Android Enterprise Work Profile management with MEM Intune – Facts You Should Know


Today’s blog post focuses on Android Enterprise Work Profile management with Intune a.k.a Microsoft Endpoint Manager (MEM).

The previous articles of the MEM Android series with Joy are listed below for your quick reference.

The above posts reside at anoopcnair.com, the home to my existing 36 blog posts before I started with my own site here. Do give them a read!

Use-case: Android Enterprise Personally-Owned Work Profile management

Though Post #3 as listed above already covered the use-case of each Android Enterprise management mode, for those who are yet to read it, let's start with a short use-case discussion of the Android Enterprise Personally-Owned Work Profile management mode.

The current decade saw work becoming more mobile than ever, with the workplaces witnessing the influx of more and more mobile devices and work being done more remotely.

Employees, wanting flexibility, started using their personal devices to access corporate data for work purposes, giving rise to the BYOD concept in workplaces and organizations.

Organizations also followed the trend and started adopting digital workplace strategies, procuring more and more mobile devices to enable employees to work from anywhere.

Before Android Lollipop, enterprise management of Android relied solely on the Device Admin APIs, which were so short on features and capabilities that they proved highly ineffective, resulting in low adoption of Android for enterprise use.

Google, aware of the shortcomings of the Device Admin [DA] management mode, acted to make things better.

The release of Android Lollipop saw the debut of Android Enterprise, Google's modern device management framework for Android.

Android for Work, as it was known at launch, introduced two new management modes:

  • Profile Owner – Containerized solution which provisions a work profile on the device to facilitate BYOD.
  • Device Owner – Full device management to facilitate corporate-owned devices (COD).

Since then, each subsequent Android release has improved Android Enterprise with new capabilities and management modes, which led to further AE management solutions under the Device Owner management mode, such as Dedicated device [COSU] and Corporate-owned Personally Enabled [COPE].

However, as I already stated, our focus today is on the Android Enterprise Work Profile management which is essentially the Profile Owner management mode.

Android Enterprise Work Profile management is a containerized solution which creates a separate container on the device to keep work apps and work data secure and separate from the user personal profile on the device.

Policies and restrictions as enforced by the organization apply only to the work container and not to the user’s personal profile, thereby leaving it unmanaged.

Company IT has full control over the Work Profile created on the device, but not on the entire device.   

This makes the Android Enterprise Work Profile management solution a natural fit for the BYOD scenario, where the devices are owned by the end-users (not company provided) and the users are understandably reluctant to enroll their devices into full device management and hand the IT Admin control over the entire device.


With the 2011 (November 2020) service release of Intune, Android Enterprise Work Profile management in the MEM Admin center was rebranded to Personally-Owned Work Profile management, to avoid confusion and differentiate it from another Android Enterprise management solution which also involves a work profile – Corporate-owned devices with work profile.

AE Work Profile management vs the other AE Device Owner modes

I have tried presenting the difference in how Intune manages a work profile on a personally-owned device vs full device management as in corporate-owned scenarios in a simplified view as below.

Overview of how Intune manages Android Enterprise devices

Now let's break that down in detail.

For Personally-Owned Work Profile (Profile owner) management mode, Intune uses its own Device Policy Controller (DPC) in the form of Company Portal app, to provision and manage the work-profile on the end device using the Play EMM APIs.

The Company Portal app uses the DPC support library for EMMs, which provides important features such as:

  • Managed Google Play Accounts provisioning support
  • Managed Configurations support

On a Personally-Owned Work Profile (Profile Owner) managed device, the Company Portal app (DPC) acts as the bridge between Intune (the MDM service) and the device.

As of now, Android Enterprise no longer accepts new registrations for custom device policy controllers (DPC) using the Google Play EMM API. All new EMM solutions should now use Android Management API, which comes with its own DPC provided by Google. Read more here.

AE Work Profile management with Intune - Overview of how Intune manages an Android Enterprise Personally-Owned Work Profile device

What about the rest of the Android Enterprise Device Owner management solutions?

  • Corporate-owned Fully Managed [COBO]
  • Corporate-owned Personally Enabled with Work Profile [COPE]
  • Corporate-owned Dedicated Device [COSU]

For all the above listed Android Enterprise management solutions, Intune uses the Android Management (AM) API.

This eliminates the need for EMM developers to create, update and maintain their own custom DPC, since the API comes with its own companion DPC on the device, Android Device Policy, which is provided and maintained by Google.

Overview of how Intune manages Android Enterprise devices in Device Owner mode

Whatever the management mode, Profile Owner or Device Owner, Intune uses the Managed Google Play binding (via the Play EMM API) to create obfuscated managed Google Play accounts, with which the device (in Device Owner, i.e. managed device, mode) or the work profile (in Profile Owner mode) is provisioned.


This allows Intune to push apps silently to the managed device (or work profile) via Managed Google Play without requiring the end-user to sign in to Play services with a personal Gmail account, which also avoids the Factory Reset Protection lock that a personal Google account would otherwise tie to the device.

I hope the above information will help you better understand how Intune as an EMM solution works and manages an Android Enterprise Personally-Owned Work Profile device.

Let’s now see all the key configuration points required to enable onboarding of personally-owned work-profile managed devices into MEM Intune.

Prepare Intune to support Android Enterprise Personally-Owned Work Profile management

There are two main activities that an Intune Admin needs to perform in the MEM Admin center to support the onboarding and management of Android Enterprise devices.

Managed Google Play binding with MEM Intune

Confirm that the link between your MEM Intune tenant and Managed Google Play is in an active state.

Pre-requisite for AE device onboarding - Managed Google Play binding with MEM Intune

If not, you can setup the binding in a few easy steps. Follow this article.

Managed Google Play binding with MEM Intune is the primary pre-requisite to onboard Android Enterprise devices.

This is because Managed Google Play binding enables MEM Intune to create and use Managed Google Play accounts (obfuscated accounts) which are used to provision the work profile on the end device (or the device in case of fully managed, fully managed personally enabled with work profile or dedicated enrollment).

Read my previous article to know the significance of Managed Google Play binding with MEM Intune in more detail.

Enrollment restriction to allow Android Enterprise Personally-owned Work Profile enrollment

Whether you are creating custom Enrollment Restrictions or using the default Enrollment Restriction, make sure that Android Enterprise (work profile) is set to Allowed as platform.

Pre-requisite for AE device onboarding - Enrollment restriction to allow Android Enterprise Personally-owned Work Profile enrollment

You can add other restrictions as per your requirements, such as requiring a minimum OS version to enroll, blocking the enrollment of personally owned devices, or restricting which device manufacturers may enroll into your tenant.

If you keep both Android Enterprise (work profile) and Android device administrator allowed within the effective Enrollment Restriction profile, devices capable of Android Enterprise will enroll in Work Profile management mode rather than DA management mode, because Android Enterprise takes precedence over Device Admin.
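Both prerequisites above (an active Managed Google Play binding, and an enrollment restriction that allows the work profile platform, with Android Enterprise taking precedence over Device Admin) can be checked before a pilot rather than discovered at enrollment time. The following is an added example, not code from this post or from Microsoft: it evaluates those rules offline over constructed sample data shaped like the Graph beta objects `androidManagedStoreAccountEnterpriseSettings` (its `bindStatus` property) and the default `deviceEnrollmentPlatformRestrictionsConfiguration` (its `androidForWorkRestriction` and `androidRestriction` blocks). The endpoint paths and property names are assumptions drawn from the Graph beta schema; the sample values, the device descriptors and the `supportsAndroidEnterprise` flag are constructed, and the example assumes you have already identified which restriction profile is effective for the user.

```python
"""Offline readiness check for Android Enterprise personally-owned work
profile enrollment in Intune.

Added example, not code from the original post or from Microsoft. Property
names follow the Microsoft Graph beta Intune schema as understood by the
author of this example; confirm them against the Graph reference.
"""

# Constructed sample shaped like
#   GET https://graph.microsoft.com/beta/deviceManagement/androidManagedStoreAccountEnterpriseSettings
# (values are made up, not captured from a real tenant).
SAMPLE_BINDING = {
    "bindStatus": "boundAndValidated",
    "ownerUserPrincipalName": "mgp-admin@contoso.example",
    "lastAppSyncStatus": "success",
}

# Constructed sample of the default platform restriction object returned by
#   GET https://graph.microsoft.com/beta/deviceManagement/deviceEnrollmentConfigurations
# trimmed to the two Android blocks that matter here.
SAMPLE_RESTRICTION = {
    "@odata.type": "#microsoft.graph.deviceEnrollmentPlatformRestrictionsConfiguration",
    "androidForWorkRestriction": {          # "Android Enterprise (work profile)"
        "platformBlocked": False,
        "personalDeviceEnrollmentBlocked": False,
        "osMinimumVersion": "8.0",
        "osMaximumVersion": "",
        "blockedManufacturers": ["ShadyPhoneCo"],   # made-up OEM name
    },
    "androidRestriction": {                 # "Android device administrator"
        "platformBlocked": False,
        "personalDeviceEnrollmentBlocked": False,
        "osMinimumVersion": "",
        "osMaximumVersion": "",
        "blockedManufacturers": [],
    },
}

# Assumption: both states mean the tenant can mint managed Google Play accounts.
ACTIVE_BIND_STATES = {"bound", "boundAndValidated"}


def binding_is_active(settings: dict) -> bool:
    """Managed Google Play binding is the primary prerequisite: without it
    Intune cannot create the obfuscated accounts that provision the profile."""
    return settings.get("bindStatus") in ACTIVE_BIND_STATES


def _version_tuple(v: str) -> tuple:
    """'8' and '8.0' must compare equal, so pad to three components."""
    parts = [int(p) for p in v.split(".") if p.isdigit()]
    return tuple((parts + [0, 0, 0])[:3])


def platform_blocks(rule: dict, device: dict) -> list:
    """Reasons a single platform rule rejects this device (empty = allowed)."""
    reasons = []
    if rule.get("platformBlocked"):
        reasons.append("platform blocked")
    if rule.get("personalDeviceEnrollmentBlocked") and device["personallyOwned"]:
        reasons.append("personally owned devices blocked")
    ver = _version_tuple(device["osVersion"])
    lo = rule.get("osMinimumVersion") or ""
    hi = rule.get("osMaximumVersion") or ""
    if lo and ver < _version_tuple(lo):
        reasons.append(f"OS {device['osVersion']} below minimum {lo}")
    if hi and ver > _version_tuple(hi):
        reasons.append(f"OS {device['osVersion']} above maximum {hi}")
    blocked = {m.lower() for m in rule.get("blockedManufacturers") or []}
    if device["manufacturer"].lower() in blocked:
        reasons.append(f"manufacturer {device['manufacturer']} blocked")
    return reasons


def effective_enrollment(binding: dict, restriction: dict, device: dict) -> dict:
    """Decide how a device would enroll under the effective restriction.

    Precedence as described in the post: an AE-capable device takes the work
    profile path whenever that platform allows it; Device Admin is used only
    when work profile is blocked for the device or the device cannot run AE.
    """
    if not binding_is_active(binding):
        return {"mode": "blocked", "reasons": ["Managed Google Play binding not active"]}
    wp_reasons = platform_blocks(restriction["androidForWorkRestriction"], device)
    if device["supportsAndroidEnterprise"] and not wp_reasons:
        return {"mode": "workProfile", "reasons": []}
    if not device["supportsAndroidEnterprise"]:
        wp_reasons = wp_reasons + ["device cannot run Android Enterprise"]
    da_reasons = platform_blocks(restriction["androidRestriction"], device)
    if not da_reasons:
        return {"mode": "deviceAdministrator", "reasons": wp_reasons}
    return {"mode": "blocked", "reasons": wp_reasons + da_reasons}


if __name__ == "__main__":
    # Constructed device descriptors for a quick run.
    for dev in (
        {"osVersion": "11", "manufacturer": "Samsung", "supportsAndroidEnterprise": True, "personallyOwned": True},
        {"osVersion": "11", "manufacturer": "ShadyPhoneCo", "supportsAndroidEnterprise": True, "personallyOwned": True},
        {"osVersion": "4.4", "manufacturer": "Samsung", "supportsAndroidEnterprise": False, "personallyOwned": True},
    ):
        print(dev["manufacturer"], dev["osVersion"], "->", effective_enrollment(SAMPLE_BINDING, SAMPLE_RESTRICTION, dev))
```

The "deviceAdministrator" outcomes are the ones to watch for in a pilot: the second and third devices in the run above fall through to the legacy mode silently, which is exactly what you want to catch before a user reports that the work profile never appeared. Blocking the Device Admin platform in the same restriction turns those into clean "blocked" results instead.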

Intune has separate category of configuration items for Android Enterprise Personally-owned Work Profile management

To create device configuration profiles that target your Android Enterprise Personally-owned Work Profile devices, ensure that you create the required profile type from under the Personally-owned Work Profile category.

Intune has a separate category of configuration items for Android Enterprise Personally-owned Work Profile management

Similarly, to create a Compliance policy, choose Android Enterprise as the Platform with Policy Type set to Personally-owned work profile.

Intune has a separate category of compliance policy for Android Enterprise Personally-owned Work Profile management

Similarly, if you are creating an App Configuration Profile for managed devices, select Android Enterprise as the Platform.

For Profile Type, you get three options to choose from:

  • All Profile Types
  • Fully Managed, Dedicated, and Corporate-Owned Work Profile Only
  • Personally-Owned Work Profile Only

Intune has a separate category of App Protection and App Configuration for Android Enterprise Personally-owned Work Profile management

The first option is clearly the best if you have Android devices enrolled with different AE management modes and want the profile to apply to all of them. If you want the app configuration policy to apply only to devices managed with a specific management mode, create it with whichever of the other two options matches that mode.

It is really important to create profiles/policies which correspond to the respective Android Enterprise management solution that is being used for managing the devices.

If you create a policy that corresponds to the Device Owner management scenarios and assign it to users (or devices) whose devices are managed in Profile Owner mode, it won't work, because of the fundamental difference in how Intune works with the two Android Enterprise management modes.

Should you use Personally-Owned Work Profile management as a COD solution?

I have seen organizations that want only devices provided by the organization to be enrolled, and so block personally owned devices to stop employees from enrolling their own devices as Android Enterprise Work Profile devices.

However, many such organizations don't actually intend to manage the full device. Instead, the end-user enrollment guide directs users to set up the device as a BYOD work profile device, with a separate unmanaged personal profile and managed work profile on the device.

The only thing that technically makes this enrollment fall under the Corporate category is that they upload the device serials as Corporate Device Identifiers in Intune, so that only organization-owned devices can enroll.

Organizations that do not allow BYOD but also do not want full device management are, with the above approach, effectively using Android Enterprise Work Profile mode as a COD scenario.

Though this works, it is not the real use-case for the Personally-owned Work Profile management mode, which was meant for BYOD.

If you ever land up in a scenario like this, I would instead suggest considering the Corporate Owned Personally Enabled management mode which was made for this exact use case.

The End

That was all for today. Hope you would find this post useful!

Do check my other blog posts on this site.