Android 13 and Ivanti UEM: What to Know About the Latest Enterprise Features
Android 13, the latest release from Google, is here. For IT administrators, this means making sense of new enterprise features and enhancements: what changed, why should you care – and most importantly, what should you do about it?
Is Ivanti Android 13 ready?
For Ivanti customers, one thing you won’t need to worry about is whether the new OS is supported by your UEM solution. Ivanti UEM products are Android 13 ready, with day zero support for a seamless transition. Customers can access product-specific support through the Ivanti Community.
What’s new in Android 13 for Enterprise: the features admins should know
Android 13 brings several new enterprise features and many enhancements to user privacy, control and comfort. There are a number of changes to pay attention to:
- More user control over privacy, battery management and notifications.
- Enhanced 5G/cellular support.
- New device and security settings, as well as security enhancements to the OS.
- More options for corporate out-of-the-box deployment.
Let’s dig into each of these areas.
End user privacy and usability enhancements
Android fans have reason to cheer: it’s not often that privacy and usability improve simultaneously, and Android 13’s new user controls offer both. Administrators will want to ensure that any work apps that should be exempt from these controls are configured accordingly.
Users can stop unwarranted services. Users can view and stop apps with foreground services from the notification drawer. Some apps are exempt from this action, including Ivanti/MobileIron Go. To get rid of this user control entirely, you will need to configure “Disallow User Control.”
New rules help preserve and optimize battery use. The system will place an app in the restricted bucket when app behavior matches certain criteria. Although some apps are exempt, other apps – including work apps – may be subject to this new rule. To avoid work apps being placed in the restricted bucket, admins can configure “Disallow User Control.”
New runtime permissions offer more quiet time and privacy. Android apps run in a limited-access sandbox, and if an app needs to use resources or information outside of that sandbox, it must define permissions. Android 13 adds more than 20 new permissions, but three are of particular interest:
- POST_NOTIFICATIONS determines whether an app is eligible to send exempt (i.e. general) notifications. Any app that pushes notifications requires user consent or pre-approval from a UEM console.
- USE_EXACT_ALARM determines whether an app is eligible to send time-related notifications and reminders, limiting these to alarm clock, timer and calendar apps.
- NEARBY_WIFI_DEVICES, part of the NEARBY_DEVICES permission group, lets apps that manage a device’s connection to nearby access points over Wi-Fi request that specific permission, rather than the privacy-sensitive location permission.
Android’s developer site offers further details on the new permissions.
5G and cellular support enhancements
For both 5G and non-5G users, the Android 13 release offers improvements for handling traffic.
Admins have more options for 5G slicing. This feature, first introduced as part of Android 12, now allows admins to have many slices configured and to extend them to company-owned assets – meaning you can use dedicated 5G slices to expedite traffic routing.
APNs can be configured with a specific enterprise ID. Carriers must share the APN endpoint name with the IT admin so that the admin can input that information into the APN configuration, which will help in tagging traffic.
Android’s developer site offers further details on network configurations.
Security enhancements
Android 13 brings a number of additional device and security controls worth investigating:
- DISALLOW_ADD_WIFI_CONFIG disallows a user from adding a new Wi-Fi configuration.
- DISALLOW_CHANGE_WIFI_STATE disallows a user from enabling or disabling Wi-Fi. Even if the user manages to put the device in airplane mode, the device remains connected.
- DISALLOW_SHARING_ADMIN_CONFIGURED_WIFI disallows a user from sharing Wi-Fi for admin-configured networks.
- DISALLOW_WIFI_DIRECT disallows a user from using Wi-Fi Direct.
- DISALLOW_WIFI_TETHERING disallows a user from using Wi-Fi tethering, including existing control tethering.
- EnableTrustOnFirstUse allows a user to accept the Root CA cert, which is received from the network server during an initial connection to a new network. It still requires user action and explicit acceptance.
- SetMinimumRequiredWifiSecurityLevel prohibits devices from connecting to networks that do not meet a minimum level of security.
- SetWifiSsidPolicy(WifiSsidPolicy) allows admins to define a list of SSIDs to allow and disallow.
- MAC randomization can be controlled with four different options.
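Before enforcing the minimum security level and SSID policy listed above, it helps to know which networks a fleet already uses would be cut off. The sketch below is an added example, not Ivanti or Android code: it is a simplified model of how the two policies combine, and the inventory, SSIDs and security labels are constructed for illustration.

```python
from enum import IntEnum

class WifiSecurity(IntEnum):
    """Ordering follows DevicePolicyManager's WIFI_SECURITY_* levels."""
    OPEN = 0
    PERSONAL = 1
    ENTERPRISE_EAP = 2
    ENTERPRISE_192 = 3

# Assumed mapping from this example's inventory labels to a security level.
SECURITY_LEVEL = {
    "open": WifiSecurity.OPEN,
    "wpa2-psk": WifiSecurity.PERSONAL,
    "wpa2-eap": WifiSecurity.ENTERPRISE_EAP,
    "wpa3-eap-192": WifiSecurity.ENTERPRISE_192,
}

# Constructed inventory of networks seen on managed devices.
INVENTORY = [
    {"ssid": "CorpNet", "security": "wpa2-eap"},
    {"ssid": "corpnet", "security": "wpa2-eap"},   # lookalike, differs only in case
    {"ssid": "Lab192", "security": "wpa3-eap-192"},
    {"ssid": "CorpGuest", "security": "wpa2-psk"},
    {"ssid": "CafeFree", "security": "open"},
    {"ssid": "PrinterSetup", "security": "unknown"},
]

def evaluate(network, min_level, policy_type=None, ssids=frozenset()):
    """Return None if the network stays usable, else the reason it is blocked."""
    level = SECURITY_LEVEL.get(network["security"])
    if level is None:
        return "unknown security type"          # fail closed on unmapped labels
    if level < min_level:
        return f"below minimum level {min_level.name}"
    ssid = network["ssid"].encode("utf-8")      # SSIDs are compared as exact bytes
    if policy_type == "allowlist" and ssid not in ssids:
        return "SSID not on allowlist"
    if policy_type == "denylist" and ssid in ssids:
        return "SSID on denylist"
    return None

def impact(inventory, min_level, policy_type=None, ssids=frozenset()):
    """Map each SSID that would be blocked to the reason."""
    return {n["ssid"]: r for n in inventory
            if (r := evaluate(n, min_level, policy_type, ssids))}
```

Running `impact(INVENTORY, WifiSecurity.ENTERPRISE_EAP, "allowlist", {b"CorpNet", b"Lab192"})` shows that the case-variant `corpnet` is rejected by the allowlist even though its security level passes.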
Two notable changes to the OS also improve Android’s security.
NIAP-compliant security logs track Wi-Fi and Bluetooth connectivity events. These logs meet the requirements of the Common Criteria Protection Profile for Mobile Device Fundamentals.
Intent filters block non-matching intents. When an app sends an intent to an exported component of another app that targets Android 13+, that intent is only delivered if it matches an <intent-filter> element in the receiving app. (Note that explicit intents address a specific package name and are not affected by this change.)
Corporate out-of-the-box deployment enhancements
Finally, Android 13 offers more deployment options:
- EXTRA_PROVISIONING_ALLOW_OFFLINE allows enrollment of Android devices in completely closed networks. If you are using the QR code method for enrollment, you need to add an additional flag to the QR code.
- EXTRA_PROVISIONING_KEEP_SCREEN_ON allows the device screen to be active during provisioning.
- EXTRA_PROVISIONING_USE_MOBILE_DATA is a Boolean setting that controls whether the device may be provisioned using mobile data.
Android’s developer site offers further details on provisioning.
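For QR code enrollment, the provisioning extras above travel as keys in the JSON text encoded in the QR code. The following added example (not Ivanti's tooling) builds such a payload and checks it before a code is printed; the DPC component, download URL and certificate are hypothetical, and requiring https and strict JSON booleans is this example's own policy.

```python
import base64
import hashlib
import json

# DevicePolicyManager extra keys as they appear in a QR provisioning payload.
PREFIX = "android.app.extra.PROVISIONING_"
COMPONENT = PREFIX + "DEVICE_ADMIN_COMPONENT_NAME"
DOWNLOAD = PREFIX + "DEVICE_ADMIN_PACKAGE_DOWNLOAD_LOCATION"
CHECKSUM = PREFIX + "DEVICE_ADMIN_SIGNATURE_CHECKSUM"
BOOLEAN_EXTRAS = tuple(PREFIX + n for n in ("ALLOW_OFFLINE", "KEEP_SCREEN_ON", "USE_MOBILE_DATA"))

# Constructed sample values; the DPC name, URL and certificate are hypothetical.
SAMPLE_COMPONENT = "com.example.dpc/.AdminReceiver"
SAMPLE_URL = "https://dpc.example.com/dpc.apk"
SAMPLE_CHECKSUM = base64.urlsafe_b64encode(
    hashlib.sha256(b"constructed signing certificate").digest()).decode().rstrip("=")

def build_payload(component, url, checksum, **flags):
    """Return the JSON text for the QR code; flags are the boolean extras."""
    payload = {COMPONENT: component, DOWNLOAD: url, CHECKSUM: checksum}
    payload.update({PREFIX + name.upper(): value for name, value in flags.items()})
    return json.dumps(payload, indent=2)

def checksum_ok(value):
    """True if value is URL-safe base64 of a 32-byte (SHA-256) digest."""
    try:
        return len(base64.urlsafe_b64decode(value + "=" * (-len(value) % 4))) == 32
    except (TypeError, ValueError):
        return False

def validate_payload(text):
    """Return a list of problems; an empty list means the payload passed."""
    try:
        payload = json.loads(text)
    except json.JSONDecodeError as exc:
        return ["not valid JSON: " + exc.msg]
    if not isinstance(payload, dict):
        return ["payload must be a JSON object"]
    problems = []
    if "/" not in str(payload.get(COMPONENT, "")):
        problems.append("component name must be package/class")
    if not str(payload.get(DOWNLOAD, "")).startswith("https://"):
        problems.append("DPC download location must use https")
    if not checksum_ok(payload.get(CHECKSUM)):
        problems.append("signature checksum is not a base64url SHA-256 digest")
    for key in BOOLEAN_EXTRAS:
        if key in payload and not isinstance(payload[key], bool):
            problems.append(key + " must be a JSON boolean")
    return problems
```

Calling `build_payload(SAMPLE_COMPONENT, SAMPLE_URL, SAMPLE_CHECKSUM, allow_offline=True)` and passing the result to `validate_payload` returns an empty list for the constructed sample.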
Taking advantage of Android 13’s latest enterprise features
The release of Android 13 emphasizes again the importance of migrating to Android Enterprise from legacy Device Admin, which was deprecated in Android 10. We strongly recommend that you plan this migration.
It is also important to note that while Google’s Pixel devices receive updates on day one, other device manufacturers follow their own cadence for over-the-air updates. You can check with your vendors for updates and schedules.
To get details on Android 13 compatibility and support for your specific UEM product, visit the Ivanti Community or speak to your customer success manager.