In this post I will discuss some of the new features when using a Corporate-owned with work profile (COPE) on Android 11 device. Google has made several adjustments in Android 11 as compared to previous versions when using a Work profile on a company owned device. These include changes to enrollment, backup, privacy, management and more.
For this blogpost I’ve used the following devices:
Changes in Android 11 for COPE profile
As I mentioned in my earlier post about COPE, a lot has changed in Android 11 regarding privacy. In Android 11 the “fully managed device with a work profile” is deprecated. It is now officially called “Work profile on company-owned device”. The privacy of the personal profile will be enhanced which will limit the visibility of data and apps for the organization. Also user are notified when an admin enabled location services.
COPE Enrollment in Android 11
Let’s start at the beginning with enrolling Android 11 devices. For Android 11 the biggest changes are that the “afw#setup“ enrollment method and the Near Field Communication (NFC) enrollment method are no longer supported. There are now three ways available to enroll a device.
This method is especially suitable for testing new profiles. Because of the manual action, I would not recommend it for enrolling large numbers of devices. This can be activated on the first screen you see after turning on a device for the first time or after a factory reset. Tap the screen several times to activate the QR scanner. Scan the QR code in the MEM admin center.
This method is suitable for enrolling and automating large numbers of Samsung devices. Samsung Knox enrollment is not suitable for other brands. If you are already using this method you need to check your enrollment profiel and select the option “Let MDM choose to enroll as a Device Owner or Profile Owner”. If you choose “Force Device Owner enrollment” the device will be enrolled as a “Corporate-owned, fully managed user device”
Google Zero Touch
This method is also suitable for enrolling and automating large numbers of devices. Unlike Samsung Knox Enrollment, there is no brand dependancy, but the device needs to support it and be added to the service by a supplier.
A major drawback of the COPE profile in pre Android 11 versions was that it did not allow you to use Android’s backup capabilities in the personal profile. You were presented with a warning that it was “not available”, “prevented by security policy”, “disabled by Admin” or a similar message as you can see in the examples below.
Because this happened in the personal profile, it was not possible to adjust this through Intune. Intune only manages the work profile. Due to the improved privacy layer in Android 11, it is now possible to use the backup facilities in the personal profile. Enrolling the COPE profile no longer results in the backup being turned off in the personal profile.
it’s now possible to backup using Google and Samsung backup. The recovery option I could only find for Samsung, but you can restore a Google Backup during enrollment.
When you remove an Android 9 or 10 device from Intune, only the Work profile is deleted. In When I removed my Samsung S10 from Intune, the device was reset to factory settings.
Bug Play Store
When I add my personal account during the cope setup, I did not see any applications in the personal Play store. After I add a second account, I do see applications with my second account. I was able to solve this problem by updating the Google play store (Settings -> About phone -> Software information and press “Google Play system update”).
What is your experience?
These are my first experiences with COPE and Android 11. I will continue to update this document in the near future. I would love to hear experiences from other users. What do you guys stumble upon and how do you solve problems? Leave a reply if you have any questions.
I can also see the Play Store bugs on many devices, sometimes the Play store working, another times not.
Aad Lutgert, i love you! Thanks for the tip with “afw#setup”. I am wondering why my device is seutp as fully managed since Android 11…
Yes, I have that issue as well! My android 8 test machine is enrolled with the correct QR token and shows up as corporate owned with work profile (and actually is exactly that) but my android 11 device is showing no work profile and is listed as fully managed. No option to add a personal profile or personal account as well.
You need to use the “tap home screen method” the AFW#setup is not supported. When you use this method the device is setup as a fully managed device instead of a COPE enrolled device.
best regards, Aad
Thank you! That indeed does the trick. Works on Android 8 devices as well fortunately.
I am just wondering why my older Samsung devices enroll via Intune (Azure login) using Knox work like a charm and now a new samsung phone will ask for QR code? No Azure login or anything, it just ask for QR code?
I don’t get it, why?
This is one of the changes made by Google in Android 11. There are now only 3 ways supported to enroll devices with COPE:
Samsung Knox Mobile Enrollment
Google Zero Touch
I have a issue with App protection policy’s in the work profile. The company portal app is removed/hidden and i think that prevents the policy to apply… Any thoughts on this issue?