Update: I’ve added a new blog about managing COPE on Android 11 with Intune
The Corporate-owned with work profile management scenario is the latest addition to the Android enrollment options in Intune. Using this profile you can enable personal use on corporate-owned Android devices. At this moment this management profile is feature complete, but it is still in public preview. The available preview features are fully supported through the Intune support channels. In this blog post I will show which steps to perform to configure an Android device as Corporate-owned with work profile (COPE) with Intune.
What is a Corporate-owned device with work profile
This management profile is also known as Company-Owned Personally Enabled (COPE) or as fully managed with a work profile. It is similar to the personal device with a work profile. Just like on a personal device, the company data and applications are installed in a separate profile. The user will have their own personal profile and a separate work profile which is company managed. A significant difference with the personal device with work profile is the ownership: when using this profile, the device is company owned.
- Required apps can be installed in the work profile without end-user interaction.
- All company contacts, data and apps are stored in the work profile.
- App protection policies are not required but can be added for additional protection.
- Outlook Company contacts are searchable and incoming numbers are recognized.
- The entire device can be wiped.
Changes in Android 11
In Android 11 there will be some changes regarding privacy. The privacy of the personal profile will be enhanced, which will limit the visibility of data and apps for the organization. For more information check this excellent blog post by Jason Bayton, who is an authority on MDM and Android Enterprise. I have not yet tested this profile with Android 11, due to the lack of an Android 11 device.
Set up the profile
- The Intune tenant needs to be connected to your Google Enterprise account.
- Android OS version 8.0 and above.
- Devices must run a distribution of Android that has Google Mobile Services (GMS) connectivity. Devices must have GMS available and must be able to connect to GMS.
- Intune and Azure AD Premium P1 licence
The setup of a Corporate-owned with work profile enrollment in Intune consists of a few steps:
- Create a Corporate-owned with work profile enrollment profile
- Create a User Group
- Configure Device Compliance policy
- Configure Device Configuration profile
- Assign additional Apps
- Manually Enroll and Test Configuration
These are the minimal settings I would suggest using. For a better user experience you could add configuration policies. In addition, it is wise to implement app protection policies to keep data within your work profile.
1. Create a Corporate-owned with work profile enrollment profile
The first step is to create a Corporate-owned with work profile enrollment profile to enable your end users to enroll corporate-owned devices or to set up automatic enrollment.
2. Unlike the fully managed enrollment profile, you can create multiple profiles of this type. Take this into account when naming your profiles. Select “Create profile” to create a new profile.
3. Give your profile a recognizable and unique name. Fill in a description (optional) and press “Next”.
4. When applicable add a scope tag and press “Next”.
5. Review your settings and press “Create” to create the enrollment profile.
6. In the profile overview (see step 2) select the newly created enrollment profile and select “Token”. The displayed token and/or QR code can be used to enroll devices with a Corporate-owned work profile. The token can also be used in Samsung Knox for an automatic enrollment profile. At the moment it’s not (yet) possible to replace a token, you
Important: At the time of writing this blog it is not (yet) possible to replace a token. It is only possible to revoke a token, but be careful: if you do this, the enrollment profile will be removed.
2. Create a User Group
In this step we will create a user group which we will use to assign configuration profiles and compliance policies.
7. Select “Groups” and press “+ New group” to create a new user group.
8. Enter a recognizable and unique group name. Fill in a Group description (optional) and select Membership type “Assigned”. Press “Create” to create the user group.
9. I will add my test user “Cynthia Carey” to this test group. This user I will use to test the new profile.
3. Configure Device Compliance policy
With a device compliance policy you define the minimum requirements for devices; devices must meet these rules to be considered compliant. Examples of these rules are a minimum operating system version or the use of disk encryption. The compliance state can be used with app protection policies and conditional access rules for additional security.
10. Select “Endpoint security” -> “Device compliance” and press “+ Create Policy”.
11. Select Platform “Android Enterprise” and Policy type “Fully managed, dedicated, and corporate-owned work profile”. Press “Create” to continue.
12. Enter a recognizable and unique name. Fill in a description (optional) and select “Next”.
13. Set the Compliance settings you want to require. In this example I will require a password to unlock and Encryption of data storage on device. Press “Next” to continue.
14. Configure the actions that will be performed if the device does not comply with the compliance rules. I will only use the default “Mark device noncompliant” action, but you can also add other actions like emails or push notifications. Press “Next” to continue.
15. When applicable add a scope tag and press “Next”.
16. Assign the compliance policy to the user group and press “Next” to continue.
17. Review the configuration and press “Create” to create the compliance policy.
4. Configure Device Configuration profile
Device configuration profiles can be used to configure device settings, for example to lock down devices or to set password rules, access to the public Google Play Store, blocking factory reset, etc.
18. Select “Devices” -> “Android” -> “Configuration profiles” and press “+ Create Profile”.
19. Select Platform “Android Enterprise” and select a profile from the list under “Fully managed, dedicated, and corporate-owned work profile”. I will use “Device restrictions”. Press “Create” to continue.
20. Enter a recognizable and unique name. Fill in a description (optional) and select “Next”.
21. When configuring the configuration profiles you have to check that the settings you use are also compatible with corporate-owned work profile devices. This is indicated above the settings. In addition, certain settings are only applied at the work profile level; this is indicated in the setting.
I will only add the password requirements which I set in the compliance policy. Press “Next” to continue.
22. When applicable add a scope tag and press “Next”.
23. Assign the configuration profile to the user group and press “Next” to continue.
24. Review the configuration and press “Create” to create the configuration profile.
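The compliance policy from steps 10-17, and the group assignment that steps 16 and 23 share, can also be created through Microsoft Graph instead of the portal. The following PowerShell script is an added example, not part of the original post or of Intune's own tooling; it assumes you already hold a Graph access token in $AccessToken with the DeviceManagementConfiguration.ReadWrite.All permission, that $GroupId is the object id of the user group from step 8, and that the property names of the androidDeviceOwnerCompliancePolicy resource type (Graph beta) are as I recall them, so verify them against the Graph documentation before use.

```powershell
# Added example (not from the original post): create the COPE compliance policy from
# steps 10-17 via Microsoft Graph beta and assign it to the user group from step 8.
# Assumptions: $AccessToken is a valid Graph token, $GroupId the user group's object id,
# and the androidDeviceOwnerCompliancePolicy property names match the Graph beta docs.
param(
    [Parameter(Mandatory)] [string] $AccessToken,
    [Parameter(Mandatory)] [string] $GroupId,
    [string] $PolicyName = 'COPE - Baseline compliance'
)

$graph   = 'https://graph.microsoft.com/beta/deviceManagement'
$headers = @{ Authorization = "Bearer $AccessToken"; 'Content-Type' = 'application/json' }

# Step 13: require a password and storage encryption.
# Step 14: the default "Mark device noncompliant" action is expressed in Graph as a
# block action with a grace period of 0 hours on the default rule.
$policy = @{
    '@odata.type'            = '#microsoft.graph.androidDeviceOwnerCompliancePolicy'
    displayName              = $PolicyName
    description              = 'Requires a device password and storage encryption on COPE devices'
    passwordRequired         = $true
    storageRequireEncryption = $true
    scheduledActionsForRule  = @(
        @{
            ruleName = 'PasswordRequired'
            scheduledActionConfigurations = @(
                @{ actionType = 'block'; gracePeriodHours = 0; notificationTemplateId = ''; notificationMessageCCList = @() }
            )
        }
    )
}
$created = Invoke-RestMethod -Method Post -Uri "$graph/deviceCompliancePolicies" `
    -Headers $headers -Body ($policy | ConvertTo-Json -Depth 10)
Write-Host "Created compliance policy $($created.id)"

# Step 16: assign the policy to the user group. The same assign action and body shape is
# used for the configuration profile in step 23, against deviceConfigurations instead.
$assignment = @{
    assignments = @(
        @{ target = @{ '@odata.type' = '#microsoft.graph.groupAssignmentTarget'; groupId = $GroupId } }
    )
}
Invoke-RestMethod -Method Post -Uri "$graph/deviceCompliancePolicies/$($created.id)/assign" `
    -Headers $headers -Body ($assignment | ConvertTo-Json -Depth 10) | Out-Null

# Read the policy back and fail loudly if the two required settings did not take effect.
$check = Invoke-RestMethod -Method Get -Uri "$graph/deviceCompliancePolicies/$($created.id)" -Headers $headers
if (-not ($check.passwordRequired -and $check.storageRequireEncryption)) {
    throw "Policy $($created.id) does not enforce password and encryption as expected"
}
```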
5. Assign additional Apps
At the time of writing this blog, the following applications were displayed in the work profile by default.
- Authenticator (Microsoft)
- Contacts (Work profile contacts)
- Files / My files (Work profile files)
- Play Store (Managed)
After the device is enrolled, the Company Portal is briefly displayed. After some time it will disappear. When you open the Company Portal in the Work profile you will be redirected to the Intune app.
By default the Chrome browser is shown in the work profile. If you only want to use Edge in the work profile you can do the following steps. These settings only apply to the work profile.
25. Uninstall the Chrome browser using the managed Google Play store Chrome app.
This will remove the Chrome app from the work profile.
26. Assign the Edge from the managed Google Play store as required. If other applications are needed, they can be added to the work profile in the same way as Edge.
This will install the Microsoft Edge browser in the Work profile.
6. Manually Enroll and Test Configuration
Now the configuration is ready to test. I will use the enrollment with QR code to prepare the device, but you can also use Samsung Knox or Google Zero Touch. For the screenshots I’ve used a Samsung SM-A530F with Android 9. The order and layout of the screens may vary when using other brands or versions of Android.
27. Scan the QR Code or enter the Token at step 6.
28. A login screen will be displayed to start the setup for your work profile. The wizard is similar to the setup of the fully managed (COBO) device.
29. The next step is to configure a PIN, pattern or password. Press “Start” to continue.
30. Select a lock type you want to configure and press “done” to continue.
31. Next step is to encrypt the device. Press “Start” to continue.
32. On my Samsung device I need to enable “Secure Startup” to encrypt my device. This step may be different on other Samsung or Android devices.
33. Press “Install” to proceed with the installation of your work apps.
34. Wait for the apps to be installed and press “Next”.
35. Press “Start” to register your device.
36. Press “Sign In” to sign in with your credentials.
37. Enter your password and press “Sign in”.
38. Press “Register” to start the registration of your device.
39. Press “Next” to register your device and “Done” to continue.
40. The setup of the work profile has finished. Press “Done” to continue with the setup of your personal profile.
41. You will now be directed to the start screen. After some time the wizard for adding your personal account will be launched. Press “Next” to continue.
42. You can now add your personal account or press skip. This account will only be used in your personal profile.
43. After you have set up your personal account or skipped the setup, the device is ready for use. It has the same look and feel as the personal device with work profile.
44. The device is added in Intune as a corporate device with OS “Android (corporate-owned work profile)”.
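Step 44 verifies one test device in the portal; for a tenant-wide check of which COPE devices enrolled and whether they still meet the compliance policy from step 3, the following PowerShell script is an added example, not part of the original post or of Intune's own tooling. It assumes $AccessToken holds a Graph token with DeviceManagementManagedDevices.Read.All, and that the deviceEnrollmentType value 'androidEnterpriseCorporateWorkProfile' on the Graph beta managedDevice resource is the one used for this scenario, which you should verify against the Graph documentation.

```powershell
# Added example (not from the original post): list Android corporate-owned work profile
# devices from Intune via Microsoft Graph beta and flag noncompliant or stale ones.
# Assumptions: $AccessToken is a valid Graph token; the enrollment type value below is
# assumed from the Graph beta managedDevice enum and should be checked against the docs.
param([Parameter(Mandatory)] [string] $AccessToken)

$headers = @{ Authorization = "Bearer $AccessToken" }
# Single quotes keep PowerShell from expanding $select and $filter as variables.
$uri = 'https://graph.microsoft.com/beta/deviceManagement/managedDevices' +
       '?$select=id,deviceName,userPrincipalName,operatingSystem,osVersion,' +
       'managedDeviceOwnerType,deviceEnrollmentType,complianceState,lastSyncDateTime' +
       '&$filter=managedDeviceOwnerType eq ''company'''

# Follow @odata.nextLink so tenants with more than one page of devices are fully covered.
$devices = @()
do {
    $page     = Invoke-RestMethod -Method Get -Uri $uri -Headers $headers
    $devices += $page.value
    $uri      = $page.'@odata.nextLink'
} while ($uri)

# Filter client-side: corporate-owned Android devices enrolled with a work profile (COPE).
$cope = $devices | Where-Object {
    $_.operatingSystem -like 'Android*' -and
    $_.deviceEnrollmentType -eq 'androidEnterpriseCorporateWorkProfile'
}

# A device that has not synced for 7 days may never have received the compliance policy.
$report = $cope | ForEach-Object {
    [pscustomobject]@{
        Device     = $_.deviceName
        User       = $_.userPrincipalName
        OS         = "$($_.operatingSystem) $($_.osVersion)"
        Compliance = $_.complianceState
        LastSync   = $_.lastSyncDateTime
        Stale      = ([datetime]$_.lastSyncDateTime -lt (Get-Date).AddDays(-7))
    }
}
$report | Sort-Object Compliance, LastSync | Format-Table -AutoSize

$needsAttention = @($report | Where-Object { $_.Compliance -ne 'compliant' -or $_.Stale })
Write-Host ("{0} COPE devices found, {1} noncompliant or stale" -f @($report).Count, $needsAttention.Count)
```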
This management scenario fills the gap between fully managed and personal enrollment with work profile. It enables automatic enrollment for devices with a work profile, allowing separation between company and personal data. Although this profile is not yet generally available in Intune, it has already been supported by Google for some years. According to the blog post of Microsoft:
“We will declare this scenario Generally Available once we sufficiently document and address the Wi-Fi issues customers have been seeing on Android 10 COPE devices due to an Android platform bug. For more information see the Known Issues section below.”
The fix for the Wi-Fi issue is included in a maintenance release of Android 10 from December 2019. Contact your device manufacturer for more information. If you’re not affected by this issue and are willing to be an early adopter, you can start using this management scenario. As mentioned before, the available preview features are fully supported through the Intune support channels. Because of the privacy changes announced with Android 11, you should be aware of possible differences in functionality between Android 11 and pre-Android 11 devices.