How to create a work profile on Android devices

What is work profile?

Work profile is part of the Android Enterprise platform, which is a Google-led initiative that helps businesses use Android devices and apps in the workplace. The program offers developers APIs and other tools to integrate Android support into MDM platforms.

Work profile provides a managed user profile that resides on the device in addition to the personal profile. This allows for both personal and work applications to be available on the same device. The managed user profile is encrypted and uses different encryption keys for work and personal data.

Due to the nature of the two profiles on a device, organizations won't need this program for single use kiosk devices or devices that are for work only. Work profile is most commonly associated with BYOD use cases, but it is possible to use in a corporate-owned personally enabled scenario.

How to create a work profile on an Android device

The separation of work and personal data allows for greater security and privacy for both individuals and businesses. An MDM or UEM platform is required to create work profiles on Android devices, but the rest of the article will refer to all management platforms as MDM. With one of these platforms, IT administrators can create and manage work profiles, apps and data on Android devices. With these platforms, IT can go further and control device management and security policies. Once users have enrolled their devices into their company's MDM, they will have access to their work profile and can easily switch it on and off for use cases such as vacation.

There are many different MDMs and UEMs to choose from; VMware Workspace One, Microsoft Intune, Maas360, Cisco Meraki Systems Manager, and even Google's own Android Enterprise Essentials are some of the most well-known options.

How to configure MDM for work profile

To begin the process of configuring an Android work profile, admins will need to register their MDM with Google. This process is called Android EMM Registration. This registration step creates a Managed Google Play Account on each device enrolled into the company's MDM. This account is hidden and is a special Google account used by applications and devices to access Google APIs.

Step 1: Configure EMM Registration within MDM

This example uses VMware Workspace One. Organizations should refer to their MDM's documentation for the corresponding setup process.

1. Navigate to Groups & Settings
2. Then, select All Settings
3. Next select Android
4. Select Android EMM Registration (Figure 1)
5. Follow the prompts to complete the registration

Registration will require the admin to have a Google account to associate with the chosen MDM. The best practice is to use a shared email alias that multiple admins can access.

Step 2: Configure work profile

With the completed EMM Registration in place, admins can start building the MDM configuration profiles. These profiles contain security and device settings, referred to as payloads, that IT manages. Because work profile is most associated with BYOD devices, it limits some of the features and capabilities of the device available for control to strengthen user privacy and security. However, Android Enterprise still gives IT complete control and visibility of their corporate information and data on the device via the encrypted work profile container.

To create a work profile:

1. At the top of the Workspace One Tenant, hover over the Add and select Profile.
2. Select Android.

There are many different payloads available to configure. IT could, for example, configure a passcode policy.

A work profile passcode policy allows admins to set a per-app passcode requirement for users to access any managed applications within the work profile. In this instance, after 15 minutes of inactivity, the user would need to input their passcode when accessing the managed application shown with the Work profile Lock Timeout Range (in Minutes) (Figure 2).

Additional payloads include restricting specific device functionality and mandating passcode length. Not all restrictions are available for work profile due to the privacy and security of the personally owned BYOD Android smartphone. The MDM console will guide admins through the configurations available for each MDM payload.

Step 3: Configure Android applications

With the registration complete and the work profile set up, admins can use the same account by navigating to the Google Work site and selecting the apps that need configuration and deployment. Here, the chosen apps are available for further configuration within the MDM.

Frequently asked questions about Android work profiles

While this process is straightforward, administrators might still have questions about work profiles and how they function.

How to deliver a work profile to users' devices?

Once IT configures the MDM, users can start enrolling their devices into MDM to receive the work profile, the device management and any configurations. The most common method to register a device into MDM is to instruct users to download the MDM application from the Google Play Store and sign in with their company credentials.

This will cue the user to follow the prompts for enrollment. The MDM app itself will guide them through each step. Once this process is complete, the work profile will be installed on the device, along with security configurations and managed applications.

How to determine if a device has an Android work profile

To check if an Android device is enrolled and has a work profile, go to Settings>Accounts on the device. If there is a profile specified in the Work section of the accounts, this means there is a work profile installed and active.

Is it possible to create a work profile without Android Enterprise?

It is not possible to deploy an official Android work profile without going through the Android Enterprise APIs. IT administrators can find alternative technologies to create work profiles, but the best practice is most often to use the first-party profile option.