A: LifeGuard for Android is an operating system security support model for select Zebra Android products that provides three security value propositions:
- Extended availability of OS security updates/patches
- Security support during OS Transition Periods (OTPs)
- Periodic security patches (as frequently as every 30 days)
A: There is no extra charge for LifeGuard if covered under one of the following Zebra agreements:
- Zebra Initial Purchase Software Warranty
- Zebra OneCare Essential
- Zebra OneCare Select
- Zebra OneCare TSS (technical and software support – excludes break-fix repair)
One-year extensions are available at additional cost.
NOTE: A "software warranty” is generally 90 days; a “hardware warranty” is generally 12 months.
Learn more about Zebra OneCare options
A: Products not covered under full LG support are usually older and built with SoC architecture that is no longer in general use. Occasionally the reason relates to software contained in the device that is not directly managed by Zebra.
A: Applying the updates associated with each bulletin will set a “Patch Level” on the device that correlates to the Google published Android Monthly Bulletin. This information is provided in each individual product’s release notes at its time of release and can be seen in Settings > About Phone on most devices.
The Patch Level includes two dates:
- The device’s most recent full security update
- The date the device last received "Critical Only" updates
For example, "Patch Level 2016-05-01 Critical 2016-12-01" indicates that the device was last fully patched on May 1, 2016, and received its last critical patch on December 1, 2016.
A: When Zebra releases an OS with a new version of Android, the earlier version remains under support for a period of 12 months. This is referred to as the OS Transition Period (OTP), during which customers receive updates about once every three months, with coverage for all Common Vulnerability Exposures (CVEs).
A: The simplest way to install updates is through Zebra's LifeGuard OTA, which can be implemented using:
- The Android 11 Auto-update service
- Your company's Enterprise Mobility Management (EMM) system (if supported)
- StageNow Smart Profiles
Security patches also can be installed directly to device(s) using the Android Debug Bridge (adb) over USB, via external SD card (if so equipped), or with Zebra StageNow.
A: Links to LifeGuard security updates can be found on the LifeGuard for Android Updates page on the Zebra Support Portal.
A: There are three types of LifeGuard updates:
- Security-only updates typically range from 10MB–50MB
- Maintenance releases (including features and fixes) range from 100MB–400MB
- Baseline and Android-version updates are approximately 1GB
A: Yes. The latest update system automatically rolls back if an error is detected. Also, any patch can be rolled back manually by installing an earlier patch. Updates also can be reversed by performing an Enterprise Reset.
NOTE: Device OS downgrades cannot be performed using LifeGuard OTA. Downgrading the OS on a device removes EMM enrollment information, which could leave the device in an unmanaged state.
A: No. Security updates can be delivered separately or bundled with bug fixes and/or maintenance releases. Bundling releases simplifies maintenance by reducing the number of updates that must be applied. See the release notes that accompany the relevant LifeGuard security update for specific information.
A: Yes and No.
- YES: For devices running Android 10 and earlier, updates are cumulative; each contains all previous updates, fixes and patches.
- NO: For devices with Android 11 and later, updates are incremental; each contains ONLY the content required to bring the device to the target patch level, allowing updates to be smaller. More about what's new in LG for Android 11.
A: Yes. All LifeGuard security updates are posted with release notes that describe content specific to the update. If accessing an update through an EMM system connecting to Zebra’s OTA services, the release notes might also be available from within the EMM console.
A: Yes. Subscribe to email notifications at the LifeGuard subscription page.
Q: Do I have to be on the latest board-support package (BSP) or maintenance release (MR) to get the latest LG update?
A: On devices running Android 10 and older, yes, the latest BSP is required on the device prior to loading security updates.
However, devices running Android 11 and later do NOT require the latest BSP. Zebra's OTA service allows any upgrade version to be used, and delivers the smallest package necessary for the update. Updates on Zebra.com are available as either full updates or delta packages between releases:
- Full updates go from the current version to any future release with a single file.
- If keeping up to date with security patches, delta packages offer a significant reduction in file size compared with traditional patches.
