Using Android Enterprise? Learn how to close security gaps for the different deployment models

By Yaelle Harel, Threat Prevention Technical Product Manager

Mobile security is a top concern for many companies these days, and for a good reason. Attackers have been taking advantage of the Work From Home routine to target employees’ smartphones and steal sensitive business data. And while many companies have adopted Android enterprise’s new features to minimize the attack surface both for company-owned and BYOD scenarios, it is not enough to keep corporate data safe. Read more to learn how SandBlast Mobile, the market-leading mobile threat defense solution, provides tailored protection for every possible Android enterprise deployment model to close this security gap.

With Android 11, Unified Device Management (UEM) solutions cannot manage the personal side of a mobile device, even if the company owns the device. On the one hand, it brings privacy to company-owned devices. On the other hand, it opens the door for uncontrolled threats , as malware on the private profile can still take advantage of common infrastructure and access sensitive corporate data.

Segregation doesn’t remove mobile threats

While data segregation is very important, it doesn’t remove mobile threats. All known mobile attack vectors are still relevant. For example, malware installed on a personal profile may take advantage of Android’s Accessibility Services (AAS) and read sensitive date from the work profile’s screen. It can passively collect anything the user types in, including credentials and passwords and it can even grant itself additional permissions without user assistance. The AAS permissions can’t be revoked by UEM solutions; however, SandBlast Mobile prevents all kinds of known mobile malware on both work and personal profiles, including AAS-based attacks.

Phishing attacks are another type of threat that is still relevant in secure containers. The mobile phishing vectors include corporate emails, personal emails, SMS messages, messaging applications and web browsing in both work and personal profile. Malicious websites can exploit vulnerabilities in the browser to gain access to both work and personal profiles, install malware on the device, change the device’s configuration and take over the device remotely. SandBlast Mobile detects both known and unknown phishing attacks and blocks them on both work and personal profiles.

Secure all Deployment Scenarios

Personally owned devices that are also used for work (BYOD) must be protected. BYOD devices can be set up with a work profile that allows work apps and data to be stored in a fully managed separate, self-contained space within a device. In this deployment, the organization has no visibility or access to a device’s personal profile. However, malware on the personal space can still compromise corporate data on the work profile. For example, it can record calls or collect messages from the work profile. Therefore, Check Point recommends protecting the entire device. SandBlast Mobile can protect both the personal data and corporate data and enforce different policies for each.

Company-owned devices that organizations issue to their employees can be fully managed. There are three deployment options available for company-owned devices: fully managed, fully managed with a work profile that allows organizations to enforce two separate sets of policies for work and personal profiles and fully managed devices dedicated to a set of apps. SandBlast Mobile supports all possible Android Enterprise deployment modes. The solution can be deployed on both profiles with a dedicated entity that allows using different policies for each profile. Since malware on the personal profile can compromise data on the work profile, Check Point recommends protecting both profiles.


SandBlast Mobile provides full protection for all Android Enterprise deployment use cases. To prevent corporate data loss, compromise of sensitive information, and attempts to access the corporate’s network, Check Point recommends protecting both the work profile and the personal profile. SandBlast Mobile protects both types of profiles using a single license.

The solution can be managed from any location using the cloud-based management solution, with intuitive and simple-to-use deployment and configuration solutions and with effective remediation techniques.

For more information, download the solution brief.

To try SandBlast Mobile, click here  if you are new to Check Point. If you are an existing Check Point customer, you can get your free trial though your user center account.