Resources

One Android device, two modes: managed device with work profile

Categories:
Android

Enterprise IT administrators manage a wide range of mobile devices, including corporate-owned, employee-owned, and a mix of corporate-owned, personally enabled (COPE) devices. With all of these varying levels of device ownership, organizations need a way to ensure business apps and data are secure on any device used for work — regardless of who owns the device.

Thanks to new capabilities introduced in Android 8.0 and supported by MobileIron, administrators can now separate business and personal apps and data on corporate-owned devices. This means Mobileiron customers can now support employee privacy and personal apps even on fully managed corporate devices.

In 2014, Google introduced Android enterprise to help IT organizations meet these security and management needs across a broad range of devices. With Android enterprise, admins can configure a device in one of two ways, both of which are deployed through a unified endpoint management (UEM) platform like MobileIron:

  • Managed device: A managed device (also known as device owner mode) is ideal for corporate-owned devices, such as a retail kiosk, where the company maintains complete control over which apps and data are allowed on the device. Device-wide controls, such as a complete device wipe and reset to factory default settings are available on managed devices.
  • Work profile: A work profile is ideal for managing employee-owned devices because it allows IT to keep business apps and data separate from the employee’s personal accounts, apps, and data. Business apps managed by the work profile have a clear icon that distinguishes them from personal apps. Employees can safely use their personal devices for work without being restricted from accessing their personal apps and data. IT also has limited control over the device itself, and cannot view, access, or delete any personal apps or data.

Now, starting with version 8.0, Android is enabling IT to administer both the work profile and the managed device through a UEM platform. This means admins can configure the entire device as a managed device and deploy enterprise apps to a work profile that remains separate from a personal profile on the device.

For MobileIron customers, this is especially great news because MobileIron is currently one of the only UEM providers that enables customers to deploy managed devices with a work profile on Android 8 devices. As a result, organizations can enhance control over business apps and data while giving employees more flexibility to access personal apps and data on Android devices — even if the device is owned by the company.

MobileIron customers can start using this capability today with MobileIron Core 9.7 and Mobile@Work 9.7. By deploying managed devices with work profiles, IT can now provide these capabilities on a single device:

  • Managed device: Device configurations, such as unlocking the device, hardware controls, and performing factory resets, can be applied to managed devices.
  • Work profile: Organizations will continue to deploy enterprise apps to the work profile through a managed Google Play app store. The work profile also remains protected by container-level security policies, such as preventing users from pasting enterprise data into unauthorized apps such as a personal Google Drive account.
  • Unmanaged profile: The device hosts a personal profile that allows users to access personal apps that remain outside of the work profile, so they can’t be viewed, accessed, or deleted by IT.

This diagram illustrates how these capabilities work on Android 8 devices.

For a hands-on technical review of this feature from a third-party expert, see Jason Bayton’s article: https://bayton.org/2018/03/mobileiron-launch-android-enterprise-work-profiles-on-fully-managed-devices

For more details on MobileIron and Android enterprise, read our whitepaper, “Android is ready for the enterprise.”