Announcing general availability of Android Enterprise corporate-owned devices with a work profile

Published Jun 23 2021 02:00 PM

Today, Microsoft is announcing the general availability of Android Enterprise corporate-owned devices with a work profile in Endpoint Manager. With this release, Endpoint Manager now supports the complete set of Android Enterprise management scenarios, including dedicated devices, fully managed devices, and personally-owned devices with a work profile.

 

Nowadays, it is not uncommon for many of us to use our corporate-owned devices for personal use. Employees want to be sure that their personal data and information remain private, and organizations want to be confident that corporate devices are secure and compliant with company policies. Corporate-owned devices with a work profile is the best of both worlds: the work profile provides the same data separation capabilities available on personally-owned devices with a work profile, with added device management capabilities designed for a corporate device. Once a device is enrolled, corporate applications, data, and contacts are automatically kept in the work container (work profile), and personal applications, data, and contacts in the personal container (personal profile). This corporate-owned personally-enabled (COPE) scenario offers end users confidence that their company administrators will not have visibility into the data and applications in the personal profile.

 

As more and more employees work from home or in hybrid office environments, corporate-owned devices with a work profile can help enable people to stay securely connected to their work and personal data from virtually anywhere. Employees can easily transition from checking company email to monitoring the status of personal deliveries and then back to their work apps, seamlessly and securely on the same device. During the preview over the past few months, we have seen incredible growth and satisfaction in customer adoption of these capabilities. Let’s dive into the details of enabling Android Enterprise corporate-owned devices with a work profile in Endpoint Manager:

 

Device Enrollment

Corporate-owned devices with a work profile is available for Android 8+ (Oreo and higher). Endpoint Manager supports these popular provisioning methods:

  • Knox Mobile Enrollment
  • Zero Touch Enrollment
  • NFC – Near Field Communications (only supported on Android 8-10 for COPE devices)
  • Token Entry (only supported on Android 8-10 for COPE devices)
  • QR code

 

IT Administrators can enable enrollment for this scenario by selecting the “Corporate-owned devices with a work profile” enrollment tile (indicated with the red arrow below). They can create multiple enrollment profiles with unique tokens that do not expire.

 

Enrollment Profiles.png

End User Enrollment

The experience for end users to enroll corporate-owned devices with a work profile includes new screens that inform them about the functionality of the work and personal profiles on the device. For example:

 

enrollment workflow for Android Enterprise corporate-owned devices with a work profile.JPG

 

Additionally, the experience will guide end users through setting up administration requirements such as creating a device password, installing work applications, and registering the device. Once successfully set up, users will have two sections labeled work and personal in their full application list.

 

Application list.JPG

 

 

Device Configuration

A subset of the existing settings for fully managed and dedicated devices are available for corporate-owned devices with a work profile. Additionally, we’ve added new settings to configure the work profile password and capabilities in the personal profile (indicated with the red arrows below).

 

Device restrictions.png

 

You can create device configuration profiles under the “Fully Managed, Dedicated, and Corporate-Owned Work Profile” category and assign them to corporate-owned devices with a work profile to disable device features, assign certificates, or configure Wi-Fi or VPN. These device configuration profiles can be applied to fully managed, dedicated, and corporate-owned work profile devices.

 

Create a profile.png

Some of the settings in the Device Restrictions profile do not apply to corporate-owned devices with a work profile; however, there are headers under each setting category that indicate which device types a particular setting can be applied to. Below is an example of these headers used in the Users and Accounts category.

 

Users and Accounts.png

 

Some settings that apply device-wide on fully managed and dedicated devices apply only at the work-profile level for corporate-owned devices with a work profile. These settings are marked with the “work profile-level” descriptor in the setting name, as shown in the example below.

 

Applications.png

 

Device Compliance

The compliance settings and Conditional Access capabilities that are available for fully managed and dedicated devices will also apply to corporate-owned devices with a work profile. IT administrators should select “Android Enterprise” as the platform and “Fully managed, dedicated, and corporate-owned work profile” as the policy type.

 

Create a policy.png

App Management

IT administrators can deploy apps and utilize app configuration and app protection policies for corporate-owned devices with a work profile. IT administrators should select “Android Enterprise” as the platform and “Fully Managed, Dedicated, and Corporate-Owned Work Profile” as the profile type.

 

App management.png

 

Device Actions

Wipe device (factory reset), lock device, and reset work profile passcode are available for corporate-owned devices with a work profile.

 

What new capabilities will be added?

We still plan to add a few new capabilities to the corporate-owned devices with a work profile management scenario in the coming months. These include:

  • Single sign-on during end user enrollment flow
  • Separate device filtering for corporate-owned work profile, fully managed, and dedicated devices
  • Block and allow apps in the personal profile

 

Get Started

If you have IT administrator credentials for your org, you can start enrolling devices here in the Microsoft Endpoint Manager admin center. Review the Product Documentation for instructions. There are known issues around Wi-Fi reporting documented here: Troubleshoot and review Wi-Fi device profile logs - Intune | Microsoft Docs

 

Customer Support

The available features are fully supported through our Microsoft Endpoint Manager support channels.

 

How Can You Reach Us?

Keep us posted on your experience with Android Enterprise corporate-owned devices with a work profile through comments on this blog post or through Twitter (@IntuneSuppTeam), and request any new features on UserVoice.

 

Android Enterprise Resources

For information about the new privacy protections on company-owned Android devices, refer to Google’s blog post.

 

5 Comments
Senior Member

Very informative information, thanks.

Regular Visitor

What licenses are required?

Hi @Jeff Hutto, each user will need to be assigned an Intune license before users can enroll their devices in Intune. For more information on licensing, have a look at our docs: Microsoft Intune licensing to learn more.

Frequent Visitor

This is a great feature we were waiting for. Thanks

Senior Member

Why is there still no "Search work contacts from personal profile" setting in the COPE profile like there is for personal devices with work profile? How can incoming numbers be resolved to contacts in the work profile??

Version history
Last update: Jun 23 2021 02:26 PM