“New configurations are now available for Android BYOD management”

Google have deprecated their ‘Device Administrator APIs’, which means that even though devices are enrolled into an MDM, they will no longer respond to commands sent from the MDM server with the old APIs.

This old mechanism for enrolling and managing Android Devices is being fully deprecated by all MDM vendors for devices running Android 10 and Android 11 by the end of 2020. 

Going forward, Android Enterprise must be used to manage Android devices. 

 

What is Android Enterprise?

Android Enterprise is a modern set of management controls that:

  • Enforce encryption for company data 

  • Enable centralised, seamless app deployment  

  • Provide a unified set of controls across all makes of Android devices  

Android Enterprise offers two options for device deployment – 1) Work Only, and 2) Personally Enabled. For BYOD devices, Android Enterprise Work Profile is the best solution. 


Android Enterprise Work Profile

Android Enterprise Work Profile is designed to keep work and personal data separate.  

Rather than the whole device being enrolled and managed, a separate partition or container on the device is provisioned. Then company apps and data are deployed to the container and kept separate from personal apps and data.  

Work Profile is the best option for BYOD, but it can also be useful for providing access on devices that don’t support the other Android Enterprise management options. This can be due to operating system version limitations, or because a factory reset / device wipe is not desired when migrating to Android Enterprise.

Also, we see Android Enterprise Work Profiles being rolled out on contractor devices, where a private enterprise app needs to be pushed to a device but management of the device is not needed.

Employees need a personal Gmail account to enable the Work Profile. MDM administrators can set policies and controls on the managed container but not the device itself. 

Here is a video showing the user experience of a Personally Enabled Android Enterprise device  

Work Profile Policies

There are limited MDM policies and controls for the Work Profile container. 

Policies that can be applied to the managed container include:

  • Block adding personal accounts into the Work Profile

  • Apply a PIN code for the Work Profile

  • Block screen capture in the Work Profile

  • Block sharing of documents between the managed and personal apps

An administrator can perform the following actions:

  • Reset the PIN code on the container

  • Push and remove apps

  • Push and remove limited settings

 

Google Account

To register your MDM to leverage Android Enterprise, you will need to create a Managed Google Play Account.

We recommend that you use a company service account for this account creation. If you use a personal account and that person leaves, you will not be able to manage this account.

 This account will be used to: 

  • Bind your EMM console to Google for Android Enterprise integration  

  • Approve applications for deployment  

You can access detailed steps on how to set up this account via this link

 

Enable Work Profile in Microsoft Intune

Google Integration 

To enable Work Profile enrolments in Intune, you need to integrate your Managed Google Play account:

  1. Go to Microsoft Endpoint Manager > Devices > Enroll devices 

  2. Go to Android Enrollment 

  3. Select Managed Google Play 


Allow Work Profile Enrolment  

You also need to ensure your Restriction policy allows enrolment of Android Enterprise devices.  

In the Endpoint Manager console:

  1. Go to Devices > Policy > Enrollment Restrictions 

  2. Select Allow for Android Enterprise (work profile)  

  3. Select Allow for Personally owned


Configure Work Profile policies  

Configure Android Enterprise Work Profile policies in Intune 

  1. Go to Microsoft Endpoint Manager > Devices > Android 

  2. Select Configuration profiles > Create profile 

  3. Select Android Enterprise > then select the Work Profile profile and configure as required.
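
An added example, not part of the original article or any vendor tooling: a Python check that audits an exported list of Intune configuration profiles against the four Work Profile controls listed earlier. It assumes the export has the shape of a Microsoft Graph deviceConfigurations response; the sample data and profile names are constructed, and treating any sharing value other than preventAny as a gap is this example's own strict reading.

```python
import json

WORK_PROFILE_TYPE = "#microsoft.graph.androidWorkProfileGeneralDeviceConfiguration"

# Constructed sample in the shape of a deviceConfigurations export (not real tenant data).
# Property names follow Microsoft Graph's androidWorkProfileGeneralDeviceConfiguration.
SAMPLE_EXPORT = json.loads("""
{"value": [
  {"@odata.type": "#microsoft.graph.androidWorkProfileGeneralDeviceConfiguration",
   "displayName": "BYOD baseline",
   "workProfileBlockAddingAccounts": true,
   "workProfileBlockScreenCapture": true,
   "workProfileDataSharingType": "preventAny",
   "workProfilePasswordRequiredType": "atLeastNumeric"},
  {"@odata.type": "#microsoft.graph.androidWorkProfileGeneralDeviceConfiguration",
   "displayName": "Contractor pilot",
   "workProfileBlockAddingAccounts": false,
   "workProfileBlockScreenCapture": true,
   "workProfileDataSharingType": "noRestrictions",
   "workProfilePasswordRequiredType": "deviceDefault"},
  {"@odata.type": "#microsoft.graph.iosGeneralDeviceConfiguration",
   "displayName": "iOS restrictions"}
]}
""")

def audit_profile(profile):
    """Return the baseline controls this Work Profile configuration does not enforce."""
    gaps = []
    if profile.get("workProfileBlockAddingAccounts") is not True:
        gaps.append("personal accounts can be added")
    if profile.get("workProfileBlockScreenCapture") is not True:
        gaps.append("screen capture not blocked")
    if profile.get("workProfileDataSharingType") != "preventAny":
        gaps.append("cross-profile sharing not set to preventAny")
    if profile.get("workProfilePasswordRequiredType") in (None, "deviceDefault"):
        gaps.append("no Work Profile PIN required")
    return gaps

def audit_export(export):
    """Map each Work Profile configuration's displayName to its list of gaps."""
    report = {}
    for p in export.get("value", []):
        if p.get("@odata.type") == WORK_PROFILE_TYPE:
            report[p.get("displayName", "<unnamed>")] = audit_profile(p)
    if not report:
        # Enrolment can be allowed while no restrictions profile exists at all.
        report["<none>"] = ["no Work Profile configuration profile found"]
    return report
```

Calling `audit_export(SAMPLE_EXPORT)` returns an empty gap list for the profile that meets the baseline and the missing controls for the one that does not; profiles for other platforms are ignored.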


Enable Work Profile in VMware Workspace ONE UEM

Google Integration 

To enable Work Profile enrolments in VMware Workspace ONE UEM, you need to integrate your Managed Google Play account first:

  1. Go to Groups & Settings > Settings > System > Devices & Users > Android > Android EMM Registration > Configuration  

  2. Integrate your Managed Google account 


Configure Work Profile policies 

To configure your policies for the Work Profile container:

  1. Go to Profiles & Resources > Profiles > Add > Android > Restrictions  

  2. Select policies you want to assign for the Work Profile on BYOD devices 

  3. Save and assign 


Enable Work Profile in MobileIron

Google Integration 

To enable Work Profile enrolments in MobileIron Cloud, you need to integrate your Managed Google Play account first:

  1. Go to the Admin tab > Google > Android Enterprise 

  2. Integrate your Managed Google account 


Enable Work Profile 

To enable Work Profile in MobileIron Cloud:

  1. Go to Configurations tab > Android Enterprise: Work Profile (Android for Work) 

  2. Edit and assign 


Configure Work Profile policies 

To configure your policies for the Work Profile container:

  1. Go to Configurations tab > add 

  2. Create lockdown and Kiosk: Android enterprise Configuration 

  3. Select Work Profile 


Then configure your required policies for the Work Profile container.


Conclusion

If you’re interested in learning how Android Work Profile and BYOD could work in your business, check our BYOD service, or contact us.