This article shows how you can set up Android Work Profile on your Android devices.
Before starting, you might find it useful to watch this short video about the different Android enrollment and management methods.
- Your Miradore site must have either the Enterprise Plan or the free trial activated
- Managed Google Play Enterprise has been configured for your site
- Devices are running Android 5.0 or newer
- Devices are connected to Internet via Wifi or mobile data
- Devices are not work managed devices
While most do, some Android 5 devices don’t support the managed profiles. If you run into errors and are not sure whether your device supports managed profiles, download Google’s TestDPC from Google Play and try creating a managed profile using the app.
Why set up Android Enterprise Work Profile?
Once the requirements are met, administrators can create a work profile on the managed devices. The purpose of the work profile is to create a secure container for your work data and separate the private applications from the work applications. Administrators can then remotely manage the work container and deploy application silently to any device running Android 5.1 or above.
This is a particularly important solution for the companies that support personal devices deployment scenario, allowing the employees to bring personally-owned devices to work, and to use those devices to access privileged company information and applications securely, making sure that e.g. work contacts won’t get leaked via private instant messaging apps.
When a work profile is created on the device, the Miradore Client operates as the profile owner of the work data, and has only limited control outside of the work profile. This means that our client is no longer the device administrator of the device and can’t, for example, install Samsung KNOX/SAFE configuration profiles or wipe the device. It can, however, lock the device, install Wi-Fi networks, collect device location and enforce passcode policies like it normally would. The work profile can also be at any time removed from the device both by an administrator as well as the user.
How to enable Work Profile for legacy enrolled Android devices
If you already managing managing an Android device in the device administrator mode, you can enable the work profile from the Management > Devices page using the Managed Google Play > Create account/Work profile action button.
How to set up the Work Profile on Android devices
If the device is not yet managed with Miradore, go to Enrollment > Enroll device page on your Miradore site and choose Android.
Choose Light to enroll a device using the Work Profile mode.
Enter the device user’s email address, choose Work profile and send the enrollment invitation.
The system generates credentials for the enrollment and emails them to the device user.
The next pictures show how the enrollment process continues at the device end. First, user must click the Enroll now button from the email. This will take him/her to Google Play store. Next he/she clicks Install now and Install which starts the installation of the Miradore Client application.
User waits until the Miradore Online Client installation completes and clicks Open to open up the app. Then user is asked grant the required permissions for the app.
The user needs to allow all permission requests from the Miradore app.
Notice note that Miradore respects user’s privacy and security. It is not possible for anyone to access user’s personal contacts, phone calls, text messages, instant messages, files, or photos through Miradore.
The actual creation of the Work Profile begins immediately after the Miradore Online Client installation has completed and the Client has successfully connected to your Miradore site for the first time.
Device user can see a round Miradore icon on the notification area when the Client asks the user to approve the creation of the Work Profile.
Please note, that the device must be encrypted before proceeding. The encryption process may require that the device battery is charged up to 80% and the device is plugged in. When the encryption is complete, the managed profile creation continues.
Setting up Android Enterprise Work Profile takes a few minutes. Miradore app will show the Managed profile created screen to the device user when after the profile creation has completed successfully.
After a successful Work profile setup, the Miradore Online Client can be removed from the primary user profile running on the device. The uninstallation will be requested from the user automatically. After the Client uninstallation, the setup is ready at the device end. Device user can recognize the Work Profile apps by the orange briefcase icon.
The Show device button becomes active in Miradore after the enrollment has completed. You can open up the device form to see details about the device. You can follow the enrollment on the Device’s Action log, and also on the Enrollment log page.
The default tag Profile owner is added for each device where work profile has been successfully enabled. This helps to identify work profile devices in your Miradore site and can be used, for example, to create a separate business policy for work profile enabled devices.
A Work profile can also be automatically enabled to the devices during the device administrator enrollment process. Just add a tag afw to the enrollment or user and the work profile is automatically installed to the Android device that is enrolled with the created credentials.
If device’s Google Play store is older than the required version, it must be updated to ensure that managed Google play account can be created in the work profile. Play store should be updated automatically in the background, as long as the user has signed in to Google Play.