In February 2018, Google made a bold proclamation: It was ready to “raise the bar of excellence for enterprise devices and services,” and it was launching a new program called Android Enterprise Recommended to make that happen.
The program, according to Google, would establish “best practices and common requirements for devices and services, backed by a thorough testing process” conducted by Google itself. It would ensure that any devices with the Android Enterprise Recommended stamp of approval would receive timely and reliable software updates, among other things — including support of the current Android version and delivery of all security patches within 90 days of their release for a minimum of three years.
And all of that was only supposed to be the start: “With each new Android platform release, we will update the Android Enterprise Recommended program requirements and continue to raise the bar to ensure we are delivering the best experience for our enterprise customers,” Google promised at the time.
So now, nearly two and a half years later, how has the Android Enterprise Program held up? Has it flourished and turned into the reliable resource it was meant to be — a place where serious business users can move past the mass of Android device options and find exceptional phones with optimal privacy, security, and performance protections?
As you can probably guess from the title of this story, the answer is a resounding “no.” The closer you look at the Android Enterprise Recommended program, in fact, the worse it appears. And from the looks of it, things are about to go downhill even further.
Android Enterprise Recommended promises vs. reality
At its core, the Android Enterprise Recommended program is an extraordinarily sensible idea. Android, as we all know by now, is an open platform — and that means there’s a lot of diversity and variance in the sorts of experiences you get from one device to another. That’s especially significant when it comes to software and security, as we’ve discussed countless times over the years.
So rather than let people guess or be forced to rely on the research and analysis of lowly writers like yours truly — which is what generally happens with Android phone purchases, since device-makers are anything but upfront about their practices surrounding post-sales software support — Google decided to create its own business-focused resource. After all, what IT department wouldn’t want a place that’d make it easy to know which devices can be trusted to take security seriously?
The whole thing certainly sounds impressive. But then you go to look at the devices Google is actually recommending, and — well…
The very first phone listed on the Android Enterprise Recommended Devices page is the Motorola-made Moto Z4 — a phone that’s “validated by Google” for meeting its “highest standards,” with “regular security updates guaranteed.”
Now for the reality-checking contrast: The Moto Z4 phone received the current Android 10 release 189 days late — this past March, more than six months after the software actually came out. That unacceptably poor performance earned the company a big fat 0% “F” on my latest Android Upgrade Report Card. And if you think full-fledged OS updates have nothing to do with the critical areas of privacy, security, and performance, think again. They’re every bit as important as the monthly security patches that fill in the gaps between their releases.
As for those patches, the Moto Z4’s history on that front isn’t much better: According to a database maintained by the website Android Police, the Z4 went without any security updates from July to November of last year — and then got a November update that was already two months out of date. The site’s data indicates that the Moto Z4 has missed eight patches entirely since its arrival and that it’s “more likely for Z4 owners to not get an update at all.” The phone earned a two out of 10 score in its ranking.
And that’s an Android Enterprise Recommended product — one where “you get timely security patches and major updates guaranteed” in order to “ensure devices stay safe and current.”
Lest you think this is just a random anomaly, when you look through the complete list of Android Enterprise Recommended devices, you see lots of similarly puzzling products — like the also-Motorola-made Moto Z3 Play, which came out in the summer of 2018, received Android 9 an embarrassing 295 days late, and still hasn’t gotten Android 10, nearly 10 and a half months after that software’s release.
On the security update front, user reports indicate a mixed bag for the Z3 Play, with some updates arriving within a month or so of their release and others never showing up — in some cases with multiple months going by with nary an update and a frustrating lack of information available about the device’s support status.
The official Enterprise Recommended list includes curiously dated devices, too, like the BlackBerry KeyOne — a phone that came out in April of 2017, received an update to Android 8 nearly a year after the fact, and never got updated to Android 9, let alone Android 10. The KeyOne hasn’t received a security update since mid-2019, and the BlackBerry brand is no longer even associated with the third-party company that made the phone and remains responsible for its support.
How does any of that gel with the basic premise of what the Android Enterprise Recommended program is supposed to be and the specific, “strict” requirements of the experience its approved devices are promised to provide?
The short answer is simple: It doesn’t. And from the looks of it, Google may be all too aware of these failings and working to correct the program’s course — but not with the type of fix you’d logically expect to see.
