With Intune, there are several ways to deliver enterprise applications and information to users. One of these options is the Personally-owned work profile. In one of my previous blogs I showed how to manage applications on unmanaged devices (MAM-WE). In this blog we take it a step further and work with a work profile that we manage.
What is a Personal-owned device with work profile?
With this management profile, a separate bubble called Work Profile is created on the personal device for all business information. Only the work profile is managed by Intune. Within the work profile, all business information is stored. Anything outside the work profile is not visible to Intune. The scope of interaction possible between the personal profile and work profile is configurable to a certain level. In addition, it is possible to set certain requirements for the entire device (personal profile) with regard to security.
- Required apps can be installed without interaction of the end-user.
- All company contacts, data and apps are stored in the work profile.
- App protection policies are not required but can be added for additional protection.
- Outlook Company contacts are searchable and incoming numbers are recognized.
- Only the work profile can be wiped using Intune. Personal data is not removed.
- Only one work profile can be created per device.
- Outlook Contacts cannot be synced with Personal contacts outside work profile. (Needed for WhatsApp)
Setup the profile
The setup of a Personal-owned with work profile enrollment in Intune consists of a few steps:
- Allow enrollment for Android Enterprise work profile
- Create a User Group
- Create a Device Compliance policy
- Create a Device Configuration profile
- Assign Applications
- Enroll a test device.
These are the minimal settings I would like to suggest to use. For a better user experience you could add configuration policies. In addition, it is wise to implement protection policies to keep data within your work profile.
1. Allow Enrollment
The first step in configuration is to allow enrolling personal Android Enterprise devices. In addition, I block the enrolling of Android device administrator because it is no longer supported in the latest Android versions.
1. Go to “Devices” -> “Enrollment restrictions” and select your device type restrictions policy. In my tenant it’s the default policy.
2. Select “Properties” and press “Edit”
3. Select “Android Enterprise (work profile)” -> “Allow/Allow” and “Block” Android device administrator. Press “Review + save” and “Save” to continue.
It is now allowed to configure Android devices as “Personal-owned Work Profile” devices. Let’s move on to the next step.
2. Create a User group
In this step, we create a user group. We will then use this group to assign applications and policies. You can also use an existing group for this.
4. Go to “Groups” -> “All groups” and press “New group” to create a new group.
5. Create a new security group and give it a recognizable name. I will use an assigned group here, but you can also use a dynamic user group. Press “Create” to create the user group.
Now that the user group has been created we can proceed to create a device compliance policy.
3. Create a Device Compliance policy
With a device compliance policy you define the minimum requirements for devices, devices must meet these rules to be considered compliant. Examples of these rules are minimum version of operating systems or the use of disk encryption. The compliance state can be used with app protection policies and conditional access rules for additional security.
6. Go to “Devices” -> “Android” -> “Compliance policies”. Press “+Create Policy” to create a new “Device Compliance policy”.
7. Select “Platform” -> “Android Enterprise” and “Profile type” -> Personally-owned work profile”. Press “Create” to continue.
8. Give the policy a recognizable name and press “Next”.
9. Set the compliance settings you want to require. In this example I will require a numeric complex password of at least 4 digits to unlock the device, and encryption of data storage on the device. Press “Next” to continue.
10. Configure the actions that will be performed if the device does not comply with the compliance rules. I will only use the default “Mark device noncompliant” action, but you can add also other actions like emails or push notifications. Press “Next” to continue.
11. When applicable add a scope tag and press “Next”.
12. Assign the compliance policy to the user group created in step 5 and press “Next” to continue.
13. Review the configuration and press “Create” to create the compliance policy.
4. Create a device configuration policy
Device configuration profiles are used to lock down devices or to configure settings such as password rules, blocking screen capture, allowing widgets, default app permissions, etc. In this demo I will block copy and paste between the work and personal profiles, and I will also block screen capture.
14. Select “Devices” -> “Android” -> “Configuration profiles” and press “+ Create Profile”.
15. Select Platform “Android Enterprise” and select a profile from the list under “Personally-owned work profile”. I will use “Device restrictions”. Press “Create” to continue.
16. Enter a recognizable and unique name. Fill in a Group description (optional) and select “Next”.
17. The device restriction policy for personal-owned work profile devices is currently divided into 4 groups:

| Group | Description |
|---|---|
| Work profile settings | Work profile related settings like data sharing, password and more. |
| Password | Requirements for the device password (Personal profile) |
| System security | Settings related to system security (Personal and work profile) |
| Connectivity | VPN settings (Work profile) |
18. By default, the setting “block copy and paste between work and personal profiles” is already set to “Block”. Only the “Screen capture” setting needs to be modified to “Block”. Press “Next” to continue.
19. When applicable add a scope tag and press “Next”.
20. Assign the configuration policy to the user group created in step 5 and press “Next” to continue.
21. Review the configuration policy and press “Create” to create the configuration profile.
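The two policies from steps 3 and 4 (the compliance policy with a numeric complex PIN and storage encryption, and the device restriction profile that blocks cross-profile copy/paste and screen capture) can also be created and assigned with the Microsoft Graph API instead of the portal, which is useful when the same baseline must be reproduced in several tenants or kept under version control. The script below is an added example and is not part of the original post or Microsoft's documentation. It assumes the Microsoft.Graph PowerShell SDK is installed, uses the Graph beta resource types `androidWorkProfileCompliancePolicy` and `androidWorkProfileGeneralDeviceConfiguration`, and takes the group name and policy display names as placeholders; the `scheduledActionsForRule` shape (rule name `PasswordRequired`, action `block` with a 0 hour grace period) is an assumption modelled on what the portal's default “Mark device noncompliant” action produces.

```powershell
# Added example (not from the original post): create and assign the work profile
# compliance policy (step 3) and device restriction profile (step 4) via Graph beta.
# Assumes the Microsoft.Graph SDK; group and policy names are placeholders.

Connect-MgGraph -Scopes "DeviceManagementConfiguration.ReadWrite.All", "Group.Read.All"

# Placeholder: the user group created in step 2.
$groupName = "Intune-AndroidWorkProfile-Users"
$groupResult = Invoke-MgGraphRequest -Method GET `
    -Uri "https://graph.microsoft.com/v1.0/groups?`$filter=displayName eq '$groupName'"
$groupId = $groupResult.value[0].id
if (-not $groupId) { throw "Group '$groupName' not found" }

# Step 3: compliance policy. Numeric complex PIN of at least 4 digits and
# encrypted storage are required; the only action is "mark noncompliant".
$compliancePolicy = @{
    "@odata.type"            = "#microsoft.graph.androidWorkProfileCompliancePolicy"
    displayName              = "Android WP - Baseline compliance"      # placeholder
    description              = "Numeric complex PIN (min 4) and encrypted storage"
    passwordRequired         = $true
    passwordRequiredType     = "numericComplex"
    passwordMinimumLength    = 4
    storageRequireEncryption = $true
    # Assumption: this mirrors the portal's default action (block, no grace period).
    scheduledActionsForRule  = @(
        @{
            ruleName                      = "PasswordRequired"
            scheduledActionConfigurations = @(
                @{
                    actionType                = "block"
                    gracePeriodHours          = 0
                    notificationTemplateId    = ""
                    notificationMessageCCList = @()
                }
            )
        }
    )
}
$cp = Invoke-MgGraphRequest -Method POST `
    -Uri "https://graph.microsoft.com/beta/deviceManagement/deviceCompliancePolicies" `
    -Body ($compliancePolicy | ConvertTo-Json -Depth 10) -ContentType "application/json"

# Step 4: device restriction profile. Clipboard sharing between profiles and
# screen capture inside the work profile are both blocked.
$restrictions = @{
    "@odata.type"                         = "#microsoft.graph.androidWorkProfileGeneralDeviceConfiguration"
    displayName                           = "Android WP - Device restrictions"   # placeholder
    workProfileBlockCrossProfileCopyPaste = $true
    workProfileBlockScreenCapture         = $true
}
$dc = Invoke-MgGraphRequest -Method POST `
    -Uri "https://graph.microsoft.com/beta/deviceManagement/deviceConfigurations" `
    -Body ($restrictions | ConvertTo-Json -Depth 10) -ContentType "application/json"

# Assign both objects to the user group (same target body for each).
$assignBody = @{
    assignments = @(
        @{ target = @{ "@odata.type" = "#microsoft.graph.groupAssignmentTarget"; groupId = $groupId } }
    )
} | ConvertTo-Json -Depth 10

Invoke-MgGraphRequest -Method POST -ContentType "application/json" -Body $assignBody `
    -Uri "https://graph.microsoft.com/beta/deviceManagement/deviceCompliancePolicies/$($cp.id)/assign"
Invoke-MgGraphRequest -Method POST -ContentType "application/json" -Body $assignBody `
    -Uri "https://graph.microsoft.com/beta/deviceManagement/deviceConfigurations/$($dc.id)/assign"

"Compliance policy $($cp.id) and configuration profile $($dc.id) assigned to '$groupName'"
```

Run it once against a test tenant and then compare the two objects in the portal with the ones created by hand in steps 3 and 4; the property names above map directly onto the portal fields (“Required password type”, “Minimum password length”, “Encryption of data storage on device”, “Copy and paste between work and personal profiles”, “Screen capture”).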
5. Assign additional Apps
In this step we are going to add the applications that will be shown in the work profile. For this demo we are going to add the applications Edge and Office.
22. First the applications need to be added to Intune. I will be using managed Google Play apps. Go to “Apps” -> “Android” and press “+Add”. In the “Select app type” blade select “Managed Google Play app” and press “Select”.
23. Enter “edge” in the search bar and press the magnifying glass. Select “Microsoft Edge” in the search results.
24. Press “Approve” to start the approval process.
25. Perform the same steps for Office and press “Sync” to sync the Managed Google Play store with Intune.
26. After some time press the “refresh” button and the added apps will appear.
27. Now the apps need to be assigned. Select the App and select “Properties” in the navigation bar. Press “Edit” next to “Assignments”
28. Add the group created in step 5 as required group. By doing this the app will be installed by default in the Work profile.
29. Press “Save” to finish the assignment of the Edge application.
30. Perform steps 27 to 29 again for the Office app, but add the Office app as available instead of required. This way the app is not installed automatically; the user can install it from the Play store inside the work profile.
Now that both applications are assigned, all steps are complete and we can start testing the new profile.
6. Enroll and Test Configuration
To enrol a device, the user must install Microsoft’s Company Portal app and log in. A work profile is then created and the work applications are installed within the profile. Let’s see how that works on a test device. For testing, I am using a Nokia 8 with Android 9. User experience may vary by model and Android version.
31. Install the Company Portal on the device using the Android Play Store.
32. Sign in to the company portal with your Azure AD credentials.
33. Press on “Begin” to begin the setup of the work profile.
34. On the privacy page, the end user can see what data is visible by the administrator. Press “Continue” to continue.
35. Press “Accept & continue” to set up the work profile on your device.
36. Press “Continue” to activate the work profile.
37. Press “Continue” to update the device settings.
38. The settings are now correct. Press “Done” to finish the setup.
39. The phone will now have a Personal and Work profile. The work profile contains the work apps. The required “Edge” browser is installed.
40. Optional Work apps can be installed using the Play store in the work profile. For example you can install the “Office” app.
41. When you try to take a screenshot in a work app you get the message “Couldn’t save screenshot: Taking screenshots isn’t allowed by the app or your organization”. The device restriction applies to all work apps. If you want to control security per app, use an app protection policy instead.
I hope you liked this blog about the personal-owned work profile deployment using Intune. Just leave a reply if you have questions or remarks about this post.