Setting up a work profile on Android devices
This article shows how you can set up Android Work Profile on your Android devices.
- Managed Google Play Enterprise has been configured for your site
- Devices are running Android 6.0 or above
- Devices are connected to the Internet via Wifi or mobile data
Please note that certain older Android devices don't support the managed profiles. If you run into errors and are not sure whether your device supports managed profiles, download Google's TestDPC from Google Play and try creating a managed profile using the app.
New to GoTo Resolve MDM? Discover how GoTo Resolve MDM can help you manage your Android devices with ease. Learn more about Android MDM at https://www.miradore.com/platforms/android-management/
Why set up Android Enterprise Work Profile?
Once the requirements are met, administrators can create a work profile on the managed devices. The purpose of the work profile is to create a secure container for your work data and separate the private applications from the work applications. Administrators can then remotely manage the work container and deploy applications silently to any device running Android 5.1 or above.
This is a particularly important solution for the companies that support personal devices deployment scenarios, allowing the employees to bring personally-owned devices to work and to use those devices to access privileged company information and applications securely, making sure that e.g. work contacts won't get leaked via private instant messaging apps.
When a work profile is created on the device, the GoTo Resolve MDM Client operates as the profile owner of the work data and has only limited control outside of the work profile. This means that our client is no longer the device administrator of the device and can't, for example, install Samsung KNOX/SAFE configuration profiles or wipe the device. It can, however, lock the device, install Wi-Fi networks, collect device location and enforce passcode policies like it normally would. The work profile can also be at any time removed from the device both by an administrator as well as the user.
How to enable Work Profile for legacy enrolled Android devices?
If you already managing an Android device in the device administrator mode, you can enable the work profile from the page using the action button.
Figure 1. The layout of the screen may look different in the product.
How to set up the Work Profile on Android devices?
- If the device is not yet managed with GoTo Resolve MDM, go to page on your GoTo Resolve MDM site and choose the platform Android.
- 2. Select Light to enroll a device using the Work Profile mode.
Figure 2. The layout of the screen may look different in the product.
- Add a device user: enter the user's email address and choose Work profile. You can also choose to send the enrollment invitation via email and/or SMS to the user if needed.
Figure 3. The layout of the screen may look different in the product.
The system generates credentials for enrollment. Read the QR code with the device or follow the steps to enroll in the Work profile. If you have chosen to send the invitation to the device user, the system sends the credentials to the device user.
Figure 4. The layout of the screen may look different in the product.
The next pictures show how the enrollment process continues at the device end. First, the user must click the Enroll now button from the email. This will take him/her to the Google Play store. Next he/she clicks Install now and Install which starts the installation of the GoTo Resolve MDM Client application.
Figure 5. The layout of the screen may look different in the product.
Wait until the GoTo Resolve MDM Online Client installation completes and click Open to open up the app. The app show will show a privacy closure explaining what data the app collects and what is it used for. The user must read the provided information carefully and give their consent for the data collection before continuing.
Figure 6. The layout of the screen may look different in the product.
The next step is the device user needs to allow all permission requests from the GoTo Resolve MDM app.
Please note that GoTo Resolve MDM respects users' privacy and security. It is not possible for anyone to access the user's personal contacts, phone calls, text messages, instant messages, files, or photos through GoTo Resolve MDM.
Figure 7. The layout of the screen may look different in the product.
The actual creation of the Work Profile begins immediately after the GoTo Resolve MDM client installation has been completed and the Client has successfully connected to your GoTo Resolve MDM site for the first time.
The device user can see a round GoTo Resolve MDM icon on the notification area when the client asks the user to approve the creation of the Work Profile.
Please note, that the device must be encrypted before proceeding. The encryption process may require that the device battery is charged up to 80% and the device is plugged in. When the encryption is complete, the managed profile creation continues.
Figure 8. The layout of the screen may look different in the product.
Setting up Android Enterprise Work Profile takes a few minutes. GoTo Resolve MDM app will show the Managed profile created screen to the device user when after the profile creation has been completed successfully.
Figure 9. The layout of the screen may look different in the product.
After a successful Work profile setup, the GoTo Resolve MDM client can be removed from the primary user profile running on the device. The uninstallation will be requested from the user automatically. After the client uninstallation, the setup is ready at the device end. The device user can recognize the Work Profile apps by the orange briefcase icon.
Figure 10. The layout of the screen may look different in the product.
The Show device button becomes active in GoTo Resolve MDM after the enrollment has been completed. You can open up the device form to see details about the device. You can follow the enrollment on the Device's Action log, and also on the Enrollment log page.
Figure 11. The layout of the screen may look different in the product.
The default tag Profile owner is added for each device where the work profile has been successfully enabled. This helps to identify work profile devices in your GoTo Resolve MDM site and can be used, for example, to create a separate business policy for work profile-enabled devices.
A Work profile can also be automatically enabled to the devices during the device administrator enrollment process. Just add a tag afw to the enrollment or user and the work profile is automatically installed to the Android device that is enrolled with the created credentials.
Figure 12. The layout of the screen may look different in the product.
Please note that after a successful Work Profile enrollment, the "Profile owner" tag (not "afw") will be added to the device in GoTo Resolve MDM.
If the device's Google Play store is older than the required version, it must be updated to ensure that managed Google play account can be created in the work profile. Play store should be updated automatically in the background, as long as the user has signed in to Google Play.
We have noted that sometimes on Android 6 devices the work profile creation fails because the Play Store version on those devices is out-of-date and the automatic updates are not working. You can try to resolve this issue by manually initiating the installation of Play Store updates. You can manually start the installation by tapping the Build number option in the Play Store's Settings.