Corporate-owned with work profile (COPE) with Intune

Update: I’ve added a new blog about managing COPE on Android 11 with Intune

The Corporate-owned with work profile management scenario is the latest addition to the Android enrollment options in Intune. Using this profile you can enable personal use on corporate-owned Android devices. At this moment this management profile is feature complete, but it is still in public preview. The available preview features are fully supported through the Intune support channels. In this blog post I will show which steps to perform to configure an Android device as Corporate-owned with work profile (COPE) with Intune.

 

What is a Corporate-owned device with work profile

This management profile is also known as Company-Owned Personally Enabled (COPE) or as fully managed with a work profile. It is similar to the personal device with a work profile. Just like on the personal device, the company data and applications are installed in a separate profile. The user will have their own personal profile and a separate work profile which is company managed. A significant difference from the personal device with work profile is the ownership: when using this profile, the device is company owned.

Features:

  • Required apps can be installed without interaction of the end-user in the work profile.
  • All company contacts, data and apps are stored in the work profile.
  • App protection policies are not required but can be added for additional protection.
  • Outlook Company contacts are searchable and incoming numbers are recognized.
  • The entire device can be wiped.

 

Changes in Android 11 

In Android 11 there will be some changes regarding the privacy. The privacy of the personal profile will be enhanced which will limit the visibility of data and apps for the organization. For more information check this excellent blogpost by Jason Bayton who is an authority on MDM and Android Enterprise. I have not yet tested this profile with Android 11, due to the lack of an Android 11 device.

 

Setup the profile

Prerequisites:

  • The Intune tenant needs to be connected to your Google Enterprise account.
  • Android OS version 8.0 and above.
  • Devices must run a distribution of Android that has Google Mobile Services (GMS) connectivity. Devices must have GMS available and must be able to connect to GMS.
  • Intune and Azure AD Premium P1 licence

The setup of a Corporate-owned with work profile enrollment in Intune consists out of a few steps:

  1. Create a Corporate-owned with work enrollment profile
  2. Create a User Group
  3. Configure Device Compliance policy
  4. Configure Device Configuration profile
  5. Assign additional Apps
  6. Manually Enroll and Test Configuration

These are the minimal settings I would like to suggest to use. For a better user experience you could add configuration policies. In addition, it is wise to implement protection policies to keep data within your work profile.

 

1. Create a Corporate-owned with work enrollment profile

The first step is to create a Corporate-owned with work enrollment profile to enable your end users to enroll corporate-owned devices or setup Automatic Enrollment.

 

1. Login to the Microsoft Endpoint Manager admin center and browse to “Devices -> Android -> Android Enrollment” and select “Corporate-owned devices with work profile (Preview)” or press here

 

2.  Unlike the fully managed enrollment profile you can create multiple profiles. Take this into account when naming your profiles. Select “Create profile” to create a new profile.

 

3. Give your profile a recognizable and unique name. Fill in a description (optional) and press “Next”.

 

4. When applicable add a scope tag and press “Next”.

 

5. Review your settings and press “Create” to create the enrollment profile.

 

6. In the profile overview (see step 2) select the newly created enrollment profile and select “Token”. The displayed token and/or QR code can be used to enroll devices with a Corporate-owned work profile. The Token can also be used in Samsung Knox for an Automatic enrollment profile. At the moment it’s not (yet) possible to replace a Token, you

Important: At the time of writing this blog it is not (yet) possible to replace a token. It is only possible to revoke a token, but be careful if you do this the enrollment profile will be removed.

 

2. Create a User Group

In this step we will create a user group which we will use to assign configuration profiles and compliance policies.

 

7. Select “Groups” and press “+ New group” to create a new user group.

 

8. Enter a recognizable and unique group name. Fill in a Group description (optional) and select Membership type “Assigned”. Press “Create” to create the user group.

 

9. I will add my test user “Cynthia Carey” to this test group. I will use this user to test the new profile.

 

3. Configure Device Compliance policy

With a device compliance policy you define the minimum requirements for devices; a device must meet these rules to be considered compliant. Examples of these rules are a minimum operating system version or the use of disk encryption. The compliance state can be used with app protection policies and conditional access rules for additional security.

 

10. Select “Endpoint security” -> “Device compliance” or click here and press “+ Create Policy”

 

11. Select Platform “Android Enterprise” and Policy type “Fully managed, dedicated, and corporate-owned work profile”. Press “Create” to continue.

 

12. Enter a recognizable and unique name. Fill in a description (optional) and select “Next”.

 

13. Set the Compliance settings you want to require. In this example I will require a password to unlock and Encryption of data storage on device. Press “Next” to continue.

 

14. Configure the actions that will be performed if the device does not comply with the compliance rules. I will only use the default “Mark device noncompliant” action, but you can add also other actions like emails or push notifications. Press “Next” to continue.

 

15. When applicable add a scope tag and press “Next”.

 

16. Assign the compliance policy to the user group and press “Next” to continue.

 

17. Review the configuration and press “Create” to create the compliance policy.

 

4. Configure Device Configuration profile

Device configuration profiles can be used to configure device settings, for example to lock down devices or to set password rules, access to the public Google Play Store, blocking of factory reset, etc.

 

18. Select “Devices” -> “Android” -> “Configuration profiles” or click here and press “+ Create Profile”

 

19. Select Platform “Android Enterprise” and select a profile from the list under “Fully managed, dedicated, and corporate-owned work profile”. I will use “Device restrictions”. Press “Create” to continue.

 

20. Enter a recognizable and unique name. Fill in a description (optional) and select “Next”.

 

21. When configuring the configuration profile you have to check that the settings you use are also compatible with corporate-owned work profile devices. This is indicated above the settings. In addition, certain settings are only applied at the work profile level; this is indicated in the setting itself.

 

I will only add the password requirements which I set in the compliance policy. Press “Next” to continue.

 

22. When applicable add a scope tag and press “Next”.

 

23. Assign the configuration profile to the user group and press “Next” to continue.

 

24. Review the configuration and press “Create” to create the configuration profile.

 

5. Assign additional Apps

At the time of writing this blog, the following applications were displayed in the work profile by default.

  • Authenticator (Microsoft)
  • Chrome
  • Contacts (Work profile contacts)
  • Files / My files (Work profile files)
  • Intune
  • Play Store (Managed)

After the device is enrolled, the Company Portal is briefly displayed. After some time it will disappear. When you open the Company Portal in the Work profile you will be redirected to the Intune app.

 

 

By default the Chrome browser is shown in the work profile. If you only want to use Edge in the work profile you can do the following steps. These settings only apply to the work profile.

25. Uninstall the Chrome browser using the managed Google Play store Chrome app.

This will remove the Chrome app from the work profile.

 

26. Assign the Edge from the managed Google Play store as required. If other applications are needed, they can be added to the work profile in the same way as Edge.

This will install the Microsoft Edge browser in the Work profile.

 

6. Manually Enroll and Test Configuration

Now the configuration is ready to test. I will use the enrollment with QR code to prepare the device, but you can also use Samsung Knox or Google Zero Touch. For the screenshots I’ve used a Samsung SM-A530F with Android 9. The order and layout of the screens may vary when using other brands or versions of Android.

 

27. Scan the QR Code or enter the Token at step 6.

28. A login screen will be displayed to start the setup of your work profile. The wizard is similar to the setup of the fully managed (COBO) device.

 

29. The next step is to configure a PIN, pattern or password. Press “Start” to continue.

 

30. Select a lock type you want to configure and press “done” to continue.

 

 

31. Next step is to encrypt the device. Press “Start” to continue.

 

32. On my Samsung device I need to enable “Secure Startup” to encrypt my device. This step may be different on other Samsung or Android devices.

 

33. Press “Install” to proceed with the installation of your work apps.

 

34. Wait for the apps to be installed and press “Next”.

 

35. Press “Start” to register your device.

 

36. Press “Sign In” to sign in with your credentials.

 

37. Enter your password and press “Sign in”

 

38. Press “Register” to start the registration of your device.

 

39. Press “Next” to register your device and “Done” to continue.

 

40. The setup of the work profile has finished. Press “Done” to continue with the setup of your personal profile.

 

41. You will now be directed to the start screen. After some time the wizard for adding your personal account will be launched. Press “Next” to continue.

 

42. You can now add your personal account or press skip. This account will only be used in your personal profile.

 

43. After you setup your personal account or skipped setup the device is ready for use. It has the same look and feel as the Personal device with Work profile.

 

44. The device is added in Intune as a Corporate device with OS “Android (corporate-owned work profile)”.
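To verify steps 3 and 44 for more than a single test device, an admin will usually list the enrolled devices and check that each corporate-owned work profile device meets the prerequisites and the compliance rules configured above. The script below is an added example, not code from the blog post or from Microsoft. It assumes the field names of the Microsoft Graph managedDevice resource (deviceName, osVersion, deviceEnrollmentType, managedDeviceOwnerType, complianceState, isEncrypted) and that Graph reports this enrollment scenario as androidEnterpriseCorporateWorkProfile; the device records are constructed sample data standing in for the response of a managedDevices listing.

```python
"""Audit corporate-owned work profile (COPE) devices from an Intune managedDevices listing.

Added example; field names follow the Microsoft Graph managedDevice resource and the
device records below are constructed sample data, not output from a real tenant.
"""
import json
from typing import Dict, List, Tuple

# Enrollment type Graph reports for "Corporate-owned devices with work profile" (assumption).
COPE_ENROLLMENT_TYPE = "androidEnterpriseCorporateWorkProfile"
# Prerequisite from the post: Android 8.0 and above.
MIN_ANDROID_VERSION = (8, 0)

# Constructed sample in the shape of GET /deviceManagement/managedDevices.
SAMPLE_RESPONSE = json.dumps({
    "value": [
        {"deviceName": "SM-A530F-01", "operatingSystem": "Android", "osVersion": "9.0",
         "deviceEnrollmentType": COPE_ENROLLMENT_TYPE, "managedDeviceOwnerType": "company",
         "complianceState": "compliant", "isEncrypted": True},
        {"deviceName": "pixel-02", "operatingSystem": "Android", "osVersion": "11.0",
         "deviceEnrollmentType": COPE_ENROLLMENT_TYPE, "managedDeviceOwnerType": "company",
         "complianceState": "noncompliant", "isEncrypted": False},
        {"deviceName": "old-03", "operatingSystem": "Android", "osVersion": "7.1.2",
         "deviceEnrollmentType": COPE_ENROLLMENT_TYPE, "managedDeviceOwnerType": "company",
         "complianceState": "compliant", "isEncrypted": True},
        # Fully managed (COBO) device: not a work profile device, so it is left out of the audit.
        {"deviceName": "cobo-04", "operatingSystem": "Android", "osVersion": "10.0",
         "deviceEnrollmentType": "androidEnterpriseFullyManaged", "managedDeviceOwnerType": "company",
         "complianceState": "compliant", "isEncrypted": True},
    ]
})


def parse_version(text: str) -> Tuple[int, ...]:
    """Turn '9.0' or '7.1.2' into a comparable tuple; a non-numeric part ends the parse."""
    parts: List[int] = []
    for piece in text.split("."):
        if not piece.isdigit():
            break
        parts.append(int(piece))
    return tuple(parts) or (0,)


def cope_devices(response_text: str) -> List[Dict]:
    """Return only the devices enrolled as corporate-owned work profile."""
    data = json.loads(response_text)
    return [d for d in data.get("value", [])
            if d.get("deviceEnrollmentType") == COPE_ENROLLMENT_TYPE]


def audit_device(device: Dict) -> List[str]:
    """Check one device against the prerequisites and compliance settings from the post."""
    issues: List[str] = []
    if parse_version(device.get("osVersion", "0")) < MIN_ANDROID_VERSION:
        issues.append("os-below-8.0")
    if device.get("managedDeviceOwnerType") != "company":
        issues.append("owner-not-company")
    if not device.get("isEncrypted", False):
        issues.append("storage-not-encrypted")
    if device.get("complianceState") != "compliant":
        issues.append("compliance:" + str(device.get("complianceState")))
    return issues


def audit(response_text: str) -> Dict[str, List[str]]:
    """Map each COPE device name to its list of findings (empty list means all checks passed)."""
    return {d["deviceName"]: audit_device(d) for d in cope_devices(response_text)}


if __name__ == "__main__":
    for name, findings in audit(SAMPLE_RESPONSE).items():
        print(f"{name}: {'ok' if not findings else ', '.join(findings)}")
```

Against a real tenant you would replace SAMPLE_RESPONSE with the body of an authenticated managedDevices request; the encryption check is deliberately separate from complianceState so a device that was marked noncompliant before the compliance policy took effect is still reported with the concrete reason.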

Conclusion

This management scenario fills the gap between fully managed and personally enrolled with work profile. It enables automatic enrollment for devices with a work profile, allowing separation between company and personal data. Although this profile is not yet Generally Available in Intune, it has already been supported for some years by Google. According to the blog post of Microsoft:

“We will declare this scenario Generally Available once we sufficiently document and address the Wi-Fi issues customers have been seeing on Android 10 COPE devices due to an Android platform bug. For more information see the Known Issues section below.”

The fix for the Wi-Fi issue is included in a maintenance release of Android 10 from December 2019. Contact your device manufacturer for more information. If you’re not affected by this issue and are willing to be an early adopter, you can start using this management scenario. As mentioned before, the available preview features are fully supported through our Intune support channels. Because of the privacy changes announced with Android 11, you should be aware of possible differences in functionality between Android 11 and pre-Android 11 devices.

 

 

6 thoughts on “Corporate-owned with work profile (COPE) with Intune

  1. Abilant

    Hi,
    nice manual.
    we are using such a scenario but we are experiencing severe changes with android 11, that prevent the device to get the two profiles installed (work and personal).
    Did you already have the chance to test with an Android 11 device?
    Regards
    Abi

    Reply
    1. Aad Lutgert Post author

      Hi Abi and Thomas,

      For Android 11 the afw#setup enrollment method and the Near Field Communication (NFC) enrollment method are not supported. To enroll these devices you should use the QR code method described here, Google Zero Touch or Samsung Knox. I’ve tested the QR code and Samsung Knox method and can confirm both methods work. When you use Samsung Knox you need to select the option “Let MDM choose to enroll as a Device Owner or Profile Owner”. If you choose “Force Device Owner enrollment” the device will be enrolled as a “Corporate-owned, fully managed user device” just as when you are using the “AFW#setup” method.

      best regards, Aad

      Reply
  2. Viggo Stomsvik

    Hi,

    Having the problem that the private Play Store is empty. It works fine with QR code, but with Samsung Knox the Play Store is empty. Looks like it’s using the work profile if you look at the settings (Mine worksapp, and not mine applications and games).

    Reply
