Android work profile is a secure space on the user’s smartphone where the administrator can manage applications and user accounts without restricting the user’s usage of their own data. Android work profile is also known as profile owner mode or Android for Work.
Android, with the help of Android Enterprise, supports various deployment models.
- BYOD — A separate container or profile is formed within a personal device owned by the user.
- Work only device– A device that is issued and controlled fully by the corporate.
- Personally Enabled Work device (COPE)– Similar to work the only device but the users can do personal tasks too on this device.
- Dedicated Device– Corporate issued device which fulfills a particular task. Like digital signage, ticket printing, etc.
To help deployment models where work and personal applications reside together on the same device, Android places them in separate containers or work profiles, where the operating system enforces a firewall between them. All apps which correlate to work are placed in the work profile and personal apps are left in the primary profile. This is the case for BYO devices and COPE devices. In dedicated device deployment and work, only device deployment the work profile is not enabled.
The work profile functions as a separate Android user segregated from the primary profile but shares common UI. Work profile apps, alerts, and notifications are shown next to the primary profile counterparts, and they are badged with Android for Work briefcase icon, in order for users to understand what kind of app it is.
Android Work Profile features
The Android work profile solution package is for BYOD users, allowing admins to maintain a self-contained work profile on a personal android device for a user. Corporate programs, documents, and management policies are limited to the work profile, keeping them protected and distinct from personal data while preserving user privacy. These are the Android Enterprise features that help the Admin achieve this.
Device Provisioning
Work profile can be provisioned on devices enrolled with Android Enterprise in two ways.
- DPC-first works profile provisioning — Enrollment by downloading the OEMs DPC (Device Policy Controller). The user has to download the app provided by the UEM on the target device from the Google Playstore. The app will do the rest.
- Google account work profile provisioning — Enrollment using G Suite credentials. The users can enroll their device using their Google account details.
Security
Enterprise data doesn’t intertwine with personal application data with the work profile. The work profile has its own apps, its own download directory, and its own settings. The following are the critical security elements that can be applied to any Android work profile.
- Screen Lock: The admin can dictate a minimum criterion for the lock screen regarding its complexity and can also set a lock screen just for the work profile.
- Encryption: The admin can check the device’s compliance with encryption policies that have been put in place.
- Copy/Paste: This feature can be applied to prevent work data from being copied from work apps and being pasted in personal apps.
- Inter-app sharing: Admin can specify which work apps, if any, can share data with personal apps. The admin also can block the kind of sharing, entirely.
- VPN: The apps in the work profile can be secured on the network by placing a VPN restriction while the user is using the Android work profile. The VPN can be set to be active on a per-app basis or it can be set as always on.
- Wipe and Lock: The admin can remotely wipe the data within the work profile, in case the user decides to leave the organization or just buys a new device. The admin can also lock down the data if the device is lost or stolen somehow.
- Compliance enforcement: Work apps or data which are not deemed compliant to the facets of the security policy can be restricted access in the work profile.
Wading into more advanced and granular security restrictions, your UEM provider can utilize Google’s SafetyNet Attestation API to ensure that all the devices that are being enrolled in the organization’s network are actually genuine Android devices. SafetyNet is a set of Google Play Protect APIs which protect apps from threats to security. This series of APIs can mitigate device tampering, bad URLs, PHAs, and fake users.
Account and App management
Using Managed Google Play, Google Play enterprise edition, the UEM console may distribute apps to managed devices. You can access managed Google Play directly from the UEM console. Users can only install what they have been whitelisted for.
- Managed Google play accounts enrollment and provisioning: IT admins can create and provision managed Google play accounts. These accounts help distribute apps to the work profiles in managed devices.
- Silent App Distribution: Admins can initiate silent app distribution I.e.; admins can push apps into the work profile of devices without user intervention. This is especially useful for pushing mandatory apps.
- Managed Configuration management: For apps that support managed configuration, the IT admin can remotely apply configurations through the UEM console.
