Intune announcing public preview for Android Enterprise corporate-owned devices with a work profile

Published Jul 17 2020 04:06 PM 22K Views

By: Shanthi Thillairajah | PM | Microsoft Endpoint Manager - Intune


Updated 6/23/21We have received over 49 comments on this Android preview blog post, and in those comments and occasional subsequent support cases, you helped us deliver Android Enterprise corporate-owned devices with a work profile as generally available.

We've excited to announce the general availability of Android Enterprise corporate-owned devices with a work profile in Endpoint Manager! With this release, Endpoint Manager now supports the complete set of Android Enterprise management scenarios, including dedicated devices, fully managed devices, and personally-owned devices with a work profile.


More information about the GA release can be found in our blog here: Announcing general availability of Android Enterprise corporate-owned devices with a work profile


As this feature is now GA, we want to hear from you! If you have any suggestions, questions, or comments, please visit us on our Tech Community page or our Twitter @IntuneSuppTeam. Your continued feedback helps make the product better, we are grateful for this community, thank you!


Microsoft Endpoint Manager – Intune support for Android Enterprise corporate-owned devices with a work profile is now in public previewYou can start enrolling devices here in the Microsoft Endpoint Manager admin centerCorporate-owned devices with a work profile is one of the corporate management scenarios in the Android Enterprise solution set. This corporate-owned, personally-enabled (COPE) scenario offers separation between work and personal profilessimilar to that offered for personally-owned work profile devices, while giving admins more device-level control. IT admins can see, control, and configure the work accounts, applications, and data in the work profile, while end users are guaranteed that admins will have no visibility into the data and applications in the personal profileThis scenario is targeted at organizations that wish to enable personal use on corporate-owned single-user devices that they have provided for work. This management scenario is available for Android 8+ (Oreo and higher) devices.


What is available in the first preview release?

This preview release is intended to demonstrate the corporate-owned work profile capabilities that we have built so far. We hope to gather feedback and iterate on the design and functionality before the end-to-end scenario becomes generally available in the Microsoft Endpoint Manager admin center. The following features are included in today’s preview:

  • EnrollmentCreate multiple enrollment profiles with unique tokens that do not expire. This includes device enrollment using NFC, token entry, QR code, Zero Touch, or Knox Mobile Enrollment.  
  • Device Configuration: A subset of the existing settings for fully managed and dedicated devices. 
  • App Management: App assignments, app configuration, app protection policies, and associated reporting capabilities.
  • Device Compliance: The compliance policies that are currently available for fully managed devices 
  • Device Action: Delete device (factory reset), reboot device, and lock device are available. 
  • Conditional AccessThe conditional access capabilities that are currently available for fully managed devices. 
  • Resource Access: Certs, Wi-Fi, and VPN.
  • MTD SupportAdmins can push MTD apps to the work profile.


What is newly available in the September preview update?

Three new features for corporate-owned devices with a work profile were added in the September release:

  • Personal usage policies - These settings allow admins to configure the personal side of the device. Admins can disable camera, disable screen capture, and allow app installations from unknown sources on the personal side. 
  • Work profile password configuration - These settings allow admins to create requirements for the work profile password. Device password configuration is already available in preview.
  • Work profile password reset - This device action allows admins to reset the work profile password on a device.


What is newly available in the October preview update?

Support for app protection policies (APP, also known as MAM) was added in the October release.


Device Enrollment

Intune admins can enable enrollment for this scenario by selecting the “corporate-owned devices with a work profile” enrollment tile (indicated with the red arrow below). Admins can create multiple enrollment profiles with unique tokens that do not expire.


Enrollment Profiles | Corporate-owned devices with work profile (Preview)Enrollment Profiles | Corporate-owned devices with work profile (Preview)


End User Enrollment

There are new screens in the end user enrollment flow that help inform the user about the functionality of the work profile and personal profile on the device. Here are some examples of the screens:


Figure 1. Setting up your work profileFigure 1. Setting up your work profile  Figure 2. Setting up your work profileFigure 2. Setting up your work profile


Next, there are screens that will guide your end user through setting up admin requirements like creating a device password, installing work applications, and registering the device. After a successful enrollment, the user should see two sections labeled work and personal after they swipe up to see their full application list.


