices can freely use SAFE to gain deeper, broader control over some Samsung phones and tablets. Unfortunately, SAFE can't be used on other Android devices, or with other third-party MDM software.
Think about SAFE as a way to raise the bar for certain users, groups or use cases. You might not be able to take advantage of SAFE on every personal device, but you might offer better support or additional apps to devices that are SAFE-certified. You might also procure SAFE-certified Android devices in situations that warrant enterprise ownership or platform standardization, such as tablets used in kiosk scenarios or phones field workers share to replace old, ruggedized Windows CE devices.
Finally, Samsung isn't the only Android vendor to offer proprietary device management or EAS extensions. Other examples include Motorola, with its Enterprise Device Management, and NitroDesk, with TouchDown. Don't assume you're limited to industry-standard Android APIs. If you're looking for tighter control over Android devices that employees use for business, dig further and take a hard look at enhancements such as SAFE.