Work Profile for Mixed Use Company Owned Devices


Work Profile for mixed-use company-owned devices, previously known as Corporate-owned, Personally Enabled (COPE), is an extension of Work Profiles for BYOD to devices that the organization itself owns.

Like Work Profiles, there is a clear segmentation of work and personal data and apps on the device. The managing organization is unable to "see" data in motion or at rest in the personal container.

However, the major difference is that IT gains the ability to apply device-wide settings, such as Wi-Fi configurations, restrictions on app installation in both the work and personal profiles, blocking USB file transfers, and more.


This management strategy is designed to preserve end-user data privacy while letting IT better "lock down" the physical asset that it ultimately owns.

Deploying Work Profile for Mixed Use Corporate Owned Device

Much as Apple's Automated Device Enrollment does for iOS/iPadOS, Google's zero-touch enrollment lets a company-purchased Android device enroll into MDM right out of the box, during the initial setup wizard.

Using Jamf Manager for Android

Jamf offers Manager for Android, a lightweight Android management tool that is included with Jamf for Mobile. Manager for Android is designed to quickly and easily enroll Android devices into management so that Jamf Trust can be reliably deployed to unlock Trusted Access outcomes.

Security and access policies for Apple and Android devices alike are then managed in the Jamf Security Cloud console.

Manager for Android is accessed via the Jamf Security Cloud console and is available for all customers that have purchased Jamf for Mobile licensing.

Steps

  1. Verify that the prerequisites for your environment are met.
  2. Set up Manager for Android in your Jamf environment.
  3. Configure apps, policies, and configurations based upon your device management strategy, security, and privacy requirements.
  4. Configure Jamf Security Cloud with an activation profile to enable Trusted Access outcomes, and enroll devices.
  5. Configure extended integration settings between Jamf Security Cloud and Manager for Android as required.

Using a Third Party Android UEM

Documenting Work Profile for Mixed Use Company Owned Devices on other UEMs is out of scope for this document, but you can refer to the documentation for Microsoft Endpoint Manager (now Microsoft Intune) as a starting point:

Deploying Jamf Trust

The Jamf Trust app is required to enable various security services on Android devices, including Jamf ZTNA.

Note for Manager for Android Deployments

Most of these steps are completed automatically when following the steps above in Using Jamf Manager for Android.

However, it is useful to review the concepts below as they apply to Manager for Android deployments as well.

ZTNA is used in the Jamf Trusted Access solution to enable access to company resources for the Work Profile partition on a properly enrolled Work Profile for Mixed Use Company Owned Device. Active threat defense is also enabled for apps and network traffic within the organization managed Work Profile.

Privacy Limitations

When deploying Jamf Trust to a Work Profile for Mixed Use Company Owned Device, it is only able to "see" and "protect" within the Work Profile partition. This is an intentional private-by-design attribute of this deployment model.

We discourage trying to deploy threat defense to the "personal" profile of the device. The personal profile cannot be targeted by automated deployment, and because of the end-user privacy implications, activation rates will be poor.

Instead, the goal of Trusted Access is to fortify your network access model such that company data is only reachable via the Work Profile, and cannot be accessed via the Personal Profile (even though it is the same device and user!).

If you require visibility and control of all the device's data and network connections, use Fully Managed enrollments instead.

The following high-level steps streamline deployment of the Jamf Trust app via your Android Enterprise-compatible MDM:

  1. Follow the steps in Enabling Access for Trusted Devices to configure Private Access in RADAR.
  2. Configure the Jamf Trust app via Managed Google Play.
    • When configuring the app's Configuration Settings, use the values presented in the Managed Configuration section of the Activation Profile created in the previous step.
    • The Jamf Trust app will be installed in the Work Profile partition on the device, not the Personal Profile.
  3. Define a new Android configuration profile in your MDM that enables Zero Touch Activation of Jamf Trust and assign this profile to your target devices.
    • Only threat defense capabilities will be enabled via zero touch. The user will still need to open the Jamf Trust app and authenticate with their identity provider credentials to activate Private Access.
  4. Automatically deploy the Jamf Trust app and the configuration profile created above to devices that enroll via Work Profile, so that secure networking is available to the applications within the Work Profile.

Per-App VPN on Work Profile for Mixed Use Corporate Devices

While you may use Per-App VPN for apps within the Work Profile, we recommend using the default configuration, which makes Private Access and Threat Defense available to all apps and network traffic within the Work Profile.
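As an added verification example (not code from Jamf's documentation or product), the following POSIX shell script checks over adb that an enrolled device actually has a work profile and that the Jamf Trust package landed in it rather than in the personal profile, which is the placement the deployment steps above describe. It assumes the "pm list users" line format shown in its comments, that the managed-profile flag in that line is 0x20, and that Jamf Trust's package name is com.jamf.trust; all three are assumptions to confirm against your own devices, and the sample output embedded in the script is constructed, not captured from a device.

```shell
#!/bin/sh
# Added example (not Jamf's or Google's code): verify over adb that a device has
# an Android Enterprise work profile and that a given package is installed only
# inside it, not in the personal profile.
#
# Assumptions: "pm list users" prints lines such as
#     UserInfo{10:Work profile:1030} running
# where the last field is the hex UserInfo flag word (FLAG_MANAGED_PROFILE is
# 0x20), and "pm list packages --user N" prints one "package:<name>" per line.
# Exact pm output varies by Android version and OEM, so test on your own fleet.
# The Jamf Trust package name below is also an assumption.

FLAG_MANAGED_PROFILE=32      # 0x20 in android.content.pm.UserInfo (assumed)
DEFAULT_PKG=com.jamf.trust   # assumed package name; confirm in Managed Google Play

# Print the user id of the first managed (work) profile found in the
# "pm list users" text passed as $1; print nothing if there is none.
work_profile_user_id() {
    printf '%s\n' "$1" |
    sed -n 's/.*UserInfo{\([0-9][0-9]*\):\([^:}]*\):\([0-9a-fA-F][0-9a-fA-F]*\)}.*/\1 \3 \2/p' |
    while read -r id flags name; do
        if [ $(( 0x$flags & FLAG_MANAGED_PROFILE )) -ne 0 ]; then
            echo "$id"
            break
        fi
    done
}

# Classify where package $1 lives, given the personal-profile ($2) and
# work-profile ($3) "pm list packages" text: work-only, personal-only, both, absent.
package_placement() {
    pkg=$1
    in_personal=$(printf '%s\n' "$2" | grep -c -x -F "package:$pkg" || true)
    in_work=$(printf '%s\n' "$3" | grep -c -x -F "package:$pkg" || true)
    case "$in_personal$in_work" in
        00) echo absent ;;
        01) echo work-only ;;
        10) echo personal-only ;;
        *)  echo both ;;
    esac
}

# Live check against the connected device (adb on PATH). Older adb versions
# emit CRLF line endings from "adb shell", hence the tr.
check_device() {
    pkg=${1:-$DEFAULT_PKG}
    users=$(adb shell pm list users | tr -d '\r')
    wid=$(work_profile_user_id "$users")
    if [ -z "$wid" ]; then
        echo "no work profile found: device is not in a work-profile enrollment mode" >&2
        return 1
    fi
    personal=$(adb shell pm list packages --user 0 | tr -d '\r')
    work=$(adb shell pm list packages --user "$wid" | tr -d '\r')
    echo "work profile user id: $wid"
    echo "$pkg: $(package_placement "$pkg" "$personal" "$work")"
}

# Constructed sample output (not captured from a real device) to exercise the
# parsers offline; note com.android.chrome is present in both profiles.
SAMPLE_USERS='Users:
        UserInfo{0:Owner:c13} running
        UserInfo{10:Work profile:1030} running'
SAMPLE_PERSONAL='package:com.android.chrome
package:com.google.android.gm'
SAMPLE_WORK='package:com.android.chrome
package:com.jamf.trust'

if [ "${1:-}" = "--live" ]; then
    check_device "$2"
else
    wid=$(work_profile_user_id "$SAMPLE_USERS")
    echo "sample work profile user id: $wid"
    for p in com.jamf.trust com.android.chrome com.google.android.gm; do
        echo "$p: $(package_placement "$p" "$SAMPLE_PERSONAL" "$SAMPLE_WORK")"
    done
fi
```

Run it with --live against a connected device that has USB debugging enabled; without arguments it exercises the parsers on the constructed sample. A result other than work-only for Jamf Trust, or no work profile id at all, means the device is not in this enrollment mode, and an existing device has to be factory reset and re-enrolled to get there.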

Deployment Tips

  • Work Profile on company-owned devices was introduced in Android 11. On Android 8 through 10 the equivalent mode was "Corporate-owned, personally enabled" (COPE), a fully managed device with a work profile; Google replaced it with the current mode, which gives the personal profile stronger privacy protections.
    • If you are deploying to an older Android OS version, check which enrollment options are available for it.
  • There are generally significant differences in Android Enterprise behavior and compatibility across Android OS versions and device manufacturer OEMs. Test thoroughly!
  • An existing device will need to be factory reset and re-enrolled to be entered into this enrollment mode; it cannot be migrated in place.
  • The Work Profile can be paused by users, which disables the profile and all apps within it. While paused, work apps are suspended or terminated, their notifications are disabled, and anything running inside the Work Profile, including Jamf Trust, is unavailable.
  • Apps within the Work Profile are marked with a briefcase badge to distinguish them from Personal apps.