Delivering security and privacy for Exchange on Android

For many Android users, Microsoft Exchange is the backend for their company email. Until recently, many email applications on Android used Device Admin capabilities to enforce the necessary security requirements on users’ devices, whether they were issued by their company or personally owned.

These APIs, which we began deprecating in Android 9 Pie, gave IT control over core security features such as device passcode requirements and remote data wipe. While this gives IT admins controls to promote data protection on the devices when using Exchange email clients, it also adds unnecessary complexity.

We've worked closely with Microsoft to create a new set of APIs that give email developers tools to secure their apps while adhering to the high standards we've set in Android for user privacy.

Google and Microsoft work together for user privacy

We teamed up with Microsoft to build a new way to offer the security that IT needs when using Microsoft Exchange, while offering the privacy employees have come to expect on personal Android devices.

IT admins have the option to require a user to follow a specified level of password complexity (options are for high, medium or low) to use their Exchange email app. If they don’t follow the set guidelines, they won’t be able to sync and access their corporate email. If IT needs to restrict or remove access on the device, no personal information, such as photos or downloads, will be removed. 

Combined with other Android technologies like the SafetyNet Attestation API, Android hardware-backed brute force protections and Google Play Protect, IT professionals can feel confident their data is protected by enterprise-grade security while giving their employees greater autonomy over their device. 

Bringing these improvements to more users

To make sure as many users as possible can benefit from this change, the Android team has developed a backwards-compatible implementation of this approach in Google Mobile Services. Email app developers can migrate away from Device Admin on any version of Android they support.

Both Gmail and Outlook will showcase this functionality later this month. As Android app developers update apps to meet the official Device Admin deprecation requirements in Android 10 later this year, look for your favorite email client to take advantage of this functionality soon.

For companies whose needs evolve and would benefit from even greater management capabilities, we invite them to learn more at android.com/enterprise.