IMPORTANT: The OS transition period is based on the Android version number; it ignores the API, BSP and maintenance release levels. If a customer wishes to stay on a specific BSP or MR and continue to receive security updates, this would be considered a custom product and is subject to additional charges.
A: Patching decisions are based primarily on Android Security Bulletins, whether it's during Google support for an OS release or after Google support ends. During the latter period, Zebra assesses each vulnerability and develops relevant patches whenever possible. Certain security vulnerabilities are systemic, requiring significant changes that would impact the stability and interoperability of the platform of an earlier OS release. In such cases, Zebra provides remediation recommendations in lieu of a patch or update.
A: Security updates (aka “security patches") are software updates designed to fortify the device and/or underlying Android OS from specific threats or general vulnerabilities.
A: No. Security updates are just one element in a multi-level defense strategy. Customers should install the latest security updates, leverage Android and Zebra MX features for added protection and educate users on safe computing for the greatest level of security.
A: CVE stands for Common Vulnerability Exposure, and is the name commonly given to cybersecurity vulnerabilities. All CVE instances have a unique identifier and are stored in the CVE Program database, which is maintained by the MITRE Corporation and sponsored by the U.S. Department of Homeland Security and others.
A: Some of the most common attacks include:
- Remote code execution
- Application privilege escalation (unauthorized access to resources)
- Disclosure of information on the device
- Denial of service
- Social-network exploitation
A: Android Security Bulletins are monthly Google publications listing recently discovered Android CVEs along with their respective severity levels and patch samples for mitigation. Companies such as Zebra that manufacture devices for Android are provided access to the bulletins 30 days prior to public release.
More about CVE severity levels
A: The Android Open Source Project (AOSP) is updated for security issues documented in the Public Android Security Bulletins for 3.5 years from date of first public release of a given OS version. Zebra provides updates from AOSP and SOC vendors for a minimum of 24 months from the launch date of products based on that version.
A: Security patches are made available for two (2) years past the device end-of-sale (EoS) date. NOTE: Past OS releases for a given product are generally not supported except as defined under an OS Transition Period (OTP), covered elsewhere in this FAQ.
A: Yes. Zebra generally classifies product hardware as “years available for sale” or “years available for hardware service.” Thus, a 5/5 device can be purchased for five (5) years and is eligible for service contracts for an additional five (5) years.
Hardware end-of-sale dates can fluctuate based on market conditions and component availability. Zebra works hard to select components that align with its planned hardware life cycle, but cannot make guarantees.
A: There are three LifeGuard support levels:
L1-Monthly is the highest level of support, and includes comprehensive updates approximately every 30 days. All relevant Android Security Bulletin CVEs are addressed, regardless of severity. L1 support is provided for the latest current OS release on a product during the period in which Google is providing security support updates.
L1-Quarterly support provides quarterly updates approximately every 90 days. All relevant Android Security Bulletin CVEs are addressed, regardless of severity. L1 support is provided for the latest current OS release on a product during the period in which Google is providing security support updates.
L2-Quarterly covers all "critical" Android Security Bulletin CVEs. L2 support is provided after Google has terminated security support prior to Zebra’s end-of-security support.
L3 covers products not in a Zebra discretionary support window, during which Zebra makes its best effort to address major security vulnerabilities.
Q: Can support be added to a pre-existing device portfolio not already covered under a service plan?
A: Yes. You can purchase a OneCare service contract inclusive of LifeGuard, but additional charges might apply depending on the specific device/OS platform(s) to be covered. Please contact Zebra or your Zebra reseller for more information.
A: Yes. Zebra offers one-year security support extensions, allowing customers to extend either the end-of-security-support date or an OS Transition Period (OTP).
The scope of the one-year extension is to a specific product model on a specific OS release (identified within the purchase agreement). Support during the extension period is L2 (Quarterly updates of Critical severity only).
The agreement covers security support only; it does not entitle the customer to general bug fixes or maintenance releases. In some instances, a security patch might be contingent on a bug fix/MR, in which case Zebra will make the necessary patch available to the customer.
