Work Profile for Employee-Owned Devices
  • 24 Sep 2022
  • 4 Minutes to read
  • Dark
  • PDF

Work Profile for Employee-Owned Devices

  • Dark
  • PDF

Article summary

Third Party Device Management Required

Jamf does not provide mobile device managment (MDM) capabilities for Android devices.

However, virtually any Android Enterprise-compatible MDM vendor may be used to manage Android devices in a way that is compatible with the Trusted Access solution.

Work profile for employee-owned devices, also known as a Bring Your Own Device (BYOD), provides complete segmentation of work and personal data and apps on the device. As the device is employee owned, policy can only be applied to the Work profile/partition and cannot be applied to the personal profile/partition nor device wide.

Android Enterprise Work Profile for Employee Devices

The privacy and security model of Work Profile for Employee Devices is conceptually identical to Apple's BYOD User Enrollment deployment model. The notable difference is in the user interace design: Apple "blends" work and personal apps visually, whereas Android provides an explict visual distinction between the two types. In both cases, data storage is logically separate and data transfer (DLP) controls are provided to IT teams to manage.

Is the device corporate owned?

If so, you may prefer to use the Work Profile for Mixed Use Company Owned Devices enrollment method instead. This method preserves the same strong work and personal data separation and privacy controls of Work Profiles for Employee Owned Devices, but provides IT with a few more device-wide controls.

If complete device management is required without this logicial data separation, you should consider using Android Fully Managed Devices instead.

It is not recommended to try to fully manage a personally owned device: such a enrollment strategy is not supported by Android, significantly compromises user privacy, and is usually poorly adopted by end users.

Deploying Work Profile for Employee Owned Device

While documentation for deployed Android Work Profile for Employee Owned Devices is out of the scope of this document, you can refer to documentation for Microsoft Endpoint Manager as a starting point:

Once a Work Profile is configured, IT administrators can deploy Managed Google Play apps

Deploying Jamf Trust

The Jamf Trust app is required to enable various security services on Android devices, including Jamf Private Access.

Private Access is used in the Jamf Trusted Access solution to enable access to company resources for the Work Profile partition on a properly enrolled BYO device. Active threat defense is also enabled for apps and network traffic within the organization managed Work Profile.

Privacy Limitation

When deploying Jamf Trust to a Work Profile on a BYO device, the service is only able to "see" and "protect" within the Work Profile partition. This is an intentional private-by-design attribute of this deployment model.

We discourage trying to deploy threat defense to the "personal" partition of the device. Without automated deployment and due to the end user privacy implications, activation rates will be poor.

Instead, the goal of Trusted Access is to fortify your network access model such that company data is only reachable via the Work Profile, and cannot be accessed via the Personal Profile (even though it is the same device and user!).

The following steps outline the high-level steps required to streamline deployment of the Jamf Trust app via your Android Enterprise-compatible MDM:

  1. Follow the steps in Enabling Access for Trusted Devices to configure Private Access in RADAR.
  2. Configure the Jamf Trust app via Managed Google Play.
    • When configuring the app's Configuration Settings, use the values presented in the Managed Configuration section of the Activation Profile created in the previous step.
    • The Jamf Trust app will be installed in the Work Profile parition on the device, not Personal Profile.
Per-App VPN on Work Profile for Employee Owned Devices

While you may use Per-App VPN for apps within the Work Profile, we recommend using the default configuration to make Private Access and Threat Defense available to all apps and network traffic within the Work Profile.

  1. Define a new Android configuration profile in your MDM that Enables Zero Touch Activation of Jamf Trust and assign this profile to your target devices.
    • Only threat defense capabilities with be enabled via zero touch. The user will need to open the Jamf Trust app and authenticate with their identity provider credentials to activate Private Access.
  2. Automatically deploy the Jamf Trust app and created configuration profile to devices that enroll via Work Profile to ensure secure networking is available to their applications within the Work Profile.

Work Profile Tips

  • The work profile was introduced in Android 11.
    • If you are deploying to an older Android OS version, it is worth checking what options may be available.
  • There is generally significant differences in Android Enterprise behavior and compatability across Android OS versions and device manufacturer OEMs. Test throughly!
  • Devices will be able to freely add and remove the Work Profile without having to conduct a device factory reset.
  • The Work Profile can be paused by users, which disables the profile and all apps within it. When in this state, Work apps will be suspended or terminated and their notifications disabled as well.
  • Apps within the Work Profile will be marked differently than Personal apps.
  • Please bear in mind that are restrictions on what settings can be applied whether the device is personal or corporate owned.

Changing your password will log you out immediately. Use the new password to log back in.
First name must have atleast 2 characters. Numbers and special characters are not allowed.
Last name must have atleast 1 characters. Numbers and special characters are not allowed.
Enter a valid email
Enter a valid password
Your profile has been successfully updated.