Security posture signals
Important: Device Trust from Android Enterprise is a unique API solution that
makes available these and more signals to evaluate the security posture of an
Android-powered device. For additional information see: Device Trust from Android Enterprise.
Android provides a variety of device signals that administrators can use to
determine the security posture of a device. In a Zero Trust security model,
these signals are used to assess whether a device should be allowed to access
corporate information.
| Description | Fully managed devices | Work profile on company-owned devices | Work profile on personally-owned devices (BYOD) | Unmanaged devices |
|---|---|---|---|---|
| A Trust broker can retrieve the following signals: device integrity, app integrity, Play license details, and environment details including the new Play Protect verdict | Yes | Yes | Yes | Yes |
| A Trust broker can verify that their PKI credentials were generated and stored in secure hardware | Yes | Yes | Yes | Yes |
| As part of key attestation, device properties can be included in the attestation record | Yes | Yes | Yes | Yes |
| A Trust broker can validate the OS security patch level | Yes | Yes | Yes | Yes |
| A Trust broker can check if there is a pending device OS update available | Yes | Yes | Yes | N/A |
| A Trust broker can read the security patch level for the installed Mainline train | Yes | Yes | Yes | Yes |
| A Trust broker can access a unique device ID specific to that enterprise. This ID survives work profile re-creation and device factory reset | Yes | Yes | Yes | N/A |
| A Trust broker can use this to determine if a device is managed | Yes | Yes | Yes | N/A |
| A Trust broker can check if the device is encrypted (if Android 8 support is needed) | Yes | Yes | Yes | Yes |
| A Trust broker can check the device OS version and confirm it exceeds a certain version | Yes | Yes | Yes | Yes |
| A Trust broker can get information about the active network state (cellular and Wi-Fi) | Yes | Yes | Yes | Yes |
| A Trust broker can get information about the active Wi-Fi network | Yes | Yes | Yes | Yes |
| A Trust broker can get information about the current default HTTP proxy settings | Yes | Yes | Yes | Yes |
| A Trust broker can ensure a device has a certain quality of screen lock configured before granting access | Yes | Yes | Yes | Yes |
| A Trust broker can identify a device as having a broader attack surface when developer options are enabled | Yes | Yes | Yes | Yes |
| A Trust broker can leverage this to ensure that Private DNS mode is enabled | Yes | Yes | Yes | Yes |
| A Trust broker can determine whether a particular URL has been classified by Google as a known threat | Yes | Yes | Yes | Yes |
| A Trust broker can be notified when external storage is mounted | Yes | Yes | Yes | Yes |
| A Trust broker can study usage patterns of individual apps | Yes | Yes | Yes | |
| A Trust broker can leverage this data as part of their contextual engine to ensure compliance and create a behavior-based fingerprint | Yes | N/A | | |
| A Trust broker can leverage this data as part of their contextual engine to ensure compliance and create a behavior-based fingerprint | Yes | N/A | | |
| A Trust broker can query an app's network usage within a given time interval | Yes | Yes | | |
| A Trust broker can query what apps are installed on the device | Yes | Yes | | |
| A Trust broker can get mobile network info, the status of any ongoing calls, and a list of PhoneAccount objects registered on the device | Yes | Yes | Yes | Yes |
| A Trust broker can get the system uptime | Yes | Yes | Yes | Yes |
| A Trust broker can leverage this to access the list of accounts in the Accounts Service | Yes | | | |
| A Trust broker can monitor significant changes in battery level | Yes | Yes | Yes | Yes |
| A Trust broker can access the device's physical location | Yes | Yes | | |

1 With user consent
2 Work profile only
3 Access limited to work profile information
Retrieve Mainline version

A Trust broker can access the PackageInfo for the com.google.android.modulemetadata
module and retrieve its versionName from there:
```kotlin
import android.content.Context
import android.content.pm.PackageManager

// Returns the Mainline train version (the versionName of the module metadata
// package), or null when that package is not visible to the caller.
private fun mainlineVersion(context: Context): String? {
    val moduleProvider = "com.google.android.modulemetadata"
    return try {
        val pm = context.packageManager
        val packageInfo = pm.getPackageInfo(moduleProvider, 0)
        packageInfo.versionName
    } catch (e: PackageManager.NameNotFoundException) {
        // Package missing or hidden by package visibility rules (see the manifest note below).
        null
    }
}
```
You can parse the returned string into a Date object using the SimpleDateFormat class:
```kotlin
import java.text.ParseException
import java.text.SimpleDateFormat
import java.util.Arrays
import java.util.Date
import java.util.Locale
import java.util.TimeZone

// The versionName is a date; newer trains use "yyyy-MM-dd", older ones "yyyy-MM".
private val VERSION_NAME_DATE_PATTERNS = Arrays.asList("yyyy-MM-dd", "yyyy-MM")

private fun parseDateFromVersionName(text: String): Date? {
    for (pattern in VERSION_NAME_DATE_PATTERNS) {
        try {
            val simpleDateFormat = SimpleDateFormat(pattern, Locale.getDefault())
            simpleDateFormat.timeZone = TimeZone.getDefault()
            return simpleDateFormat.parse(text)
        } catch (e: ParseException) {
            // ignore and try next pattern
        }
    }
    // None of the known patterns matched.
    return null
}
```
Remember that for Android 11 and newer you have to add a query declaration in
your AndroidManifest.xml file to satisfy Android's package visibility rules:

```xml
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.game">
    <queries>
        <package android:name="com.google.android.modulemetadata" />
    </queries>
    ...
</manifest>
```
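A freshness check built on the two patch-level strings the table lists, the OS security patch level (Build.VERSION.SECURITY_PATCH) and the Mainline versionName retrieved above, written here as an added example rather than code from the page. It uses java.time instead of SimpleDateFormat so parsing is strict and locale-independent, reads a yyyy-MM value as the first day of that month, and fails closed when a value is missing or unparseable. The function names, the 90-day maximum age and the sample strings in main() are this example's own constructions.

```kotlin
import java.time.LocalDate
import java.time.YearMonth
import java.time.format.DateTimeParseException
import java.time.temporal.ChronoUnit

/** Outcome of checking one patch-level string against a maximum-age policy. */
data class PatchLevelVerdict(val source: String, val level: LocalDate?, val compliant: Boolean)

/**
 * Parse a patch level in either "yyyy-MM-dd" (OS security patch level and newer
 * Mainline versionName values) or "yyyy-MM" (older Mainline versionName values).
 * java.time parsing is strict, so values such as "2023-13" or "2023-02-30" yield null.
 * A month-only value is read as the first of that month, the conservative choice
 * for a freshness check.
 */
fun parsePatchLevel(text: String): LocalDate? =
    try {
        LocalDate.parse(text.trim())
    } catch (e: DateTimeParseException) {
        try {
            YearMonth.parse(text.trim()).atDay(1)
        } catch (e2: DateTimeParseException) {
            null
        }
    }

/**
 * A missing or unparseable value is treated as non-compliant: a Trust broker
 * should fail closed rather than grant access on a signal it cannot read.
 */
fun evaluatePatchLevel(source: String, text: String?, today: LocalDate, maxAgeDays: Long): PatchLevelVerdict {
    val level = text?.let(::parsePatchLevel)
    val compliant = level != null && ChronoUnit.DAYS.between(level, today) <= maxAgeDays
    return PatchLevelVerdict(source, level, compliant)
}

fun main() {
    // Constructed sample values. On a device the strings would come from
    // Build.VERSION.SECURITY_PATCH and from the mainlineVersion(context) helper above.
    val today = LocalDate.of(2024, 6, 1)
    val maxAgeDays = 90L
    val verdicts = listOf(
        evaluatePatchLevel("os", "2024-05-05", today, maxAgeDays),     // 27 days old: compliant
        evaluatePatchLevel("mainline", "2024-01", today, maxAgeDays),  // read as 2024-01-01: stale
        evaluatePatchLevel("mainline", null, today, maxAgeDays),       // package not visible: fail closed
        evaluatePatchLevel("os", "not-a-date", today, maxAgeDays),     // garbled value: fail closed
    )
    verdicts.forEach { println("${it.source}: level=${it.level} compliant=${it.compliant}") }

    // Access is granted only when every patch-level signal is within policy.
    val grantAccess = verdicts.all { it.compliant }
    println("grant access: $grantAccess")
}
```

Treating "yyyy-MM" as the first of the month makes the check slightly stricter than the real release date, which is the right direction for an access decision; if your policy needs the exact day, prefer devices whose versionName already carries one.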
Retrieve management state

A Trust broker can use these methods to verify whether a device is under management
and which management mode is active.

Check for device management

Use getActiveAdmins() to check if a device is under management. If this
method returns null, the device is unmanaged.

Check for fully managed device

Use isDeviceOwnerApp() to check if the device is fully managed.

Check for work profile on a company-owned device

Use isOrganizationOwnedDeviceWithManagedProfile() to check if a device
is using the work profile management mode for corporate-owned devices.

Check for work profile on a personally-owned device

Use isProfileOwnerApp() to check if an app is running inside a work
profile and verify that isOrganizationOwnedDeviceWithManagedProfile()
returns false.

Note: If the isProfileOwnerApp() check is done from an app running outside the
work profile it will always return false.
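The four checks above combined into one classification, written as an added example rather than code from the page. It asks DevicePolicyManager about each active admin in the calling user, so the Trust broker itself does not have to be the admin; the ManagementMode enum and the detectManagementMode name are this example's own. Because getActiveAdmins() and isProfileOwnerApp() only see the profile the code runs in, UNMANAGED returned from the personal side of a BYOD device does not rule out a work profile, which is the point of the note above.

```kotlin
import android.app.admin.DevicePolicyManager
import android.content.Context
import android.os.Build

/** Management modes a Trust broker distinguishes; the names are this example's own. */
enum class ManagementMode {
    UNMANAGED,                      // getActiveAdmins() returned null
    FULLY_MANAGED,                  // some active admin is the device owner
    WORK_PROFILE_COMPANY_OWNED,     // profile owner on an organization-owned device
    WORK_PROFILE_PERSONALLY_OWNED,  // profile owner on a personally-owned (BYOD) device
    LEGACY_DEVICE_ADMIN             // an admin that owns neither the device nor a profile
}

fun detectManagementMode(context: Context): ManagementMode {
    val dpm = context.getSystemService(Context.DEVICE_POLICY_SERVICE) as DevicePolicyManager

    // Step 1: no active admins in this user means the device (or this profile) is unmanaged.
    val admins = dpm.activeAdmins ?: return ManagementMode.UNMANAGED
    val adminPackages = admins.map { it.packageName }

    // Step 2: a device owner among the admins means a fully managed device.
    if (adminPackages.any { dpm.isDeviceOwnerApp(it) }) {
        return ManagementMode.FULLY_MANAGED
    }

    // Steps 3 and 4: a profile owner means a work profile; the organization-owned
    // flag (Android 11 and newer) separates company-owned from personally-owned devices.
    if (adminPackages.any { dpm.isProfileOwnerApp(it) }) {
        val organizationOwned = Build.VERSION.SDK_INT >= Build.VERSION_CODES.R &&
            dpm.isOrganizationOwnedDeviceWithManagedProfile
        return if (organizationOwned) ManagementMode.WORK_PROFILE_COMPANY_OWNED
               else ManagementMode.WORK_PROFILE_PERSONALLY_OWNED
    }

    // Active admins exist but none is a device or profile owner: a pre-Android Enterprise
    // device admin, which is not one of the management modes in the table above.
    return ManagementMode.LEGACY_DEVICE_ADMIN
}
```

On Android 10 and older the organization-owned flag is unavailable, so a work profile there is reported as personally-owned; a Trust broker that must distinguish the two on such devices needs a different signal than this API.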