LAST UPDATED: Apr. 15, 2024
General Q&A
Q: What is LifeGuard for Android?
A: LifeGuard (LG) is an operating system update program for Zebra Android products that provides multiple value propositions for Zebra customers:
- Extended availability of OS security updates/patches
- Security support during OS Transition Periods (OTPs)
- Periodic security patches (as frequently as every 30 days)
- Regular Zebra feature enhancements (for devices currently offered for sale)
- Support for new Android versions
Learn more at the LifeGuard product page.
Q: How much does LG cost?
A: There is no extra charge for LifeGuard for devices covered under one of the following Zebra agreements:
- Zebra Initial Purchase Software Warranty
- Zebra OneCare Essential
- Zebra OneCare Select
- Zebra OneCare TSS (technical and software support – excludes break-fix repair)
One-year extensions are available at additional cost.
NOTE: A “software warranty” is generally 90 days; a “hardware warranty” is generally 12 months.
Learn more about Zebra OneCare options.
Q: Why do certain products no longer receive LG updates?
A: Products not covered under full LG support are usually older and/or built with SoC architecture that is no longer in general use. Occasionally the reason relates to software contained in the device that is not directly managed by Zebra.
Q: What is the Android Security Patch Level (SPL)?
A: The Android SPL is a date assigned by Google to cover a known set of Common Vulnerability Exposures (CVEs) addressed by the patch. CVE details are documented in the monthly Android Security Bulletin. Applying the updates associated with each bulletin will set a “Patch Level” on the device that correlates to the Google published Android Monthly Bulletin. This information is provided in each individual product’s release notes at its time of release and can be seen in Settings > About Phone on most devices.
The Patch Level may include two dates:
- The device’s most recent full security update
- The date the device last received "Critical Only" updates
For example, "Patch Level 2016-05-01 Critical 2016-12-01" indicates that the device received its last full security update on May 1, 2016, and received its last critical patch on December 1, 2016.
Q: How does LG help customers maintain security during an OS transition?
A: When Zebra releases a new version of Android, the previous version remains under support for a period of 12 months. This is referred to as the OS Transition Period (OTP), during which customers receive updates approximately every 90 days that address all Common Vulnerability Exposures (CVEs) and include select Zebra feature enhancements.
Q: How are LifeGuard updates installed on a device?
A: The simplest way to install updates is through Zebra's LifeGuard Over the Air service, or LifeGuard OTA. The service can be accessed using:
- The Android Auto-update service (on devices running Android 11 or later)
- Your company's Enterprise Mobility Management (EMM) system (if supported)
- StageNow Smart Profiles
LifeGuard updates also can be installed directly to device(s) via:
- Android Debug Bridge (adb) over USB
- External SD card (if so equipped)
- Zebra StageNow
Q: Where are Zebra LifeGuard updates found?
A: LifeGuard updates are available inside your Enterprise Mobility Management (EMM) system (if supported) and within StageNow Smart Profiles. LifeGuard updates also can be found on the LifeGuard for Android Updates page on the Zebra Support Portal.
Q: What is the size of a LifeGuard update?
A: There are three types of LifeGuard updates:
- Security-only updates typically range from 10MB–50MB
- Maintenance releases (including features and fixes) range from 100MB–400MB
- Baseline and Android-version updates are approximately 1GB
Q: Can LifeGuard updates/patches be reversed or rolled back?
A: Yes. Any patch can be rolled back manually by installing an earlier patch. On devices running Android 11 or later, errors during the update process cause the system to automatically roll back any changes attempted during that update.
Device OS downgrades cannot be performed using LifeGuard OTA. Downgrading the OS on a device causes an Enterprise Reset, wiping all user data and potentially leaving the device in an unmanaged state.
Q: Are security updates always separate from other maintenance releases?
A: No. Security updates can be delivered separately or bundled with bug fixes and/or features in a maintenance release. Bundling releases simplifies maintenance by reducing the number of updates that must be applied. See the release notes that accompany the relevant LifeGuard security update for specific information.
Zebra typically publishes two security-only updates per quarter and one maintenance release per quarter, which includes security updates, feature enhancements and bug fixes.
Q: Are security updates cumulative?
A: Yes and No.
- Updates are cumulative on devices running Android 10 and earlier; each contains all previous updates, fixes and patches.
- Updates are incremental on devices with Android 11 and later; each contains ONLY the content required for security updates, feature enhancements or bug fixes.
More about what's new in LG for Android 11.
Q: How can I determine what's inside an update...do they come with release notes?
A: Yes. All LifeGuard security updates are posted with release notes that describe content specific to the update. If accessing an update through an EMM system connecting to Zebra’s OTA services, the release notes also might be available from within the EMM console. StageNow Smart Profiles also provide access to the release notes for a given update.
Q: Can I be notified when a patch is available for my platform?
A: Yes. Subscribe to email notifications at the LifeGuard subscription page.
Q: Do I have to be on the latest board-support package (BSP) or maintenance release (MR) to get the latest LG update?
A: On devices running Android 10 and older, yes, the latest BSP is required on the device prior to loading security updates.
However, devices running Android 11 and later do NOT require the latest BSP. Zebra's OTA service allows any upgrade version to be used, and delivers the smallest package necessary for the update. Updates on Zebra.com are available as either full updates or delta packages between releases:
- Full updates go from the current version to any future release with a single file.
- Delta updates significantly reduce the update file size compared with full updates, but must be installed sequentially.
IMPORTANT: The OS transition period (OTP)–the time between Zebra's release of a new version of Android and the earlier version that it replaces–is based on the Android version number; it ignores the API, BSP and maintenance release levels. If a customer wishes to stay on a specific BSP or MR and continue to receive security updates, this would be considered a custom product and is subject to additional charges.
Q: After Google ends support, how does Zebra determine what to patch?
A: Patching decisions are based primarily on Android Security Bulletins, whether it's during Google support for an OS release or after Google support ends. During the latter period, Zebra assesses each vulnerability and develops relevant patches whenever possible. Certain security vulnerabilities are systemic, requiring significant changes that would impact the stability and interoperability of the platform of an earlier OS release. In such cases, Zebra provides remediation recommendations in lieu of a patch or update.
More about Android Security Bulletins
Security
Q: What are OS security updates?
A: Security updates (aka “security patches”) are software updates designed to fortify the device and/or underlying Android OS from specific threats or general vulnerabilities.
Q: Does Zebra guarantee my device is secure if it's up to date?
A: No. Security updates are just one element in a multi-level defense strategy. Customers should install the latest security updates, leverage Android and Zebra MX features for added protection and educate users on safe computing for the greatest level of security.
Q: What is a CVE?
A: CVE stands for Common Vulnerability Exposure, and is the name commonly given to cybersecurity vulnerabilities. All CVE instances have a unique identifier and are stored in the CVE Program database, which is maintained by the MITRE Corporation and sponsored by the U.S. Department of Homeland Security and others.
Q: What types of attacks are the most common?
A: Some of the most common attacks include:
- Remote code execution
- Application privilege escalation (unauthorized access to resources)
- Disclosure of information on the device
- Denial of service
- Phishing
- Social-network exploitation
Q: What is the Android Security Bulletin?
A: Android Security Bulletins are monthly Google publications listing recently discovered Android CVEs along with their respective severity levels and patch samples for mitigation. Companies such as Zebra that manufacture devices for Android are provided access to the bulletins 30 days prior to public release.
More about Android Security Bulletins
More about CVE severity levels
Q: How long do Google and SoC vendors provide security support for Android?
A: The Android Open Source Project (AOSP) is updated for security issues documented in the Public Android Security Bulletins for 3.5 years from the date of first public release of a given OS version. Zebra provides updates from AOSP and SoC vendors for a minimum of 24 months from the launch date of products based on that version.
License Terms
Q: What are the available LifeGuard support levels?
A: There are three LifeGuard support levels:
L1-Monthly is the highest level of support, and includes comprehensive updates approximately every 30 days. All relevant Android Security Bulletin CVEs are addressed, regardless of severity. L1 support is provided for the latest current OS release on a product during the period in which Google is providing security support updates.
L1-Quarterly support provides quarterly updates approximately every 90 days. All relevant Android Security Bulletin CVEs are addressed, regardless of severity. L1 support is provided for the latest current OS release on a product during the period in which Google is providing security support updates.
L2-Quarterly covers all "critical" Android Security Bulletin CVEs. L2 support is provided after Google has terminated security support prior to Zebra’s end-of-security support.
L3 covers products not in a Zebra discretionary support window, during which Zebra makes its best effort to address major security vulnerabilities.
Q: Can end-of-sale dates shift?
A: Yes. Zebra generally classifies product hardware as “years available for sale” or “years available for hardware service.” Thus, a 5/5 device can be purchased for five (5) years and is eligible for service contracts for an additional five (5) years.
Hardware end-of-sale dates can fluctuate based on market conditions and component availability. Zebra works hard to select components that align with its planned hardware life cycle, but cannot make guarantees.
Q: Can support be added to a pre-existing device portfolio not already covered under a service plan?
A: Yes. You can purchase a OneCare service contract inclusive of LifeGuard, but additional charges might apply depending on the specific device/OS platform(s) to be covered. Please contact Zebra or your Zebra reseller for more information.
Q: Can I extend LifeGuard support, and if so, how and what is the cost?
A: Yes. Zebra offers one-year security support extensions, allowing customers to extend either the end-of-security-support date or an OS Transition Period (OTP).
The scope of the one-year extension is to a specific product model on a specific OS release (identified within the purchase agreement). Support during the extension period is L2 (Quarterly updates of Critical severity only).
The agreement covers security support only; it does not entitle the customer to general bug fixes or maintenance releases. In some instances, a security patch might be contingent on a bug fix/MR, in which case Zebra will make the necessary patch available to the customer.
In many instances these security updates fall outside of the Google Support window. Though an exception condition, certain security vulnerabilities might be systemic, requiring significant changes that would impact the stability and interoperability of the platform of an earlier OS release. In such cases, Zebra cannot guarantee that it will directly remediate every such vulnerability. Therefore, Zebra provides remediation recommendations and might not provide a patch.
Under the one-year extension agreement, Zebra provides limited phone support. Often referred to as “Level 1” escalation, this will be relegated to basic questions and answers.
For more information about extended LifeGuard support, please contact Zebra or your Zebra reseller.
Q: Can I purchase a one-year LifeGuard extension at any time?
A: No. Extensions can be purchased only if the product/OS is under existing security support. Such extensions must be purchased no less than 90 days before the end of the existing support contract.
Q: Do I need LifeGuard for PCI compliance?
A: For questions relating to the Payment Card Industry (PCI), Zebra recommends consulting a Qualified Security Assessor (QSA).
Q: After Google ends support for an OS release, does Zebra guarantee that all vulnerabilities are patched?
A: No. Zebra only provides updates in such cases if the functionality previously existed and/or the update does not impact the integrity of the platform.
Q: Is there anything preventing an entitled customer from sharing an update with others?
A: Sharing updates with entities not entitled to receive them is a violation of the law and of the terms of the EULA agreement.
Q: Can customers still obtain a locked-down image through a custom product request?
A: Yes, but such updates will not be eligible to receive LG security patches since updates are validated only against the latest software builds.
Q: What should a customer do if they detect a vulnerability?
A: Customers that detect a vulnerability should immediately report it using Zebra's VULNERABILITY DISCLOSURE form.
Deployment
Q: How long does it take Zebra to release a security update after a security bulletin is published?
A: Zebra’s goal is to release within 2-3 days of a public Android security bulletin. However, updates vary in complexity and scope, are sometimes combined with a maintenance release, and can have dependencies on third-party code that must be obtained separately by Zebra. Therefore, the release of security updates can vary depending on region, product model and third-party software suppliers.
In addition, releases for WWAN devices might lag due to additional testing and/or carrier certification, which can take from 2-6 weeks. It is also possible for a carrier-certified update to contain a security patch level earlier than that of a prior release. Therefore, after installing any major carrier-certified update, Zebra recommends checking the patch level and loading any necessary Zebra patches.
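The patch-level check recommended above, using the two-date Patch Level format described under "What is the Android Security Patch Level (SPL)?", as an added example (not Zebra code): it parses the string and flags an update that left a device on an earlier patch level. The device labels, sample strings, baseline date and finding names are constructed for illustration.

```python
import re
from datetime import date

# Format from the FAQ's example: "Patch Level 2016-05-01 Critical 2016-12-01".
# The "Critical" date is optional; a bare YYYY-MM-DD date is also accepted.
_SPL_RE = re.compile(
    r"^\s*(?:Patch Level\s+)?(\d{4}-\d{2}-\d{2})"
    r"(?:\s+Critical\s+(\d{4}-\d{2}-\d{2}))?\s*$"
)

def parse_patch_level(text):
    """Return (full, critical) dates; critical is None when not present."""
    m = _SPL_RE.match(text)
    if not m:
        raise ValueError(f"unrecognized patch level: {text!r}")
    full = date.fromisoformat(m.group(1))  # rejects impossible dates
    critical = date.fromisoformat(m.group(2)) if m.group(2) else None
    return full, critical

def audit(before, after, baseline):
    """Compare the patch level recorded before and after an update."""
    b_full, b_crit = parse_patch_level(before)
    a_full, a_crit = parse_patch_level(after)
    findings = []
    if a_full < b_full:
        findings.append("full-regressed")        # update carried an older SPL
    if (a_crit or a_full) < (b_crit or b_full):
        findings.append("critical-regressed")    # critical coverage went back
    if a_full < baseline:
        findings.append("below-baseline")        # older than required minimum
    if a_crit and a_crit > a_full:
        findings.append("critical-only-since-full")
    return findings

# Constructed sample records: (device label, level before, level after).
SAMPLE = [
    ("dev-A", "Patch Level 2024-03-01", "Patch Level 2024-01-01"),
    ("dev-B", "Patch Level 2016-05-01 Critical 2016-12-01",
              "Patch Level 2016-05-01 Critical 2016-12-01"),
    ("dev-C", "2024-02-01", "2024-03-01"),
]

def audit_fleet(records, baseline):
    """Map each device label to its list of findings (empty list = ok)."""
    return {name: audit(b, a, baseline) for name, b, a in records}

if __name__ == "__main__":
    for name, found in audit_fleet(SAMPLE, date(2024, 2, 1)).items():
        print(name, ", ".join(found) or "ok")
```

Any device reported as "full-regressed" is one where the later Zebra patch still needs to be loaded.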
Q: Does Zebra advise customers to install all updates?
A: Yes, Zebra recommends that all updates be applied in a timely manner. Zebra acknowledges that all software updates carry some degree of functional risk. Customers operating in a peak season (with a potential code lockdown) should assess the individual CVEs being addressed in a release and proceed accordingly. Customers might also be using techniques and/or solutions such as Android Lock Task mode, application white-listing or Zebra's Enterprise Home Screen to mitigate some threats; even so, updates provide an added level of defense and should generally be applied as soon as possible.
Q: Are Zebra updates ever covertly pushed to devices?
A: No. Unlike some device platforms, Zebra does not push LifeGuard updates without full disclosure to the customer and/or device user.
Q: Does Zebra provide security patches for GMS?
A: Typically no. GMS libraries are most often updated by Google through the Google Play store, usually through a Google account on the device (though Google retains the right to update without an account). In rare cases, Zebra provides GMS libraries as part of a larger update, but the GMS version in such updates might not be the latest.
Q: How does Zebra handle Zero-day vulnerabilities and attacks?
A: Zebra monitors for such events and makes a best effort to respond in relative real time. When a major vulnerability or attack surfaces between scheduled updates or security bulletins, Zebra addresses the event outside of the standard LG release schedules.
Q: How do I install a hot-fix or custom release?
A: Installation of hot-fix and custom builds is not supported by LifeGuard OTA. Such updates must be installed directly to the device using legacy methods (adb, SD Card, StageNow).
Q: How do I get a hot-fixed device back to a standard build?
A: A hot-fixed device can be restored to a standard build by applying the most recent (or desired) build directly to the device using legacy install methods.
Administrative
Q: How can I get a Zebra account?
A: The first step to creating an account is to visit the Zebra.com User Registration page to verify an email address. Further instructions will follow.
Zebra recommends using a general email address that represents your organization rather than that of an individual user to avoid having to re-register if the individual leaves your organization. NOTE: Entering a valid contract number during registration maps any existing download entitlements to the account.
Q: How can I determine when my device was last updated?
A: Check the update status within your EMM tool, if applicable. Otherwise, navigate to Settings > About Phone > System Update on the device to see the date of the most recent update.
Q: Can I update manually even though I am using LifeGuard OTA?
A: Yes. Zebra devices can always be "sideloaded" using adb or StageNow. Please note that downgrading the OS forces an Enterprise Reset and removes all user data, including EMM enrollment, which could leave the device in an unmanaged state.
Q: How will I know whether an update is compatible with my company's apps and solutions?
A: Zebra recommends referring to the release notes that accompany all LifeGuard security updates for specific information and thoroughly testing updated devices before deployment. Zebra attempts to capture and communicate in release notes relevant changes that could impact installed applications.
Q: Where can I find the schedule for LifeGuard releases?
A: Zebra does not publish a formal roadmap of releases. OS updates are released monthly with security fixes, and every third update also delivers any available new features. See the release notes that accompany the relevant LifeGuard security updates for specific information about a given update.
Q: Which device apps and/or services are required for LifeGuard over-the-air updates, from where are they available, and which Android versions are supported for each?
A: This and other relevant information is on the LifeGuard OTA page of the Zebra Developer Portal.
Q: What is ZDS?
A: The Zebra Data Service (ZDS) system is a set of background services running on all supported Zebra devices that is responsible for collecting and uploading analytics data coming from ZDS plug-ins and Zebra-authorized third-party apps. It also plays a role in updating the LifeGuard OTA client app.
Learn more about ZDS.