Set up Android Enterprise work profile for corporate owned devices - Microsoft Intune (2024)


Android Enterprise corporate-owned devices with a work profile are single user devices intended for corporate and personal use.

End users can keep their work and personal data separate and are guaranteed that personal data and applications will remain private. Admins can control some settings and features for the entire device, including:

  • Setting requirements for the device password
  • Controlling Bluetooth and data roaming
  • Configuring factory reset protection

Intune helps you deploy apps and settings to Android Enterprise corporate-owned devices with work profile. For specific details about Android Enterprise, see Android enterprise requirements.

Device requirements

Devices must meet these requirements to be managed as Android Enterprise corporate-owned work profile devices:

  • Android OS version 8.0 and above.
  • Devices must run a distribution of Android that has Google Mobile Services (GMS) connectivity. Devices must have GMS available and must be able to connect to GMS.

Set up Android Enterprise corporate-owned work profile device management

To set up Android Enterprise corporate-owned work profile device management, follow these steps:

  1. To prepare to manage mobile devices, you must set the mobile device management (MDM) authority to Microsoft Intune. You set this item only once, when you're first setting up Intune for mobile device management.
  2. Connect your Intune tenant account to your Managed Google Play account.
  3. Create an enrollment profile.
  4. Create a device group.
  5. Enroll the corporate-owned work profile devices.

Create an enrollment profile

Note

  • Tokens for corporate-owned devices with a work profile will not expire automatically. If an admin decides to revoke a token, the profile associated with it will not be displayed in Devices > Android > Android enrollment > Corporate-owned devices with work profile. To see all profiles associated with both active and inactive tokens, click on Filter and check the boxes for both "Active" and "Inactive" policy states.
  • For corporate-owned work profile (COPE) devices, the afw#setup enrollment method and the Near Field Communication (NFC) enrollment method are only supported on devices running Android 8-10. They are not available on Android 11. For more information, see the Google developer docs here.

You must create an enrollment profile so that users can enroll corporate-owned work profile devices. When the profile is created, it provides you with an enrollment token (random string) and a QR code. Depending on the Android OS and version of the device, you can use either the token or QR code to enroll the dedicated device.

  1. Sign in to the Microsoft Intune admin center.
  2. Go to Devices > Enrollment.
  3. Select the Android tab.
  4. Go to Android Enterprise > Enrollment Profiles, and choose Corporate-owned devices with work profile.
  5. Select Create profile.
  6. On the Basics page, enter a name and description for the profile so that you can distinguish it from other profiles in the admin center. Device users don't see these details.
  7. Select Next to continue to Scope tags.
  8. Optionally, apply one or more scope tags to limit restriction visibility and management to certain admin users in Intune. For more information about how to use scope tags, see Use role-based access control (RBAC) and scope tags for distributed IT.
  9. Choose Next to continue to Create + review.
  10. Review your choices, and then select Create to finish creating the profile.

Access enrollment token

After you create a profile, Intune generates a token that's needed for enrollment.

  1. Return to Devices > Enrollment, and select the Android tab.
  2. In the Enrollment Profiles section, choose Corporate-owned devices with work profile.
  3. From the list, select your enrollment profile.
  4. Select Token.

Another way to find the token is:

  1. Locate your profile in the list, and then select the More (...) menu that's next to it.
  2. Select View enrollment token.

The token appears as an eight-digit string and a QR code. Use this token to enroll based on the enrollment mechanisms described in the Android Enterprise corporate-owned device enrollment document.

Revoke or Export tokens

  • Revoke token: You can immediately expire the token/QR code. From this point on, the token/QR code is no longer usable. You might use this option if you:
    • accidentally share the token/QR code with an unauthorized party
    • complete all enrollments and no longer need the token/QR code
  • Export token: You can export the JSON content of the token/QR code. You might use this option to easily paste JSON content to enroll with Zero Touch Enrollment (ZTE) or Knox Mobile Enrollment (KME).

Revoking or exporting a token/QR code doesn't have any effect on devices that are already enrolled.

  1. In the admin center, go to Devices > Enrollment.
  2. Select the Android tab.
  3. Under Android Enterprise > Enrollment Profiles, choose Corporate-owned devices with work profile.
  4. Choose the profile that you want to work with.
  5. Choose Token.
  6. To revoke the token, choose Revoke token > Yes.
  7. To export the token, choose Export token.
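Because a shared token has to be revoked, it helps to keep exported JSON out of tickets and chat logs in the first place. The following is an added example, not part of the original article or of Intune: it masks the token in an export and scans text lines for unmasked tokens. It assumes the export uses the standard Android provisioning extras keys shown in the code; the sample lines and the token value are constructed.

```python
import json
import re

# Assumed key names (Android provisioning extras); verify against your own export.
BUNDLE_KEY = "android.app.extra.PROVISIONING_ADMIN_EXTRAS_BUNDLE"
TOKEN_KEY = "com.google.android.apps.work.clouddpc.EXTRA_ENROLLMENT_TOKEN"
MASK = "<REDACTED>"

def redact_export(export_json):
    """Return the exported JSON with the token masked, safe to attach to a ticket."""
    doc = json.loads(export_json)
    bundle = doc.get(BUNDLE_KEY)
    if not isinstance(bundle, dict) or TOKEN_KEY not in bundle:
        raise ValueError("no enrollment token found in export")
    bundle[TOKEN_KEY] = MASK
    return json.dumps(doc, sort_keys=True)

# Matches the key followed by its value, in plain JSON or JSON escaped inside a log string.
_LEAK = re.compile(re.escape(TOKEN_KEY) + r'\\?"\s*:\s*\\?"([^"\\]+)')

def find_exposures(lines):
    """Return (line_number, masked_token) for each line carrying an unmasked token."""
    hits = []
    for number, line in enumerate(lines, 1):
        for match in _LEAK.finditer(line):
            token = match.group(1)
            if token != MASK:
                hits.append((number, token[:2] + "*" * (len(token) - 2)))
    return hits

# Constructed export and constructed log lines; "12345678" is not a real token.
SAMPLE_EXPORT = json.dumps({BUNDLE_KEY: {TOKEN_KEY: "12345678"}})
SAMPLE_LINES = [
    "10:02 helpdesk: attaching redacted export " + redact_export(SAMPLE_EXPORT),
    "10:05 contractor: here is the QR payload " + SAMPLE_EXPORT,
    r'10:09 app log msg="{\"' + TOKEN_KEY + r'\":\"12345678\"}"',
]

if __name__ == "__main__":
    for number, masked in find_exposures(SAMPLE_LINES):
        print(f"line {number}: token {masked} exposed, revoke it in the admin center")
```
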

Create a device group

You can target apps and policies to either assigned or dynamic device groups. You can configure dynamic Microsoft Entra device groups to automatically populate devices that are enrolled with a particular enrollment profile by following these steps:

  1. Sign in to the Microsoft Intune admin center.
  2. Go to Groups > All groups > New group.
  3. Fill out the required fields as follows:
    • Group type: Security
    • Group name: Type an intuitive name, like Factory 1 devices
    • Membership type: Dynamic device
  4. Select Add dynamic query.
  5. For Dynamic membership rules, fill out the fields as follows:
    • Add dynamic membership rule: Simple rule
    • Add devices where: enrollmentProfileName
    • In the middle box, choose Equals.
    • In the last field, enter the enrollment profile name that you created earlier.

     For more information about dynamic membership rules, see Dynamic membership rules for groups in Microsoft Entra ID.
  6. Choose Add query > Create.
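The same group can be described as a Microsoft Graph request body. This added example (not from the original article) builds the rule that the Simple rule editor produces for enrollmentProfileName Equals, rejects profile names that would break out of the quoted value, and previews which inventory records the rule would match. The group and profile names and the device records are constructed, and the preview assumes that -eq ignores case.

```python
import json

GRAPH_GROUPS_URL = "https://graph.microsoft.com/v1.0/groups"  # POST target

def build_membership_rule(profile_name):
    """Rule text equivalent to: enrollmentProfileName Equals <profile_name>."""
    name = profile_name.strip()
    if not name:
        raise ValueError("enrollment profile name is empty")
    # Refuse characters that could close the quoted value and alter the rule.
    if any(c in name for c in '"`\r\n'):
        raise ValueError("profile name contains a quote, backtick or line break")
    return f'(device.enrollmentProfileName -eq "{name}")'

def build_group_payload(group_name, profile_name):
    """Request body for a security group with dynamic device membership."""
    nickname = "".join(ch for ch in group_name if ch.isascii() and ch.isalnum())[:64]
    return {
        "displayName": group_name,
        "mailEnabled": False,
        "mailNickname": nickname or "devicegroup",
        "securityEnabled": True,              # Group type: Security
        "groupTypes": ["DynamicMembership"],  # Membership type: Dynamic device
        "membershipRule": build_membership_rule(profile_name),
        "membershipRuleProcessingState": "On",
    }

def preview_members(devices, profile_name):
    """Names of inventory records the rule would match (assumes -eq ignores case)."""
    wanted = profile_name.strip().casefold()
    return [d["deviceName"] for d in devices
            if (d.get("enrollmentProfileName") or "").casefold() == wanted]

# Constructed inventory, not real devices.
SAMPLE_DEVICES = [
    {"deviceName": "pixel-001", "enrollmentProfileName": "COPE Factory 1"},
    {"deviceName": "pixel-002", "enrollmentProfileName": "cope factory 1"},
    {"deviceName": "tab-014", "enrollmentProfileName": "Kiosk Lobby"},
    {"deviceName": "byod-233", "enrollmentProfileName": None},
]

if __name__ == "__main__":
    body = build_group_payload("Factory 1 devices", "COPE Factory 1")
    print("POST", GRAPH_GROUPS_URL)
    print(json.dumps(body, indent=2))
    print("would match:", preview_members(SAMPLE_DEVICES, "COPE Factory 1"))
```
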

Enroll the corporate-owned work profile devices

Users can now enroll their corporate-owned work profile devices.

Note

The Microsoft Intune app is automatically installed during enrollment. This app is required for enrollment and can't be uninstalled. If you deploy the Intune Company Portal app to a device and the user attempts to launch the app, they will be redirected to the Microsoft Intune app, and the Company Portal app icon will be hidden.

Managing apps on Android Enterprise corporate-owned work profile devices

Apps are installed from the Managed Google Play store in the same manner as Android Enterprise personally owned work profile devices.

Apps are automatically updated on managed devices when the app developer publishes an update to Google Play.

To remove an app from Android Enterprise corporate-owned work profile devices, you can either:

  • Delete the Required app deployment.
  • Create an uninstall deployment for the app.

Next steps

  • Deploy Android apps
  • Add Android configuration policies

FAQs

How do I enroll a company owned Android device in Intune?

Sign in to the Microsoft Intune admin center. Go to Devices > Enrollment. Select the Android tab. Go to Android Enterprise > Enrollment Profiles, and choose Corporate-owned devices with work profile.

How do I create a work profile on Android Intune?

Open the Intune Company Portal app and sign in with your work or school account. On the Company Access Setup screen, review the tasks required to enroll your device. Then tap BEGIN. On the privacy information screen, review the list of items that your organization can and can't see on your device.

How to setup Microsoft Intune for Android?

Create an enrollment profile
  1. Sign in to the Microsoft Intune admin center.
  2. Go to Devices > Enrollment.
  3. Select the Android tab.
  4. In the Enrollment Profiles section, choose Corporate-owned dedicated devices.
  5. Select Create profile.
  6. Enter the basics for your profile: ...
  7. Select Next to continue to Scope tags.

Can I create my own work profile on Android?

To create a work profile:
  1. At the prompt, tap Accept & continue.
  2. Tap Next and follow the prompts to set up your work profile.
  3. If prompted to set a screen lock for your device, tap Start and follow the steps.
  4. Tap Install Next to install work apps.
  5. Tap Done.

What is corporate owned personally enabled Android?

Android Corporate Owned Personally-Enabled (COPE) mode gives Workspace ONE UEM control of the entire device while still deploying a Work profile for the user to use the device as a personal device. COPE is a hybrid between Work Profile and Work Managed Device modes.

How do I allow users to enroll corporate owned user devices?

In the admin center, go to Devices > Android. Select Android enrollment. Under Enrollment profiles, choose Corporate-owned, fully managed user devices. Verify that the setting for Allow users to enroll corporate-owned user devices is set to Yes.

What is work profile setup on Android?

A work profile is a self-contained profile on an Android device for storing work apps and data. Work profile allows separation of work apps and data, giving organizations full control of the data, apps, and security policies within a work profile.

How do I set up an Android profile?

To set up multiple users and Guest mode on an Android phone, you first need to enable these features:
  1. From Settings, pick System > Multiple users.
  2. Turn on the Allow multiple users toggle switch. You'll then see the options to add secondary users and to switch to Guest mode.

Does Intune create a work profile?

We begin by integrating Android Enterprise with Intune, turning on Android Enterprise in Intune, and setting up an Android Enterprise Work Profile. After completing these procedures, we provide select Android apps permission to be deployed to the Work profile from the Managed Google Play store.

What is the difference between Android device administrator and Android enterprise?

Android device administrator (sometimes referred to as legacy Android management and released with Android 2.2) is a way to manage Android devices. However, improved management functionality is available with Android Enterprise in countries where Android Enterprise is available.

How do I set up a work profile?

How to configure MDM for work profile
  1. Navigate to Groups & Settings.
  2. Then, select All Settings.
  3. Next select Android.
  4. Select Android EMM Registration (Figure 1)
  5. Follow the prompts to complete the registration.

How does Android Enterprise work?

Android Enterprise is a Google-led initiative to enable the use of Android devices and apps in the workplace. The program offers APIs and other tools for developers to integrate support for Android into their enterprise mobility management (EMM) solutions.

Can I have 2 work profiles on my Android phone?

A user can have multiple profiles. Profiles are created through a Device Administration application. A profile always has an immutable association to a parent user, defined by the user that created the profile.

How do I unlock my work profile on Android?

The work profile can be locked if the device does not meet the Compliance Control security requirements. To unlock the work profile, the user of the mobile device must enter a one-time work profile passcode on the locked screen.

Can Android have multiple work profiles?

You can only have 1 work profile per Android personal user account, but you can have multiple user accounts so you should be able to have multiple work profiles, but the notifications across the accounts may be limited as the "active" account gets the vast majority of the system processing rights, and the permissions ...

How do I enroll an existing device to Intune?

The user can download and install the Intune Company Portal app from the Microsoft Store and walk through the process within the app to enroll the device into Microsoft Intune. Once this process is complete, the device is enrolled as a personal device with only a few management options and insights for IT to work with.

How do I enroll a shared device in Intune?

Create the profile
  1. Sign in to the Microsoft Intune admin center.
  2. Select Devices > Configuration > Create > New policy.
  3. Enter the following properties: ...
  4. Select Create.
  5. In Basics, enter the following properties: ...
  6. Select Next.

How do I add a Company Portal to Intune apps?

Create and Assign the Company Portal app
  1. Sign in to the Microsoft Intune admin center with your admin account.
  2. Select Apps > All apps > Add.
  3. In Select app type pane, select Microsoft Store app (new) under the Store app section.
  4. Choose Select at the bottom of the page to begin creating an app from the Microsoft Store.

Article information

Author: Ouida Strosin DO
