Binding an enterprise identity to a mobile device comes with additional considerations (starting with enterprise mobility management, or EMM), and historically the most challenging aspect of mobile identity has been how to get native SaaS apps to participate in single sign-on, but that's starting to change. We'll dive into how the new flows from the OIDF Native Applications Working Group ("NAPPS") can work with the new "work profile" concept within Google's Android for Work program to make enterprise identity (and SSO) more natural to the end user, easier for enterprise IT and the SaaS vendor to implement along with their EMM partners.

1. Enterprise Identity Meets Android
for Work Andy Zmolek - Enterprise Partnerships, Android

2. This talk brings together
two emerging enterprise
mobile identity efforts:
Android for Work
and NAPPS

3. Android for Work is a program
to drive Android adoption in the workplace
Secure Android for
BYOD and corporate
issued devices
Google Play for Work
for app distribution
Standardized
management
Leveraging entire
Android ecosystem

4. Management
Integrated with existing
management tools. to create a
single console across all devices
Devices
Designing new business specific
form factors and enabling AfW
management
Applications
Developer friendly: write once,
deploy and manage on any
device through Google Play
Networking
Securely connect to your
internal systems through VPN
and network applications
Android for Work launched earlier this year
with support from a broad set of initial partners

5. Work Profiles
Extension of Lollipop’s
default encryption,
security enforcement and
multi-user support
A dedicated work profile
isolates and protects work
data - badged work apps
sit right alongside
personal apps
Users know IT only
manages work data and
can’t erase or view
personal content

6. Android for Work app
For devices that can’t run
work profiles natively
Secure mail, calendar,
contacts, documents,
browsing and access to
approved work apps
Can be completely
managed by IT

7. Work Profile vs Android for Work app
Android Lollipop+*
Native App
Work
instance
Personal
instance
Android ICS-Kitkat**
Android
for Work
SDK
Work App
Android
for Work
App
Native
App
* Where OEM has enabled multi-user
** Or lollipop where OEM has not enabled multi-user
Work Profile Android for Work app
Android for Work SDK
Enables apps to run
seamlessly in the secure
container provided by the
Android for Work App.
Supports APIs to access the
container such as
Contacts/Calendar Providers,
Storage Access Framework,
Intents, Application
configuration and
management, KeyStore
access, Clipboard, Download
and Notification Manager.
Provides Extension APIs to
support VPN and File
encryption.
Personal
user
Work
user

8. Work Managed Device
For corporate-liable
deployments which
require management of
the entire device
Set up from initial boot
including NFC-based
provisioning
Deploy only selected apps
-- internal or 3rd party --
to managed devices

9. Built-in
productivity tools
A suite of business apps
for everyday tasks: email,
contacts and calendar
Supports Exchange and
Notes
Edit the most popular
documents with Docs,
Sheets and Slides apps

10. Google Play for Work
Allows IT to securely
deploy and manage
business apps
Any app in the Play
catalog to be deployed to
the Work Profile; a subset
to the Android for Work
app
Simplifies process of
distributing apps and
ensures IT approves every
app deployed to workers

11. IT Admins: Work Storefront - play.google.com/work
● Web-based tool for
Company Admin
● Access to entire public
Google Play catalog
● Bulk App Purchasing
for users
● Admin acceptance of
permissions for
whitelisted apps

12. Points of Integration For App Developers
Managed Configuration
Your app can expose its policy and
configuration settings, to be read by
Enterprise Mobility Managers, and
managed by IT admins.
[Details]
Data Segregation
Users of your app can keep data separate
between their work and personal
profiles. Check that your app works
seamlessly in a work profile.
[Details]
Group Licensing
Your app can be bulk purchased by IT
admins and licenses assigned and
reassigned within the company. Opt-in
via Play Developer Console.
[Coming Soon]
Identity / Authentication
Use Google sign-in to authenticate.
Customers that have integrated to
Google Auth get SSO with your app for
free--or leverage standard SAML/OAuth
[Details]

13. HW
OS
APPS
MGT
VERIFIED BOOT
HARDWARE ENABLED KEY STORE
ENCRYPTION
SELINUX + ANDROID
WORK PROFILE PERSONAL
APPLICATIONS
IDENTITY
APPS
PRIVATE / PLAY
OEM
EXTENSIONS
AND
INNOVATION
EMMs
OEMs

14. OS
APPS
MGT
ENCRYPTION
SECURITY ENHANCEMENTS (SE)
for ANDROID
APPLICATIONS
IDENTITY
APPS
PRIVATE / PLAY KNOX
WORKSPACE
EMMs
KNOX
ANDROID
FRAMEWORK
(VPN, SSO, ODE,
SDP, Attestation)
ENHANCED TIMA
(RKP/Keystore/CCM)
TRUSTED BOOT SECURE BOOT
WORK PROFILE PERSONAL

15. Lollipop Native User Experience
Secure Mobility for Work

16. USER
EXPERIENCE
:: Personal and work applications shown in a single
unified launcher
:: Work apps badged with an orange briefcase
:: A single application binary with two different data
sets - one for work and one for personal
:: PIM Suite, Browser, Docs, Sheets, Slides included

17. ● OS based data separation
● Data sharing restricted across profiles
● Separate file store for each profile
Data Sharing
Between Apps

18. Recent task
switching
with badging
● Work apps are badged
● Seamless switching between personal apps to
work apps
● Work and personal instances of same app run
side-by-side with sandboxed data stores
Native Task
Switching

19. ● Notifications are badged to separate work
from personal
● EMM policy can redact or limit detail
displayed
Badged
Notifications

20. Android for Work App
User Experience
Secure Mobility for Work

21. ● Same look and feel as Android for
Work native experience in Lollipop
● All Applications shown in launcher
● Work apps indicated by orange
briefcase badge
● Consistent across all Android for
Work devices
CONFIDENTIAL
USER
EXPERIENCE

22. ● Application management and security
framework
● Suitable for BYOD scenarios
● Screenlock protected, controlled apps
● Management of the profile and
associated apps vs full device
● Wipe removes the profile, data and
apps, leaving the rest of the device
unaffected
CONFIDENTIAL
Android for
Work App

23. Managed Domains & Identity
Secure Mobility for Work

24. Google Play for Work Store
● Android Work will provide a
Managed Google Play Store to build
collections of IT-approved apps
Managed Google Account
● Eliminates the use of personal
accounts for Play for Work access
● Enables installation of approved
apps presented in Work Profile
● Facilitates app management
including volume purchases, with no
license keys or user intervention
Google Play for
Work

25. 1 2 3 4
Register
Managed Domain
Create Admin Account Verify Domain Ownership
Generate EMM API
Token
Google Domain
Identity

26. Registration Process
Step 1: Admin enters basic business contact
information
Step 2: Admin enters basic information
about the business
● Business name
● Address
● Number of Employees
1
Registration of
Domain

27. Admin creates the account for the Managed
Domain
2
Create Admin
Account

28. Admin verifies Domain ownership
Option 1: Add meta tag to corporate homepage
● Google verifies by scanning homepage
Option 2: Add a TXT or CNAME record to domain’s DNS
● Google verifies by checking DNS records
Option 3: Add an HTML file to root of company’s website
● Google verifies by scanning the company website
3
Domain
Verification

29. ● Generated for binding to customers’
EMM provider
● Enables Android for Work management
via API’s
● Allows management of ONLY specific
Managed Domain devices
4
EMM Binding
Token

30. The IT admin can populate the managed
accounts directly into managed domain:
Option 1: Delegate to EMM via Directory API’s
Option 2: Google Active Directory Sync
Authenticate accounts via enterprise SAML-
based SSO (recommended) or password sync
Account
Management

31. Native Application SSO
aka “NAPPS”
Secure Mobility for Work

32. Searching for
NAPPS?
http://openid.net/wg/napps/
not found at
napps.org!

33. ● NAPPS can always work with system browser
● User experience can be improved: eliminate
unnecessary app flips and browser pops
● Android for Work partners and product team
working closely to define best practices
● Opportunity to leverage capabilities that
already exist natively in Android OS
● Stay tuned for more!
“Native”
NAPPS

34. ● Multiple methods exist for IdP discovery
(aka “tenant discovery”) with NAPPS, such as:
Non-managed: Smart Lock for Passwords
Managed: Android App Restrictions
● With managed profiles or devices, Android “app
restrictions” can point to enterprise IdP
● App developer exposes app configuration
schema specific to their app in manifest
● Play publishes restrictions for EMMs who set
configurations via Android framework
IdP Discovery
via App
Restrictions

35. Thank You!
Secure Mobility for Work

36. EMM
App search &
install
COMPANY
Mgmt front end
/ console
Business Customer signup for Android for Work
1. IT admin signs up for Android for Work through
google.com/android/work/partners.
2. IT admin verifies domain ownership
3. IT admin enrolls Android for
Work account with EMM
6. User installs EMM DPC
app from Google Play
5. EMM sets which apps
users have available.
8. User is signed in to their
corp Google account.
4. Company synchronises user directory with Google
auth. Optionally synchronises credentials or
integrates SAML federated login to enable SSO.
GOOGLE AUTH
7. User follows
setup wizard in
EMM DPC app
APIs for mgmt
and config
9. User browses for
works apps to install
in Work Play Store

37. EMM
APIs for mgmt
and config
App catalog and
delivery
COMPANY
Mgmt front end
/ console
App Management Flow
1. IT admin discovers apps
through Google Play for Work
2. IT admin approves app and accepts permissions (free apps) in
either Google Play for Work or EMM console. Purchases can only
be made in Google Play for Work (paid apps).
3. IT admin push installs app or makes
it available to users through the Play
Store client app via the EMM Console
6. User installs approved
apps from Play Store client
and accepts permissions.
7. Admin pushes managed configuration
to devices via EMM Console
5. User is signed in to their
corp Google accounts.
4. Company synchronises user directory with Google
auth. Optionally synchronises credentials or
integrates SAML federated login to enable SSO.
GOOGLE AUTH

38. EMM
SERVERCOMPANY
EMM
CLIENT
YOUR APP
Publish config options
Present admin config UI Push config Push config to profile
Read app’s
config
options
Managed Configuration Flow

39. Make any place your workplace