Figure 3. Setting up your work profileFigure 3. Setting up your work profile  Successful enrollmentSuccessful enrollment


Device Configuration

You can create device configuration profiles to assign to corporate-owned devices with a work profile to disable device features, assign certificates, or configure VPN.


To create a device configuration profile, select a profile under the “Fully Managed, Dedicated, and Corporate-Owned Work Profile” category shown below. Device configuration profiles in this category can be applied to fully managed, dedicated, and corporate-owned work profile devices.


Create a profile - Device configuration profileCreate a profile - Device configuration profile


Some of the settings in the Device Restrictions profile do not apply to corporate-owned devices with a work profile; however, there are headers under each setting category that indicate which device types a particular setting can be applied to. Below is an example of these headers used in the Users and Accounts category.


Device restrictions profile - Users and AccountsDevice restrictions profile - Users and Accounts


Some settings only apply at the work-profile level for corporate-owned devices with a work profile. These settings still apply device-wide for fully managed and dedicated devices. They are marked with the “work profile-level” descriptor in the setting name, as shown in the example below.


Device restrictions profile - ApplicationsDevice restrictions profile - Applications


Device Compliance

The compliance settings that are available for fully managed and dedicated devices will be applicable to corporate-owned devices with a work profile for this preview. To create a compliance policy, admins should select “Android Enterprise” as the platform and “Fully managed, dedicated, and corporate-owned work profile” as the policy type.


Create a policy - Device compliance policyCreate a policy - Device compliance policy


App Management

IT admins can deploy apps and utilize app configuration for corporate-owned devices with a work profile as a part of this preview release. To create an app configuration policy for managed devices, admins should select “Android Enterprise” for the platform and “Fully Managed, Dedicated, and Corporate-Owned Work Profile” for the profile type.


Create a policy - App configuration policyCreate a policy - App configuration policy

As referenced above, there is no support for app protection policies (APP, also known as MAM) in this preview release.


Customer Support for This Preview

The available preview features are fully supported through ourIntune support channels.


Known Issues

  • There is a known issue with Wi-Fi profiles failing on COPE devices. We are currently investigating and will update this post as we learn more.
    • Devices that have taken an Android 10 maintenance release from December 2019, as well as all subsequent versions of Android, will not be impacted. Please contact your device manufacturer to determine if a given Android 10 build contains this maintenance release.

How Can You Reach Us?

As you validate and build out the Android Enterprise corporate-owned devices with a work profile preview scenarios, we would appreciate your feedback on IT admin's device configuration and end-user's device enrollment experiences. Keep us posted on your Android experience through comments on this blog post, through Twitter (@IntuneSuppTeam), and request any new features on UserVoice.


Android Enterprises Resources

For information about the new privacy protections on company-owned devices, refer to Google’s blog post.




Blog post updates:

  • 7/20/20: We previously noted that previously stated that UI was continuing to roll out. As confirmed by engineering, UI has been rolled out across all tenants and this feature is now fully available to use!
  • 8/18/20: With an update to the known issues section regarding an enrollment bug and the “Updating Device…” screen. A fix will be rolled out in the next month.
  • 9/21/20: There are new features in the September preview update!
  • 9/23/20:
    • We previously noted two known issues which are now resolved:
      • With being able to enforce a device-wide password where end users have the ability to get around device password requirements on corporate-owned devices with a work profile, regardless of admin policy.
      • An enrollment bug where some devices are getting stuck on the “Updating Device…” screen after the end user inputs their corporate credentials.
    • We also updated the known issues section to include a known issue with Wi-Fi profile deployment. We'll update this post as we learn more!
  • 10/29/20: This management scenario is now feature complete! We will declare this scenario Generally Available once we sufficiently document and address the Wi-fi issues customers have been seeing on Android 10 COPE devices. Stay tuned to this blog for more updates coming soon. Also included an update that Android app protection policies (MAM) is now supported in the October release.
  • 11/24/20: With an update to clarify the Android platform bug as noted in the 10/29 update.
  • 12/2/20: Additional clarification to the Android platform bug as noted in the 10/29 update, and an update to the "Known Issue" section.
  • 6/23:21: We've excited to to announce the general availability of Android Enterprise corporate-owned devices with a work profile in Endpoint M...!
Senior Member


I'm curious how this enrollment method will work on Android 11, Google is stating they will decrease support starting Android 11.
Am I misinterpreting something here?  Thanks in advance.