In many instances these security updates fall outside of the Google Support window. Though an exception condition, certain security vulnerabilities might be systemic; requiring significant changes that would impact the stability and interoperability of the platform of an earlier OS release. In such cases, Zebra cannot guarantee that it will directly remediate every such vulnerability. Therefore, Zebra provides remediation recommendations and might not provide a patch.
Under the one-year extension agreement, Zebra provides limited phone support. Often referred to as “Level 1” escalation, this will be relegated to basic question and answers.
For more information about extended LifeGuard support, please contact Zebra or your Zebra reseller.
A: No. Extensions can be purchased only if the product/OS is under existing security support. Such extensions must be purchased no less than 90 days before the end of the existing support contract.
A: For questions relating to the Payment Card Industry (PCI), Zebra recommends consulting a Qualified Security Assessor (QSA).
Q: After Google ends support for an OS release, does Zebra guarantee that all vulnerabilities are patched?
A: No. Zebra only provides updates in such cases if the functionality previously existed and/or the update does not impact the integrity of the platform.
A: Sharing updates with entities not entitled to receive them is a violation of the law and of the terms of the EULA agreement.
A: Yes, but such updates will not eligible to receive LG security patches since updates are validated only against the latest software builds.
A: Customers that detect a vulnerability should immediately report it using Zebra's VULNERABILITY DISCLOSURE form.
A: Zebra’s goal is to release within 2-3 days of a public Android security bulletin. However, updates vary in complexity and scope, are sometimes combined with a maintenance release, and can have dependencies on third-party code that must be obtained separately by Zebra. Therefore, the release of security updates can vary depending on region, product model and third-party software suppliers.
In addition, releases for WWAN devices might lag due to additional testing and/or carrier certification, which can take from 2-6 weeks. It is also possible for a carrier-certified update to contain a security patch level earlier than that of a prior release. Therefore, after installing any major carrier-certified update, Zebra recommends checking the patch level and loading any necessary Zebra patches.
A: Yes, Zebra recommends that all updates be applied in a timely manner. Zebra acknowledges that all software updates carry some degree of functional risk. Customers operating in a peak season (with a potential code lockdown) should assess the individual CVEs being addressed in a release and proceed accordingly. Customers might also be using techniques and/or solutions such as Android Lock Task mode, application white-listing or Zebra's Enterprise Home Screen to mitigate some threats, updates will provide an added level of defense and should generally be applied as soon as possible.
A: No. Unlike some device platforms, Zebra does not push LifeGuard updates without full disclosure to the customer and/or device user.
A: No. GMS libraries are typically updated by Google through the Google Play store, usually through a Google account on the device (though Google retains the right to update without an account). In rare cases, Zebra provides GMS libraries as part of a larger update, but the GMS version in such updates might not be the latest.
A: Zebra monitors for such events and makes a best effort to respond in relative real time. When a major vulnerability or attack surfaces between a scheduled update or security bulletin, Zebra addresses the events outside of the standard LG release schedules.
A: Installation of hot-fix and custom builds is not supported by LifeGuard OTA. Such updates must be installed directly to the device using legacy methods.
A: A hot-fixed device can be restored to a standard build by applying the most recent (or desired) build directly to the device using legacy install methods.
A: The first step to creating an account is to visit the Zebra.com User Registration page to verify an email address. Further instructions will follow.
Zebra recommends using a general email address to represents your organization rather than that of an individual user to avoid having to re-register if the individual leaves your organization. NOTE: Entering a valid contract number during registration maps any existing download entitlements to the account.
A: Check the update status within your EMM tool, if applicable. Otherwise, navigate to Settings > About Phone > System Update on the device to see the date of the most recent update.
A: Yes. Zebra devices can always be "sideloaded" using adb or StageNow. Please note that downgrading the OS on a device removes any EMM enrollment information, which could leave the device in an unmanaged state.
A: Zebra recommends referring to the release notes that accompany all LifeGuard security updates for specific information and thoroughly testing updated devices before deployment. Zebra attempts to capture and communicate in release notes relevant changes that could impact installed applications.
A: Zebra does not publish a formal roadmap of releases. OS updates are released monthly with security fixes, and every third update also delivers any available new features. See the release notes that accompany the relevant LifeGuard security updates for specific information about a given update.