
Cyber Essentials for Android: configuration guide

How to make Android phones and tablets pass Cyber Essentials v3.3 - Android Enterprise modes, Work Profile, supported OS, Play Protect, encryption, and evidence patterns.

Author: Jay Hopkins

Editor: Edited by Jack Wickham

Read time: 7 min read

Android is the trickiest mobile platform for Cyber Essentials v3.3 because OEM patching cadence varies wildly - Pixel, Samsung Knox, and the latest Sony flagships are safe; many budget Android OEMs stop receiving security updates two years after launch, dropping out of the supported-OS clause. The scheme requires a 6-character minimum PIN, automatic updates, device encryption (automatic on supported modern Android), Google Play Protect, and verified boot. Use Android Enterprise (Fully Managed or Work Profile) - legacy Device Administrator API is deprecated and won't satisfy the secure-configuration clause.

1. Pick the right Android Enterprise mode

  • Fully Managed (Work-only device): corporate-owned, IT-controlled end to end. Best for high-security roles.
  • Work Profile (BYOD): creates a separate, encrypted profile on the user's personal device. Work apps and data live there; personal life stays private.
  • Fully Managed with Work Profile (COPE): corporate device with a personal profile. Less common in UK SMEs.

All three satisfy Cyber Essentials. Do not use Device Administrator API - it's deprecated and limits what you can enforce.

2. Supported OS is where Android fleets fail

Google Pixel devices get 5–7 years of security updates. Samsung Galaxy S20+ and later get 4+ years. Recent Sony / Motorola / OnePlus flagships get 3+ years. Anything older than that, or a budget OEM you don't trust, should be replaced.

As of 2026:

  • Supported: Android 13, 14, 15 on devices still receiving monthly security patches
  • Questionable: Android 12 unless the OEM still ships patches
  • Out of scope: anything below Android 12 or any device past its OEM patch-support date

Check the device's Settings > About > Android security update date. If it's older than 90 days, the device is at risk of failing.

3. Baseline MDM policy

Via Intune, Jamf, Mosyle, Workspace ONE, or Android Enterprise console:

Password / Passcode

  • Minimum length 6, complexity high (Cyber Essentials requires 6+)
  • Auto-lock 2 minutes
  • Max failed attempts before wipe: 10

Encryption

  • Device encryption required. Automatic on Android 10+ (file-based encryption).

Play Protect

  • Enforce Play Protect on
  • Block apps with PHA (potentially harmful app) warnings

Verified Boot

  • Require integrity verified (detects rooted / unlocked bootloaders)
  • Block access to work profile if verified boot fails

OS Updates

  • Update mode: Automatic (OS updates install within maintenance window)
  • Security patch level: no older than 90 days as the fleet baseline. CE v3.3's 14-day clause for high/critical patches is stricter, so enforce 14 days for those via Play System Updates.

App install

  • Work managed Google Play only
  • Blocked apps: sideloaders, unknown sources

4. Work Profile specifics (BYOD)

  • Block cross-profile copy/paste unless required
  • Require separate work profile password if the device unlock password is shorter than 6 characters
  • Remote wipe of work profile on user departure (leaves personal data intact)

5. Google Play and Managed Google Play

  • Bind your IdP to Managed Google Play (Workspace → Android Enterprise enrolment).
  • Only Play-reviewed apps appear in the managed Play Store by default. Internal apps are fine if published via Managed Google Play's private channel.
  • Disable unknown sources globally. Sideloading bypasses Play Protect and fails malware-protection controls.

6. Evidence assessors expect

  • MDM compliance report showing every enrolled Android with OS version, patch level, encryption status, and Play Protect state
  • Enrolment mode proof (screenshots from Android Enterprise management console)
  • List of supported device models (as evidence that the fleet is on OEMs with active patch support)
  • Work Profile / Managed Play configuration export
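The checks in sections 2, 3 and 6 above boil down to a handful of per-device rules that can be run over an exported MDM compliance report before the assessor sees it. The script below is an added example, not Fig's scan or any MDM vendor's API: the report rows are constructed, and the column names (`android_major`, `security_patch`, `enrolment`, and so on) are assumptions, so a real Intune / Workspace ONE / Android Enterprise export would need mapping into this shape first. It classifies each device into the guide's supported / questionable / out-of-scope tiers, applies the 90-day patch-age, encryption, Play Protect, verified-boot, enrolment-mode, unknown-sources and 6-character PIN rules, and summarises which devices would pass.

```python
"""Evaluate an exported MDM compliance report against the Android
Cyber Essentials baseline from this guide.

Added example, not Fig's tooling. Device rows below are constructed
sample data; field names are assumptions, not any MDM's export schema.
"""
from __future__ import annotations
from dataclasses import dataclass
from datetime import date

MAX_PATCH_AGE_DAYS = 90            # fleet baseline from section 3
MIN_PIN_LENGTH = 6                 # CE requires 6+
SUPPORTED_MAJORS = {13, 14, 15}    # section 2, "as of 2026"
QUESTIONABLE_MAJORS = {12}
OK_ENROLMENTS = {"fully_managed", "work_profile", "cope"}  # Android Enterprise modes


@dataclass
class Device:
    name: str
    android_major: int
    oem_patch_supported: bool   # OEM still shipping monthly security patches
    security_patch: date        # Settings > About > Android security update date
    encrypted: bool
    play_protect: bool
    verified_boot_ok: bool
    enrolment: str              # fully_managed | work_profile | cope | device_admin
    unknown_sources_allowed: bool
    min_pin_length: int


def os_status(d: Device) -> str:
    """Section 2 tiers: 'supported', 'questionable' or 'out_of_scope'."""
    if not d.oem_patch_supported or d.android_major < 12:
        return "out_of_scope"
    if d.android_major in QUESTIONABLE_MAJORS:
        return "questionable"   # Android 12 with patches: keep evidence of cadence
    return "supported"


def evaluate(d: Device, today: date) -> dict[str, list[str]]:
    """Return {'fail': [...], 'warn': [...]}; an empty 'fail' list means compliant."""
    fail: list[str] = []
    warn: list[str] = []
    status = os_status(d)
    if status == "out_of_scope":
        fail.append("supported-OS: below Android 12 or past OEM patch-support date")
    elif status == "questionable":
        warn.append("supported-OS: Android 12 - record that the OEM still ships patches")
    age = (today - d.security_patch).days
    if age > MAX_PATCH_AGE_DAYS:
        fail.append(f"patching: security patch level is {age} days old (>{MAX_PATCH_AGE_DAYS})")
    if not d.encrypted:
        fail.append("secure-configuration: device not encrypted")
    if not d.play_protect:
        fail.append("malware-protection: Play Protect off")
    if not d.verified_boot_ok:
        fail.append("secure-configuration: verified boot failed (rooted / unlocked bootloader)")
    if d.enrolment not in OK_ENROLMENTS:
        fail.append(f"secure-configuration: enrolment mode '{d.enrolment}' is not Android Enterprise")
    if d.unknown_sources_allowed:
        fail.append("malware-protection: unknown sources / sideloading enabled")
    if d.min_pin_length < MIN_PIN_LENGTH:
        fail.append(f"user-access-control: PIN minimum {d.min_pin_length} < {MIN_PIN_LENGTH}")
    return {"fail": fail, "warn": warn}


def fleet_summary(devices: list[Device], today: date) -> dict:
    """Per-device findings plus the compliant count, the shape an assessor's evidence pack needs."""
    by_device = {d.name: evaluate(d, today) for d in devices}
    compliant = sum(1 for r in by_device.values() if not r["fail"])
    return {"compliant": compliant, "total": len(devices), "by_device": by_device}


# Constructed sample report (not real devices); "today" is fixed so results are reproducible.
TODAY = date(2026, 4, 1)
DEVICES = [
    Device("pixel-8-alice", 15, True, date(2026, 3, 5), True, True, True, "work_profile", False, 6),
    Device("galaxy-s21-bob", 12, True, date(2026, 1, 10), True, True, True, "fully_managed", False, 6),
    Device("budget-2020-carol", 11, False, date(2023, 6, 1), True, True, True, "work_profile", False, 6),
    Device("legacy-mdm-dave", 14, True, date(2026, 3, 1), True, True, True, "device_admin", False, 6),
    Device("dev-phone-erin", 14, True, date(2026, 3, 20), True, True, True, "fully_managed", True, 4),
]

if __name__ == "__main__":
    summary = fleet_summary(DEVICES, TODAY)
    print(f"{summary['compliant']}/{summary['total']} devices compliant")
    for name, result in summary["by_device"].items():
        for line in result["fail"]:
            print(f"  FAIL {name}: {line}")
        for line in result["warn"]:
            print(f"  WARN {name}: {line}")
```

The warn/fail split matters for evidence: an Android 12 device still receiving OEM patches is not a failure, but the assessor will want the patch cadence documented, so it is surfaced rather than silently passed.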

7. Common failure points

1. A fleet of 2020-era budget Androids outside their OEM patch-support window. Replace or remove from scope.

2. Device Administrator API enrolments from old MDM deployments. Migrate to Android Enterprise.

3. Sideload-enabled devices - typically developer phones. Keep the exception scope tight and document the business need.

4. Samsung Knox devices without Knox Mobile Enrollment configured properly; policies silently don't apply. Verify via the Knox Admin portal.

5. Mixed personal + work use without a Work Profile - this makes the user-access-control clause basically impossible to satisfy. Force Work Profile or Fully Managed enrolment.

What Fig checks

Our CE readiness scan reviews Android Enterprise compliance reports, patch-level distribution, and Work Profile coverage against each v3.3 clause. Android fleets with Pixel / Samsung / Sony flagships and Work Profile pass first-time at >93%; older fleet compositions raise the bar.


About the author

Jay Hopkins, Managing Director, Fig Group

IASME-licensed Cyber Essentials Assessor; IASME Cyber Assurance Assessor

Jay Hopkins is the Managing Director of Fig Group and an IASME-licensed Cyber Essentials assessor. He was previously Head of Technology for a global regulated firm. He works with UK organisations across regulated sectors on baseline compliance, supply-chain assurance, and AI-augmented security tooling.
