This article shows how to enable work profile to Android devices.
- Enterprise Plan subscription or trial.
- Managed Google Play Enterprise has been configured.
- Miradore Online client 2.4.0 installed to the devices.
- Devices are running Android 5.0 or newer.
- Devices are not work managed devices
While most do, some Android 5 devices don't support the managed profiles. If you run into errors and are not sure whether your device supports managed profiles, download Google's TestDPC from Google Play and try creating a managed profile using the app.
Once the requirements are met, administrators can create a work profile on the managed devices. The purpose of the work profile is to create a secure container for your work data and separate the private applications from the work applications. Administrators can then remotely manage the work container and deploy application silently to any device running Android 5.1 or above.
This is a particularly important solution for the companies that support personal devices deployment scenario, allowing the employees to bring personally-owned devices to work, and to use those devices to access privileged company information and applications securely, making sure that e.g. work contacts won't get leaked via private instant messaging apps.
When a work profile is created on the device, the Miradore Online client operates as the profile owner of the work data, and has only limited control outside of the work profile. This means that our client is no longer the device administrator of the device and can't, for example, install Samsung KNOX/SAFE configuration profiles or wipe the device. It can, however, lock the device, install Wi-Fi networks, collect device location and enforce passcode policies like it normally would. The work profile can also be at any time removed from the device both by an administrator as well as the user.
To enable the work profile on enrolled devices, navigate to to Mobile management > Devices. Then, search and select the desired devices and start Create managed Google account/work profile action from the page action menu. Click on the Create button to confirm the work profile installation.
This queues work profile installation command for the selected devices. The device end-users will see a notification that work profile creation has been requested by the administrator.
Once notification is selected, the following dialog is shown to the user. Choose OK to proceed with work profile installation.
If Google Play store is older than the required version, it must be updated to ensure that managed Google play account can be created in the work profile. Play store should be updated automatically in the background, as long as the user has signed in to Google Play. To open the Play store and sign in, a button is shown to the user in this case (left picture below).
When the dialog has been accepted, Google's work profile set up wizard is launched. The user must give permissions to create the work profile and allow the Miradore Online client to become owner of the profile.
Please note, that the device must be encrypted before proceeding. The encryption process may require that the device battery is charged up to 80% and the device is plugged in. When the encryption is complete, the managed profile creation continues.
Once approved, the work profile is created and the Miradore Online client is launched in the work profile. It then finalizes the work profile installation. This can take up to several minutes since the process removes most of the system applications from the work profile and may update Google Play Services. When the environment has been prepared, it creates managed Google Play account with one-time authentication tokens received from Miradore Online.
Once the work profile installation and managed Google Play Account creation are finished, applications in the work profile are displayed with a briefcase badge icon to separate from the rest of the applications.
Finally, the Miradore Online client running on the primary user profile will be deactivated, and a dialog is shown to prompt the user to completely uninstall it from the private side.
Click on OK and the Miradore Online client is uninstalled from the primary user. Only the created work profile remains and the Miradore Online client operates as the profile owner of the work data.
Now, the device is ready for managed Google Play deployments. You can check that the profile owner status is shown on the device page correctly. Also the default tag Profile owner is added for each device where work profile has been successfully enabled. This helps to identify work profile devices in your Miradore Online site and can be used, for example, to create a separate business policy for work profile enabled devices.
A Work profile can also be automatically enabled to the devices during the enrollment process. Just add a tag afw to the enrollment or user and the work profile is automatically installed to the Android device that is enrolled with the created credentials. The process of creating the work profile on the device is the same as above.
Please send comments to firstname.lastname@example.org.