Android COBO: Setting up mobile devices in compliance with GDPR
There are several ways to use Android devices in a GDPR-compliant manner within a company. The most secure option is Android COBO – Company Owned, Business Only. This ensures that the device’s purpose is exclusively work-related. The following article explains which Android devices are suitable for everyday work use, how to configure them correctly, and what management options are available via MDM.
What advantages does Android COBO offer?
What makes Android COBO devices special is that the administrator or CEO has full control over the device settings. This allows for security settings that go far beyond what users could configure themselves. This ensures that all security policies are implemented exactly as specified by the company, preventing data privacy breaches.
However, if companies want to use Android Enterprise devices in the COBO model, they must carefully consider in advance what their employees should and should not do on the devices.
Samsung devices, in particular, offer extensive options for managing and securing mobile devices, as Samsung provides its own interface (Samsung API) for certain functions. This allows for particularly meticulous device configuration. For example, settings can be hidden on Samsung devices, which is not possible on other devices.
The application of MDM policies for Android COBO devices guarantees security, GDPR compliance, and protection against device misuse. Furthermore, at the end of its useful life or on the employee’s departure, the device remains company property and can be completely reset. This ensures not only that all company data is deleted from the device, but also that the device can be reused.
Key Android COBO features:
- Google Play Store restrictions: Only approved apps are installed
- Email account pre-configuration via Exchange Config
- Remote support: Devices can be controlled remotely
- Kiosk mode: Only selected apps are visible
- Lost mode: Locks the device if lost
- App whitelists and blocklists
- Alerts for SIM card swaps and rooting attempts
- Password policies
Full control with COBO: Is an MDM spying on employees?
Setting up and using Android COBO devices is completely compliant with data protection regulations, as an MDM cannot access any personal data. Under the GDPR, there must always be a legitimate reason for collecting, storing, and processing data. When mobile devices are used for work, information such as the IMEI or SIM card number, which could potentially identify the user, may be stored for administrative purposes. Furthermore, only selected, specially trained employees, such as the IT administrator or management, have access to this data. These employees should handle this data in accordance with the company’s compliance rules and the GDPR. Generally, an MDM has no access to content or settings within an app. This means, for example, that photos cannot be viewed or chat messages read. The MDM also does not store passwords, neither for the MDM access itself nor for the devices. Despite its manageability, Android remains committed to ensuring that the device user retains a certain degree of privacy.
Which Android devices are suitable for COBO?
In principle, all Android Enterprise devices can be set up as COBO devices. This is easiest if smartphones or tablets were already ordered as Android Enterprise devices. This makes it clear from the outset that these devices belong to a company. However, this isn’t strictly necessary, as Android devices automatically become Android Enterprise devices once they are registered as COBO devices in the MDM. To fully manage Android smartphones and tablets, however, an Android Enterprise account is always required, which is created for the company. Only when this account is linked to the MDM can you ultimately install and uninstall apps on the devices. In this video, we’ll show you how to do this: Video Android Business (GERMAN).
Note: Google frequently changes the setup process for this account. However, the basic process remains the same, so you can still follow the video to set up the Android Enterprise account for your COBO devices.
When selecting suitable devices, you should generally ensure they meet your company’s requirements. For example, you’ll need a rugged device for particularly harsh work environments. If you have high security requirements, a Samsung device with Samsung Knox as an additional security measure might be the right choice. Another tip is to use the Android Enterprise Recommended list as a reference for device selection. This list includes specific device models that particularly meet Google and Android’s security and hardware specifications. You can find this official list here: Android Enterprise Recommended.
How do I set up an Android Enterprise device with COBO?
The setup process varies slightly with each MDM provider, but the basic principles are always similar. The device can be set up either using a QR code or a code entered in place of a Gmail address. The QR code or email code allows the device to automatically recognize that it belongs to a company and is not for personal use. The final setup then essentially takes place in two steps: First, the setup on the device itself, including configuring the Android Enterprise environment. Second, registering the device with the MDM.
In MobiVisor MDM:
1. Tap the device’s “Welcome” screen seven times until a camera window appears for scanning the QR code generated by MDM.
2. After scanning this code, follow the instructions until you are asked to select whether the device is for work only or also for personal use. Select “Work only.”
3. Grant MobiVisor MDM permission to modify the system settings and then configure the Android Enterprise environment on the device.
4. Log the user into the environment. This is also done via QR code scan.
We have also compiled the complete instructions for you as a PDF or as a video.
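The QR code mentioned in the setup steps above carries a JSON payload that tells the device which device policy controller (DPC) to download and which signing certificate to trust. The following is an added example, not MobiVisor’s own code or a page from its documentation: it builds such a payload using the real `android.app.extra.PROVISIONING_*` extra names, pins the DPC by the SHA-256 checksum of its signing certificate (URL-safe base64, as Android expects), and checks a scanned payload for the pin before trusting it. The package name, download URL, certificate bytes and enrollment extras are constructed placeholders; requiring an HTTPS download URL is this example’s own hardening choice.

```python
"""Build and validate an Android Enterprise QR-provisioning payload (added example)."""
import base64
import hashlib
import hmac
import json

# Real Android provisioning extras that appear in device-owner QR payloads.
K_COMPONENT = "android.app.extra.PROVISIONING_DEVICE_ADMIN_COMPONENT_NAME"
K_DOWNLOAD = "android.app.extra.PROVISIONING_DEVICE_ADMIN_PACKAGE_DOWNLOAD_LOCATION"
K_SIG_CHECKSUM = "android.app.extra.PROVISIONING_DEVICE_ADMIN_SIGNATURE_CHECKSUM"
K_PKG_CHECKSUM = "android.app.extra.PROVISIONING_DEVICE_ADMIN_PACKAGE_CHECKSUM"
K_EXTRAS = "android.app.extra.PROVISIONING_ADMIN_EXTRAS_BUNDLE"
K_SKIP_ENC = "android.app.extra.PROVISIONING_SKIP_ENCRYPTION"
K_LEAVE_SYS_APPS = "android.app.extra.PROVISIONING_LEAVE_ALL_SYSTEM_APPS_ENABLED"


def b64url_sha256(data: bytes) -> str:
    """URL-safe base64 of the SHA-256 digest with padding stripped.
    This is the encoding Android expects for the checksum extras."""
    digest = hashlib.sha256(data).digest()
    return base64.urlsafe_b64encode(digest).decode("ascii").rstrip("=")


def verify_checksum(data: bytes, checksum: str) -> bool:
    """Re-add padding, decode, and compare against SHA-256(data) in constant time."""
    padded = checksum + "=" * (-len(checksum) % 4)
    try:
        expected = base64.urlsafe_b64decode(padded)
    except ValueError:  # binascii.Error is a subclass of ValueError
        return False
    return hmac.compare_digest(expected, hashlib.sha256(data).digest())


def build_provisioning_payload(dpc_component: str, download_url: str,
                               signing_cert_der: bytes, enrollment_extras: dict,
                               skip_encryption: bool = False) -> dict:
    """Assemble the payload the MDM encodes into the QR code.
    Pinning the signing certificate means the device refuses any APK at the
    download location that was not signed by the MDM vendor."""
    if "/" not in dpc_component:
        raise ValueError("component must look like 'package/.ReceiverClass'")
    if not download_url.startswith("https://"):
        raise ValueError("this example insists on fetching the DPC over HTTPS")
    return {
        K_COMPONENT: dpc_component,
        K_DOWNLOAD: download_url,
        K_SIG_CHECKSUM: b64url_sha256(signing_cert_der),
        K_SKIP_ENC: skip_encryption,   # keep False: device encryption is a GDPR baseline
        K_LEAVE_SYS_APPS: False,       # preloaded apps stay disabled unless the policy re-enables them
        K_EXTRAS: enrollment_extras,   # handed to the DPC after installation
    }


def to_qr_json(payload: dict) -> str:
    """Compact JSON is what gets QR-encoded; keys sorted for reproducible codes."""
    return json.dumps(payload, separators=(",", ":"), sort_keys=True)


def parse_qr_json(text: str) -> dict:
    """Minimal sanity check of a scanned payload: the DPC must be named and pinned."""
    payload = json.loads(text)
    if K_COMPONENT not in payload:
        raise ValueError("payload does not name a DPC component")
    if K_SIG_CHECKSUM not in payload and K_PKG_CHECKSUM not in payload:
        raise ValueError("payload must pin the DPC by signature or package checksum")
    return payload


# Constructed sample input: a stand-in for the DPC's DER-encoded signing certificate.
SAMPLE_CERT_DER = b"\x30\x82constructed-placeholder-signing-cert"

# Hypothetical DPC package, download URL and enrollment extras (not a real MDM).
SAMPLE_PAYLOAD = build_provisioning_payload(
    "com.example.mdm/.DeviceAdminReceiver",
    "https://mdm.example.com/dpc.apk",
    SAMPLE_CERT_DER,
    {"enrollment_token": "EXAMPLE-TOKEN", "server": "https://mdm.example.com"},
)

if __name__ == "__main__":
    print(to_qr_json(SAMPLE_PAYLOAD))
```

Feeding `to_qr_json(SAMPLE_PAYLOAD)` to any QR generator produces a code a factory-reset device would accept at the "Welcome" screen, provided the signing certificate really is the one used to sign the APK at the download location. The practical check for a defender is the pin: a payload without a signature or package checksum lets the device install whatever sits at the URL.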
Guidelines in the MDM for Android COBO: Compliance with data protection and security requirements
To ensure GDPR compliance for Android devices, they must be integrated into an MDM (Mobile Device Management) system. Each MDM offers various features designed to ensure that mobile devices meet data protection requirements and are protected against cyberattacks.
These are the essential features that an MDM should include, and they should also be usable on Android COBO (Company Owned, Business Only) devices.
1. Selective Wipe
When an employee leaves the company or a device is lost, only company data can be deleted, not personal data.
2. Device Encryption
MDM can enforce device encryption to prevent data theft. This is usually enabled by default by device manufacturers.
3. Data Sharing Control
This includes, for example, controlling screenshots in apps and disabling personal email accounts on mobile devices.
4. Policy Enforcement
Companies define central security policies for all devices, such as password policies, predefined Wi-Fi connections, or kiosk mode.
5. Audit Logs and Recording
MDM logs administrative actions and accesses. This supports auditing and compliance documentation.
6. Access Control to Company Resources
Only compliant devices are allowed to access company systems, such as email, VPN, or cloud services.
7. Device Compliance Monitoring
The MDM automatically checks whether devices comply with security policies. In case of violations, for example, if the operating system does not meet the requirements or if the SIM card is removed, a notification is sent to the administrator.
8. Remote Wipe in Case of Security Incidents
If a device is lost or compromised, data can be wiped immediately.
9. Minimizing Data Collection
Modern MDM systems can be configured to collect only the necessary device data.
Cybersecurity
This focuses on protecting IT infrastructure from attacks.
1. Device Protection
An MDM disables features such as connecting to untrusted Wi-Fi networks, USB debugging, and installing apps from untrusted sources.
2. App Management
Companies can approve or block apps, distribute them centrally, and set up automatic app updates.
3. Network Security
An MDM can automatically activate VPNs, configure secure Wi-Fi profiles, and block untrusted networks.
4. Patch Management
Security updates for operating systems and apps can be enforced. Users cannot decline or postpone them.
5. Lost Mode / Device Lock
If a device is lost, it can be locked by putting it into Lost Mode. This prevents unauthorized access to the device’s data. In Lost Mode, the device can also be located and potentially recovered.
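Items 6 and 7 of the data-protection list (access control and compliance monitoring) and item 1 of the cybersecurity list (USB debugging, untrusted sources) describe one loop: the device reports its state, the MDM compares it with policy, non-compliant devices lose access to company resources and the administrator is alerted. The block below is an added illustration of that loop and is not MobiVisor’s code; the device check-in records, ICCIDs and the policy thresholds are constructed for the example, and the field names are this example’s own, not any MDM’s API.

```python
"""Evaluate device check-ins against a COBO policy and gate access (added example)."""
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Policy:
    """Thresholds an administrator would set centrally; values here are illustrative."""
    min_os_major: int = 13
    require_encryption: bool = True
    forbid_usb_debugging: bool = True
    forbid_unknown_sources: bool = True
    forbid_rooted: bool = True


@dataclass(frozen=True)
class CheckIn:
    """The minimal device state needed for the decision (data minimization: no
    contacts, photos or app content, only configuration facts)."""
    device_id: str
    os_major: int
    encrypted: bool
    usb_debugging: bool
    unknown_sources: bool
    rooted: bool
    sim_iccid: Optional[str]      # None when no SIM is present
    enrolled_iccid: str           # ICCID recorded at enrollment


def evaluate(check_in: CheckIn, policy: Policy) -> List[str]:
    """Return the list of policy violations; an empty list means compliant."""
    findings: List[str] = []
    if check_in.os_major < policy.min_os_major:
        findings.append(f"os_too_old:{check_in.os_major}<{policy.min_os_major}")
    if policy.require_encryption and not check_in.encrypted:
        findings.append("storage_not_encrypted")
    if policy.forbid_usb_debugging and check_in.usb_debugging:
        findings.append("usb_debugging_enabled")
    if policy.forbid_unknown_sources and check_in.unknown_sources:
        findings.append("unknown_sources_enabled")
    if policy.forbid_rooted and check_in.rooted:
        findings.append("root_detected")
    if check_in.sim_iccid is None:
        findings.append("sim_removed")
    elif check_in.sim_iccid != check_in.enrolled_iccid:
        findings.append("sim_swapped")
    return findings


def access_decision(findings: List[str]) -> str:
    """Only compliant devices reach email, VPN and cloud services (item 6)."""
    return "allow" if not findings else "quarantine"


def admin_alert(check_in: CheckIn, findings: List[str]) -> Optional[dict]:
    """Build the notification for the administrator (item 7); None when compliant."""
    if not findings:
        return None
    return {"device_id": check_in.device_id, "findings": findings,
            "action": access_decision(findings)}


# Constructed check-in records (ICCIDs are made-up placeholders).
SAMPLE_CHECKINS = [
    CheckIn("dev-001", 14, True, False, False, False, "89490000000000000001", "89490000000000000001"),
    CheckIn("dev-002", 12, True, True, False, False, "89490000000000000002", "89490000000000000002"),
    CheckIn("dev-003", 14, True, False, False, True, "89490000000000000099", "89490000000000000003"),
    CheckIn("dev-004", 14, False, False, True, False, None, "89490000000000000004"),
]


def run_fleet_check(check_ins: List[CheckIn], policy: Policy = Policy()) -> List[dict]:
    """Evaluate every device and return only the alerts that need attention."""
    alerts = []
    for ci in check_ins:
        alert = admin_alert(ci, evaluate(ci, policy))
        if alert is not None:
            alerts.append(alert)
    return alerts


if __name__ == "__main__":
    for alert in run_fleet_check(SAMPLE_CHECKINS):
        print(alert)
```

Two design points worth noting: the check-in record deliberately carries only configuration facts, so the compliance decision never requires content from inside apps (item 9, minimizing data collection), and a missing SIM is distinguished from a swapped SIM because the two call for different responses (a swapped SIM on a company-owned phone is a stronger signal of misuse than a removed one).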
How to correctly apply Android guidelines on COBO devices:
The most important part of setting up and connecting mobile devices to an MDM is the correct application of the created policies. MobiVisor MDM offers pre-built, BSI-compliant policy templates that you can use directly. These already cover the standard requirements of the GDPR. To apply a policy to a mobile device, you can create a group, assign it to the device, and save the policy within that group. The user of the device then doesn’t need to do anything else on the device. You can do this either before or after setting up the device with the MDM.
Conclusion:
For companies that want to use mobile devices exclusively for work, Android COBO is the ideal solution. It offers maximum control over mobile devices, allowing the company to fully ensure compliance with all regulations. This is achieved through the use of important MDM features, such as Google Play Store configuration and the remote wipe feature. Many companies are still unaware of the possibilities of integrating Android Enterprise devices, even though these can save considerable time and effort. With MobiVisor MDM, you also have a reliable partner at your side who will support you step-by-step in setting up your mobile devices.