Frequently Asked Questions

LifeGuard

General Q&A

Q: What is LifeGuard for Android?

A: LifeGuard for Android is an operating system security support model for select Zebra Android products that provides three security value propositions:

  1. Extended availability of OS security updates/patches
  2. Security support during OS Transition Periods (OTPs)
  3. Periodic security patches (as frequently as every 30 days)

Learn more


Q: How much does LG cost?

A: There is no extra charge for LifeGuard if covered under one of the following Zebra agreements:

  • Zebra Initial Purchase Software Warranty
  • Zebra OneCare Essential
  • Zebra OneCare Select
  • Zebra OneCare TSS (technical and software support – excludes break-fix repair)

One-year extensions are available at additional cost.

NOTE: A "software warranty” is generally 90 days; a “hardware warranty” is generally 12 months.

Learn more about Zebra OneCare options


Q: Why are certain products excluded from LG?

A: Products not covered under full LG support are usually older and built with SoC architecture that is no longer in general use. Occasionally the reason relates to software contained in the device that is not directly managed by Zebra.


Q: What is a Patch Level?

A: Applying the updates associated with each bulletin will set a “Patch Level” on the device that correlates to the Google published Android Monthly Bulletin. This information is provided in each individual product’s release notes at its time of release and can be seen in Settings > About Phone on most devices.

The Patch Level includes two dates:

  • The device’s most recent full security update
  • The date the device last received "Critical Only" updates

For example, "Patch Level 2016-05-01 Critical 2016-12-01" indicates that the device was last fully patched on May 1, 2016, and received its last critical patch on December 1, 2016.


Q: How does LG help customers maintain security during an OS transition?

A: When Zebra releases an OS with a new version of Android, the earlier version remains under support for a period of 12 months. This is referred to as the OS Transition Period (OTP), during which customers receive updates about once every three months, with coverage for all Common Vulnerability Exposures (CVEs).

More about CVEs


Q: How are security patches installed on a device?

A: The simplest way to install updates is through Zebra's LifeGuard OTA, which can be implemented using:

  • The Android 11 Auto-update service
  • Your company's Enterprise Mobility Management (EMM) system (if supported)
  • StageNow Smart Profiles

Security patches also can be installed directly to device(s) using the Android Debug Bridge (adb) over USB, via external SD card (if so equipped), or with Zebra StageNow.


Q: Where do I find Zebra LifeGuard security updates?

A: Links to LifeGuard security updates can be found on the LifeGuard for Android Updates page on the Zebra Support Portal.


Q: What is the size of a LifeGuard update?

A: There are three types of LifeGuard updates:

  • Security-only updates typically range from 10MB–50MB
  • Maintenance releases (including features and fixes) range from 100MB–400MB
  • Baseline and Android-version updates are approximately 1GB

Q: Can I reverse/roll back an update or patch?

A: Yes. The latest update system automatically rolls back if an error is detected. Also, any patch can be rolled back manually by installing an earlier patch. Updates also can be reversed by performing an Enterprise Reset.

NOTE: Device OS downgrades cannot be performed using LifeGuard OTA. Downgrading the OS on a device removes EMM enrollment information, which could leave the device in an unmanaged state.


Q: Are security updates always separate from other maintenance releases?

A: No. Security updates can be delivered separately or bundled with bug fixes and/or maintenance releases. Bundling releases simplifies maintenance by reducing the number of updates that must be applied. See the release notes that accompany the relevant LifeGuard security update for specific information.


Q: Are security updates cumulative?

A: Yes and No.

  • YES: For devices running Android 10 and earlier, updates are cumulative; each contains all previous updates, fixes and patches.
  • NO: For devices with Android 11 and later, updates are incremental; each contains ONLY the content required to bring the device to the target patch level, allowing updates to be smaller. More about what's new in LG for Android 11.

Q: How can I determine what's inside an update...do they come with release notes?

A: Yes. All LifeGuard security updates are posted with release notes that describe content specific to the update. If accessing an update through an EMM system connecting to Zebra’s OTA services, the release notes might also be available from within the EMM console.


Q: Can I be notified when a patch is available for my platform?

A: Yes. Subscribe to email notifications at the LifeGuard subscription page.


Q: Do I have to be on the latest board-support package (BSP) or maintenance release (MR) to get the latest LG update?

A: On devices running Android 10 and older, yes, the latest BSP is required on the device prior to loading security updates.

However, devices running Android 11 and later do NOT require the latest BSP. Zebra's OTA service allows any upgrade version to be used, and delivers the smallest package necessary for the update. Updates on Zebra.com are available as either full updates or delta packages between releases:

  • Full updates go from the current version to any future release with a single file.
  • If keeping up to date with security patches, delta packages offer a significant reduction in file size compared with traditional patches.

IMPORTANT: The OS transition period is based on the Android version number; it ignores the API, BSP and maintenance release levels. If a customer wishes to stay on a specific BSP or MR and continue to receive security updates, this would be considered a custom product and is subject to additional charges.


