IT can enable devices for both work and personal use, but this raises questions about security and privacy. Learn how Android Enterprise work profiles help protect corporate data.
When organizations can't enable different devices for users to access personal and work data, it's possible to separate these resources at the software level instead.
As BYOD's popularity has grown in recent years, so has the number of users working from their personal Android devices. Typically, a user who chooses to work from a personal phone must complete an enrollment process to let their employer apply security settings and manage the device in other ways. This often leads to concerns about user privacy.
One way for users to keep their work and personal lives separate is to set up a work profile on their mobile device. Creating a work profile on an Android device keeps work apps, data and accounts separate from personal apps, data and accounts.
The work profile feature is part of the Android Enterprise platform, and it enables a managed user profile to reside alongside a user's personal profile on an Android device. This makes it possible to access both personal and work applications on the same endpoint. The managed user profile is encrypted and uses different encryption keys for corporate and personal data.
How to create a work profile on an Android device
To separate work and personal data on an Android device, organizations must have a mobile device management or unified endpoint management platform in place. MDM and UEM provide many of the same features, but the key capability in this context is IT management of mobile devices. For simplicity, the rest of the article refers to all management platforms as MDM.
The managed user profile is encrypted and uses different encryption keys for corporate and personal data.
With one of these platforms, IT administrators can create and manage work profiles, apps and data on end-user devices. If necessary, IT can go further and control device management and security policies. Once users have enrolled their devices into their organization's MDM, they can access their work profile and easily switch it on and off based on their needs.
There are many different MDM and UEM platforms to choose from. Microsoft Intune, IBM MaaS360, Cisco Meraki Systems Manager and even Google's own Android Enterprise are some of the most well-known options.
Step 1. Configure MDM to enable work profiles
To begin the process of configuring an Android work profile, admins must register their MDM with Google. This step creates a managed Google Play account on each device enrolled into the organization's MDM. The managed Google Play account is hidden, and applications and devices use it to access Google APIs.
The enrollment process varies between MDM providers, so organizations should refer to their MDM's documentation for detailed steps. The following example shows the process in Microsoft Intune.
First, open the Microsoft Intune admin center portal, and click on Devices, followed by Android. On the next screen, click Enrollment and Managed Google Play. When prompted, select the I agree checkbox, and then click Launch Google to connect now (Figure 1).
Figure 1. Intune admins can set up devices for Android Enterprise enrollment from the admin center portal.
Next, enter the organization's name and location, and click Continue. Subscription options appear on the screen. Select Android Enterprise and any other desired subscriptions, and then click Next. Select Agree and continue, followed by Allow and create account.
After this process, work profiles and personally owned devices are allowed by default, as shown in Figure 2.
Figure 2. Intune is configured by default to allow the use of personally owned Android devices.
Step 2. Set up work profiles on user devices
Once IT has configured the MDM software to enable the use of work profiles on personal devices, users can enroll their devices. In the case of Intune Android management, users can do this through the Intune Company Portal app. This enrollment process automatically results in a work profile being created.
Upon installing the app from the Google Play Store, the user receives a prompt to sign in with their work email address. At this point, they should see a summary screen explaining that enrollment consists of three steps:
Creating a work profile.
Activating the work profile.
Updating the device settings.
From there, the user can follow the onscreen prompts to initiate and complete the setup process. The device is then added to Company Portal.
Frequently asked questions about Android work profiles
While the setup process is straightforward, administrators might still have questions about work profiles and how they function.
How to pause a work profile
Users have the option to pause a work profile to temporarily deactivate it. For example, if a user doesn't want to receive work-related notifications while on vacation, they can pause their work profile. This process is easy, but it might vary from one Android device to the next. In general, users can pause a work profile by swiping down from the top of the screen and selecting the Work tab. On some devices, the tab is represented by a briefcase icon. Next, tap the Pause button, or toggle off the Work profile switch.
How to determine if a device has an Android work profile
The easiest way to check whether a device contains a work profile is to see if the list of applications is divided into tabs. If the device interface has a Personal tab and a Work tab, a work profile is installed and active. Another option is to look under Settings > Accounts and Backup. If the device has a work profile, a work-related account is likely visible within the Manage accounts list.
Is it possible to create a work profile without Android Enterprise?
It is not possible to deploy an official Android work profile without going through the Android Enterprise APIs. IT admins can find alternative technologies to create work profiles, but the best practice is most often to use the first-party profile option.
Editor's note:This article was originally written by Michael Goad in February 2023. Brien Posey wrote an updated version in April 2025 to reflect changes in the MDM market and improve the reader experience.
Brien Posey is a former 22-time Microsoft MVP and a commercial astronaut candidate. In his more than 30 years in IT, he has served as a lead network engineer for the U.S. Department of Defense and a network administrator for some of the largest insurance companies in America.
Michael Goad is a freelance writer and solutions architect with experience handling mobility in an enterprise setting.
Dig Deeper on Mobile operating systems and devices
