Getting started with Android Enterprise Corporate-Owned devices with Work Profile

Microsoft has recently declared the Android Enterprise Corporate-Owned devices with Work Profile deployment scenario (sometimes also referred to as management scenario) feature complete. That’s really good news and also a really good trigger for a new blog post. This time I’ll skip the different deployment scenarios and use cases, as I’ve written about those here and here. Just to create a good starting point, I’ll start with a quick summary about the main characteristics of this specific deployment scenario in the table below. These characteristics will help with determining if this deployment scenario will fit on the use case. For a complete overview with the different deployment scenarios, please refer to my previous post around this subject.

Deployment scenarioUse casePersonal usePrivacy guaranteedEnrollment methodManagement reachReset requiredUser affinity
Corporate-Owned devices with Work ProfileCorporate-Owned, Personally Enabled (COPE)YesYesNear Field Communication, Token entry, QR code scanning, or Zero touchProfile owner with device-level settingsYesYes

Note: Keep in mind that the user experience will be similar to personal devices with work profile. That means a strict separation between personal apps and data and work apps and data.

Throughout this post, I want to discuss the main enrollment, configuration and distribution options for the Android Enterprise corporate-owned devices with work profile deployment scenario. I want to achieve that by going through the following subjects and touching the most important points for the different configurations. I’ll simply provide the steps to get to the correct profiles, policies and apps that are applicable to this deployment scenario. I’ll end by providing a quick overview of the end-user experience.

Enrollment profile for corporate-owned devices with work profile

The Android Enterprise corporate-owned devices with work profile deployment scenario starts with the enrollment profile, as the enrollment profile determines the deployment scenario that is used. That enrollment profile contains a unique token that does not expire. There can also be multiple enrollment profiles. Having multiple enrollment profiles can be useful for separating devices in different groups, as the enrollment profile name can be used for creating dynamic device groups. The following five steps walk through the process of creating that enrollment profile.

  1. Open the Microsoft Endpoint Manager admin center portal navigate to Devices Android > Android enrolment Corporate-owned devices with work profile to open the Corporate-owned devices with work profile blade
  2. On the Corporate-owned devices with work profile blade, click Create profile to open the Create a profile wizard
  3. On the Basics page, provide the following information and click Next
  • Name: Provide a valid name for the enrollment profile for corporate-owned devices with work profile
  • Description: (Optional) Provide a valid description for the enrollment profile for corporate-owned devices with work profile
  1. On the Scope tags page, configure the required scope tags click Next
  2. On the Review + create page, verify the configuration and click Create

Note: When not using Zero-touch enrollment, or third-party services like Samsung Knox Mobile Enrollment, the easiest method for enrolling these devices is by using the created QR-code.

Device configuration profiles for corporate-owned devices with work profile

The configuration of devices in the Android Enterprise corporate-owned devices with work profile deployment scenario, is similar to most other Android Enterprise corporate-owned deployment scenarios. The different device configuration profiles can be used for configuring device features, assigning certificates or configuring Wi-Fi or VPN. To create a device configuration profile, focus on the profiles shown under the Fully Managed, Dedicated, and Coporate-Owned Work Profile category. The following three steps walk through the creation of a device configuration profile.

  1. Open the Microsoft Endpoint Manager admin center portal navigate to Devices Configuration profiles to open the Devices | Configuration profiles blade
  2. On the Devices | Configuration profiles blade, select Create profile to open the Create a profile page
  3. On the Create a profile page, provide the following information and click Create
  • Platform: Select Android Enterprise
  • Profile: Depending on the required configuration, select Derived credentials, Device restrictions, SCEP certificate, Trusted certificate, VPN or Wi-Fi in the Fully Managed, Dedicated, and Coporate-Owned Work Profile category

When creating a device restrictions profile, the settings are divided in different categories and in every category there a different headers. Those headers include the applicable deployment scenarios for the settings under the header. Make sure that the header includes “corporate-owned work profile“. In most cases that’s applicable to settings that are available for all deployment scenarios, with the exception of two categories. The Work profile password category (see Figure 1) and the Personal profile category (see Figure 2). Those categories are only applicable to Android Enterprise corporate-owned devices with work profile.

Note: Keep in mind that OEMConfig can also be used for configuring the work profile of these devices, when supported by the vendor.

Device compliance policies for corporate-owned devices with work profile

The compliance of devices in the Android Enterprise corporate-owned devices with work profile deployment scenario, is also similar to most other Android Enterprise corporate-owned deployment scenarios. The device compliance policy settings that are available for the existing corporate-owned deployment scenarios, are also applicable to this deployment scenario. A device compliance policy can be used for verifying the compliance with the device risk, device health, platform version and security settings. The following three steps walk through the creation of such a device compliance policy.

  1. Open the Microsoft Endpoint Manager admin center portal navigate to Devices Compliance policies to open the Compliance policies| Policies blade
  2. On the Compliance policies| Policies blade, select Create policy to open the Create a policy page
  3. On the Create a policy page, provide the following information and click Create
  • Platform: Select Android Enterprise
  • Profile: Select Fully managed, dedicated, and coporate-owned work profile

Note: Even though the devices are compliant, I’m currently seeing challenges with device-based Conditional Access, as a certificate should be selected that is not available.

