Microsoft has told all its employees in China that they will soon only be allowed to use iPhones for work purposes. The ban on Android devices is part of a security-related Microsoft initiative for providing a unified way of managing and verifying employee identities.
The mandate, set to come into effect in September 2024, was announced in an internal memo seen by Bloomberg News. It will require Microsoft’s China-based workers to verify their identities when logging in to work computers or phones. The change is part of Microsoft’s global Secure Future Initiative that is intended, among other things, to ensure that all staff use the Microsoft Authenticator password manager and Identity Pass app.
While Apple’s iOS store is available in China, Google Play isn’t. Local smartphone giants such as Huawei and Xiaomi operate their own platforms in the country, but according to the memo, Microsoft has chosen to block access from those companies’ devices to its corporate resources because they lack Google’s mobile services.
Any staff in the country using Android handsets, including those from Huawei or Xiaomi, will be provided with an iPhone 15, as a one-time purchase. The Redmond giant is designating collection points across China where employees can pick up their iPhones.
Microsoft is also introducing the iPhones-only rule in Hong Kong, despite the Google Play Store being available in the special administrative region of China.
This is less of an “iPhones are more secure” thing and more of a “Google Play is banned in China” thing.
Apple willingly extinguishes freedom of speech to protect app store profits:
https://www.theverge.com/2023/10/3/23901205/apple-app-store-government-license-china
https://edition.cnn.com/2024/04/19/tech/china-apple-whatspp-threads-removal-hnk-intl/index.html
It’s not like Microsoft can’t send APKs over-the-air. Whatever the reason, it’s not because of Google Play.
Man, I’d hate to see an IT department you were in charge of.
I may be completely off the mark, but I’m pretty sure that Intune device management doesn’t allow you to push arbitrary APKs out to managed Android devices. There would still also be the issue of getting the device managed to start with.
Microsoft isn’t about to roll out their own version of the Play Store just to serve APKs to their Chinese employees.
They also are not going to try and manage rolling out updates to whatever cluster mess of different Android devices those employees use, tracking update compliance, etc.
Any other solution to this involves considerable extra work for their internal IT team(s). Easier to just force everyone needing access to corporate devices to use a single standard (and buy company phones for the few who raise a stink).
I think that Intune has the same control over Android as it does iOS. Once a device is enrolled, it can be wiped and sandboxed apps can be approved or denied. I’m not sure about pushing apps to phones, I think the end user had to download it still. Regardless, it’s not about Microsoft and its control, it’s about China and their control, and Apple gets on their knees and opens wide.
Intune and all other Mobile Device Management services depend on working with the provided APIs from the underlying OS.
For Android, this is the Android Management API and is part of the Google Services Framework, which is what’s blocked in China. No GSF, no management API either. MS could build their own, but that’s a lot of time and money for “just” their China-based employees.
It’s not just Google play that’s blocked, the entirety of the Google Services Framework is blocked in China, including the security framework that is part of it.
MS would have to build their own bespoke Android security framework in addition. Which is a whole hell of a lot more than just “sending the APK over the air”.
Yes, device management systems can push apps directly to devices, but the devices have to be managed first. So I think it probably is about the lack of Google Play.
One of the hardest parts of managing devices is getting them enrolled in device management in the first place. Microsoft uses the Microsoft Authenticator app to authenticate users as part of the enrollment process, so they know which employee is using the device and how to configure it. They need a reliable app store to distribute that app, and they need to do it before the device is managed. So usually they rely on Google Play.