Update: I’ve added a new blog about managing COPE on Android 11 with Intune
The Corporate-owned with work profile management scenario is the latest addition to the Android enrollment options in Intune. With this profile you can allow personal use on corporate-owned Android devices. At this moment the management profile is feature complete, but it is still in public preview; the preview features are fully supported through the Intune support channels. In this blog post I will show which steps to perform to configure an Android device as Corporate-owned with work profile (COPE) with Intune.
What is a Corporate-owned device with work profile
This management profile is also known as Corporate-Owned, Personally Enabled (COPE) or as fully managed with a work profile. It is similar to the personal device with work profile scenario: company data and applications are installed in a separate, company-managed work profile, and the user keeps a personal profile next to it. The significant difference is ownership. With this profile the device is company owned, which is why the whole device, and not only the work profile, can be managed and wiped.
Features:
- Required apps are installed in the work profile without end-user interaction.
- All company contacts, data and apps are stored in the work profile.
- App protection policies are not required, but can be added for additional protection.
- Outlook company contacts are searchable, and incoming calls from company numbers are recognized.
- The entire device can be wiped.
Changes in Android 11
In Android 11 there are changes regarding privacy. The privacy of the personal profile is enhanced, which limits what the organization can see of the data and apps in the personal profile. For more information check this excellent blog post by Jason Bayton, who is an authority on MDM and Android Enterprise. I have not yet tested this profile with Android 11, because I do not have an Android 11 device.
Setup the profile
Prerequisites:
- The Intune tenant needs to be connected to your managed Google Play account.
- Android OS version 8.0 and above.
- Devices must run a distribution of Android with Google Mobile Services (GMS) and must be able to connect to GMS.
- Intune and Azure AD Premium P1 licenses.
The setup of a Corporate-owned with work profile enrollment in Intune consists of a few steps:
- Create a Corporate-owned with work profile enrollment profile
- Create a user group
- Configure Device Compliance policy
- Configure Device Configuration profile
- Assign additional Apps
- Manually Enroll and Test Configuration
These are the minimum settings I suggest. For a better user experience you can add configuration policies. In addition, it is wise to implement app protection policies to keep data within the work profile.
1. Create a Corporate-owned with work profile enrollment profile
The first step is to create a Corporate-owned with work profile enrollment profile. This profile gives you the token and QR code that your end users use to enroll corporate-owned devices, or that you use to set up automatic enrollment.
1. Log in to the Microsoft Endpoint Manager admin center, browse to "Devices -> Android -> Android enrollment" and select "Corporate-owned devices with work profile (Preview)".
2. Unlike the fully managed enrollment profile, you can create multiple corporate-owned work profile enrollment profiles. Take this into account when naming your profiles. Select "Create profile" to create a new profile.
3. Give your profile a recognizable and unique name. Fill in a description (optional) and press “Next”.
4. When applicable add a scope tag and press "Next".
5. Review your settings and press “Create” to create the enrollment profile.
6. In the profile overview (see step 2) select the newly created enrollment profile and select "Token". The displayed token and/or QR code can be used to enroll devices with a corporate-owned work profile. The token can also be used in Samsung Knox for an automatic enrollment profile. At the moment it's not (yet) possible to replace a Token, you
Important: At the time of writing it is not (yet) possible to replace a token. You can only revoke a token, but be careful: revoking it also removes the enrollment profile. Treat the token and the QR code as a credential. Anyone who has it can enroll a device into your tenant with this profile, so share it only with the people who need it and do not paste it into tickets, e-mail or chat.
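As an added example (not code from the original post, and not Microsoft's or Google's own tooling), the Python below assembles the JSON that the Android setup wizard reads from a provisioning QR code, wires in the enrollment token from step 6 (the same token that is scanned in step 27), and sanity-checks the payload before it is turned into a QR code. The provisioning extras keys are the ones defined by Android's DevicePolicyManager API, and the admin receiver and bundle key are Android Device Policy's; the DPC download URL, the certificate bytes and the token value are constructed placeholders, so the checksum the example computes is not the real Android Device Policy signing checksum. It also shows a redacted form of the payload for logs and tickets, because the token is what enrolls a device into the tenant.

```python
"""Added example: assemble and sanity-check an Android Enterprise provisioning
QR payload that carries the Google enrollment token from the Intune enrollment
profile. Not code from the original post or from Microsoft/Google. All sample
inputs (token, certificate bytes, download URL) are constructed placeholders."""
import base64
import hashlib
import json
import re
from urllib.parse import parse_qs, urlparse

# Provisioning extras defined by Android's DevicePolicyManager API.
COMPONENT = "android.app.extra.PROVISIONING_DEVICE_ADMIN_COMPONENT_NAME"
DOWNLOAD = "android.app.extra.PROVISIONING_DEVICE_ADMIN_PACKAGE_DOWNLOAD_LOCATION"
SIG_CHECKSUM = "android.app.extra.PROVISIONING_DEVICE_ADMIN_SIGNATURE_CHECKSUM"
EXTRAS = "android.app.extra.PROVISIONING_ADMIN_EXTRAS_BUNDLE"
# Android Device Policy's admin receiver and the bundle key it reads the token from.
CLOUDDPC = "com.google.android.apps.work.clouddpc/.receivers.CloudDeviceAdminReceiver"
TOKEN_KEY = "com.google.android.apps.work.clouddpc.EXTRA_ENROLLMENT_TOKEN"

# A SHA-256 digest is 32 bytes: 43 URL-safe base64 characters once padding is stripped.
_CHECKSUM_RE = re.compile(r"^[A-Za-z0-9_-]{43}$")


def signature_checksum(cert_der: bytes) -> str:
    """URL-safe base64 (no padding) of SHA-256 over the DPC's DER signing
    certificate, which is the encoding Android expects for the signature checksum."""
    digest = hashlib.sha256(cert_der).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")


def token_from_enroll_url(url: str) -> str:
    """Pull the token out of an https://enterprise.google.com/android/enroll?et=...
    link, the form in which the enrollment token is also handed out."""
    parts = urlparse(url)
    if parts.scheme != "https" or parts.netloc != "enterprise.google.com":
        raise ValueError("not a Google enrollment URL")
    tokens = parse_qs(parts.query).get("et", [])
    if len(tokens) != 1 or not tokens[0]:
        raise ValueError("enrollment URL does not carry exactly one 'et' token")
    return tokens[0]


def build_payload(token: str, download_url: str, sig_checksum: str) -> dict:
    """The dictionary that, serialised as JSON, is encoded into the QR code."""
    return {
        COMPONENT: CLOUDDPC,
        DOWNLOAD: download_url,
        SIG_CHECKSUM: sig_checksum,
        EXTRAS: {TOKEN_KEY: token},
    }


def validate_payload(payload: dict) -> list:
    """Return a list of problems; an empty list means the payload is usable."""
    problems = [f"missing {k}" for k in (COMPONENT, DOWNLOAD, SIG_CHECKSUM, EXTRAS) if k not in payload]
    if problems:
        return problems
    if payload[COMPONENT] != CLOUDDPC:
        problems.append("component is not Android Device Policy's admin receiver")
    url = urlparse(payload[DOWNLOAD])
    if url.scheme != "https" or not url.netloc:
        problems.append("DPC download location must be an https URL")
    checksum = payload[SIG_CHECKSUM]
    if (not isinstance(checksum, str) or not _CHECKSUM_RE.match(checksum)
            or len(base64.urlsafe_b64decode(checksum + "=")) != 32):
        problems.append("signature checksum is not URL-safe base64 of a 32-byte SHA-256")
    bundle = payload[EXTRAS]
    if not isinstance(bundle, dict) or not bundle.get(TOKEN_KEY):
        problems.append("admin extras bundle lacks the enrollment token")
    return problems


def qr_text(payload: dict) -> str:
    """Compact JSON: the exact text to encode into the QR code."""
    return json.dumps(payload, separators=(",", ":"))


def redacted(payload: dict) -> str:
    """JSON for logs and tickets with the token masked: whoever holds the token
    can enroll a device into the tenant, so it is handled like a password."""
    copy = json.loads(json.dumps(payload))
    if isinstance(copy.get(EXTRAS), dict) and TOKEN_KEY in copy[EXTRAS]:
        copy[EXTRAS][TOKEN_KEY] = "***REDACTED***"
    return json.dumps(copy, indent=2)


if __name__ == "__main__":
    # Constructed inputs: not a real certificate, token or DPC download location.
    fake_cert_der = b"constructed DER bytes for the example"
    enroll_url = "https://enterprise.google.com/android/enroll?et=EXAMPLE-TOKEN-0000"
    payload = build_payload(
        token_from_enroll_url(enroll_url),
        "https://dpc.example/android-device-policy.apk",
        signature_checksum(fake_cert_der),
    )
    print("problems:", validate_payload(payload) or "none")
    print(redacted(payload))  # safe to paste into a ticket; qr_text(payload) is not
```

The validation deliberately refuses a plain-http download location and a malformed signature checksum: the checksum is what stops the setup wizard from installing a DPC other than the one you intended, so a QR code with a wrong or missing checksum should never be handed to a user.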
2. Create a user group
In this step we will create a user group, which we will use to assign configuration profiles and compliance policies.
7. Select “Groups” and press “+ New group” to create a new user group.
8. Enter a recognizable and unique group name. Fill in a Group description (optional) and select Membership type “Assigned”. Press “Create” to create the user group.
9. I will add my test user "Cynthia Carey" to this test group. I will use this user to test the new profile.
3. Configure Device Compliance policy
With a device compliance policy you define the minimum requirements that devices must meet to be considered compliant, for example a minimum operating system version or the use of storage encryption. The compliance state can be used by app protection policies and Conditional Access rules for additional security.
10. Select "Endpoint security" -> "Device compliance" and press "+ Create Policy".
11. Select Platform “Android Enterprise” and Policy type “Fully managed, dedicated, and corporate-owned work profile”. Press “Create” to continue.
12. Enter a recognizable and unique name. Fill in a description (optional) and select "Next".
13. Set the Compliance settings you want to require. In this example I will require a password to unlock and Encryption of data storage on device. Press “Next” to continue.
14. Configure the actions that are performed if a device does not comply with the compliance rules. I will only use the default "Mark device noncompliant" action, but you can also add other actions like e-mails or push notifications. Press "Next" to continue.
15. When applicable add a scope tag and press "Next".
16. Assign the compliance policy to the user group and press “Next” to continue.
17. Review the configuration and press “Create” to create the compliance policy.
4. Configure Device Configuration profile
Device configuration profiles are used to configure device settings, for example to lock down devices, set password rules, allow access to the public Google Play store or block factory reset.
18. Select "Devices" -> "Android" -> "Configuration profiles" and press "+ Create Profile".
19. Select Platform "Android Enterprise" and select a profile from the list under "Fully managed, dedicated, and corporate-owned work profile". I will use "Device restrictions". Press "Create" to continue.
20. Enter a recognizable and unique name. Fill in a description (optional) and select "Next".
21. When configuring a configuration profile, check that the settings you use are also compatible with corporate-owned work profile devices; this is indicated above the settings. In addition, certain settings only apply at the work profile level, which is indicated in the setting itself.
I will only add the password requirements that I also set in the compliance policy. Press "Next" to continue.
22. When applicable add a scope tag and press "Next".
23. Assign the configuration profile to the user group and press "Next" to continue.
24. Review the configuration and press “Create” to create the configuration profile.
5. Assign additional Apps
At the time of writing, the following applications are displayed in the work profile by default.
- Authenticator (Microsoft)
- Chrome
- Contacts (Work profile contacts)
- Files / My files (Work profile files)
- Intune
- Play Store (Managed)
After the device is enrolled, the Company Portal is briefly displayed; after some time it disappears. When you open the Company Portal in the work profile you are redirected to the Intune app.
By default the Chrome browser is shown in the work profile. If you only want to use Edge in the work profile, follow these steps. These settings only apply to the work profile.
25. Uninstall the Chrome browser by assigning the managed Google Play Chrome app to the group with the "Uninstall" assignment type.
This will remove the Chrome app from the work profile.
26. Assign Edge from managed Google Play as required. If other applications are needed, add them to the work profile in the same way as Edge.
This will install the Microsoft Edge browser in the Work profile.
6. Manually Enroll and Test Configuration
Now the configuration is ready to test. I will use enrollment with the QR code to prepare the device, but you can also use Samsung Knox or Google Zero Touch. For the screenshots I've used a Samsung SM-A530F with Android 9. The order and layout of the screens may vary with other brands or Android versions.
27. Scan the QR code or enter the token from step 6.
28. A login screen is displayed to start the setup of your work profile. The wizard is similar to the setup of a fully managed (COBO) device.
29. The next step is to configure a PIN, pattern or password. Press “Start” to continue.
30. Select a lock type you want to configure and press “done” to continue.
31. The next step is to encrypt the device. Press "Start" to continue.
32. On my Samsung device I need to enable "Secure Startup" to encrypt the device. This step may differ on other Samsung or Android devices.
33. Press “Install” to proceed with the installation of your work apps.
34. Wait for the apps to be installed and press "Next".
35. Press “Start” to register your device.
36. Press “Sign In” to sign in with your credentials.
37. Enter your password and press “Sign in”
38. Press “Register” to start the registration of your device.
39. Press “Next” to register your device and “Done” to continue.
40. The setup of the work profile has finished. Press “Done” to continue with the setup of your personal profile.
41. You are now directed to the start screen. After some time the wizard for adding your personal account launches. Press "Next" to continue.
42. You can now add your personal account, or press "Skip". This account is only used in your personal profile.
43. After you have set up your personal account or skipped this step, the device is ready for use. It has the same look and feel as a personal device with work profile.
44. The device is added in Intune as a corporate device with OS "Android (corporate-owned work profile)".
Conclusion
This management scenario fills the gap between fully managed and the personal device with work profile. It enables automatic enrollment of devices with a work profile, keeping company and personal data separated. Although this profile is not yet Generally Available in Intune, Google has supported it for some years. According to Microsoft's blog post:
“We will declare this scenario Generally Available once we sufficiently document and address the Wi-Fi issues customers have been seeing on Android 10 COPE devices due to an Android platform bug. For more information see the Known Issues section below.”
The fix for the Wi-Fi issue is included in an Android 10 maintenance release from December 2019; contact your device manufacturer for more information. If you are not affected by this issue and are willing to be an early adopter, you can start using this management scenario. As mentioned before, the available preview features are fully supported through the Intune support channels. Because of the privacy changes announced with Android 11, be aware of possible differences in functionality between Android 11 and pre-Android 11 devices.
Hi,
nice manual.
we are using such a scenario but we are experiencing severe changes with Android 11, that prevent the device from getting the two profiles installed (work and personal).
Did you already have the chance to test with an Android 11 device?
Regards
Abi
See answer below.
Hi,
we have the same problems with Android 11. There is just one profile…
Cheers
Thomas
Hi Abi and Thomas,
For Android 11 the afw#setup enrollment method and the Near Field Communication (NFC) enrollment method are not supported. To enroll these devices you should use the QR code method described here, Google Zero Touch or Samsung Knox. I've tested the QR code and Samsung Knox methods and can confirm both work. When you use Samsung Knox you need to select the option "Let MDM choose to enroll as a Device Owner or Profile Owner". If you choose "Force Device Owner enrollment" the device will be enrolled as a "Corporate-owned, fully managed user device", just as when you are using the "afw#setup" method.
best regards, Aad
If we do that the device setup gets stuck on "updating device settings".
Hi,
Having the problem that the private Play Store is empty. It works fine with the QR code, but with Samsung Knox the Play Store is empty. Looks like it's using the work profile if you look at the settings (My work apps, and not My apps and games).
Hi,
I'm stuck on step "Register your device". I press Next, it tries to register, and then just says "Register is taking longer than usual. Try to register again in a few minutes" and nothing happens. I tried many times but the answer is the same. May it somehow be connected to user rights? Or is it something else?
Hello!
The same thing is happening to me with two android devices “Oppo” and “Xiaomi”
Me too, the same problem. Stuck on step "Register your device".
Guys, I fixed this problem. But it requires a factory reset of the device. You do everything before step 27, then make a factory reset on the device. When it starts, tap on the screen 6-7 times (depending on model) at the same point, next choose the language, and then you will see the QR code scanning window. After scanning the QR code and making all settings your device will be successfully registered in Intune.
How can you use the COPE method without factory resetting the phone? We have a lot of phones that are corporately owned but used for personal use as well. MS said we have to factory reset to enroll as COPE but doing that to over 80 phones is not feasible. Is there any way we could do this?
Hi Dan,
Unfortunately, there is no other option. You need to perform a factory reset to change device management profile. It does not matter if your devices are fully managed, dedicated or COPE. Only from unmanaged to MAM or work profile and back can be done without factory reset.
regards, Aad
Hi Aad,
thanks for the very good manual.
After the work profile is created there are no apps for phone or SMS in the work profile.
We would like to use the Samsung Phone and Message App but they are not available in the managed play store.
So we assigned the Google Messages app. It was installed and a few seconds later uninstalled automatically.
Any idea or recommendation which apps are suitable ?
Thanks in advance
Kind regards
Ralf
Hi Ralf,
Instead of assigning others you can also enable system apps using Intune. Have a look at this microsoft docs article https://docs.microsoft.com/en-us/mem/intune/apps/apps-ae-system
regards, Aad
Hi Aad,
thank you, this will help. Is it correct that the system apps for phone and messaging in the private profile generally have to be used, even if there is a work profile?
What we see is that when installing e.g. the phone system app in the work profile, we cannot use it. It just shows the message to choose the standard app for phone. But the app itself will not function.
Regards
Ralf
Hi Ralf,
That's correct. The phone and messaging apps are shared by the private and work profile.
regards, Aad
Hi,
At the register step, my device gets stuck with "registration is taking longer than usual" and I can't enroll any device.
I use the https://enterprise.google.com/android/enroll?et=XXXXXX method to do this.
Did you ever have this problem?
Thanks