Android’s built-in management features enable IT admins to fully manage devices used exclusively for work.
Android offers two modes depending on the ownership of the device being used within your organization. The Work Profile (also called the Profile Owner) creates a dedicated space on the device for only work applications and data. This is the ideal deployment for Bring Your Own Device (BYOD) applications. Work Managed Device mode allows Workspace ONE UEM and the IT admin to control the entire device and enforce an extended range of policy controls unavailable to work profiles, but restricts the device to only corporate use. Corporate Owned Personally-Enabled (COPE) mode refers to company-owned devices, similar to Work Managed Device, but is provisioned with a Work Profile, which allows both personal and corporate use.
Work Profile Mode Functionality
Applications in the Work Profile, called badged applications, are differentiated by a red briefcase icon and are shown in a unified launcher with the user's personal applications. For example, your device shows both a personal icon for Google Chrome and a separate icon for Work Chrome denoted by the badge. From an end-user perspective, it looks like two different applications, but the application is only installed once with business data stored separately from personal data.
The Workspace ONE Intelligent Hub is badged and exists only within the Work Profile data space. There is no control over personal applications and the Workspace ONE Intelligent Hub does not have access to personal information.
There are a handful of system applications that are included with the Work Profile by default such as Work Chrome, Google Play, Google settings, Contacts, and Camera – which can be hidden using a restrictions profile.
Certain settings show the separation between personal and work configurations. Users see separate configurations for the following settings:
Credentials – View corporate certificates for user authentication to managed devices.
Accounts – View the Managed Google Account tied to the Work Profile.
Applications – Lists all applications installed on the device.
Security – Shows device encryption status.
Work Managed Device Mode Functionality
When devices are enrolled in Work Managed Device mode, a true corporate ownership mode is created. Workspace ONE UEM controls the entire device and there is no separation of work and personal data.
Important things to note for the Work Managed mode are:
The homescreen does not show badged applications like Work Profile mode.
Users have access to various pre-loaded applications upon activation of the device. Additional applications can only be approved and added through the Workspace ONE UEM console.
The Workspace ONE Intelligent Hub is set as the device administrator in the security settings and cannot be disabled.
Unenrolling the device from Work Managed mode prompts a device factory reset.
Corporate Owned Personally Enabled (COPE) Mode
When devices are enrolled using COPE mode, you still control the entire device. The unique capability of COPE mode is that it allows you to enforce two separate sets of policies, such as restrictions: one for the device and one inside the Work Profile.
COPE mode is only available on Android 8.0+ devices. If you enroll Android devices below Android 8.0, the device automatically enrolls as Work Managed Device.
There are some caveats to consider when enrolling devices into COPE mode:
PIN-based encryption and AirWatch Single Sign-On using the SDK are not supported for Corporate Owned Personally Enabled devices. A work passcode can be enforced to ensure that the use of work applications requires the use of a passcode.
Single user staging and Multi-user staging are not supported for COPE enrollments.
Internal applications (hosted in AirWatch) and public applications deployed to COPE devices are shown in the application Catalog within the Work Profile.
Similar to Work Profile only enrollments, Corporate Owned Personally Enabled devices provide users the option to disable the Work Profile (for example, if the user is on vacation). When the Work Profile is disabled, the work applications no longer present notifications and cannot be launched. The status (Enabled or Disabled) of the Work Profile is presented to the admin on the Device Details page. When the Work Profile is disabled, the latest application and profile information cannot be retrieved from the Work Profile.
The Workspace ONE Hub exists in the Work Managed and the Work Profile sections of the Corporate Owned Personally Enabled device. By existing both inside and outside the Work Profile, management policies can be applied within the Work Profile and the entire device. However, the Workspace ONE Hub is only visible within the Work Profile.
When push notifications are sent to the device, the Workspace ONE Hub outside the Work Profile is temporarily available for the user to view messages, ensuring that critical messages reach the user even if the Work Profile is temporarily disabled.
Assigned profiles can be viewed through the Workspace ONE Hub in the Work Profile.
Compliance policies for application management (such as block/remove applications) are only supported for applications within the Work Profile. Applications can be blacklisted on the device (outside the Work Profile) by using Application Control profiles.
An enterprise wipe will factory reset Corporate Owned Personally Enabled devices.