Personal-owned work profile (BYOD) with Intune

With Intune, there are several ways to deliver enterprise applications and information to users. One of these options is the personally-owned work profile. In one of my previous blogs I showed how to manage applications on unmanaged devices (MAM-WE); in this blog we take it a step further and work with a work profile that we manage.

What is a Personal-owned device with work profile

With this management profile, a separate bubble called Work Profile is created on the personal device for all business information. Only the work profile is managed by Intune. Within the work profile, all business information is stored. Anything outside the work profile is not visible to Intune. The scope of interaction possible between the personal profile and work profile is configurable to a certain level. In addition, it is possible to set certain requirements for the entire device (personal profile) with regard to security.

Advantages:

  • Required apps can be installed without end-user interaction.
  • All company contacts, data and apps are stored in the work profile.
  • App protection policies are not required but can be added for additional protection.
  • Outlook Company contacts are searchable and incoming numbers are recognized.
  • Only the work profile can be wiped using Intune. Personal data is not removed.

Disadvantages:

  • Only one work profile can be created per device.
  • Outlook contacts cannot be synced to the personal contacts outside the work profile (which WhatsApp needs).

Setup the profile

The setup of a personally-owned work profile enrollment in Intune consists of a few steps:

  1. Allow enrollment for Android Enterprise work profile
  2. Create a User Group
  3. Create a Device Compliance policy
  4. Create a Device Configuration profile
  5. Assign Applications
  6. Enroll a test device.

These are the minimal settings I suggest using. For a better user experience you could add configuration policies. In addition, it is wise to implement app protection policies to keep data within your work profile.

1. Allow Enrollment

The first step is to allow enrollment of personally-owned Android Enterprise devices. In addition, I block enrollment of Android device administrator because it is no longer supported in the latest Android versions.

1. Go to “Devices” -> “Enrollment restrictions” and select your device type restrictions policy. In my tenant it’s the default policy.

2. Select “Properties” and press “Edit”.

3. Under “Android Enterprise (work profile)” set both “Platform” and “Personally owned” to “Allow”, and set Android device administrator to “Block”. Press “Review + save” and “Save” to continue.

Android devices can now be enrolled as “Personally-owned work profile” devices. Let’s move on to the next step.

 

2. Create a User group

In this step, we create a user group that we will then use to assign applications and policies. You can also use an existing group for this.

4. Go to “Groups” -> “All groups” and press “New group” to create a new group.

5. Create a new security group and give it a recognizable name. I will use an assigned group here, but you can also use a dynamic user group. Press “Create” to create the user group.

Now that the user group has been created we can proceed to create a device compliance policy.

 

3. Create a Device Compliance policy

With a device compliance policy you define the minimum requirements that devices must meet to be considered compliant. Examples of these rules are a minimum operating system version or the use of disk encryption. The compliance state can be used with app protection policies and conditional access rules for additional security.

6. Go to “Devices” -> “Android” -> “Compliance policies”. Press “+Create Policy” to create a new device compliance policy.

7. Select “Platform” -> “Android Enterprise” and “Profile type” -> “Personally-owned work profile”. Press “Create” to continue.

8. Give the policy a recognizable name and press “Next”.

9. Set the compliance settings you want to require. In this example I require a numeric complex password of at least 4 digits to unlock the device, and encryption of data storage on the device. Press “Next” to continue.

10. Configure the actions that are performed when a device does not meet the compliance rules. I only use the default “Mark device noncompliant” action, but you can also add other actions such as sending an email or a push notification. Press “Next” to continue.

11. When applicable, add a scope tag and press “Next”.

12. Assign the compliance policy to the user group created in step 5 and press “Next” to continue.

13. Review the configuration and press “Create” to create the compliance policy.

 

4. Create a device configuration profile

Device configuration profiles are used to configure device settings, for example to lock down devices or to set password rules, block screen capture, allow widgets, set default app permissions, and so on. In this demo I will block copy and paste between the work and personal profiles, and I will also block screen capture.

14. Select “Devices” -> “Android” -> “Configuration profiles” and press “+ Create Profile”.

15. Select platform “Android Enterprise” and select a profile from the list under “Personally-owned work profile”. I will use “Device restrictions”. Press “Create” to continue.

16. Enter a recognizable and unique name, fill in a description (optional) and select “Next”.

17. The device restriction policy for personally-owned work profile devices is currently divided into 4 groups:

  • Work profile settings: work profile related settings such as data sharing, password and more.
  • Password: requirements for the device password (personal profile).
  • System security: settings related to system security (personal and work profile).
  • Connectivity: VPN settings (work profile).

18. By default, the setting “Copy and paste between work and personal profiles” is already set to “Block”. Only the “Screen capture” setting needs to be changed to “Block”. Press “Next” to continue.

19. When applicable, add a scope tag and press “Next”.

20. Assign the configuration profile to the user group created in step 5 and press “Next” to continue.

21. Review the configuration and press “Create” to create the configuration profile.
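The compliance policy from steps 9 to 13 and the device restrictions profile from steps 18 to 21 can also be created through the Microsoft Graph deviceManagement API instead of the portal. The script below is an added example for this post, not the author’s own tooling: it builds the two request bodies with the same settings chosen above (numeric complex PIN of at least 4 digits, storage encryption, “Mark device noncompliant”, blocked cross-profile copy/paste and screen capture) and assigns both objects to the user group from step 5. It assumes a Graph bearer token with the DeviceManagementConfiguration.ReadWrite.All permission obtained separately, and the group object id is a placeholder.

```python
"""Create the work profile compliance policy and device restrictions profile via Graph."""
import json
import urllib.request

GRAPH = "https://graph.microsoft.com/v1.0"


def build_work_profile_compliance_policy(name: str) -> dict:
    """Request body for POST /deviceManagement/deviceCompliancePolicies (step 9/10)."""
    return {
        "@odata.type": "#microsoft.graph.androidWorkProfileCompliancePolicy",
        "displayName": name,
        "description": "Personally-owned work profile baseline",
        # Step 9: numeric complex unlock code of at least 4 digits
        "passwordRequired": True,
        "passwordRequiredType": "numericComplex",
        "passwordMinimumLength": 4,
        # Step 9: encryption of data storage on the device
        "storageRequireEncryption": True,
        # Step 10: only the default action. Graph needs at least one scheduled
        # action rule; "block" with a 0h grace period is "Mark device noncompliant".
        "scheduledActionsForRule": [{
            "ruleName": "PasswordRequired",
            "scheduledActionConfigurations": [{
                "actionType": "block",
                "gracePeriodHours": 0,
                "notificationTemplateId": "",
                "notificationMessageCCList": [],
            }],
        }],
    }


def build_work_profile_restrictions(name: str) -> dict:
    """Request body for POST /deviceManagement/deviceConfigurations (step 18)."""
    return {
        "@odata.type": "#microsoft.graph.androidWorkProfileGeneralDeviceConfiguration",
        "displayName": name,
        "description": "Work profile device restrictions",
        # Step 18: the portal default already blocks cross-profile copy/paste ...
        "workProfileBlockCrossProfileCopyPaste": True,
        # ... and we additionally block screen capture inside the work profile
        "workProfileBlockScreenCapture": True,
    }


def build_group_assignment(group_id: str) -> dict:
    """Body for POST .../{id}/assign, targeting the user group from step 5."""
    return {"assignments": [{"target": {
        "@odata.type": "#microsoft.graph.groupAssignmentTarget",
        "groupId": group_id,
    }}]}


def graph_post(token: str, path: str, body: dict) -> dict:
    """Minimal authenticated POST; returns the parsed JSON response (or {})."""
    req = urllib.request.Request(
        GRAPH + path, data=json.dumps(body).encode(), method="POST",
        headers={"Authorization": f"Bearer {token}",
                 "Content-Type": "application/json"})
    with urllib.request.urlopen(req, timeout=30) as resp:
        raw = resp.read()
    return json.loads(raw) if raw else {}


def deploy(token: str, group_id: str):
    """Create both objects, assign them to the group, return their ids."""
    comp = graph_post(token, "/deviceManagement/deviceCompliancePolicies",
                      build_work_profile_compliance_policy("AE WP - Compliance"))
    graph_post(token, f"/deviceManagement/deviceCompliancePolicies/{comp['id']}/assign",
               build_group_assignment(group_id))
    cfg = graph_post(token, "/deviceManagement/deviceConfigurations",
                     build_work_profile_restrictions("AE WP - Device restrictions"))
    graph_post(token, f"/deviceManagement/deviceConfigurations/{cfg['id']}/assign",
               build_group_assignment(group_id))
    return comp["id"], cfg["id"]


if __name__ == "__main__":
    # Placeholders: supply a real token and the group's object id to call deploy()
    print(json.dumps(build_work_profile_compliance_policy("AE WP - Compliance"), indent=2))
```

Check the created objects in the admin center afterwards; the compliance policy should list the password and encryption settings exactly as step 9 shows them.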

 

5. Assign additional Apps

In this step we add the applications that will be shown in the work profile. For this demo we add the Edge and Office applications.

22. First the applications need to be added to Intune. I will be using managed Google Play apps. Go to “Apps” -> “Android” and press “+Add”. In the “Select app type” blade select “Managed Google Play app” and press “Select”.

23. Enter “edge” in the search bar and press the magnifying glass. Select “Microsoft Edge” in the search results.

24. Press “Approve” to start the approval process.

25. Perform the same steps for Office and press “Sync” to sync the managed Google Play store with Intune.

26. After some time press the “Refresh” button and the added apps will appear.

27. Now the apps need to be assigned. Select the app and select “Properties” in the navigation bar. Press “Edit” next to “Assignments”.

28. Add the group created in step 5 as a required group. By doing this the app is installed by default in the work profile.

29. Press “Save” to finish the assignment of the Edge application.

30. Perform steps 27 to 29 again for the Office app, but add the Office app as available instead of required. This way the app is not installed automatically; the user can install it in the work profile themselves.

Now that both applications have been added and assigned, all steps are complete and we can start testing with the new profile.

 

6. Enroll and Test Configuration

To enroll a device, the user installs Microsoft’s Company Portal app and signs in. A work profile is then created and the work applications are installed within that profile. Let’s see how that works on a test device. For testing, I am using a Nokia 8 with Android 9. The user experience may vary by model and Android version.

31. Install the Company Portal on the device from the Android Play Store.

32. Sign in to the Company Portal with your Azure AD credentials.

33. Press “Begin” to begin the setup of the work profile.

34. On the privacy page, the end user can see which data is visible to the administrator. Press “Continue” to continue.

35. Press “Accept & continue” to set up the work profile on your device.

36. Press “Continue” to activate the work profile.

37. Press “Continue” to update the device settings.

38. The settings are now correct. Press “Done” to finish the setup.

39. The phone now has a personal and a work profile. The work profile contains the work apps; the required Edge browser is installed.

40. Optional work apps can be installed from the Play Store in the work profile. For example, you can install the Office app.

41. When you try to take a screenshot in a work app you get the message “Couldn’t save screenshot: Taking screenshots isn’t allowed by the app or your organization”. The device restriction applies to all work apps. If you want to control security per app, use an app protection policy instead.

I hope you liked this blog about the personal-owned work profile deployment using Intune. Just leave a reply if you have questions or remarks about this post.

45 thoughts on “Personal-owned work profile (BYOD) with Intune”

  1. Georgios Hadjimavros

    Hello. I am also using Android Enterprise personally-owned work profile and I do not have the option to wipe the device or reset the device password.

    Do you know how we can wipe at least the work profile on a personally-owned work profile and reset the device passcode?

    Reply
    1. Aad Lutgert Post author

      Hi Georgios,

      Because the Android Enterprise personally-owned work profile is a personally owned device, the options are limited. Because of this device ownership you are only allowed to manage the work profile with Intune. Therefore you are unable to wipe the device or reset the device passcode. These options are only available on corporate-owned Android Enterprise devices. To answer your questions: if you remove the device from Intune by pressing the “Delete” button, the work profile will be removed from the device. Unfortunately it’s not possible to reset the device passcode, as this is managed by the owner of the device, which in the case of a personally owned device is the end user.

      Best regards

      Reply
  2. Alex

    Hi Aad,
    I applied the personally owned work profile according to this manual, but all apps in the work profile are not restricted to the managed Google Play account. I can see and install all kinds of apps like Facebook, Instagram and so on which are not part of managed Google Play. Any ideas why?

    Reply
    1. Aad Lutgert Post author

      Hi Alex,

      Did you look in the Play Store in the personal or in the work profile? In the personal profile you should be able to see all apps and also install from the public store. In the work profile you should only see the applications published with Intune. When you look in the MEM admin center and browse to Android devices, do you see the device you are testing on registered with the OS “Android (personally-owned work profile)”?

      regards, Aad

      Reply
  3. Access

    Hi Aad,

    I’m looking for a method to block access to Microsoft 365 from Android personal profile, and to allow access to corporate data only from Android Work profile.

    I have tried Conditional Access controls “require compliant device”, “require approved client app” and requiring both of these, but still e.g. Outlook can read and access the corporate data on the personal profile too (not showing all emails though). Earlier I believed that the device compliance rule would automatically block the personal profile from accessing M365, because Intune shows only the Android work profile and its compliance status under devices, with reduced functionality compared to other enrollment methods.

    Do you have a solution how to resolve this issue? I’m thinking options such as Intune device config, Intune compliancy policies, AAD Conditional Access and App protection policies.

    Reply
    1. Kreyain

      I am looking for a solution to this as well, and all routes still allow the device to access company email in the personal profile’s Outlook.

      Reply
    2. Luis

      Hello,

      I’m in a similar situation, I want to:
      1. Allow only work profile to access apps like outlook. I don’t want to allow personal profile to be able to add corporate outlook.
      2. Do not allow any non corporate account to be added to the work profile (so in outlook you can’t add your personal email account and then pass data from corporate to personal email within the same profile…

      Trying to achieve this with conditional access policies but for example if I block access for all apps, then I can’t allow only “Microsoft intune company portal” in order to allow device registration and work profile to be created. Sign in wouldn’t work.

      Ideal scenario:
      – Allow on personal profile only company portal sign in + work profile creation. Everything else blocked.
      – Allow on work profile only the pushed apps and corporate account to be added. Everything else blocked.
      – Achieve these with conditional access policies / compliance policies.

      Anyone knows how to achieve this? Otherwise I might look into other policies like outlook mobile only app (without work profile).

      Reply
      1. Aad Lutgert Post author

        Hi all,

        I will try to answer all questions in one answer. Please let me know if you need additional information.

        1. Allow only work profile to access apps like outlook. I don’t want to allow personal profile to be able to add corporate outlook.

        This can be done by configuring a conditional access policy and App protection policy. Let me explain:

        Using the conditional access policy you can either create a Block policy (exclude compliant devices) or a Grant policy (Grant: Require device to be marked as compliant).
        With the Block policy the user will see a message that it’s not permitted to add the account (preview setting).
        With the Grant policy the user will see something similar but with an option to register the device.

        Important:
        If the user has already authenticated before the conditional access policy was activated, then the user will still have access to Exchange Online because of the session token. (See ). You can revoke the session token manually by using PowerShell (Revoke-AzureADUserAllRefreshToken) or by using the revoke sessions button in Azure AD. Once the session is revoked the user will still have access to the mails in the Outlook app. This can be solved by applying an app protection policy.

        2. Do not allow any non corporate account to be added to the work profile (so in outlook you can’t add your personal email account and then pass data from corporate to personal email within the same profile…

        This can be configured using an App configuration policy for Outlook. You need to set “Allow only work or school accounts” to “Enabled”. You will also need to configure a configuration profile for the work profile or app protection policy to prevent data to be copied to the personal profile.

        The settings I’ve described above vary by Exchange configuration (Exchange Online/On-prem/Hybrid). In the above example, I have assumed Exchange Online configuration. In addition, you will need the proper licenses to make it work.

        I hope this answers the questions for everybody in this Thread.

        regards, Aad

        Reply
        1. Luis

          Hi,

          The first step that the user has to do to register the device is to sign in from the personal profile to Company Portal in order to create the work profile. My issue is that I do not know how to allow sign-in to Company Portal, because the app is not listed for allowing it in conditional access policies.
          Do you know how to fix this issue?

          Thanks

          Reply
          1. Aad Lutgert Post author

            Hi Luis,

            The user downloads the Company Portal from the public Android Play Store on their device. To be able to enroll you need to check the following

            – The user needs an Intune license to be able to enroll a device
            – In the Device type restrictions (MEM admin center) you should allow the user to enroll a personal owned Android Enterprise (work profile) device (Personally owned -> Allow)

            If it still doesn’t work check this page https://docs.microsoft.com/en-us/troubleshoot/mem/intune/troubleshoot-device-enrollment-in-intune#android-issues and the logging in Azure AD and Intune for more information.

            regards, Aad

          1. Aad Lutgert Post author

            Hi Krishna,

            By using the “Block Policy” the user will only be unable to connect to the Exchange service using a device which isn’t compliant. This doesn’t block every cloud app. Only the cloud apps which you include in your conditional access policy, which in this case will be the “Office 365 Exchange Online” Cloud app to block outlook outside of the work profile.

            regards, Aad

    3. Intune BOYD

      Hi,

      Does someone know where the data in the professional workspace is saved on the mobile phone?

      Reply
  4. Toms

    So in my case, my work apps are installed on the main profile and personal apps on the Android work profile. But too bad that some applications are blocked on the Android work profile by the application developers. I submitted queries and proofs to them, and they said that they detected my handheld as rooted or modified. They also refuse to fix this false positive. Sigh.

    Reply
  5. Jacky

    Hello everyone,

    I am configuring the deployment of TeamViewer Host + TeamViewer Universal Add-On with Intune.
    The problem concerns the activation of the Universal Add-On in access services.
    When I click on “Enable”, I arrive in the accessibility menu with the following message.
    In the access settings, the category “Downloaded apps” does not appear.

    And if this service is not enabled, the person connecting to this device will only be able to see its screen, but will not be able to control it remotely.

    Thanks for your help !

    Reply
  6. Renato Reynoso

    I have one Android device added as a device administrator, but I have now blocked that option and I am trying to add a Samsung Galaxy S8 as a personally-owned work profile, and it only wants to add it as a device administrator. I have set up managed Google Play and created a compliance policy and a configuration profile, which are all assigned to a group that the test user is a member of.

    Reply
    1. Aad Lutgert Post author

      Hi Renato,

      Did you block device administrator and allow both the Android Enterprise platform and Personally owned? Sometimes the changes take some time, so you might try again at a later time.

      regards, Aad

      Reply
  7. Nico Post

    This article is super great.

    I only have 1 question. I made a “work profile”. With CA and “app protection policies” I can only log in within the “work profile”; in the “personal profile” I can’t log in, and that is great too.

    I have setup that apps are installed immediately, Word OneDrive Excel etc, but I have to enter my username once in every app, is this also possible to do this with SSO?

    Scenario: clean reset phone, install the Company Portal app, log in to the app.
    After it is all done with downloading and syncing the policies, every app I open I need to enter my user name.

    Reply
  8. Eflin Charles

    Hi Aad

    Indeed a great article.
    I have a problem with the Play Store. It’s there under my WORK profile, but I cannot see apps listed?

    Just get “No Results Found” despite apps being published in o365?

    Any ideas?

    Reply
    1. Aad Lutgert Post author

      Hi Eflin,

      Did you publish them as required apps? These will not show up in the Play Store, you only see available apps. Did you check the managed apps in devices -> android -> . There may be an error or a clue for the issue.

      I noticed something similar last year in Android 11. See the Play Store bug at https://vmlabblog.com/2021/03/corporate-owned-with-work-profile-cope-on-android-11/. Do you see the managed Google Play account in the Play Store?

      regards Aad

      Reply
  9. Eflin Charles

    Hi Aad

    Thanks for getting back to me.
    I will start to look at this issue again shortly, and will get back to you. Really good advice, and it’s appreciated.
    Great site!!

    Regards

    Reply
    1. Dan Powell

      Hey There,

      I’ve experienced the same thing.

      Apps set to available for enrolled devices, or available with or without enrollment, don’t appear in the work profile managed Google Play store. I just get a “No Results Found” message.

      If I set an App to Required, it will install almost instantly.

      Did you manage to find out what was causing the problem?

      Reply
  10. Avadhoot Dalavi

    I have tried multiple combinations to block access to Outlook or Teams via conditional access policies. This simply doesn’t work. Could you please guide me around it.

    Reply
  11. Jay Allen

    I’m not able to install applications that I download from my Onedrive that I have on the personal work profile. I get the “Action Not Allowed” error. I checked my policies and I allow install from unknown sources but it doesn’t work on my personal work profile, however it works on the corporate work profile. Any suggestions?

    Reply
  12. LL van Hoorne

    Can I also use this manual for Apple devices? I saw this is Android.

    I hope for an answer soon.

    L van Hoorne

    Reply
  13. Emmanuel

    Hello,

    Do you know if it’s possible to limit the storage size which is being used by the work profile for personally-owned devices?

    Thank you.

    Reply
    1. Aad Lutgert Post author

      Hi Emmanuel,

      As far as I know there is no setting in Intune to limit the storage size for the work profile. But you could check the OEMconfig settings for the device brand you’re using. It may be possible to configure in OEMconfig.

      regards, Aad

      Reply
  14. SaKiss

    Dear Aad,

    is there a possibility to enroll into intune through an existing Android Work Profile? I have a work profile on my Samsung BYOD device, which I had created with Insular app. When I download the Company Portal and try to enroll, I get a message like “Work profile cannot be added. If you need support, contact your IT-administrator”

    Thanks in advance.

    Reply
    1. Aad Lutgert Post author

      Hello,

      No, this is not possible. You need to create a new work profile. The profile is created and managed by the MDM tool, there is as far as I know no option to transfer the ownership of the work profile to another management solution.

      regards, Aad

      Reply
  15. Jon

    Hello,
    I have a user that is wanting a unique configuration. He likes all of his emails to be nested in one Application. So with the work managed Outlook app, he has added his personal account which we allow. However, the question is, might there be a way to separate the applied policy restrictions from his personal account inside the managed app or is this just a restriction altogether?

    Reply
    1. Aad Lutgert Post author

      Hi Jon,

      Not completely sure what you mean, but MAM policies are applied on the whole application and the device restrictions on the work profile. It is not possible to exclude other accounts from policies applied to an application.

      regards, Aad

      Reply
  16. David I

    Dear Aad,

    When I try to create a compliance policy for Personal Devices, it does not show me the Personally-Owned Work Profile option, personal device only.

    I tested COBO and COPE, and they work correctly, but when I add the personal device through the portal, the work profile doesn’t apply to me.

    I don’t see what that can be, I appreciate your help.

    Reply
    1. Aad Lutgert Post author

      Hi David,

      I’m not sure if I understand you. Are you not seeing the option to create a “Personally-owned work profile” compliance policy or are you having a different issue?

      regards, Aad

      Reply
  17. Ben

    Hi. Thank you for the writeup. It’s excellent – well done.

    I would like have BYOD Android devices, but approve them before they access Teams/Sharepoint. This is easy with iOS/Android 12 because you can use the serial or IMEI number. This isn’t possible with Android 13. Can you provide any advice how this can be done?

    Thanks again.

    Reply
  18. Tony

    Hi, Thanks a lot for this topic!

    It seems like the configuration policy is not applied on my device. If I go to the device in Intune and click on Device Configuration, you see nothing.

    Thanks,

    Reply
    1. Aad Lutgert Post author

      Hi Tony,

      How did you assign the configuration policy to the device? Did you assign it to a user group and check if the user is in the group? Using dynamic groups can take a long time to update.

      regards, Aad

      Reply
  19. Robert

    I followed the steps but steps 33-40 never happened for me. I signed into the Company Portal and I could see my other work device; that was it. The device was never enrolled in Intune or Azure AD. There were no errors or anything. What would cause it to just let the user sign in and not install any profiles?

    Thanks

    Reply
    1. Aad Lutgert Post author

      It seems that you are only logged into the company portal and have not enrolled the device. Do the device restrictions allow personal enrollment of Android devices?

      Reply
  20. David Green

    Hi Aad, the guide mentioned that dynamic groups were an option. What rules would be used pre and post migration?

    Reply