Q: After Google ends support, how does Zebra determine what to patch?

A: Patching decisions are based primarily on Android Security Bulletins, whether it's during Google support for an OS release or after Google support ends. During the latter period, Zebra assesses each vulnerability and develops relevant patches whenever possible. Certain security vulnerabilities are systemic, requiring significant changes that would impact the stability and interoperability of the platform of an earlier OS release. In such cases, Zebra provides remediation recommendations in lieu of a patch or update.

More about Android Security Bulletins


Security

Q: What are OS security updates?

A: Security updates (aka “security patches") are software updates designed to fortify the device and/or underlying Android OS from specific threats or general vulnerabilities.


Q: Does Zebra guarantee my device is secure if it's up to date?

A: No. Security updates are just one element in a multi-level defense strategy. Customers should install the latest security updates, leverage Android and Zebra MX features for added protection and educate users on safe computing for the greatest level of security.


Q: What is a CVE?

A: CVE stands for Common Vulnerability Exposure, and is the name commonly given to cybersecurity vulnerabilities. All CVE instances have a unique identifier and are stored in the CVE Program database, which is maintained by the MITRE Corporation and sponsored by the U.S. Department of Homeland Security and others.

More about the CVE Program


Q: What types of attacks are the most common?

A: Some of the most common attacks include:

  • Remote code execution
  • Application privilege escalation (unauthorized access to resources)
  • Disclosure of information on the device
  • Denial of service
  • Phishing
  • Social-network exploitation

Q: What is the Android Security Bulletin?

A: Android Security Bulletins are monthly Google publications listing recently discovered Android CVEs along with their respective severity levels and patch samples for mitigation. Companies such as Zebra that manufacture devices for Android are provided access to the bulletins 30 days prior to public release.

More about Android Security Bulletins

More about CVE severity levels


Q: How long do Google and SOC vendors provide security support for Android?

A: The Android Open Source Project (AOSP) is updated for security issues documented in the Public Android Security Bulletins for 3.5 years from date of first public release of a given OS version. Zebra provides updates from AOSP and SOC vendors for a minimum of 24 months from the launch date of products based on that version.


License Terms

Q: How long does Zebra provide security updates under LifeGuard?

A: Security patches are made available for two (2) years past the device end-of-sale (EoS) date. NOTE: Past OS releases for a given product are generally not supported except as defined under an OS Transition Period (OTP), covered elsewhere in this FAQ.


Q: Can end-of-sale dates shift?

A: Yes. Zebra generally classifies product hardware as “years available for sale” or “years available for hardware service.” Thus, a 5/5 device can be purchased for five (5) years and is eligible for service contracts for an additional five (5) years.

Hardware end-of-sale dates can fluctuate based on market conditions and component availability. Zebra works hard to select components that align with its planned hardware life cycle, but cannot make guarantees.


What are the available LifeGuard support levels?

A: There are three LifeGuard support levels:

  • L1-Monthly is the highest level of support, and includes comprehensive updates approximately every 30 days. All relevant Android Security Bulletin CVEs are addressed, regardless of severity. L1 support is provided for the latest current OS release on a product during the period in which Google is providing security support updates.

  • L1-Quarterly support provides quarterly updates approximately every 90 days. All relevant Android Security Bulletin CVEs are addressed, regardless of severity. L1 support is provided for the latest current OS release on a product during the period in which Google is providing security support updates.

  • L2-Quarterly covers all "critical" Android Security Bulletin CVEs. L2 support is provided after Google has terminated security support prior to Zebra’s end-of-security support.

  • L3 covers products not in a Zebra discretionary support window, during which Zebra makes its best effort to address major security vulnerabilities.


Q: Can support be added to a pre-existing device portfolio not already covered under a service plan?

A: Yes. You can purchase a OneCare service contract inclusive of LifeGuard, but additional charges might apply depending on the specific device/OS platform(s) to be covered. Please contact Zebra or your Zebra reseller for more information.


Q: Can I extend LifeGuard support, and if so, how and what is the cost?

A: Yes. Zebra offers one-year security support extensions, allowing customers to extend either the end-of-security-support date or an OS Transition Period (OTP).

The scope of the one-year extension is to a specific product model on a specific OS release (identified within the purchase agreement). Support during the extension period is L2 (Quarterly updates of Critical severity only).

The agreement covers security support only; it does not entitle the customer to general bug fixes or maintenance releases. In some instances, a security patch might be contingent on a bug fix/MR, in which case Zebra will make the necessary patch available to the customer.

In many instances these security updates fall outside of the Google Support window. Though an exception condition, certain security vulnerabilities might be systemic; requiring significant changes that would impact the stability and interoperability of the platform of an earlier OS release. In such cases, Zebra cannot guarantee that it will directly remediate every such vulnerability. Therefore, Zebra provides remediation recommendations and might not provide a patch.

