Work Profile for Employee-Owned Devices

Work profile for employee-owned devices, also known as a Bring Your Own Device (BYOD), provides complete segmentation of work and personal data and apps on the device. As the device is employee owned, policy can only be applied to the Work profile/partition and cannot be applied to the personal profile/partition nor device wide.

The privacy and security model of Work Profile for Employee Devices is conceptually identical to Apple's BYOD User Enrollment deployment model. The notable difference is in the user interace design: Apple "blends" work and personal apps visually, whereas Android provides an explict visual distinction between the two types. In both cases, data storage is logically separate and data transfer (DLP) controls are provided to IT teams to manage.

Deploying Work Profile for Employee Owned Device

While documentation for deployed Android Work Profile for Employee Owned Devices is out of the scope of this document, you can refer to documentation for Microsoft Endpoint Manager as a starting point:

• End-to-End Android Enterprise Setup Guide
• Work Profile for Employee Devices Enrollments
• Notify users to create a Work Profile on their device.

Once a Work Profile is configured, IT administrators can deploy Managed Google Play apps

Deploying Jamf Trust

The Jamf Trust app is required to enable various security services on Android devices, including Jamf Private Access.

Private Access is used in the Jamf Trusted Access solution to enable access to company resources for the Work Profile partition on a properly enrolled BYO device. Active threat defense is also enabled for apps and network traffic within the organization managed Work Profile.

The following steps outline the high-level steps required to streamline deployment of the Jamf Trust app via your Android Enterprise-compatible MDM:

1. Follow the steps in Enabling Access for Trusted Devices to configure Private Access in RADAR.
2. Configure the Jamf Trust app via Managed Google Play.
   • When configuring the app's Configuration Settings, use the values presented in the Managed Configuration section of the Activation Profile created in the previous step.
   • The Jamf Trust app will be installed in the Work Profile parition on the device, not Personal Profile.

3. Define a new Android configuration profile in your MDM that Enables Zero Touch Activation of Jamf Trust and assign this profile to your target devices.
   • Only threat defense capabilities with be enabled via zero touch. The user will need to open the Jamf Trust app and authenticate with their identity provider credentials to activate Private Access.
4. Automatically deploy the Jamf Trust app and created configuration profile to devices that enroll via Work Profile to ensure secure networking is available to their applications within the Work Profile.

Work Profile Tips

• The work profile was introduced in Android 11.
  • If you are deploying to an older Android OS version, it is worth checking what options may be available.
• There is generally significant differences in Android Enterprise behavior and compatability across Android OS versions and device manufacturer OEMs. Test throughly!
• Devices will be able to freely add and remove the Work Profile without having to conduct a device factory reset.
• The Work Profile can be paused by users, which disables the profile and all apps within it. When in this state, Work apps will be suspended or terminated and their notifications disabled as well.
• Apps within the Work Profile will be marked differently than Personal apps.
• Please bear in mind that are restrictions on what settings can be applied whether the device is personal or corporate owned.