From Bayton's blog:
"Google are no longer supporting the use of work profiles on fully managed devices (WPoFMD) in Android 11. Instead, they’re working on something they’re calling an enhanced work profile experience (what I’ll refer to throughout for simplicity and differentiation as 
enhanced work profile)."

Occasional Contributor
Hi thats true with the new google policy how are things really going to look like ?
Hi @MAslin1425, it is true that fully managed devices with a WP is being deprecated; however, this is a new implementation of COPE (corporate-owned devices with a work profile). There are no plans for deprecation plans for this scenario. It is available for Android 8+ devices.

Hi @Akah Mandela Munab, thank you for the question! Could you clarify what Google policy you are referring to? Thanks!

Senior Member

@Intune Support Team So this COPE is basicly the same use case/functionality that Google is deprecating, but this one MS is implementing is based on new technology/api from Google?
Another question, do you have any estimate when SCEP certificates and wifi will be supported for COPE?
Thanks for clarifying!

@MAslin1425, the functionality for this scenario (corporate-owned devices with a work profile) is different from the deprecated scenario (fully-managed with a work profile) because for this scenario the admin only has a scoped amount of device-level control, and end users have a guarantee that their company will have no vision into the personal data and applications in the personal profile.


SCEP and Wi-Fi support is also available within this preview!

Frequent Visitor

Hi, when we tried the orginal Android work profile but we had issues in syncing contacts from Outlook to the native contacts app, including Whatsapp where the contact name didn't sync, only the phone number


Has this been corrected in this new enrolment scenario? 



Occasional Contributor

The mention of personal Google accounts: Does this mean that the work profile can now have a work G-Suite account in it and can use its associated Play store?

Senior Member

This looks good but not quite there. Fully Managed Company Owned, and we still cant force a pin reset or remotely unlock the device but only the Work container? Too often the customer forgets their PIN and in all scenarios except COBO we have no way to help get them back into the device with AfW or now with COPE even. Falls short of our needs to provide the customer with the service they expect. Even with Find My Device there is no option to unlock or reset PIN except with Samsung devices.

Hi @Richard Barnes, there hasn't been any new COPE-specific policies added for contact syncing. With that said, be on the lookout for an incoming private message to understand the Outlook scenario a bit more. Thanks!

Senior Member

@Intune Support Team  I'm quoting the blogpost "Resource Access: Certs, Wi-Fi, and VPN. Support for PFX Create is not available in this preview. "
But you say it is supported in this preview. Do you mean in an upcoming preview phase? I cannot get it to work. Just says pending on scep distribution.

@OffColour1972, thank you for your comment! G-Suite account support is not currently supported at this time, but if this feature is important to your organization, you can share your interest through UserVoice.

@Wesley Bell, PIN reset will not be supported for the device password for privacy reasons, but we plan to add work profile password reset in an upcoming preview update. Stay tuned!


@MAslin1425, thanks for the feedback, we’ve followed up with you over direct message to talk through the scenario.

New Contributor

Awesome work team, I have tested my own device in COPE profile and all works very good :D

Occasional Contributor

@Intune Support Team 

"G-Suite account support is not currently supported at this time, but if this feature is important to your organization, you can share your interest through UserVoice."


It's been on there for at least a year and still not implemented. Makes Work Profiles pretty useless without it for a lot of organisations.


Senior Member

**Edit: unassigning APP from all users fixes this (even with setting user exclusions). Intune Company Portal will show as installed inside of Intune, but will not show installed on the device itself.**


When trying to open Outlook in the Work Profile apps. I get the message:

The Intune Company Portal is required for the account "". You will not be able to use Outlook until the Company Portal is installed or this account is removed. To install the Company Portal, choose Keep Account and follow the on-screen prompts.

If you choose to keep account, it launches the Google Play store at the Intune Company Portal app page, but gives the message:

Your administrator has not given you access to this item.

Intune Company Portal is a required app and is showing installed on that device in Managed Apps in that device blade.

New Contributor

@Ben_Allgood, did you ever get this to work? I am having the same issue during testing.

