Work Profile for Employee-Owned Devices


Work Profile for Employee-Owned Devices, also known as Bring Your Own Device (BYOD), provides complete segmentation of work and personal data and apps on the device. Because the device is employee owned, policy can only be applied to the Work profile/partition; it cannot be applied to the personal profile/partition or device wide.

Android Enterprise Work Profile for Employee Devices

The privacy and security model of Work Profile for Employee Devices is conceptually the same as Apple's BYOD User Enrollment deployment model. The notable difference is in the user interface design: Apple "blends" work and personal apps visually, whereas Android provides an explicit visual distinction between the two types. In both cases, data storage is logically separate, and data transfer (data loss prevention, DLP) controls are provided for IT teams to manage.

Is the device corporate owned?

If so, you may prefer to use the Work Profile for Mixed Use Company Owned Devices enrollment method instead. This method preserves the same strong work and personal data separation and privacy controls of Work Profiles for Employee Owned Devices, but provides IT with a few more device-wide controls.

If complete device management is required without this logical data separation, you should consider using Android Fully Managed Devices instead.

It is not recommended to try to fully manage a personally owned device: such an enrollment strategy is not supported by Android, significantly compromises user privacy, and is usually poorly adopted by end users.

Deploying Work Profile for Employee Owned Device

Configuring a Work Profile on an Employee Owned Device requires a service that provides Android Enterprise-compatible mobile device management.

Jamf provides Manager for Android as part of its Jamf for Mobile commercial offering, though realizing Trusted Access outcomes is possible using any compatible third-party UEM vendor.

Using Jamf Manager for Android

Jamf offers Manager for Android, a lightweight Android management tool that is included with Jamf for Mobile. Manager for Android is designed to quickly and easily enroll Android devices into management so that Jamf Trust can be reliably deployed to unlock Trusted Access outcomes.

Security and access policies for Apple and Android devices alike are then managed in the Jamf Security Cloud console.

Manager for Android is accessed via the Jamf Security Cloud console and is available for all customers that have purchased Jamf for Mobile licensing.

Steps

  1. Verify that the prerequisites for your environment are met.
  2. Set up Manager for Android in your Jamf environment.
  3. Configure apps, policies, and configurations based upon your device management strategy, security, and privacy requirements.
  4. Configure Jamf Security Cloud with an activation profile to enable Trusted Access outcomes, and enroll devices.
  5. Configure extended integration settings between Jamf Security Cloud and Manager for Android as required.

Using a Third Party Android UEM

While documenting deployment of Android Work Profile for Employee Owned Devices using a third-party UEM is out of the scope of this document, you can refer to documentation from your UEM or from Microsoft Endpoint Manager as a starting point.

Once a Work Profile is configured, IT administrators can deploy Managed Google Play apps into it.

Deploying Jamf Trust

The Jamf Trust app is required to enable various security services on Android devices, including Jamf Private Access.

Note for Manager for Android Deployments

Most of these steps are completed automatically when following the steps above in Using Jamf Manager for Android.

However, it is useful to review the concepts below as they apply to Manager for Android deployments as well.

Private Access is used in the Jamf Trusted Access solution to enable access to company resources from the Work Profile partition on a properly enrolled BYO device. Active threat defense is also enabled for apps and network traffic within the organization-managed Work Profile.

Privacy Limitation

When deploying Jamf Trust to a Work Profile on a BYO device, the service is only able to "see" and "protect" within the Work Profile partition. This is an intentional private-by-design attribute of this deployment model.

We discourage trying to deploy threat defense to the "personal" partition of the device: there is no automated deployment path there, and because of the end-user privacy implications, activation rates will be poor.

Instead, the goal of Trusted Access is to fortify your network access model such that company data is only reachable via the Work Profile, and cannot be accessed via the Personal Profile (even though it is the same device and user!).

The following outlines the high-level steps required to streamline deployment of the Jamf Trust app via your Android Enterprise-compatible MDM:

  1. Follow the steps in Enabling Access for Trusted Devices to configure Private Access in RADAR.
  2. Configure the Jamf Trust app via Managed Google Play.
    • When configuring the app's Configuration Settings, use the values presented in the Managed Configuration section of the Activation Profile created in the previous step.
    • The Jamf Trust app will be installed in the Work Profile partition on the device, not the Personal Profile.
  3. Define a new Android configuration profile in your MDM that enables Zero Touch Activation of Jamf Trust and assign this profile to your target devices.
    • Only threat defense capabilities will be enabled via zero touch. The user will need to open the Jamf Trust app and authenticate with their identity provider credentials to activate Private Access.
  4. Automatically deploy the Jamf Trust app and the configuration profile created above to devices that enroll via Work Profile, to ensure secure networking is available to the applications within the Work Profile.

Per-App VPN on Work Profile for Employee Owned Devices

While you may use Per-App VPN for apps within the Work Profile, we recommend using the default configuration so that Private Access and Threat Defense are available to all apps and network traffic within the Work Profile.
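The steps above leave the outcome (company data reachable only through the Work Profile, Jamf Trust force-installed with its managed configuration, and work traffic kept inside the tunnel) to be verified by hand in the UEM console. The following is an added example, written for this page and not code from Jamf or Google, that lints a work-profile policy for those properties before it is assigned. It assumes the UEM expresses policy in the Android Management API JSON shape (applications, alwaysOnVpnPackage, crossProfilePolicies), that Jamf Trust is delivered as the profile's always-on VPN, and it uses a placeholder package name and placeholder managed-configuration keys; substitute the values shown in your own Activation Profile. The two sample policies are constructed for the example.

```python
"""Lint a BYOD work-profile policy for the DLP and networking controls a
Trusted Access deployment depends on.

Added example, not Jamf or Google code. Policy shape follows the Android
Management API; the package name and managed-configuration keys for Jamf
Trust are placeholders (assumptions), not the product's real identifiers.
"""

# Assumed placeholders: replace with the package name and the keys from the
# Managed Configuration section of your own Activation Profile.
TRUST_PACKAGE = "com.example.jamftrust"
REQUIRED_MANAGED_CONFIG_KEYS = ("activation_key", "tenant_id")


def lint_work_profile_policy(policy: dict) -> list[str]:
    """Return a list of findings. An empty list means the policy force-installs
    Jamf Trust with its activation values, pins it as the lockdown always-on
    VPN, and does not explicitly allow work-to-personal data transfer."""
    findings = []

    apps = {a.get("packageName"): a for a in policy.get("applications", [])}
    trust = apps.get(TRUST_PACKAGE)
    if trust is None:
        findings.append("Jamf Trust is not in the application list")
    else:
        if trust.get("installType") != "FORCE_INSTALLED":
            findings.append("Jamf Trust is not FORCE_INSTALLED; users could skip it")
        cfg = trust.get("managedConfiguration", {})
        missing = [k for k in REQUIRED_MANAGED_CONFIG_KEYS if k not in cfg]
        if missing:
            findings.append(f"managedConfiguration is missing {missing}; "
                            "zero-touch activation will not work")

    # Always-on VPN with lockdown keeps work-profile traffic inside the tunnel
    # even while the tunnel is (re)connecting.
    vpn = policy.get("alwaysOnVpnPackage") or {}
    if vpn.get("packageName") != TRUST_PACKAGE:
        findings.append("Jamf Trust is not the always-on VPN for the work profile")
    elif not vpn.get("lockdownEnabled"):
        findings.append("always-on VPN lockdown is off; work traffic can leak "
                        "when the tunnel is down")

    # Unspecified cross-profile values default to work-to-personal disallowed,
    # so only an explicit ALLOWED is a regression worth flagging.
    xp = policy.get("crossProfilePolicies", {})
    if xp.get("crossProfileCopyPaste") == "CROSS_PROFILE_COPY_PASTE_ALLOWED":
        findings.append("copy/paste from work to personal is allowed")
    if xp.get("crossProfileDataSharing") == "CROSS_PROFILE_DATA_SHARING_ALLOWED":
        findings.append("data sharing from work to personal is allowed")

    return findings


# Constructed sample: Trust merely offered in Play, no activation values,
# no always-on VPN, and cross-profile transfer explicitly opened up.
WEAK_POLICY = {
    "applications": [
        {"packageName": TRUST_PACKAGE, "installType": "AVAILABLE",
         "managedConfiguration": {}},
    ],
    "crossProfilePolicies": {
        "crossProfileCopyPaste": "CROSS_PROFILE_COPY_PASTE_ALLOWED",
        "crossProfileDataSharing": "CROSS_PROFILE_DATA_SHARING_ALLOWED",
    },
}

# Constructed sample: the configuration the steps above aim for.
HARDENED_POLICY = {
    "applications": [
        {"packageName": TRUST_PACKAGE, "installType": "FORCE_INSTALLED",
         "managedConfiguration": {"activation_key": "<from activation profile>",
                                  "tenant_id": "<from activation profile>"}},
    ],
    "alwaysOnVpnPackage": {"packageName": TRUST_PACKAGE, "lockdownEnabled": True},
    "crossProfilePolicies": {
        "crossProfileCopyPaste": "COPY_FROM_WORK_TO_PERSONAL_DISALLOWED",
        "crossProfileDataSharing": "DATA_SHARING_FROM_WORK_TO_PERSONAL_DISALLOWED",
    },
}


if __name__ == "__main__":
    for name, pol in (("weak", WEAK_POLICY), ("hardened", HARDENED_POLICY)):
        print(f"{name}: {lint_work_profile_policy(pol) or 'no findings'}")
```

Run it against the policy JSON exported from your UEM before assigning it to the BYOD enrollment group; any finding corresponds to one of the steps above that has not been completed.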

Work Profile Tips

  • Work profiles have been part of Android since Android 5.0; Android 11 reworked the work profile privacy model and added the work profile on company-owned devices.
    • If you are deploying to an older Android OS version, check which options are available to you.
  • There are generally significant differences in Android Enterprise behavior and compatibility across Android OS versions and device manufacturer OEMs. Test thoroughly!
  • Users can freely add and remove the Work Profile without a device factory reset. Removing the profile deletes the work apps and data it contains.
  • The Work Profile can be paused by users, which disables the profile and all apps within it. In this state, work apps are suspended or terminated and their notifications are disabled.
  • Apps within the Work Profile are badged with a briefcase icon to distinguish them from Personal apps.
  • Bear in mind that there are restrictions on which settings can be applied, depending on whether the device is personal or corporate owned.