Personal-owned work profile (BYOD) with Intune

With Intune, there are several ways to deliver enterprise applications and information to users. One of these options is the personally-owned work profile. In one of my previous blogs I showed how to manage applications on unmanaged devices (MAM-WE); in this blog we take it a step further and work with a work profile that Intune manages.

 

What is a Personal-owned device with work profile

With this management profile, a separate bubble called Work Profile is created on the personal device for all business information. Only the work profile is managed by Intune. Within the work profile, all business information is stored. Anything outside the work profile is not visible to Intune. The scope of interaction possible between the personal profile and work profile is configurable to a certain level. In addition, it is possible to set certain requirements for the entire device (personal profile) with regard to security.

Advantages:

  • Required apps can be installed without end-user interaction.
  • All company contacts, data and apps are stored in the work profile.
  • App protection policies are not required but can be added for additional protection.
  • Outlook Company contacts are searchable and incoming numbers are recognized.
  • Only the work profile can be wiped using Intune. Personal data is not removed.

Disadvantages:

  • Only one work profile can be created per device.
  • Outlook Contacts cannot be synced with Personal contacts outside work profile. (Needed for WhatsApp)

 

Setup the profile

The setup of a personally-owned work profile enrollment in Intune consists of a few steps:

  1. Allow enrollment for Android Enterprise work profile
  2. Create a User Group
  3. Create a Device Compliance policy
  4. Create a Device Configuration profile
  5. Assign Applications
  6. Enroll a test device.

These are the minimal settings I would like to suggest to use. For a better user experience you could add configuration policies. In addition, it is wise to implement protection policies to keep data within your work profile.

 

1. Allow Enrollment

The first step in the configuration is to allow enrollment of personally-owned Android Enterprise devices. In addition, I block enrollment with Android device administrator because it is no longer supported in the latest Android versions.

 

1. Go to “Devices” -> “Enrollment restrictions” or click here and select your device type restrictions policy. In my tenant it’s the default policy

 

2. Select “Properties” and press “Edit”

 

3. Select “Android Enterprise (work profile)” -> “Allow/Allow” and “Block” Android device administrator. Press “Review + save” and “Save” to continue.

 

Android devices can now be enrolled as “Personal-owned Work Profile” devices. Let’s move on to the next step.

 

2. Create a User group

In this step, we create a user group. We will then use this group to assign applications and policies. You can also use an existing group for this.

 

4. Go to “Groups” -> “All groups” or click here and press “New group” to create a new group.

 

5. Create a new security group and give it a recognizable name. I will use an assigned group here, but you can also use a dynamic user group. Press “Create” to create the user group.

 

Now that the user group has been created we can proceed to create a device compliance policy.

 

3. Create a Device Compliance policy

With a device compliance policy you define the minimum requirements for devices; a device must meet these rules to be considered compliant. Examples of such rules are a minimum operating system version or the use of disk encryption. The compliance state can be used with app protection policies and conditional access rules for additional security.

 

6. Go to “Devices” -> “Android” -> “Compliance policies” or click here. Press “+Create Policy” to create a new “Device Compliance policy”

 

7. Select “Platform” -> “Android Enterprise” and “Profile type” -> “Personally-owned work profile”. Press “Create” to continue.

 

8. Give the policy a recognizable name and press “Next”.

 

9. Set the compliance settings you want to require. In this example I will require a numeric complex password of at least 4 digits to unlock the device, and encryption of data storage on the device. Press “Next” to continue.

 

10. Configure the actions that will be performed if the device does not comply with the compliance rules. I will only use the default “Mark device noncompliant” action, but you can also add other actions like emails or push notifications. Press “Next” to continue.

 

11. When applicable, add a scope tag and press “Next”.

 

12. Assign the compliance policy to the user group created in step 5 and press “Next” to continue.

 

13. Review the configuration and press “Create” to create the compliance policy.

 

4. Create a device configuration policy

Device configuration profiles can be used to lock down devices or to configure settings like password rules, blocking screen capture, allowing widgets, default app permissions, etc. In this demo I will block copy and paste between the work and personal profiles, and I will also block screen capture.

 

14. Select “Devices” -> “Android” -> “Configuration profiles” or click here and press “+ Create Profile”

 

15. Select Platform “Android Enterprise” and select a profile from the list under “Personally-owned work profile”. I will use “Device restrictions”. Press “Create” to continue.

 

16. Enter a recognizable and unique name. Fill in a group description (optional) and select “Next”.

 

17. The device restriction policy for personally-owned work profile devices is currently divided into 4 groups:

  • Work profile settings: work profile related settings like data sharing, password and more.
  • Password: requirements for the device password (personal profile).
  • System security: settings related to system security (personal and work profile).
  • Connectivity: VPN settings (work profile).

 

18. By default, the setting “block copy and paste between work and personal profiles” is already set to “Block”. Only the “Screen capture” setting needs to be modified to “Block”. Press “Next” to continue.

 

19. When applicable, add a scope tag and press “Next”.

 

20. Assign the configuration policy to the user group created in step 5 and press “Next” to continue.

 

21. Review the configuration policy and press “Create” to create the configuration profile.

 

5. Assign additional Apps

In this step we are going to add the applications that will be shown in the work profile. For this demo we are going to add the applications Edge and Office.

 

22. First the applications need to be added to Intune. I will be using managed Google Play apps. Go to “Apps” -> “Android” or press here. Press “+Add”. In the “select app type” blade select “Managed Google Play app” and press “Select”.

 

23. Enter “edge” in the search bar and press the magnifying glass. Select “Microsoft Edge” in the search results.

 

24. Press “Approve” to start the approval process.

 

25. Perform the same steps for Office and press “Sync” to sync the Managed Google Play store with Intune.

 

26. After some time press the “refresh” button and the added apps will appear.

 

27. Now the apps need to be assigned. Select the App and select “Properties” in the navigation bar. Press “Edit” next to “Assignments”

 

28. Add the group created in step 5 as required group. By doing this the app will be installed by default in the Work profile.

 

29. Press “Save” to finish the assignment of the Edge application.

 

30. Perform steps 27 to 29 again for the Office app. Add the Office app as available instead of required. This way the app is not installed automatically; the user can install the application themselves in the work profile.

 

Now that both applications have been added and assigned, all steps are complete to start testing with the new profile.
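The portal steps in sections 3 to 5 all create Microsoft Graph objects behind the scenes. The following Python is an added example, not code from the original post: it builds the same compliance policy (numeric complex PIN of at least 4 digits, storage encryption, default “mark noncompliant” action), the device restrictions profile (screen capture and cross-profile copy/paste blocked), the group assignment bodies for the policies and for the Edge (required) and Office (available) apps, and a small local check that shows which rules a device report would fail. The resource types and property names are Microsoft Graph v1.0 Intune types; `GROUP_ID`, the device report keys and the bearer token are placeholders or constructed values that you replace with your own.

```python
"""Added example (not from the original post): the Microsoft Graph objects
behind steps 6-30, built as plain dicts so they can be inspected offline.
Resource types and property names are Microsoft Graph v1.0 Intune types;
GROUP_ID and the bearer token are placeholders you replace."""
import json
import urllib.request

GRAPH = "https://graph.microsoft.com/v1.0"
GROUP_ID = "00000000-0000-0000-0000-000000000000"  # placeholder: the step 5 group

# Android password quality, weakest to strongest (the order of the Graph
# androidRequiredPasswordType enum used by the compliance policy).
PASSWORD_STRENGTH = ["deviceDefault", "lowSecurityBiometric", "required",
                     "atLeastNumeric", "numericComplex", "atLeastAlphabetic",
                     "atLeastAlphanumeric", "alphanumericWithSymbols"]


def build_compliance_policy(name="BYOD work profile - baseline"):
    """Steps 9-10: numeric complex PIN of at least 4 digits, encrypted storage,
    and the default 'Mark device noncompliant' action (block, no grace period)."""
    return {
        "@odata.type": "#microsoft.graph.androidWorkProfileCompliancePolicy",
        "displayName": name,
        "passwordRequired": True,
        "passwordRequiredType": "numericComplex",
        "passwordMinimumLength": 4,
        "storageRequireEncryption": True,
        # Graph rejects a compliance policy created without a scheduled action rule.
        "scheduledActionsForRule": [{
            "ruleName": "PasswordRequired",
            "scheduledActionConfigurations": [{
                "actionType": "block", "gracePeriodHours": 0,
                "notificationTemplateId": "", "notificationMessageCCList": []}]}],
    }


def build_device_restrictions(name="BYOD work profile - restrictions"):
    """Step 18: block screen capture and cross-profile copy/paste; every other
    setting keeps the portal default."""
    return {
        "@odata.type": "#microsoft.graph.androidWorkProfileGeneralDeviceConfiguration",
        "displayName": name,
        "workProfileBlockScreenCapture": True,
        "workProfileBlockCrossProfileCopyPaste": True,
    }


def group_target(group_id):
    return {"@odata.type": "#microsoft.graph.groupAssignmentTarget",
            "groupId": group_id}


def build_policy_assignment(group_id):
    """Steps 12 and 20: body for POST .../deviceCompliancePolicies/{id}/assign
    and .../deviceConfigurations/{id}/assign."""
    return {"assignments": [{"target": group_target(group_id)}]}


def build_app_assignment(group_id, intent):
    """Steps 28-30: body for POST /deviceAppManagement/mobileApps/{id}/assign;
    intent is 'required' (Edge, auto-installed) or 'available' (Office)."""
    if intent not in ("required", "available"):
        raise ValueError("intent must be 'required' or 'available'")
    return {"mobileAppAssignments": [{
        "@odata.type": "#microsoft.graph.mobileAppAssignment",
        "intent": intent, "target": group_target(group_id)}]}


def evaluate_compliance(policy, device):
    """Local illustration of the rules in build_compliance_policy() applied to a
    device report (constructed keys; the real evaluation runs in the Intune
    service). Returns the names of the failed rules, empty when compliant."""
    failed = []
    if policy["passwordRequired"] and not device.get("passwordSet"):
        failed.append("passwordRequired")
    if (PASSWORD_STRENGTH.index(device.get("passwordType", "deviceDefault"))
            < PASSWORD_STRENGTH.index(policy["passwordRequiredType"])):
        failed.append("passwordRequiredType")
    if device.get("passwordLength", 0) < policy["passwordMinimumLength"]:
        failed.append("passwordMinimumLength")
    if policy["storageRequireEncryption"] and not device.get("storageEncrypted"):
        failed.append("storageRequireEncryption")
    return failed


def post_to_graph(token, path, body):
    """Submit one object; the token needs the Intune ReadWrite permissions
    (assumption: obtained through your own sign-in flow). Not run in the demo."""
    req = urllib.request.Request(
        GRAPH + path, data=json.dumps(body).encode(), method="POST",
        headers={"Authorization": "Bearer " + token,
                 "Content-Type": "application/json"})
    with urllib.request.urlopen(req) as resp:
        return json.load(resp) if resp.getcode() != 204 else {}


# Constructed device reports: one that satisfies the policy, one that does not.
COMPLIANT_DEVICE = {"passwordSet": True, "passwordType": "numericComplex",
                    "passwordLength": 6, "storageEncrypted": True}
WEAK_DEVICE = {"passwordSet": True, "passwordType": "atLeastNumeric",
               "passwordLength": 4, "storageEncrypted": False}

if __name__ == "__main__":
    policy = build_compliance_policy()
    print(json.dumps(policy, indent=2))
    print("weak device fails:", evaluate_compliance(policy, WEAK_DEVICE))
    # To apply for real: post_to_graph(token, "/deviceManagement/deviceCompliancePolicies", policy)
```

The builders return the exact JSON the portal sends, so they double as a record of what the policies contain; the `evaluate_compliance` check is only there to make the rules concrete (a plain numeric PIN of 4 digits on an unencrypted device fails on password type and encryption, not on length).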

 

6. Enroll and Test Configuration

To enroll a device, the user must install Microsoft’s Company Portal app and log in. A work profile is then created and the work applications are installed within the profile. Let’s see how that works on a test device. For testing, I am using a Nokia 8 with Android 9. The user experience may vary by model and Android version.

 

31. Install the Company Portal on the device using the Android Play Store.

 

32. Sign in to the company portal with your Azure AD credentials.

 

33. Press on “Begin” to begin the setup of the work profile.

 

34. On the privacy page, the end user can see what data is visible by the administrator. Press “Continue” to continue.

 

35. Press “Accept & continue” to set up the work profile on your device.

 

36. Press “continue” to activate the work profile.

 

37. Press “continue” to update the device settings.

 

38. The settings are now correct. Press “done” to finish the setup.

 

39. The phone will now have a Personal and Work profile. The work profile contains the work apps. The required “Edge” browser is installed.

 

40. Optional Work apps can be installed using the Play store in the work profile. For example you can install the “Office” app.

 

41. When you try to take a screenshot in a work app you get the message “Couldn’t save screenshot: Taking screenshots isn’t allowed by the app or your organization”. The device restriction applies to all work apps. If you want to control security per app, it is better to use an app protection policy.

 

I hope you liked this blog about the personal-owned work profile deployment using Intune. Just leave a reply if you have questions or remarks about this post.

5 thoughts on “Personal-owned work profile (BYOD) with Intune”

  1. Georgios Hadjimavros

    Hello . I am using also Android Enterprise personally-owned work profile and i do not have the option to wipe the device or reset the device password .

    Do you know how we can wipe at least the work profile on a personally-owned work profile and reset the device passcode ?

    1. Aad Lutgert Post author

      Hi Georgios,

      Because the Android Enterprise personally-owned work profile is a personal owned device the options are limited. Because of this device ownership you are only allowed to manage the Work-profile with Intune. Therefore you are unable to wipe the device or reset the device passcode. These options are only available on Corporate-owned Android Enterprise devices. To answer your questions: If you remove the device from intune by pressing the “delete” button, the work profile will be removed from the device. Unfortunately it’s not possible to reset the device passcode as this is managed by the owner of the device which is in case of a personally owned device the end user.

      best regards

  2. Alex

    Hi Aad,
    I applied the personally owned work profile according to this manual, but all apps in the work profile are not restricted to the managed Google Play account. I can see and install all kinds of apps like Facebook, Instagram and so on which are not part of managed Google Play. Any ideas why?

    1. Aad Lutgert Post author

      Hi Alex,

      Did you look in the Play Store in the personal or in the work profile? In the personal profile you should be able to see all apps and also install from the public store. In the work profile you should only see the applications published with Intune. When you look in the MEM admin center and browse to Android devices, do you see the device you are testing on registered with the OS: Android (personally-owned work profile)?

      regards, Aad

  3. Access

    Hi Aad,

    I’m looking for a method to block access to Microsoft 365 from Android personal profile, and to allow access to corporate data only from Android Work profile.

    I have tried Conditional Access controls “require compliant device”, “require approved client app” and requiring both of these, but still e.g. Outlook can read and access the corporate data on the personal profile too (not showing all emails though). Earlier I believed that the device compliancy rule would automatically block the personal profile from accessing M365, because Intune shows only the Android work profile and its compliancy status under devices with reduced functionalities, if compared to other enrollment methods.

    Do you have a solution how to resolve this issue? I’m thinking options such as Intune device config, Intune compliancy policies, AAD Conditional Access and App protection policies.
