Today, Microsoft is announcing the general availability of Android Enterprise corporate-owned devices with a work profile in Endpoint Manager. With this release, Endpoint Manager now supports the complete set of Android Enterprise management scenarios, including dedicated devices, fully managed devices, and personally-owned devices with a work profile.
Nowadays, it is not uncommon for many of us to use our corporate-owned devices for personal use. Employees want to be sure that their personal data and information remains private, and organizations want to be confident that corporate devices are secure and compliant with company policies. Corporate-owned devices with a work profile is the best of both worlds: the work profile provides the same data separation capabilities available on personally-owned work profile, with added device management capabilities designed for a corporate device. Once enrolled, this will automatically keep corporate applications, data, and contacts in the work container (work profile) and personal applications, data, and contacts in the personal container (personal profile). This corporate-owned personally-enabled (COPE) scenario offers end users confidence that their company administrators will not have visibility into the data and applications in the personal profile.
As more and more employees work from home or in hybrid office environments, corporate-owned devices with a work profile can help enable people to stay securely connected to their work and personal data from virtually anywhere. Employees can easily transition from checking company email to monitoring the status of personal deliveries and then back to their work apps, seamlessly and securely on the same device. During the preview over the past few months, we have seen incredible growth and satisfaction in customer adoption of these capabilities. Let’s dive into the details of enabling Android Enterprise corporate-owned devices with a work profile in Endpoint Manager:
Corporate-owned devices with a work profile is available for Android 8+ (Oreo and higher). Endpoint Manager supports these popular provisioning methods:
Knox Mobile Enrollment
Zero Touch Enrollment
NFC – Near Field Communications (only supported on Android 8-10 for COPE devices)
Token Entry (only supported on Android 8-10 for COPE devices)
IT Administrators can enable enrollment for this scenario by selecting the “Corporate-owned devices with a work profile” enrollment tile (indicated with the red arrow below). They can create multiple enrollment profiles with unique tokens that do not expire.
End User Enrollment
The experience for end users to enroll corporate-owned devices with a work profile includes new screens that inform them about the functionality of the work and personal profiles on the device. For example:
Additionally, the experience will guide end users through setting up administration requirements such as creating a device password, installing work applications, and registering the device. Once successfully set up, users will have two sections labeled work and personal in their full application list.
A subset of the existing settings for fully managed and dedicated devices are available for corporate-owned devices with a work profile. Additionally, we’ve added new settings to configure the work profile password and capabilities in the personal profile (indicated with the red arrows below).
You can create device configuration profiles under the “Fully Managed, Dedicated, and Corporate-Owned Work Profile” category and assign them to corporate-owned devices with a work profile to disable device features, assign certificates, or configure Wi-Fi or VPN. These device configuration profiles can be applied to fully managed, dedicated, and corporate-owned work profile devices.
Some of the settings in the Device Restrictions profile do not apply to corporate-owned devices with a work profile; however, there are headers under each setting category that indicate which device types a particular setting can be applied to. Below is an example of these headers used in the Users and Accounts category.
Some settings that apply device wide on fully managed and dedicated devices only apply at the work-profile level for corporate-owned devices with a work profile. These settings are marked with the “work profile-level” descriptor in the setting name, as shown in the example below.
The compliance settings and Conditional Access capabilities that are available for fully managed and dedicated devices will also apply to corporate-owned devices with a work profile. IT administrators should select “Android Enterprise” as the platform and “Fully managed, dedicated, and corporate-owned work profile” as the policy type.
IT administrators can deploy apps and utilize app configuration and app protection policies for corporate-owned devices with a work profile. IT administrators should select “Android Enterprise” as the platform and “Fully Managed, Dedicated, and Corporate-Owned Work Profile” as the profile type.
Wipe device (factory reset), lock device, and reset work profile passcode are available for corporate-owned devices with a work profile.
What new capabilities will be added?
We still plan to add a few new capabilities to the corporate-owned devices with a work profile management scenario in the coming months. This includes:
Single sign-on during end user enrollment flow
Separate device filtering for corporate-owned work profile, fully managed, and dedicated devices
The available features are fully supported through our Microsoft Endpoint Manager support channels.
How Can You Reach Us?
Keep us posted on your experience with Android Enterprise corporate-owned devices with a work profile through comments on this blog post, through Twitter (@IntuneSuppTeam), and request any new features on UserVoice.
Android Enterprises Resources
For information about the new privacy protections on company-owned Android devices, refer to Google’s blog post.