Senior Member

@markdevr , I did for a Samsung Galaxy S10 and it is working fine. But, then once I had everything set up, I tried it with a Note 9, and the enrollment failed when trying to go to the Company Portal. The problem is the devices don't think they have the Company Portal installed, but Intune reports that they do have it installed. They do have the Intune app installed which I am thinking is part of the problem. The app assignment is confusing the Intune app with the Intune Company Portal app.

New Contributor

@Ben_Allgood, what did you have to do for the S10? I have a feeling this is because they don't have MAM support yet and I have MAM turned on regularly. I think once the app sees MAM is on it wants Company Portal and Company Portal isn't used on CO devices. 

Senior Member

@markdevr That's what I thought had fixed the problem with the S10. I turned off deployment for the Android platform Application Protection Policy. I had tried to just do an exclusion for the user without success. So, I turned off the APP and re-enrolled. The S10 worked perfectly like that then. Then I tried a Note9, still with APP not targeted to anyone. It failed.

Hi @markdevr and @Ben_Allgood, confirming that support for app protection policies is still in development. We anticipate adding in the support in subsequent preview updates prior to general availability. Stay tuned, it's coming!


If APP policies are still applying, have a look at our Troubleshooting + support | Troubleshoot tool to validate which policies have been applied.

Occasional Contributor

In our environment we have a working SCEP-profile deployed to Fully Managed devices along with a WiFi-profile configured to use the SCEP certificate.

The SCEP certificate is deployed successfully to my testing device enrolled as a Corporate Owned with Work Profile but the Wifi configuration fails to deploy. Any specific consideration or pitfalls that might cause the deployment failure?

Senior Member

Is Google backup supported for personal profile on Android 8/9/10/11? I tried on Android 9 and didn't get any prompt for restoring from previous backup and even if I enable it from settings the service stays disabled.

Occasional Visitor

Glad to see the COPE is on the radar.  I've configured fully managed and work profile.  But with this preview, I'm having issues with the SCEP, cert and Wifi Profile.  Same as this gentleman below.  Can you tell me what his fix was?


@Intune Support Team  I'm quoting the blogpost "Resource Access: Certs, Wi-Fi, and VPN. Support for PFX Create is not available in this preview. "
But you say it is supported in this preview. Do you mean in an upcoming preview phase? I cannot get it to work. Just says pending on scep distribution.

Senior Member

@Jeff Nguyen FYI 
Got it working with SCEP certificate and WiFi EAP authentication, the SCEP certificate delivery is rather slow and unreliable as of now and the error codes doesn't tell you much. Did not find a specific root cause but reassigning all certificates and scep profiles did the trick. 

PS. It can be difficult to verify if the SCEP certificate was actually issued on the device, instead use "My Certificates" app in the work profile to see if SCEP was issued. Hope everything works out for you!

Hi @Petri Limnell, thanks for the question! There is no current support for Google backup to personal profile, but we appreciate your feedback! Please share your interest through UserVoice. Thanks!

Occasional Visitor

We're having a really strange behaviour on the apps side: all the Google Play Store Managed Apps we've deployed now show up as "Not Applicable" on Android Corporate-Owned Work Profile enrolled devices. Yet they've clearly been installed during enrollment, so this is really weird ... any ideas?


PS- App protection policy is really welcome news! Keep it up guys!!

New Contributor

Where are the work profile configuration policies for this configuration? I am missing settings like the some of the ones below in the corp-owned profile. Ex. "Data sharing..., Work profile notifications..., Display work contact caller-id in personal profile, Allow widgets from work profile apps, etc".




Occasional Visitor

Hi,  we plan to rollout to our entire company (circa 500 users) using the Android corporate owned with work profile configuration.  

Can you advise when the service is likely to be launched fully?  i.e. advanced from Preview?


Also, we have an inconsistent experience when enrolling devices.  i.e. it often takes over an hour or fails.  We do not see the device on intune at any point.  

Are you aware of any issues?  

New Contributor

I have opened a ticket with MS for the missing contacts issue. I'll report back once I have information.

Hi @NiallPhillips, thanks for your comment! Though we don't have any ETAs to currently share, stay tuned to this post for any future updates as well as our In development and What's new docs for new announcements regarding this feature.


Regarding the inconsistencies with enrolling devices, this does not sound expected so lets get you over to our support folks for further investigation. Please open a support request from within the Intune admin console, or any of the methods here. Once created, please direct message us with your support case number so we can have an eye on the case. Thanks!

