What is Android work profile
Get an insight into how the Android work profile works and the benefits it offers organisations in terms of security and productivity.
May 10, 2020
At present, IT admins in enterprises are responsible for managing a whole fleet of devices from different management classes such as BYOD (Bring Your Own Device), COPE (Company Owned/Personally Enabled) and COBO (Company Owned/Business Only). With these different levels of ownership, organizations must ensure that their business applications and sensitive data stay protected on the device regardless of who owns it. With Android Enterprise, admins can configure the device in two ways: device owner mode and profile owner mode.
For corporate owned devices, provisioning the devices through Android device owner mode will give the organization full control over the device. The functions that a device owner can perform include:
In company owned deployment scenarios, the enterprise owns and has full control over the devices it uses. The management application used is known as the Device Policy Controller (DPC). The DPC is responsible for enforcing policies on the Android devices. When the DPC acts as a device owner, it looks after the entire management of the device. It can also perform a wide range of device-oriented actions such as configuring connectivity, setting up global settings and performing a factory reset.
Different provisioning methods such as DPC Identifier, NFC, QR Code, Zero touch enrollment, Samsung KME, G Suite and Android Debug Bridge are available to enroll your devices. Let’s have a look at what each means:
Android device owner mode should be provisioned during the initial setup of a new device or, in the case of devices running an older Android version, after a factory reset. Depending on the use case, the devices can be provisioned in two ways:
Apart from Android device owner mode, there are other solution sets such as the profile owner mode, also known as work profile mode or managed profile mode. In this mode the organization uses the DPC to enable employees' personal devices for work use by adding a work profile to the primary user account on the device. The work profile is associated with the primary user but exists as a separate profile. Container-level security policies are set up to prevent users from accidentally pasting sensitive corporate information into unauthorized apps.
There also exists a dedicated Android device owner mode, which is a subset of the device owner solution set. The dedicated device solution set is designed for company owned devices that are used for a single purpose, such as kiosks and digital signage. It gives admins the convenience of restricting the usage of the device to a single app or a set of whitelisted applications. It also prevents users from accessing other apps or enforcing other actions on the device.
As mentioned before, a device owner can only be assigned during the initial setup process of the devices. It would always be best to enroll corporate owned devices with a device owner solution set and employee devices with a profile owner solution set. In this way the privacy of the user will not get compromised. In order to activate Android device owner mode, you must first ensure that your organization is enrolled in the Android Enterprise program. Devices running on older Android versions should undergo a factory reset prior to their enrollment. For devices running on Android 7 and above, a QR code can be used to enroll the devices.
Hexnode MDM policies can be used to allow or restrict access on the devices enrolled via Android Enterprise. In order to configure restrictions on an Android Enterprise enabled device, you would have to go to policies to select a new one or edit an existing one and choose Restrictions from Android to set up the basic device restrictions.
In addition to restricting basic device functionalities, admins can also:
App configurations allow admins to remotely configure features for Managed Google Play apps. Once the apps are installed, all the settings are supplied automatically. Since not all apps support configurations, it would be better to consult with the app developer first to see whether the app you wish to use is designed to support configuration settings. In the case of supported apps, the developer will specify the options that can be configured. IT can then use the options displayed in the Hexnode console to define the custom configurations. This not only saves IT a lot of time but also lets them pre-configure and distribute the apps to multiple users in a single go.
Introduced at the Android Enterprise Summit 2018, OEMConfig is an Android standard defined by Google that brought in changes in Android device management. With the help of OEMConfig, Hexnode can offer its customers a wide range of hardware and security features for Android Enterprise devices without having to build every individual OEM-specific setting into the product.
Device manufacturers that support OEMConfig build their own OEMConfig apps and host them on the Google Play platform. The organization then approves and adds the OEMConfig app to the UEM console. Hexnode allows administrators to customize the settings by means of managed app configurations. The apps can also be pushed silently to the Android Enterprise enabled devices via the Hexnode console. The customized OEMConfig app will get installed onto the device and will use the configured settings to manage the devices. Once a new feature has been added, the OEM will update the app and Hexnode will automatically add support for the new feature.
Devices that cater to customer-specific needs include kiosks and digital signage. In order to ensure a complete lockdown, additional user restrictions such as disabling safe boot and factory reset and preventing the addition of a new user can be applied.
Android includes a set of APIs that are built to lock down fully managed devices to a kiosk mode. Some of the key highlights of these Android Enterprise dedicated devices include running the system in a kiosk mode by means of lock task mode, sharing the device between multiple users, caching the APKs required for multi-user sessions and suspending system updates.
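As an added illustration (not Hexnode's code and not part of the original article), the sketch below shows how a device-owner DPC could apply the restrictions named above through Android's `DevicePolicyManager` and then read the state back to confirm the lockdown took effect. The function name `applyKioskLockdown` and its parameters are hypothetical; `admin` is assumed to be the DPC's own `DeviceAdminReceiver` component.

```kotlin
import android.app.admin.DevicePolicyManager
import android.content.ComponentName
import android.content.Context
import android.os.Build
import android.os.UserManager

// Restrictions named in the text: safe boot, factory reset, adding users.
private val KIOSK_RESTRICTIONS = listOf(
    UserManager.DISALLOW_SAFE_BOOT,
    UserManager.DISALLOW_FACTORY_RESET,
    UserManager.DISALLOW_ADD_USER,
)

/**
 * Applies the kiosk lockdown and returns the names of any settings that did
 * not take effect, so the caller can flag the device as non-compliant.
 * Hypothetical helper: `admin` is the DPC's DeviceAdminReceiver component.
 */
fun applyKioskLockdown(
    context: Context,
    admin: ComponentName,
    allowedPackages: Array<String>,
): List<String> {
    val dpm = context.getSystemService(Context.DEVICE_POLICY_SERVICE) as DevicePolicyManager

    // Only a device owner may set these; fail closed rather than run a half-locked kiosk.
    check(dpm.isDeviceOwnerApp(context.packageName)) { "DPC is not the device owner" }

    KIOSK_RESTRICTIONS.forEach { dpm.addUserRestriction(admin, it) }

    // Only the listed packages may enter lock task mode without user confirmation.
    dpm.setLockTaskPackages(admin, allowedPackages)
    if (Build.VERSION.SDK_INT >= Build.VERSION_CODES.P) {
        // Disable all optional system UI (status bar info, notifications,
        // Home, Overview, power menu) while the device is in lock task mode.
        dpm.setLockTaskFeatures(admin, DevicePolicyManager.LOCK_TASK_FEATURE_NONE)
    }

    // Read the state back instead of assuming the calls succeeded.
    val applied = dpm.getUserRestrictions(admin)
    val failures = KIOSK_RESTRICTIONS.filterNot { applied.getBoolean(it, false) }.toMutableList()
    allowedPackages.filterNot { dpm.isLockTaskPermitted(it) }
        .forEach { failures += "lock-task:$it" }
    return failures
}
```

The kiosk app's activity still has to call `startLockTask()` to enter lock task mode; an empty list returned here only confirms that the policy is in place.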
Though Android developers can create dedicated applications that can easily set up a kiosk mode on Android devices, it would be more convenient to rely on the services of a powerful MDM solution like Hexnode to take care of your kiosk configurations. Hexnode MDM comes with a set of tools that help various organizations to set up the right kiosk that would neatly adhere to their business requirements.
By pairing up with no-touch enrollment programs such as Android Zero Touch Enrollment and Samsung Knox Mobile Enrollment, Hexnode offers quick deployment and provisioning of Android devices. Having a centralized platform to manage the kiosk systems is important, as it can help prevent the security issues that can arise when a non-technical user base uses the kiosk devices improperly.
School owned devices enrolled through Android device owner mode allow admins to block certain functionalities like factory reset and Wi-Fi modifications. By whitelisting the necessary applications, admins can ensure that the students who use these fully managed devices are free from distractions and remain concentrated on their studies.
Organizations usually deploy corporate owned devices when they require tight control over the management of the devices used by their employees. When these devices are operated in Android device owner mode, IT admins can make sure that the sensitive corporate data present within the device stays protected at all times. Unlike the profile owner mode, fully managed devices come with a set of additional functionalities to enhance the security of the enterprise, such as remotely rebooting the device and locking it down in an immersive kiosk mode. Organizations managing a large number of devices would do better to enroll their devices in Android device owner mode, as it would provide them with quick enrollment options and flexibility in configuring more network restrictions.
Hospitals and healthcare clinics that use Android Enterprise enabled devices can harness additional security capabilities in a way that is easier for both the IT department and end users. Admins can ensure that the essential policies are being universally applied onto the targeted devices without asking the medical personnel to update their device manually each time a policy gets pushed, thus giving them ample time to interact with their patients.
Android has a set of APIs to help people who use dedicated devices get their tasks done. With the help of lock task mode, employees can run the device in a kiosk-like mode and stay productive by having access to just the whitelisted applications. Businesses can also save costs, as a single device can be easily shared between multiple shift workers.