Android 5.0 'Lollipop' offers probably the biggest security overhaul of the mobile operating system since it first appeared and most of it is aimed squarely at attracting a bigger uptake in enterprises and mounting a more effective challenge to Apple's iOS.

Although most of the changes have been trailed for some time, enterprises and admins still need to pay close attention to what is heading their way. Not all Android devices will be in line to receive the new version so the first challenge is to work out which current devices will receive it at some point and which won't. For those that aren't in line for the upgrade it might be simpler to replace them, using Android 5.0 as a sort of ground zero, rather than attempt to manage multiple versions with different security capabilities.

Android Work (or Android for Work)

This is a major architectural change that is derived from a subset of Samsung's Knox containerisation technology through a new set of security APIs. It provides a single framework for IT staff to manage business devices but also, importantly, personal devices being used in a BYOD context. The key concept is that while Android Work is built on the principle that separate security policies can be applied to personal and work data and apps, they are not managed in awkward parallel worlds that reduce usability.

Notifications and apps from both appear in the same launcher window – as far as the user is concerned they are using a single device and set of apps that just happen below the surface to work according to entirely different security parameters.

Although based on Knox, not all Knox features will be present in Android 5.0 – the Korean firm has naturally kept some back to give its own handsets a competitive edge.

App deployment

A second element of Android Work is that IT admins will now be able to specify which Google Play apps will be available for users to install through the work profile. Google has promised to make this easy to do with app licensing across multiple apps being subject to bulk discounts and purchasing via one transaction. This is another huge boost – installing and deploying a range of mainstream apps has until now been a major chore for businesses without private app stores.

Admins have a lot of new control over how apps are offered to users, including being able to provision apps to specific individuals or groups. Policies can also be defined by apps as well as users.

Enterprise Mobility Management (EMM)

Because enterprises increasingly opt to outsource some or all of their mobile management, new APIs on Google Play make it easier for EMM providers to integrate Android Work features into their own services.

SELinux enforcement

A small but important change that first appeared in earnest in Android 4.4 KitKat: SELinux is a Linux-based mandatory access control architecture designed to protect such systems from privilege elevation attacks. It is not new by any means, but judging from Google's brief remarks, in Android 5.0 it goes from being possible to being mandatory for all applications. This tightens up security against software vulnerabilities and clever malware.

Encryption by default

Much to the apparent chagrin of the FBI, Android 5.0 devices will enforce encryption out of the box whether the user knows it or not. The key is tied to the device's PIN code, so forgetting that PIN could be hugely inconvenient: the device would have to be wiped and reset. According to Google, the key is secured on the device and can't be accessed by Google or the security services. Enterprise versions will be able to manage these access codes centrally.

Device-sharing features

It's not yet 100% clear how the new device-sharing features will integrate with enterprise management but Android 5.0 now has a Chromebook-like 'guest' mode that makes it possible to let a second person use the phone in a locked-down mode that secures data and features. For an even more limited form of sharing, a screen pinning feature will let Android users hand their phone to someone in a way that stops them using anything else beyond that screen.

Alternatively, a multi-user mode will allow users to access their own data by signing into any Android 5.0 device under their own credentials.
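To show what screen pinning looks like from the app side, here is an added example in Java; it is not from the article and not Google's own code. It assumes a hypothetical package `com.example.kiosk` and a hypothetical `DeviceAdminReceiver` class named `KioskAdminReceiver`; the Android calls it uses (`startLockTask`, `stopLockTask`, `isInLockTaskMode`, `setLockTaskPackages`, `isDeviceOwnerApp`) are the real Android 5.0 (API 21) lock-task APIs. The point for an admin is the difference between the two paths: a device-owner app provisioned by the EMM can whitelist itself so pinning starts silently and cannot be escaped by the user, whereas an ordinary app can only ask the user to confirm pinning and the user can unpin it again.

```java
// Added example (not from the article): an enterprise app pinning itself to the
// screen with the Android 5.0 lock-task API. Package and class names are
// hypothetical; the android.* calls are real API 21 methods.
package com.example.kiosk;  // hypothetical package

import android.app.Activity;
import android.app.ActivityManager;
import android.app.admin.DevicePolicyManager;
import android.content.ComponentName;
import android.content.Context;
import android.os.Bundle;

public class PinnedActivity extends Activity {

    @Override
    protected void onCreate(Bundle savedInstanceState) {
        super.onCreate(savedInstanceState);
        // Layout setup omitted; a real kiosk screen would call setContentView() here.

        DevicePolicyManager dpm =
                (DevicePolicyManager) getSystemService(Context.DEVICE_POLICY_SERVICE);
        // Hypothetical DeviceAdminReceiver declared in this app's manifest.
        ComponentName admin = new ComponentName(this, KioskAdminReceiver.class);

        // Device-owner path: the EMM has made this app the device owner, so it may
        // whitelist its own package. Pinning then starts without a confirmation
        // dialog and the user cannot unpin with the Back+Overview gesture.
        // Non-owner path: startLockTask() still works, but Android asks the user to
        // confirm and the user can unpin at any time.
        if (dpm.isDeviceOwnerApp(getPackageName())) {
            dpm.setLockTaskPackages(admin, new String[] { getPackageName() });
        }

        if (!isPinned()) {
            startLockTask();
        }
    }

    /** True while this task is pinned to the screen. */
    boolean isPinned() {
        ActivityManager am = (ActivityManager) getSystemService(Context.ACTIVITY_SERVICE);
        // API 21 method; API 23 replaces it with getLockTaskModeState().
        return am.isInLockTaskMode();
    }

    /** Unpin from a trusted control, e.g. after the device owner re-authenticates. */
    void unpin() {
        if (isPinned()) {
            stopLockTask();
        }
    }
}
```

In a BYOD deployment the whitelisting branch only runs on devices the EMM has provisioned as device-owner managed; on a personal handset the same code degrades to the user-confirmed form of pinning the article describes.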

Android Smart Lock

Android 5.0 can be set up for the screen to unlock via a trusted device such as an Android Wear smartwatch or while inside a car. Users can already remotely wipe their devices using the Android Device Manager.

Factory Reset Protection

An optional feature that allows the device owner to specify that a handset can't be wiped and reset without the main account credentials. It is designed to reduce the attractiveness of stealing devices and can be used in conjunction with remote lock.