Under the one-year extension agreement, Zebra provides limited phone support. Often referred to as “Level 1” escalation, this will be relegated to basic question and answers.

For more information about extended LifeGuard support, please contact Zebra or your Zebra reseller.


Q: Can I purchase a one-year LifeGuard extension at any time?

A: No. Extensions can be purchased only if the product/OS is under existing security support. Such extensions must be purchased no less than 90 days before the end of the existing support contract.


Q: Do I need LifeGuard for PCI compliance?

A: For questions relating to the Payment Card Industry (PCI), Zebra recommends consulting a Qualified Security Assessor (QSA).

Learn more


Q: After Google ends support for an OS release, does Zebra guarantee that all vulnerabilities are patched?

A: No. Zebra only provides updates in such cases if the functionality previously existed and/or the update does not impact the integrity of the platform.


Q: Is there anything preventing an entitled customer from sharing an update with others?

A: Sharing updates with entities not entitled to receive them is a violation of the law and of the terms of the EULA agreement.


Q: Can customers still obtain a locked-down image through a custom product request?

A: Yes, but such updates will not eligible to receive LG security patches since updates are validated only against the latest software builds.


Q: What should a customer do if they detect a vulnerability?

A: Customers that detect a vulnerability should immediately report it using Zebra's VULNERABILITY DISCLOSURE form.


Deployment

Q: How long does it take Zebra to release a security update after a security bulletin is published?

A: Zebra’s goal is to release within 2-3 days of a public Android security bulletin. However, updates vary in complexity and scope, are sometimes combined with a maintenance release, and can have dependencies on third-party code that must be obtained separately by Zebra. Therefore, the release of security updates can vary depending on region, product model and third-party software suppliers.

In addition, releases for WWAN devices might lag due to additional testing and/or carrier certification, which can take from 2-6 weeks. It is also possible for a carrier-certified update to contain a security patch level earlier than that of a prior release. Therefore, after installing any major carrier-certified update, Zebra recommends checking the patch level and loading any necessary Zebra patches.


Q: Does Zebra advise customers to install all updates?

A: Yes, Zebra recommends that all updates be applied in a timely manner. Zebra acknowledges that all software updates carry some degree of functional risk. Customers operating in a peak season (with a potential code lockdown) should assess the individual CVEs being addressed in a release and proceed accordingly. Customers might also be using techniques and/or solutions such as Android Lock Task mode, application white-listing or Zebra's Enterprise Home Screen to mitigate some threats, updates will provide an added level of defense and should generally be applied as soon as possible.


Q: Are Zebra updates ever covertly pushed to devices?

A: No. Unlike some device platforms, Zebra does not push LifeGuard updates without full disclosure to the customer and/or device user.


Q: Does Zebra provide security patches for GMS?

A: No. GMS libraries are typically updated by Google through the Google Play store, usually through a Google account on the device (though Google retains the right to update without an account). In rare cases, Zebra provides GMS libraries as part of a larger update, but the GMS version in such updates might not be the latest.


Q: How does Zebra handle Zero-day vulnerabilities and attacks?

A: Zebra monitors for such events and makes a best effort to respond in relative real time. When a major vulnerability or attack surfaces between a scheduled update or security bulletin, Zebra addresses the events outside of the standard LG release schedules.


How do I install a hot-fix or custom release?

A: Installation of hot-fix and custom builds is not supported by LifeGuard OTA. Such updates must be installed directly to the device using legacy methods.

Learn more


How do I get a hot-fixed device back to a standard build?

A: A hot-fixed device can be restored to a standard build by applying the most recent (or desired) build directly to the device using legacy install methods.

Learn more


Administrative

How can I get a Zebra account?

A: The first step to creating an account is to visit the Zebra.com User Registration page to verify an email address. Further instructions will follow.

Zebra recommends using a general email address to represents your organization rather than that of an individual user to avoid having to re-register if the individual leaves your organization. NOTE: Entering a valid contract number during registration maps any existing download entitlements to the account.


How can I determine when my device was last updated?

A: Check the update status within your EMM tool, if applicable. Otherwise, navigate to Settings > About Phone > System Update on the device to see the date of the most recent update.


Can I update manually even though I am using LifeGuard OTA?

A: Yes. Zebra devices can always be "sideloaded" using adb or StageNow. Please note that downgrading the OS on a device removes any EMM enrollment information, which could leave the device in an unmanaged state.

Learn more


How will I know whether an update is compatible with my company's apps and solutions?

A: Zebra recommends referring to the release notes that accompany all LifeGuard security updates for specific information and thoroughly testing updated devices before deployment. Zebra attempts to capture and communicate in release notes relevant changes that could impact installed applications.


Where can I find the schedule for LifeGuard releases?

A: Zebra does not publish a formal roadmap of releases. OS updates are released monthly with security fixes, and every third update also delivers any available new features. See the release notes that accompany the relevant LifeGuard security updates for specific information about a given update.