Hi @Petri Limnell, restore from personal profile for COPE is supported! After a user logs in to their personal Google account, a screen will be presented asking the user if they are interested in restoring a backup. Hope this helps!

Frequent Visitor

Works well with Android 8,9&10 devices however Android 11 not so much. It appears Google have changed the way COPE works on Android 11 switching to something called enhanced profiles. Intune doesn't seem to work with this well at the moment.


When testing with Android 11 the work profile has Apps installed to it as part of the initial setup process that were not included in our managed play store or assigned to the work profile, for example Netflix and some of the standard Samsung email/calendar apps. The Android 11 device is using the same profile and settings as older versions which do not have this problem. Not sure if this problem is specific to Samsung devices being synced from Knox or any Androud 11 device?


Also when initially enrolling Android 11 devices the personal profiles play store doesn't work preventing users from installing their Apps. A while (several minutes) after the enrollment completes the device randomly reboots and the play store works. Logged with MS support and told currently expected behaviour.


Worth being aware if you plan to use for the most modern Android devices. A real shame as I was looking forward to finally rolling COPE out! Hopefully it will be resolved.

Hi @Stevec2085, thank you for the feedback!


Our Intune engineering team is currently working with Google to investigate other apps downloading in the work profile. In the meantime, you can block those apps in the policy to prevent them from installing.


Regarding the Google Play Store issue, Google has fixed the issue for Play Store version 23.9.06 and later. You may need to update the Play Store for the fix to be applied.

Frequent Visitor

@Intune Support Team Thanks for the reply. I took a look at your suggested work around of blocking the Apps using device restrictions. Unfortunately it looks like the Allow or Block Apps device restriction is only available on an Android Device Administrator configuration profile, not on Android Enterprise. Also a number of the Apps that have been added to the work profile are Samsung bespoke such as Galaxy Store, Calendar & Bixby. These therefore are not on the Google Play store so had the feature been available I don't think I would have been able to block them.

New Contributor

Apologies for the length, but I'm frustrated with this and not a lot of avenues for support\info since it's in Preview.  It seemed appropriate to post here for now.

I am familiar with the COPE concept and have used it since the Blackberry10 days.  Sad to see the vendors struggle with it so much these days, it's not a new concept.  Primarily still using Knox workspace, KME, and Workspace One for this as most are Android 9, but need to get more 10 and 11.  I have a few frustrations with it and haven't even gotten very deep into it yet.


Seen lots of weird issues with Outlook Contacts\ Calendar.  Annoying and makes me not trust the app to apply policies correctly which I have seen as a variety of quirky problems for over the years with MDM.  I'm suspecting Outlook needs to open once to get the policies AND RESTART to apply policies. Or is there a bypass somewhere?

The config - Super simple setup - No conditional access restrictions, compliance or app protection policies in place.  Just app configuration and some basic device config (passcodes, updates control, etc.).  All permissions are set to "Auto grant" in the app policy (device based, not app based, but have tried both).  Sync calendar and contacts are on.

What happens

After installing Outlook on the work side, it tells you 1 account is available.  It completes authentication using the broker.  Calendar does not sync to native app.  Option to sync calendars is not even an option in the account settings.  App permissions (toggling on and off does nothing).  BUT, if I open Outlook the first time, do not set it up, close it, and reopen Outlook and run through the setup it works. Key difference is when I open it the second time it tells me 1 account found, but also gives me the option to "Create New account", which we do not choose.  From there it syncs without issue.  Other settings seem to be fine in general, it's primarily calendar and contact issues.

What has been tried

Have attempted with and without the "configure email account settings".  Have let it sit to update policies, forced syncs, and nothing.  Have tried to make it a required and non-require app.  Change scope, tried app based app policy and device based app policy.  And many other things I can't even remember anymore.  So strange.


We are primarily using Android 10.  I had to setup KME in a specific way to enroll the device into InTune when it was 11, or it would enroll as device only.  It seems proper device enrollment isn't supported unless you are using KME or Google No Touch and I'm sure I read this somewhere, but can't find it again.  Wonder if this is all related and with @Stevec2085 was referring to.

Senior Member

In the first section it is mentioned that the WiFi issue is an Android platform bug.

