Updated 6/23/21 - We have received over 49 comments on this Android preview blog post, and in those comments and occasional subsequent support cases, you helped us deliver Android Enterprise corporate-owned devices with a work profile as generally available.
We're excited to announce the general availability of Android Enterprise corporate-owned devices with a work profile in Endpoint Manager! With this release, Endpoint Manager now supports the complete set of Android Enterprise management scenarios, including dedicated devices, fully managed devices, and personally-owned devices with a work profile.
As this feature is now GA, we want to hear from you! If you have any suggestions, questions, or comments, please visit us on our Tech Community page or on Twitter @IntuneSuppTeam. Your continued feedback helps make the product better. We are grateful for this community, thank you!
Microsoft Endpoint Manager – Intune support for Android Enterprise corporate-owned devices with a work profile is now in public preview! You can start enrolling devices here in the Microsoft Endpoint Manager admin center. Corporate-owned devices with a work profile is one of the corporate management scenarios in the Android Enterprise solution set. This corporate-owned, personally-enabled (COPE) scenario offers separation between work and personal profiles, similar to that offered for personally-owned work profile devices, while giving admins more device-level control. IT admins can see, control, and configure the work accounts, applications, and data in the work profile, while end users are guaranteed that admins will have no visibility into the data and applications in the personal profile. This scenario is targeted at organizations that wish to enable personal use on corporate-owned single-user devices that they have provided for work. This management scenario is available for Android 8+ (Oreo and higher) devices.
What is available in the first preview release?
This preview release is intended to demonstrate the corporate-owned work profile capabilities that we have built so far. We hope to gather feedback and iterate on the design and functionality before the end-to-end scenario becomes generally available in the Microsoft Endpoint Manager admin center. The following features are included in today’s preview:
Enrollment: Create multiple enrollment profiles with unique tokens that do not expire. This includes device enrollment using NFC, token entry, QR code, Zero Touch, or Knox Mobile Enrollment.
Device Configuration: A subset of the existing settings for fully managed and dedicated devices.
Conditional Access: The conditional access capabilities that are currently available for fully managed devices.
Resource Access: Certs, Wi-Fi, and VPN.
MTD Support: Admins can push MTD apps to the work profile.
What is newly available in the September preview update?
Three new features for corporate-owned devices with a work profile were added in the September release:
Personal usage policies - These settings allow admins to configure the personal side of the device. Admins can disable camera, disable screen capture, and allow app installations from unknown sources on the personal side.
Work profile password configuration - These settings allow admins to create requirements for the work profile password. Device password configuration is already available in preview.
Work profile password reset - This device action allows admins to reset the work profile password on a device.
What is newly available in the October preview update?
Support for app protection policies (APP, also known as MAM) was added in the October release.
Intune admins can enable enrollment for this scenario by selecting the “corporate-owned devices with a work profile” enrollment tile (indicated with the red arrow below). Admins can create multiple enrollment profiles with unique tokens that do not expire.
Enrollment Profiles | Corporate-owned devices with work profile (Preview)
End User Enrollment
There are new screens in the end user enrollment flow that help inform the user about the functionality of the work profile and personal profile on the device. Here are some examples of the screens:
Figure 1. Setting up your work profile
Figure 2. Setting up your work profile
Next, there are screens that will guide your end user through setting up admin requirements like creating a device password, installing work applications, and registering the device. After a successful enrollment, the user should see two sections labeled work and personal after they swipe up to see their full application list.
Figure 3. Setting up your work profile
Successful enrollment
You can create device configuration profiles to assign to corporate-owned devices with a work profile to disable device features, assign certificates, or configure VPN.
To create a device configuration profile, select a profile under the “Fully Managed, Dedicated, and Corporate-Owned Work Profile” category shown below. Device configuration profiles in this category can be applied to fully managed, dedicated, and corporate-owned work profile devices.
Create a profile - Device configuration profile
Some of the settings in the Device Restrictions profile do not apply to corporate-owned devices with a work profile; however, there are headers under each setting category that indicate which device types a particular setting can be applied to. Below is an example of these headers used in the Users and Accounts category.
Device restrictions profile - Users and Accounts
Some settings only apply at the work-profile level for corporate-owned devices with a work profile. These settings still apply device-wide for fully managed and dedicated devices. They are marked with the “work profile-level” descriptor in the setting name, as shown in the example below.
Device restrictions profile - Applications
The compliance settings that are available for fully managed and dedicated devices will be applicable to corporate-owned devices with a work profile for this preview. To create a compliance policy, admins should select “Android Enterprise” as the platform and “Fully managed, dedicated, and corporate-owned work profile” as the policy type.
Create a policy - Device compliance policy
IT admins can deploy apps and utilize app configuration for corporate-owned devices with a work profile as a part of this preview release. To create an app configuration policy for managed devices, admins should select “Android Enterprise” for the platform and “Fully Managed, Dedicated, and Corporate-Owned Work Profile” for the profile type.
Create a policy - App configuration policy
As referenced above, there is no support for app protection policies (APP, also known as MAM) in this preview release.
There is a known issue with Wi-Fi profiles failing on COPE devices. We are currently investigating and will update this post as we learn more.
Devices that have taken an Android 10 maintenance release from December 2019, as well as all subsequent versions of Android, will not be impacted. Please contact your device manufacturer to determine if a given Android 10 build contains this maintenance release.
How Can You Reach Us?
As you validate and build out the Android Enterprise corporate-owned devices with a work profile preview scenarios, we would appreciate your feedback on IT admin's device configuration and end-user's device enrollment experiences. Keep us posted on your Android experience through comments on this blog post, through Twitter (@IntuneSuppTeam), and request any new features on UserVoice.
Android Enterprise Resources
For information about the new privacy protections on company-owned devices, refer to Google’s blog post.
7/20/20: We previously stated that the UI was continuing to roll out. As confirmed by engineering, the UI has been rolled out across all tenants and this feature is now fully available to use!
8/18/20: Updated the known issues section regarding an enrollment bug and the “Updating Device…” screen. A fix will be rolled out in the next month.
We previously noted two known issues which are now resolved:
An issue with enforcing a device-wide password, where end users have the ability to get around device password requirements on corporate-owned devices with a work profile, regardless of admin policy.
An enrollment bug where some devices are getting stuck on the “Updating Device…” screen after the end user inputs their corporate credentials.
We also updated the known issues section to include a known issue with Wi-Fi profile deployment. We'll update this post as we learn more!
10/29/20: This management scenario is now feature complete! We will declare this scenario Generally Available once we sufficiently document and address the Wi-Fi issues customers have been seeing on Android 10 COPE devices. Stay tuned to this blog for more updates coming soon. Also included an update that Android app protection policies (MAM) are now supported in the October release.
11/24/20: Updated to clarify the Android platform bug as noted in the 10/29 update.
12/2/20: Additional clarification to the Android platform bug as noted in the 10/29 update, and an update to the "Known Issue" section.