The future of Android Enterprise Recommended
When device-makers aren’t keeping up with their end of the bargain and the list of Google-approved phones is laughably far from meeting the program’s basic promises, you’d think the answer would be to re-emphasize the requirements, push manufacturers to follow them, and cut the list of approved devices down only to those that comply — right?
That’d certainly make sense. But it appears that Google may be going in a different direction and instead scaling back the requirements of its Android Enterprise Recommended program in order to make them easier to meet.
A set of documents reportedly shared with vendors (and published initially by the website XDA Developers) suggests that as of Android 11, Google will revise the Enterprise Recommended guidelines to completely remove the guarantee of getting all security updates within 90 days of their release along with the guarantee of three full years of reliable security patches. Instead, the documents indicate, device-makers will be required only to provide “Emergency Security Maintenance Release” updates — presumably those that are deemed to be particularly critical and pressing.
The one positive is that as part of the change, the documents say makers of Android Enterprise Recommended devices will need to be more transparent about their OS and security update plans — making it possible for potential purchasers to see exactly how long any given phone will be supported with updates as well as how often those updates will arrive.
That’s fantastic and something that should happen universally, across all of Android, so that everyone can make an educated decision based on official software support information. But it absolutely shouldn’t be a replacement for the reasonable requirement of providing timely and reliable updates on devices that are presented as being optimally up to date, secure, and appropriate for enterprise use. What happened to “raising the bar” with each new release to ensure “the best experience” for enterprise customers?
I reached out to Google to confirm the details mentioned in the documents — and while the company notably didn’t take the opportunity to deny the authenticity of any of the information, it also declined to share any comment or explicit confirmation.
Regardless, though, while the potential for the program’s requirements to be weakened even further is concerning, the reality is that even in its current state, Google’s Android Enterprise Recommended program is utterly meaningless. Instead of being a guide to thoroughly vetted, exceptionally supported devices, it’s ultimately just a random list of phones — most of which aren’t being updated regularly and many of which are now so dated that their inclusion is almost comical.
So if you can’t rely on these official recommendations, what can you do? That answer, thankfully, is actually quite simple.
The cold, hard Android update truth
I’ve said it before, and I’ll say it again: If you want the best possible user experience on Android and a phone that’s guaranteed to remain optimally up to date and with the strongest privacy, security, and performance protections possible, Google’s self-made Pixel phones are the only fully advisable options you should consider. They use Google’s own core Android software, without the interface-muddying and sometimes privacy-jeopardizing modifications other manufacturers love to make, and they reliably receive all software updates within days of their release, directly from Google, for a full three years from their launch dates.
No matter what narrative you may hear about upgrades improving and certain other companies getting somewhat better at providing them, the reality is that no other device-maker even comes close to Google’s own standard. I’m optimistic that Microsoft’s arrival in the Android arena later this year could change that, but for now, the Pixel line is the only path with any kind of elevated software support guarantee and history of consistently timely update deliveries.
The one other possibility worth considering is a phone associated with Google’s Android One program, which is almost like a less publicized, lower-end version of what the Enterprise Recommended program is meant to be. Android One phones also use Google’s own Android software and are guaranteed to get reasonably timely OS updates for two years from their launch dates along with monthly security updates for three. Those updates often arrive significantly later than what you’d see with a Pixel, but it’s typically a delay of a few months at most instead of “indefinite,” as is often the case with other devices. (Just be sure to look up when any device actually launched — whether it’s a Pixel or an Android One phone — and consider that prior to making a purchase, as that date will tell you how long the phone’s been out and thus how long is left in its active support period.)
I’d love to see Google pivot away from this Android Enterprise Recommended mess and instead offer an “Android Pro”-style subscription that’d better emphasize Pixel phones as the best all-around options for businesses and anyone else serious about security and then allow users to pay a monthly fee to ensure they’re always using an optimally up-to-date device. Maybe one day.
For now, though, if you want what the Android Enterprise Recommended program pretends to provide, you should disregard that effort entirely and instead look at Pixel or Android One devices. As it stands, the Android Enterprise Recommended program is little more than a misleading disservice — and the smartest thing you can do is ignore it, lest you be led astray.
Sign up for my weekly newsletter to get more practical tips, personal recommendations, and plain-English perspective on the news that matters.
[Android Intelligence videos at Computerworld]
Copyright © 2020 IDG Communications, Inc.