Dual-SIM Whatsapp problem / 2 neat solutions

Most dual-SIM Whatsapp users complain about the lack of dual-SIM support in Whatsapp. I found two neat solutions that work on most Android smartphones.

Solution 1: Add a second user

Most Android smartphones support multiple users. In order to use Whatsapp, you will have to add a second user on your smartphone and add a new Google Play Account.

From the Administrator user, you must grant some privileges to access SMS and the telephone. Here’s an example of administering Whatsapp for the association “Repair Café Fribourg”.

Advantages

  • Whatsapp works for each user account, data is clearly separated
  • The switch between the two users is efficient
  • The second SIM is only used for the activation. It’s OK to use the same SIM card for data connection, for both users

Drawbacks

  • Contacts are not shared across the two profiles. You should also synchronize your contacts for the second user
  • You have to customize the whole second user profile. I would suggest only using Whatsapp on the second profile and disabling/uninstalling all other apps
  • You have to switch to the second user to see the notifications

 

Solution 2: Add a work profile

The second solution I have found is even better and works flawlessly. The goal is to set up a work profile with the TestDPC application from Google, as if you were using a “business profile” on your smartphone. A second Whatsapp will be whitelisted and made available in the work profile.

Step 1: Download the TestDPC application from Google and set up a work profile.

https://play.google.com/store/apps/details?id=com.afwsamples.testdpc&hl=en_US

     

Step 2: Whitelist Whatsapp

Open the badged version of Google Play (in the work profile), add a Google Play account and proceed with the standard activation. You will then have two activated copies of Whatsapp: the application in the private profile and the badged version in the work profile.

On Samsung smartphones, you will find the “work profile” in the “Workspace directory”.
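
To confirm from a computer which users and profiles exist after either solution, the output of `adb shell pm list users` can be parsed as below. This is an added example, not part of the original post; it assumes the AOSP output format `UserInfo{id:name:flags}` with hexadecimal flags, and the sample output is constructed.

```python
import re

# Flag bits of android.content.pm.UserInfo; `pm list users` prints them in hex.
FLAG_ADMIN = 0x02
FLAG_GUEST = 0x04
FLAG_MANAGED_PROFILE = 0x20

# Constructed sample of `adb shell pm list users` output (not captured from a device).
SAMPLE_PM_LIST_USERS = """Users:
\tUserInfo{0:Owner:c13} running
\tUserInfo{10:Repair Cafe:410}
\tUserInfo{11:Work profile:1030} running
"""

# Greedy name group so that profile names containing ':' still parse.
USER_RE = re.compile(r"UserInfo\{(\d+):(.*):([0-9a-fA-F]+)\}(\s+running)?")


def parse_users(pm_output):
    """Return one dict per user or profile listed by `pm list users`."""
    users = []
    for line in pm_output.splitlines():
        match = USER_RE.search(line)
        if not match:
            continue  # header line or unrelated output
        flags = int(match.group(3), 16)
        if flags & FLAG_MANAGED_PROFILE:
            kind = "work profile"
        elif flags & FLAG_GUEST:
            kind = "guest"
        elif flags & FLAG_ADMIN:
            kind = "admin user"
        else:
            kind = "secondary user"
        users.append({
            "id": int(match.group(1)),
            "name": match.group(2),
            "kind": kind,
            "running": match.group(4) is not None,
        })
    return users


def has_work_profile(users):
    """True if a managed (work) profile already exists on the device."""
    return any(u["kind"] == "work profile" for u in users)


if __name__ == "__main__":
    for user in parse_users(SAMPLE_PM_LIST_USERS):
        print(user)
```

A work profile shows up as running next to its parent user, while a second user from Solution 1 only runs once it has been started.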

Advantages

  • The two Whatsapp apps can be accessed quickly
  • Notifications are working for both apps without switching the user
  • You could even protect the access to the work profile with a PIN code in the work profile settings.

Drawbacks

  • This method does not work if your device already has a work profile (MDM registration from your Company with Android Enterprise)
  • Contacts are not synced between the personal and business space.
  • Data exchange between the private profile and work profile might be limited, depending on the settings you have in the TestDPC application. Media received in the work profile will not appear in the photo and video applications of the personal space. You may have to download more applications in the “business” profile to actually play videos, enable a gallery app etc.
  • Warning: if you remove the work profile, all business data will be wiped and you will lose the Whatsapp data for the work profile (messages, images etc.)

 

The TestDPC application offers many other settings – explaining them is out of scope of this blog article. However, feel free to post a comment on this thread if you have a question!

Other solutions

Some manufacturers offer a “Dual mode” for applications like Whatsapp. This is of course the best solution.

 

Testing Android Enterprise

There are two useful tools to test Android Enterprise on a device:

TestDPC Application on Google Play

https://play.google.com/store/apps/details?id=com.afwsamples.testdpc

I mainly use this application while developing Android applications, e.g. to set up a work profile in two clicks and distribute a custom application in the work profile (debug mode). It’s very handy to test a managed app configuration (so-called Android restrictions) and to load the default restrictions registered in the Android Manifest file.

Recap: DPC = Device Policy Controller, the UEM client application that manages all policies and configurations and makes the link with the UEM server.

Android Enterprise Management Experience

https://enterprise.google.com/android/experience

  • First Android Enterprise Experience without UEM
  • Test some features that are not implemented in a UEM yet
  • Make sure the “promised” feature is working in Android Enterprise and possibly detect a buggy behavior with the UEM configuration
  • You will need to download the Google Android Device Policy app – the same DPC is used for the Google MDM. Alternatively, you may use a hashtag for DO devices (see below)

https://play.google.com/store/apps/details?id=com.google.android.apps.work.clouddpc

The hashtag afw#demo will allow you to set up Device Owner devices (COBO, COSU or COPE).
Recap: the hashtag should be entered in the Google Account field during the device provisioning.

Kerberos and Android Enterprise SSO

Single sign-on has always been a challenge on mobile phones. Now that companies have to switch to Android Enterprise (Device Admin is being deprecated), the Android world is lacking an important feature which used to work with proprietary EMM solutions: native Kerberos SSO or Kerberos Constrained Delegation.

Fortunately, there is a neat solution, Swiss-made and cross-EMM compatible, called Hypergate. Hypergate is an Android application that can be configured with Android Enterprise (AppConfig) and that fills the gap on Android Enterprise – it allows native Kerberos for all your Android apps (Chrome, Cordova-based or native Android apps) and offers a nice SDK for the integration.

Here’s a nice example of App Configuration (example with MobileIron)

I had the chance to integrate it in some test labs and I have to say that it does a great job – single sign-on can even be achieved without user interaction, as the application supports certificate-based authentication to a KDC (Key Distribution Center).

It will definitely work with Linux and Microsoft application backends, or for example for authentication to an IdP (ADFS, PingOne etc.).

I could test it with Apache for a ticketing system integration and I know some customers are already using it for Office 365 SSO on Android.

Of course, the connectivity has to be done with a per-App VPN like MobileIron Tunnel. The application is highly customizable and most IT admins will just love it.

In short, it provides what Android was lacking and what iOS has provided since iOS v7: a nice SSO configuration for your apps.

More details can be found on the following web page:

https://hypergate.com

Android zero-touch enrollment – one year later, where do we stand?

Android zero-touch enrollment was revealed with Android 8.0, about a year ago. What can we say one year later? How does it compete against Apple DEP?

Is the “zero-touch” promise really working as advertised?

I was able to test zero-touch enrollment with the first compatible tablet, a Huawei Mediapad M5 (Wi-Fi only, model CMR-W09). The result is impressive when compared to a traditional BYOD setup. However, it’s not much faster than the traditional Device Owner setup.

I see two advantages of the zero-touch approach: first, it provides a factory reset protection and you can rest assured that the device will be enrolled in the UEM, even if the user wants to bypass the Wifi connectivity setup. Also, the URL of the UEM Server can be configured so that the user only has to provide their username/password. It’s a good step towards more productivity and flexibility for companies.

I was however disappointed by the following facts:

  • my “Android recommended” tablet was not whitelisted in the Google API and I had to escalate to Google so that the model was recognized, although it was listed in the official device directory (zero-touch compatible)
  • Zero-touch does not really mean zero-touch: the user still has to go through some setup screens, and this might depend on the OEM.

Google is catching up really fast and zero-touch is a nice solution, but we still see some challenges for a smooth worldwide adoption.

The following paragraph will list some advantages and drawbacks of each solution. Even though I’m a big Android fan, I have to say that Apple DEP is still faster & more reliable than zero-touch enrollment.

Apple DEP vs. Android zero-touch enrollment

Pros of Apple DEP

  • A new business Portal (business.apple.com) has been released
  • More customizations in regard to the setup screens
  • Fast and reliable. The big advantage is that it works seamlessly across all iPhones, iPads
  • Provisional DEP lets you add standard devices (iOS 11+) to DEP

Cons of Apple DEP (device enrollment)

  • The initial setup is very time consuming for the customers, with a very challenging “company validation” until the customers can use their Apple DEP Account
  • A yearly token has to be renewed for the UEM pairing – it often gets forgotten

Pros of zero-touch enrollment

  • The enrollment only depends on the UEM and the carrier or reseller.
  • The setup on the zero-touch portal is really fast. A change of configuration is done in a few clicks
  • No specific configuration has to be created on the EMM
  • the DPC (client MDM app) can receive parameters
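
The parameters the DPC receives are entered in the zero-touch portal as a JSON object of provisioning extras, which is also where the UEM server URL mentioned earlier is preset. The check below is an added example, not part of the original post or of any UEM product; the bundle key `server_url` is hypothetical (each UEM vendor defines its own names), the sample configurations are constructed, and flagging credentials is this example's own policy, since one configuration is applied to every device assigned to it.

```python
import json
from urllib.parse import urlparse

# Standard Android provisioning extras all share this prefix.
STD_PREFIX = "android.app.extra.PROVISIONING_"
# Vendor-specific parameters for the DPC travel inside this nested bundle.
ADMIN_BUNDLE = "android.app.extra.PROVISIONING_ADMIN_EXTRAS_BUNDLE"
SERVER_KEY = "server_url"  # hypothetical key name, defined by the UEM vendor
SECRET_HINTS = ("password", "secret", "token", "apikey")

# Constructed sample configurations.
GOOD_EXTRAS = json.dumps({
    "android.app.extra.PROVISIONING_LEAVE_ALL_SYSTEM_APPS_ENABLED": True,
    ADMIN_BUNDLE: {SERVER_KEY: "https://uem.example.com"},
})
BAD_EXTRAS = json.dumps({
    "server": "uem.example.com",
    ADMIN_BUNDLE: {SERVER_KEY: "http://uem.example.com",
                   "enrollment_password": "constructed"},
})


def lint_dpc_extras(text):
    """Return a list of findings for a zero-touch DPC extras JSON string."""
    try:
        extras = json.loads(text)
    except json.JSONDecodeError as exc:
        return [f"not valid JSON: {exc.msg}"]
    if not isinstance(extras, dict):
        return ["top level must be a JSON object"]
    findings = []
    for key in extras:
        if not key.startswith(STD_PREFIX):
            findings.append(f"unexpected top-level key: {key}")
    bundle = extras.get(ADMIN_BUNDLE, {})
    if not isinstance(bundle, dict):
        return findings + ["admin extras bundle must be an object"]
    url = urlparse(str(bundle.get(SERVER_KEY, "")))
    if url.scheme != "https" or not url.hostname:
        findings.append(f"{SERVER_KEY} must be an https URL")
    for key in bundle:
        if any(hint in key.lower() for hint in SECRET_HINTS):
            findings.append(f"possible credential in bundle: {key}")
    return findings


if __name__ == "__main__":
    print(lint_dpc_extras(GOOD_EXTRAS))
    print(lint_dpc_extras(BAD_EXTRAS))
```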

Cons of zero-touch enrollment

  • One year after the zero-touch release, we don’t find many partners and resellers around the world. It’s a challenge for international companies that have to buy devices in multiple countries. Well, it also took Apple a long time to be available in multiple countries – so we just have to give more time to Google and they will surely catch up.
  • The listed devices on the zero-touch page do not always work out-of-the-box – even if the device is listed as “zero-touch compatible” (Android Enterprise recommended), it does not mean that the model will be listed in the API and recognized in the zero-touch portal.
    Have a look at the following pages to check the compatible models:

    Devices directory
    https://androidenterprisepartners.withgoogle.com/devices/
    API compatibility
    https://developers.google.com/zero-touch/resources/manufacturer-names

  • Samsung is not zero-touch compatible yet.
  • In spite of the zero-touch approach, some devices may still have some more “branded” screens, e.g. from Huawei (terms and conditions) and we end up with more than 5 touches on the screen.

Speed Comparison (GIFs, courtesy of Nomasis AG, Switzerland)

Android zero-touch enrollment

Android Device Owner enrollment

Android BYOD

Apple DEP

Some images have been downloaded from the following link for the Apple DEP GIF:

https://learn.winona.edu/WSU_iPad_First_Time_Setup_iOS_8_DEP