Google System update overview
Google System updates bring new and useful features that make your Android devices more secure and reliable. It includes updates to the Android operating system provided by Google, Google Play Store, and Google Play services. Google System updates are available for all Google-certified Android devices.
In many cases enterprises need to ensure that system updates are being applied in a timely manner. This article will cover the tools available for managing system updates on devices using Android Enterprise.
Managing system updates using system update policies
IT admins can use their Enterprise Mobility Management (EMM) provider to apply system update policies which change the behavior of Google System updates. System update policies can be useful for organizations that have dedicated devices which are always active and where there is no end user to accept update prompts (e.g. digital signage).
Summary of system update policies:
|AUTOMATIC||This policy will automatically install updates as soon as they are available and will trigger a reboot if required.|
|WINDOWED||This policy will install system updates during a daily maintenance window. This is a single period repeated daily (e.g. 1pm-4pm). If a reboot is required it will be triggered automatically. If 30 days pass without a successful install, then this policy is treated like AUTOMATIC. Installations may be unsuccessful for reasons including no connectivity, insufficient disk space, or low battery.|
This policy postpones the installation of system updates for 30 days. Once the timer expires, updates are handled as if no policy was in place. If another update is released during the 30-day postponement timer the timer resets for another 30 days.
Note: security updates (e.g. monthly security patches) will not be affected by this policy.
IT admins can also specify freeze periods. A freeze period is a range of dates which repeat annually during which system updates should not be installed. This policy will prevent updates from being installed and a user will not be able to manually perform an update. Freeze periods can be configured up to 90 days. There must be at least 60 days separating adjacent freeze periods. When the device is outside of any freeze periods you set, the normal policy behavior (none, automatic, windowed or postponed) applies.
Managing system updates using compliance policies
IT admins can use an Enterprise Mobility Management (EMM) provider to apply compliance policies that ensure devices stay current with Google System updates.
Compliance engines can make use of many signals that are present on the device such as OS version, security patch details, application versions and even connected SSID to ensure devices remain compliant. If a device becomes non-compliant, the compliance engine can trigger an action such as un-enrolling the device, or removing access to corporate resources.
Compliance engines can be configured to monitor time since the last update was applied to a device. A compliance policy can then be configured to apply an action if a desired time period between updates has been exceeded. Compliance policies can also be configured to warn users, and encourage them to act, before a policy is enforced. We recommend using compliance policies to ensure devices remain up to date for most knowledge worker use cases.