- Store layout Management: The admin can create a custom play store and provide access to the managed apps for users so that they can download essential apps and update the apps already in the work profile.
- Private App management: IT admins can update Google-hosted private apps through the UEM console instead of through the Google Play console. IT admins can also configure and publish self-hosted private apps.
Device Management and Usability
Android Enterprise does provide several granular device management capabilities with regard to the Android Work Profile. IT can enforce custom policies to make the management of work profile enabled devices much easier. Features that can be included in such custom policies are as follows.
- Runtime permissions management: Each app installed in a device requires the user to accept certain permissions so that the app can use various facets of the device. The permissions for the work apps installed in the Android work profile can be pre-set by the IT admin, silently. This helps in avoiding user intervention and hence the confusion.
- Wi-Fi Configuration: IT admins can silently provision enterprise Wi-Fi configurations on managed devices.
- Screen Capture management: IT admins can block users from taking screenshots while they are using work apps or are in the work profile.
- Certificate Management: Allows IT admins to deploy identity certificates and certificate authorities to devices in order to enable access to corporate resources. Also, admins can silently select the certificates that should be used by specific work apps. Through delegated certificate management admins can distribute a third-party certificate management app to devices and grant that app privileged access to install certificates into the managed play store.
- Accessibility Management: IT administrators can control which accessibility services on user’s devices can be enabled. These services include gestures, voice commands, etc.
- Location Sharing Management: Some apps may demand the location information of the user, if the admin is not comfortable with divulging that information, they can use this feature to prevent users from sharing location data with apps in the work profile.
- Cross-profile contact Management: IT admins can restrict and control what contact data leaves and comes into the work profile.
Establishing Android work profiles with Hexnode MDM
The IT admin can create Android Work Profiles in user devices with the help of a UEM solution like Hexnode. This can be done by enrolling the device in the profile owner mode. Devices can be enrolled with Android Enterprise either as a device owner or as a profile owner mode. As a device owner, the admin can control the whole device and it is used for work only device deployment and dedicated device deployment. Unlike in the device owner mode, you do not have to reset the device to its factory settings to enroll as a profile owner.
Hexnode for Work
As we said earlier, installing UEM’s Android for Work app or DPC from the Playstore, is a method of initiating the creation of a work profile in the user’s device.
Hexnode for Work is such an application available in the Playstore. The user has to download the app and make it the profile owner. After installing the app, the user will be guided through the entire process by the app itself so as to avoid any sort of confusion.
OEMConfig
OEMConfig is a standard for configuring OEM-specific settings on devices that are part of the Android Enterprise program. It is an OEM-built application that is published on the Google Play Store. With the help of the Managed Configuration Management feature, these OEM-built apps can be used to push OEM specific configurations onto devices.
The customized OEM app once whitelisted in the work profile, can be used to set-up specific configurations for each OEM.
Use cases
Since more and more emphasis is being placed on BYO devices and Remote Working is becoming the new norm, Android Work Profile is relevant now, more than ever. These are some industry-specific use cases mentioned below.
Corporate
Employees working in a fixed location can now work remotely using their own personal devices. By deploying a work profile in their Android device, they can work on the go and remotely if a situation calls for that.
Goods Delivery
A work profile can be deployed in the devices that are personally used by delivery agents. This would give the agents a higher degree of freedom and the organization can save the cost of buying new devices for every new agent that joins their ranks.
Hospitals
Hospitals have lots of staff members ranging from doctors to attenders. It is close to impossible to deploy that many institution-issued devices to all the staff. Deploying a work profile on the personal devices owned by at least a fraction of the staff members can save the healthcare institution a lot of funds.
Android Work profile is a very useful and versatile offering by Android Enterprise. Especially for organizations looking to utilize the BYOD space. Thanks to technologies such as the Android work profile, corporations’ needs are being met in a sustainable manner that enables the right amount of control for end-users.