Work Profile for Mixed Use Company Owned Devices
- Updated on 24 Sep 2022
Jamf does not provide mobile device management (MDM) capabilities for Android devices.
However, virtually any Android Enterprise-compatible MDM vendor may be used to manage Android devices in a way that is compatible with the Trusted Access solution.
Work Profile for mixed-use company-owned devices, previously known as Corporate-owned Personally Enabled (COPE), is an extension of Work Profiles for BYOD.
Like Work Profiles, there is a clear segmentation of work and personal data and apps on the device. The managing organization is unable to "see" data in motion or at rest in the personal container.
However, the major difference is that IT has the added ability to apply device-wide settings, such as WiFi configurations, preventing apps from being installed on either the work or the personal partition, preventing USB file transfers, and more.
This management strategy is designed to preserve end user data privacy while enabling IT to better "lock down" the physical asset that they ultimately own.
Deploying Work Profile for Mixed Use Corporate Owned Device
Just like on iOS/iPadOS, Google provides a Zero-touch Enrollment capability to enroll a company-purchased Android device into MDM right out of the box.
While documentation for Work Profile for Mixed Use Company Owned Devices is out of the scope of this document, you can refer to documentation for Microsoft Endpoint Manager as a starting point:
- End-to-End Android Enterprise Setup Guide
- Work Profile for Mixed Use Company Owned Devices Enrollments
Deploying Jamf Trust
The Jamf Trust app is required to enable various security services on Android devices, including Jamf Private Access.
Private Access is used in the Jamf Trusted Access solution to enable access to company resources from the Work Profile partition on a properly enrolled Work Profile for Mixed Use Company Owned Device. Active threat defense is also enabled for apps and network traffic within the organization-managed Work Profile.
When deploying Jamf Trust to a Work Profile for Mixed Use Company Owned Device, it is only able to "see" and "protect" within the Work Profile partition. This is an intentional private-by-design attribute of this deployment model.
We discourage trying to deploy threat defense to the "personal" partition of the device. Without automated deployment and due to the end user privacy implications, activation rates will be poor.
Instead, the goal of Trusted Access is to fortify your network access model such that company data is only reachable via the Work Profile, and cannot be accessed via the Personal Profile (even though it is the same device and user!).
If you require visibility and control of all the device's data and network connections, use Fully Managed enrollments instead.
The following outlines the high-level steps required to streamline deployment of the Jamf Trust app via your Android Enterprise-compatible MDM:
- Follow the steps in Enabling Access for Trusted Devices to configure Private Access in RADAR.
- Configure the Jamf Trust app via Managed Google Play.
- When configuring the app's Configuration Settings, use the values presented in the Managed Configuration section of the Activation Profile created in the previous step.
- The Jamf Trust app will be installed in the Work Profile partition on the device, not the Personal Profile. While you may use Per-App VPN for apps within the Work Profile, we recommend using the default configuration to make Private Access and Threat Defense available to all apps and network traffic within the Work Profile.
- Define a new Android configuration profile in your MDM that enables Zero Touch Activation of Jamf Trust and assign this profile to your target devices.
- Only threat defense capabilities will be enabled via zero touch. The user will need to open the Jamf Trust app and authenticate with their identity provider credentials to activate Private Access.
- Automatically deploy the Jamf Trust app and created configuration profile to devices that enroll via Work Profile to ensure secure networking is available to their applications within the Work Profile.
Deployment Tips
- The work profile was introduced in Android 11. Previously this would have been known as "Corporate-owned, personally enabled", which was changed due to stronger privacy requirements.
- If you are deploying to an older Android OS version, it is worth checking what options may be available.
- There are generally significant differences in Android Enterprise behavior and compatibility across Android OS versions and device manufacturer OEMs. Test thoroughly!
- An existing device will need to be factory reset and re-enrolled to be entered into this enrollment mode.
- The Work Profile can be paused by users, which disables the profile and all apps within it. When in this state, Work apps will be suspended or terminated and their notifications disabled as well.
- Apps within the Work Profile will be marked differently than Personal apps.