Following the link to the Google post it was an issue for WiFi configs with SCEP configurations which was fixed by Google end of 2019.

Is anybody using Samsung Android 10 devices successfully with WiFi/SCEP in this setup?

None of your Samsung devices is getting the WiFi config.

I cannot imagine that Samsung hasn't patched this bug after a year... or has this to be fixed by MS even if the manufacturers are using the patch on their devices?
And can someone confirm that Samsung Android 11 devices are working fine again?


Senior Member

@niklasf , the issue is only with Android 10. I just verified this yesterday with it working fine on both Android 9 (Samsung S8+) and Android 11 (Samsung S21U) but still not working with android 10 (Samsung S9+). This is expected to be resolved in the April timeframe I believe. 

Occasional Visitor

You should at least allow backup and restore feature when work profile has been disabled or better yet allow this feature on COPE as it is deemed important for users.

New Contributor



Intune Release 2102 is out there. COPE Enrollment is still badged with "Preview" label. When will this feature go to GA state?



Senior Member

I need to know when this feature goes to GA too! We need to deploy this option to manage our company phones, it looks like it largely works albeit taking a long time to enrol. We dont want to go live with anything in preview and having to make do with an unsupported hybrid setup due to no other choice. 



Occasional Visitor

Hi All,


We have this implemented to around 5 devices, everything working and is compliant. We are seeing an issue where android devices their carrier, cell phone number, storage/other things are not polling properly or are not polling at all.

Anyone seen this/have recommendations to correct?



Frequent Contributor

@Intune Support Team  Any update on when this will reach General Availability? There's no additional information provided in Microsoft 365 Roadmap or Intune In Development. Thanks

Senior Member

Can someone confirm that it is possible to access the work profile contacts via the hands-free system of a car?
Or will the option "Contact sharing via Bluetooth" be added like it is already available in the policy for personal devices with a work profile?

New Contributor

@niklasf, I closed my ticket in February as it wasn't getting anywhere. I couldn't get the product team engaged to acknowledge these missing options, but I did send in a Business Impact Statement for this. If you ever need to reference it you can case#: 23255836.

New Contributor

Just paniced and jumped into my car to see whether this is working as we started to use it in production a couple days ago.


I can confirm that this thing works without an explicit policy setting!


My setup: COPE enrollment with Samsung A52 5G, Android 11. Outlook app with "contact sync enabled" so the native samsung contact app in work profile is showing my work contacts.

Verified that the phone app can resolve numbers to a work contact.


This is working fine with BT HF in my car HiFi.

New Contributor

@weberda , good to know that it is defaulting to enabled. We never got around to testing that. It just looks like they left out a number of GUI settings for corp-owned work profile. This would be an issue for people who want to *block* the functionality.

Senior Member

@weberda thank you for your test.

I was able to try it out on my own with a Samsung A41 (Android 10, COPE, Outlook App and Contact Sync on) and it is working.
So the default settings are fine for our purposes...

Senior Member

So, next question from my side...


Is it somehow possible to enroll a device for a user without knowing his password?
Via the old device admin method or the BYOD Work Profile it is possible to choose the "Sign in from different device" option and then finish the setup.

The person preparing the device was able to contact the user, told him the code to sign in and then finish the setup.


Via this COPE enrollment you have to enter the PW twice.

The first Sign In is directly after the work profile is created.

Then you set up the device PIN(s) if required and download the Authenticator and Intune App.

When the two apps are installed you have to sign again to register the device in Intune.


On the first sign in it is possible to choose to sign in via a different device.

On the second sign in this is not possible, you have to enter the password. (Or I was not able to get it working...)

Does it even make sense to require a second sign in nearly instantly after the first one?

We are looking for a way to prepare devices for users without the requirement to get their passwords.

Not applicable

Is it GA now?

Doesent say Preview anymore in GUI

Hi @markdevr@Ben_Allgood@weberda@Ash_Hoque745@eglockling, @Deleted - Thank you all for your patience. We're excited to announce the general availability of Android Enterprise corporate-owned devices with a work profile in Endpoint Manager! See our post: Announcing general availability of Android Enterprise corporate-owned devices with a work profile to learn more.

Version history
Last update:
‎Jun 29 2021 03:12 PM
Updated by: