MOBILE OPERATING SYSTEM TRANSITION Insights and Considerations TABLE OF CONTENTS
1. Introduction 2. Legacy Operating Systems 3. Android Enterprise Evolution 4. How Honeywell Helps 5. Android Lifecycle Management 6. Conclusion and Recommendations
Mobile Operating System Transition | 2 INTRODUCTION
A shift in the mobile operating system landscape has occurred over the last several years. The transition from legacy Windows® is well underway. While there remain several distinct choices on the roadmap, the tradeoffs and compromises associated with each have become clearer. This paper will elaborate on these points and provide the reader with guidance on recommended solutions.
Mobile Operating System Transition | 3 LEGACY OPERATING SYSTEMS 1
Customers currently running applications that require a legacy Microsoft® operating system (Windows CE 6 or Windows Mobile/ Windows Embedded Handheld 6.5) will soon face the end of support for their platform. Mainstream support, which includes regular updates, has ended for both legacy systems.
Microsoft extended support (security As end of support dates for legacy fixes) ended for Windows CE 6 in operating systems approach, customers early 2018 and will end for Windows need to make decisions and plans to move Embedded Handheld 6.5 in early 2020. forward, as application development can After those dates, vendors will be unable require considerable time and effort. to provide patches should a vulnerability Android’s large market presence supports a or error be found in Microsoft code. For broad variety of OEMs and hardware form this and other reasons, many customers factors, making it more likely that a device is have begun planning a transition to new available to meet the customer’s use case applications running under Android™. and cost requirements, including devices that offer integrated physical keypads.
Mobile Operating System Transition | 4 ANDROID ENTERPRISE EVOLUTION 2
Prior to 4.0 Ice Cream Sandwich, Android offered little in the way of enterprise features. The consumer-focused operating system was augmented by OEM extensions and third- party software to allow it to be controlled and managed in the enterprise environment.
Enterprise features gradually began Added features include bulk provisioning As its market share has grown, Android appearing in the 4.2 Jelly Bean and 4.4 to speed device setup, Device has become a target for exploits and KitKat releases, culminating with the Owner (Android Enterprise) mode to malware attacks. Google has responded introduction of Android for Work in 5.0 allow fully managed devices at the by increasing the protections to prevent Lollipop. Android for Work provided corporate level, always-on VPN, and the introduction of Potentially Harmful an extended set of management APIs encryption enabled by default to Apps (PHAs), as well as implement and a container system for separating protect personal and corporate data. defenses inside the OS that limit the and independently managing ability of the system to be compromised Popular mobile operating systems such personal and work apps and data. should a PHA be installed. A few of as Android enable companies to access those protections are discussed below. a large ecosystem of applications, Google® has continued investing heavily development tools, and resources, but Detailed information is available in in enterprise capabilities in each of its also involve security risks that must be Google’s Android Security 2018 Year last several versions, renaming Android addressed and mitigated. Google has in Review report located here: for Work to Android Enterprise. steadily evolved its approach to security https://source.android.com/ security/reports/Google_Android_ Security_2018_Report_Final.pdf
Mobile Operating System Transition | 5 HOW HONEYWELL HELPS 3
Honeywell is strongly committed to cybersecurity. Our global businesses include aerospace and process solutions that demand a very high degree of security in all aspects of operations.
A corporate-level cybersecurity task force measures are intended to reduce the Another important aspect of security sets and maintains security policies and avenues through which threats can is maintaining an updated system. standards, including test procedures enter the customer environment. Researchers are constantly discovering used during product development and responsibly reporting vulnerabilities Many enterprise customers will choose that specifically identify software in the Android code base that could to restrict end users further by “locking issues that could make systems more potentially be subject to malicious down” the device through the use of vulnerable to exploits. This approach exploits. Google even offers a bounty an Enterprise Mobility Management eliminates potential vulnerabilities program to encourage researchers (EMM) agent or app such as Honeywell before products are even released. to find and report potential issues. Enterprise Launcher. These tools control user access to system resources and Google and chipset providers such as The cybersecurity team monitors can restrict the system to execute only Qualcomm® provide security patches to multiple information sources to learn designated apps. Removing the user’s OEMs on a regular basis for incorporation of potential system security issues ability to install or run unauthorized apps into their software builds. Honeywell as early as possible (typically well makes the system far less vulnerable to updates its Android system images before the mainstream media) and has security exploits caused by user actions. on a regular 60-day cadence, with implemented an escalation protocol that patches for extremely critical exploits Honeywell offers tools that enable mobilizes resources company-wide on available within just a few days (as customers to establish application white a priority basis to address these issues. necessary). Patches are delivered lists or black lists, control availability as incremental updates to baseline Once an Android vulnerability is revealed of a wide range of device features, and images, minimizing the size of the and a corrective action posted by control which IP addresses are accessible update package for easier deployment Google, Honeywell’s Android security through the firewall. Honeywell Launcher across the customer’s network. Unlike experts implement the fix and deliver replaces the standard Android home consumer OEMs, Honeywell packages it to customers. Direct distribution of screen with a kiosk experience that are downloadable from a web portal patches and updates enables Honeywell allows the user to see and execute only to allow for customer acceptance to reduce response time compared to the apps needed to perform their job. testing prior to full-scale deployment. OEMs who must go through secondary Honeywell also offers an Enterprise An email notification subscription is channels to deliver their updates. Browser that enables web page rendering available so customers will be informed using standard Android controls, but Security Manuals are published as soon as new updates are posted. for all Honeywell products to guide controls the sites that users are allowed customers in implementing best to access. By limiting what the user practices to secure their environment can do with the device, IT support and devices. Guidance is provided in becomes easier and opportunities for configuration of device settings, network the introduction of malware into the settings, and maintaining a secure system are substantially reduced. IT environment. These preventative
Mobile Operating System Transition | 6 ANDROID LIFECYCLE MANAGEMENT 4
Customers deploying mobile computer solutions in the rugged enterprise environment expect a longer usage cycle than consumers. Where smartphones in consumer use cases generally turn over in 2–3 years, enterprises are expecting their systems to last 3–5 years or longer.
Historically, embedded operating TIMING OF DELIVERY TO CUSTOMERS updates received from Honeywell to their systems used in rugged mobile WILL BE QUARTERLY, or less if no satisfaction prior to rolling out an update computers had a lifecycle corresponding severe patches applicable to the to their estate. to enterprise use cases. Windows CE supported operating system version CUSTOMERS CAN RECEIVE THESE and Windows Embedded Handheld are reported. Applicable patches will BENEFITS under the terms of a were supported by Microsoft for 10 generally be delivered within 90 days service contract, either standalone years after initial introduction. of public disclosure with exceptions or incorporated into another type of possible for imminent threats. Although Android has been augmented service agreement. Customers without a by Google with a variety of new enterprise CUSTOMERS UTILIZING THIS SERVICE contract will not receive security patches features with each major release, WILL BE EXPECTED to apply all after Google security patch support ends. extended support is not among them. previously released patches in order to This program is available on Honeywell Android major versions (or “dessert apply the most recent patch. In other devices running Android 6.0 Marshmallow releases”) occur on a roughly annual words, patches are cumulative. Specific and later versions, upon expiration of basis and are generally supported patches cannot be applied individually. Google security patch support. with security patches from Google SECURITY PATCHES WILL BE TESTED and chipset vendors for a period FOLLOWING Honeywell standard test of 3 years thereafter. This creates a procedures applicable to all software gap in support coverage relative to releases. It remains the responsibility enterprise expectations. Selecting of the customer to test any software OEM chipsets that are supported for subsequent dessert releases will help extend the timeline, but ultimately Google support policy stops short of enterprise customer expectations. Launch +1 year +2 year +3 year +4 year +5 year Honeywell offers the Sentinel™ program to provide patches for severe Rugged Device LIFESPAN security vulnerabilities applicable to the supported operating system Consumer PATCHES & UPDATES NO COVERAGE on a periodic basis for 2+ years after
Google security patch support ends. Honeywell PATCHES & UPDATES EXTENDED SECURITY
Mobile Operating System Transition | 7 CONCLUSION AND RECOMMENDATIONS
Android is a secure operating system, utilizing application isolation and exploit mitigation techniques to provide a high level of security to the user. Implementing lockdown techniques via an EMM or Honeywell Enterprise Launcher can further reduce the risk of malware intrusion by limiting what the user can do and what apps can run on the system.
Honeywell’s products are designed from MOBILITY EDGE multiple devices in multiple form the start to meet Honeywell’s rigorous One way businesses can simplify the factors, more rapidly and at a lower cost security standards. Security is evaluated migration process is by selecting than typical mobile deployments. throughout the development process, devices that are built on a unified mobile Businesses wishing to extend product identifying and mitigating vulnerabilities platform, like Honeywell's Mobility lifecycle and gain a better return on even before products are released. Edge™. Devices built on this common their technology investment will be hardware and software platform are Education of customers and constant assured by the fact that Mobility Edge easier and less costly to deploy and monitoring of security vulnerabilities platform devices can be upgraded manage, and have longer lifecycles and exploits, with defined processes through Android R. Honeywell also than similar competitive devices. for addressing those issues that provides critical security updates for up are discovered, further protect our Mobility Edge devices feature a common to two years past Google’s last security customers’ systems from compromise. A hardware System On Module, or SOM, patch through its Honeywell Sentinel subscription-based notification model which is a single, certified module that service, giving customers a product enables customers to take immediate includes the device’s CPU, memory, lifecycle through at least 2025. action to mitigate risk while software is WWAN (in selected devices), WLAN, being patched and tested. Customers Bluetooth®, near-field communication HONEYWELL MARKETPLACE can be assured that their systems are (NFC), and Zigbee (in selected For businesses needing help with their designed and supported to the highest devices). They also feature a common Android transition strategy, the Honeywell standards and they can operate their OS software image and a common Marketplace offers a helpful resource. businesses with confidence knowing software ecosystem, which includes Honeywell Marketplace is an enterprise Honeywell is working to help them not only Honeywell software, but also app store that provides businesses with maintain the security of these systems. software from Honeywell-approved direct access to software and solutions independent software vendors (ISVs). With its large market share and extensive developed by Honeywell and third- ecosystem of apps, developers, and Having a common SOM and OS software party independent software vendors. VARs, Android has become the clear image provides flexibility and reduces Companies can search for solutions by choice for many enterprises in a variety costs for businesses to deploy additional industry, by solution type (developer of industries. Transitioning to Android device form factors, because there are tools, ERP, etc.), or by technology involves writing new apps, adapting no added development or certification (mobile computer, wearables, etc.) and workflows, and changing the mobile costs. Companies can validate all find a diverse set of applications to devices workers use. This can be a their mobile devices, use cases, and help ease their mobile transitions. costly and complicated endeavor. software once, and then deploy across
Mobile Operating System Transition | 8 For more information www.honeywellaidc.com Mobility Edge and Sentinel are trademarks or registered trademarks of Honeywell International Inc. Android is a trademark or registered trademark of Google LLC. Honeywell Safety and Productivity Solutions Bluetooth is a trademark or registered trademark of 9680 Old Bailes Road Bluetooth SG, Inc. Microsoft and Windows are trademarks or registered trademarks of Microsoft Corporation. All Fort Mill, SC 29707 other trademarks are property of their respective owners. 800-582-4263 Mobile Operating System Transition White Paper | Rev B | 06/19 www.honeywell.com © 2019 Honeywell International Inc.