Apps for corporate-owned devices with work profile

The deployment of apps to devices in the Android Enterprise corporate-owned devices with work profile deployment scenario, is the same as for any other Android Enterprise corporate-owned deployment scenario. The different app types can be used for installing store apps, line-of-business apps, web links, built-in apps, and Android Enterprise system apps. The following three steps walk through the process of adding such apps.

  1. Open the Microsoft Endpoint Manager admin center portal navigate to Apps All apps to open the Apps | All apps blade
  2. On the Apps | All apps blade, click Add to open the Select app type page
  3. On the Select app type page, provide the following information and click Select
  • App type: Depending on the required app, select Managed Google Play app, Web link, Built-in app, Line-of-business app or Android Enterprise system app

Note: Even though the Android Enterprise system apps are applicable, and will be available, most of those apps can only be used by the owner of the device.

App configuration policies for corporate-owned devices with work profile

The configuration of apps for devices in the Android Enterprise corporate-owned devices with work profile deployment scenario, is the same as for any other Android Enterprise corporate-owned deployment scenario. The app configurations can be configured by using the configuration designer, or JSON data. The following three steps walk through the process of adding such app configuration policies.

  1. Open the Microsoft Endpoint Manager admin center portal navigate to Apps App configuration policies to open the Apps | App configuration policies blade
  2. On the Apps | App configuration policies blade, click Add > Managed devices to open the Create app configuration policy wizard
  3. On the Basics page, provide the following information and click Next
  • Name: Provide a valid name for the app configuration policy
  • Description: (Optional) Provide a valid description for the app configuration policy
  • Device enrollment type: Managed devices already selected
  • Platform: Select Android Enterprise
  • Profile Type: Select Fully Managed, Dedicated and Corporate-Owned Work Profile Only
  • Targeted app: Select the app that should be configured

Note: When possible, stick with the configuration designer, as it simplifies the app configuration.

App protection policies for corporate-owned devices with work profile

The protection of (the data in) apps for devices in the Android Enterprise corporate-owned devices with work profile deployment scenario, is the same as for any other Android Enterprise deployment scenario. The app protection policies can used for creating restrictions for data transfers, requiring encryption, creating access requirement and adding conditional launch requirements. The following four steps walk through the process of adding such app protection policies.

  1. Open the Microsoft Endpoint Manager admin center portal navigate to Apps App protection policies to open the Apps | App protection policies blade
  2. On the Apps | App protection policies blade, click Create policy > Android to open the Create policy wizard
  3. On the Basics page, provide the following information and click Next
  • Name: Provide a valid name for the app protection policy
  • Description: (Optional) Provide a valid description for the app protection policy
  • Platform: Android already selected
  1. On the Apps page, provide at least the following information and click Next
  • Target to apps on all device types: Select Yes, or select No in combination with the following setting
    • Device types: Select at least Android Enterprise
  • Public apps: Select the public apps to which this policy applies
  • Custom apps: Select the custom apps to which this policy applies

Note: Keep in mind that when managed apps are allowed without a managed devices, users can also configure a managed app in their personal container.

Remote actions for corporate-owned devices with work profile

The available remote actions for devices in the Android Enterprise corporate-owned devices with work profile deployment scenario are limited. The remote actions can be used to wipe, delete, remote lock, reset work profile passcode, or restart the device. The following two steps walk through the process of getting to the remote actions.

  1. Open the Microsoft Endpoint Manager admin center portal navigate to Devices All devices to open the Devices | All devices blade
  2. On the Devices | All devices blade, select a specific Android Enterprise corporate-owned device with work profile to open the device Overview

Important: Keep in mind that the Wipe action will factory reset the device and that the factory reset of the device will remove all company apps and data and all personal apps and data.

Tip: The Wipe, Delete and Restart actions can also be performed by using Bulk Device actions.

Note: This figure also provides a nice overview of the combination of a corporate-owned device (see Ownership property) and a work profile (see Reset work profile passcode action).

User experience for corporate-owned devices with work profile

Let’s end this post by having a quick look at the end-user experience for the Android Enterprise corporate-owned devices with work profile deployment scenario. The enrollment process is pretty straight forward, it does take some time, but the steps almost can’t go wrong. That’s why I want to show the user experience for the personal and work profile. Mainly focused on showing the different configuration options and the main difference with personal devices with work profile.

Below in Figure 8 is an example of the personal profile after the enrollment of the device. It doesn’t contain a Company Portal app, as it’s not needed for the enrollment of the device. Below in Figure 9 is an example of the work profile after the enrollment of the device. It does contain the Microsoft Intune app with the device compliance information and the device policy sync option. It also contains multiple apps that are distributed, configured and managed.

Note: As shown in Figure 9, the work profile of my users also contains the Microsoft Tunnel app and I can confirm that Microsoft Tunnel Gateway is also working for my users.

More information

For more information regarding Android Enterprise Corporate-Owned Work Profile, refer to the following articles: