Android’s built-in management features enable IT admins to fully manage devices used exclusively for work.
Android offers several modes depending on the ownership of the device being used within your organization:
- Work Profile: Creates a dedicated space on the device for only work applications and data. This is the ideal deployment for Bring Your Own Device (BYOD) applications.
- Work Managed Device: Allows Workspace ONE UEM and IT admin to control the entire device and enforce an extended range of policy controls unavailable to work profiles, but restricts the device to only corporate use
- Corporate Owned Personally Enabled: Refers to company-owned devices, similar to Work Managed Device, but is provisioned with a Work Profile which uses both personal and corporate use.
- Work Managed Device Without Google Play Services: If you are using Workspace ONE UEM on Android Open Source Project (AOSP) devices, non- GMS devices, or using closed networks within your organization, you can enroll your Android devices using the Work Managed Device enrollment flow without Google Play Services
Work Profile Mode Functionality
Applications in the Work Profile are differentiated by a red briefcase icon, called badged applications, and are shown in a unified launcher with the user's personal applications. For example, your device shows both a personal icon for Google Chrome and a separate icon for Work Chrome denoted by the badge. From an end-user perspective, it looks like two different applications, but the application is only installed once with business data stored separately from personal data.
The Workspace ONE Intelligent Hub is badged and exists only within the Work Profile data space. There is no control over personal applications and the Workspace ONE Intelligent Hub does not have access to personal information.
There are a handful of system applications that are included with the Work Profile by default such as Work Chrome, Google Play, Google settings, Contacts, and Camera – which can be hidden using a restrictions profile.
Certain settings show the separation between personal and work configurations. Users see separate configurations for the following settings:
- Credentials – View corporate certificates for user authentication to managed devices.
- Accounts – View the Managed Google Account tied to the Work Profile.
- Applications – Lists all applications installed on the device.
- Security – Shows device encryption status.
Work Managed Device Mode Functionality
When devices are enrolled in Work Managed Device mode, a true corporate ownership mode is created. Workspace ONE UEM controls the entire device and there is no separation of work and personal data.
Important things to note for the Work Managed mode are:
- The homescreen does not show badged applications like Work Profile mode.
- Users have access to various pre-loaded applications upon activation of the device. Additional applications can only be approved and added through the Workspace ONE UEM console.
- The Workspace ONE Intelligent Hub is set as the device administrator in the security settings and cannot be disabled.
- Unenrolling the device from Work Managed mode prompts device factory reset.
Work Managed Device Without Google Play Services
If you are using Workspace ONE UEM on Android Open Source Project (AOSP) devices, non- GMS devices, or using closed networks within your organization, you can enroll your Android devices using the Work Managed Device enrollment flow without Google Play Services. You can host apps on your organization's intranet and use OEM specific enrollment methods for deployment.
You will need to specify in the UEM console that you are using AOSP/Closed Network during Android EMM Registration. For more information, see Register Android EMM with Managed Google Play Account.
- If you have already setup Android at a top Organization Group and want to deploy AOSP/ Closed network at a specific child Organization Group only, the UEM console admin has an option to specify that out of box enrollments at the child Organization Group will not have a managed Google account. For more information, see Enrollment Settings in the Android EMM Registration.
- If you are deploying devices using Workspace ONE UEM 1907 and below, there is no UEM console configuration required.
- If you are deploying devices using Workspace ONE UEM 1908 and higher, you must configure the settings in the Android EMM Registration page.
- The supported enrollment methods are:
- QR Code
- StageNow for Zebra devices
- Honeywell Enterprise Provisioner for Honeywell devices
- Enrollment through Workspace ONE Intelligent Hub identifier is not supportet on AOSP devices.
- Public Auto Update profile is not supported. This profile is specifically for public apps and will not function on devices on AOSP or closed networks
- Factory Reset Protection profile is not supported.
- Internal apps (hosted in the Workspace ONE UEM console) will deploy silently to the AOSP/ Closed network devices.
- Work Managed devices enrolled without a managed Google account should not be assigned any public apps and should not be considered in public app assignment device counts.
- OS Version & OEM requirements for Work Managed Device without Google Play Services:
- AOSP (non-GMS)
- Zebra and Honeywell - Must be on an OS version that supports StageNow or Honeywell Enterprise Provisioner enrollment.
- Other OEMs - Not supported unless OEM develops support for it via a client like StageNow or by allowing users to access QR Code enrollment.
- Closed Network
- Zebra and Honeywell - Android 7.0 and higher or must be on an OS version that supports StageNow (also 7.0 or higher) or Honeywell Enterprise Provisioner enrollment.
- Other OEMs - Android 7.0 or higher since QR Code enrollment is the only supported method.
- AOSP (non-GMS)
Corporate Owned Personally Enabled (COPE) Mode
When devices are enrolled using COPE mode, you still control the entire device. The unique capability with COPE mode is that it allows you to enforce two separate sets of policies, such as restrictions, for the device and inside a Work profile.
COPE mode is only available on Android 8.0+ devices. If you enroll Android devices below Android 8.0, the device automatically enrolls as Fully Managed Device.
There are some caveats to consider when enrolling devices into COPE mode:
- Pin Based encryption and Workspace ONE UEM Single Sign On by using SDK is not supported for Corporate Owned Personally Enabled devices. A work passcode can be enforced to ensure that the use of work applications requires the use of a passcode.
- Single user staging and Multi-user staging are not supported for COPE enrollments.
- Internal applications (hosted in Workspace ONE UEM) and public applications deployed to COPE devices are shown in the application Catalog within the Work Profile.
- Similar to Work Profile only enrollments, Corporate Owned Personally Enabled devices provide users the option to disable the Work Profile (for example, if the user is on vacation). When the Work Profile is disabled, the work applications no longer present notifications and cannot be launched. The status (Enabled or Disabled) of the Work Profile is presented to the admin on the Device Details page. When the Work Profile is disabled, the latest application and profile information cannot be retrieved from the Work Profile.
- The Workspace ONE Intelligent Hub exists in the Fully Managed and the Work Profile sections of the Corporate Owned Personally Enabled device. By existing both inside and outside the Work Profile, management policies can be applied within the Work Profile and the entire device. However, the Workspace ONE Intelligent Hub is only visible within the Work Profile.
- When push notifications are sent to the device, the Workspace ONE Intelligent Hub outside the Work Profile is temporarily available for the user to view messages, ensuring that critical messages reach the user even if the Work Profile is temporarily disabled.
- Assigned profiles can be viewed through the Workspace ONE Intelligent Hub in the Work Profile.
- Compliance policies for application management (such as block/ remove applications) are only supported for applications within the Work Profile. Applications can be blacklisted on the device (outside the Work Profile) by using Application Control profiles.
- An enterprise wipe will factory reset Corporate Owned Personally Enabled devices.
- Product Provisioning is not supported on COPE enrollments.