Work profile on company owned device (WP-C)

With Android 10 and lower deployments, the COPE use case is supported by the fully managed device with a work profile deployment mode. With this mode, an IT admin has full visibility and control over the user's personal area, and the user does not have privacy. To better protect user privacy, a new mode is introduced with Android 11.

With the introduction of Android 11, company-owned devices deployed with a work profile are referred to as work profile on company-owned devices, or WP-C. WP-C is the preferred terminology when describing Android 11 company-owned devices deployed with a work profile, but it should not be used in cases where using the term work profile generically would be sufficient.

Android 11 uses the same privacy protections as a work profile on personally-owned devices, and extends them to WP-C devices. This is accomplished by introducing the concept of ownership, which determines what an IT admin can and cannot do with a work profile on the device.

Previously, when a work profile was added from the setup wizard using the provisioning tools in Android 10, the device was recognized as personally owned.

Going forward, when a work profile is added to a device from the setup wizard, Android 11 recognizes the device as company-owned, and a wider range of asset management and device security policies is available to the device policy controller (DPC). If a work profile is added at any other time, it is considered a work profile on a personally-owned device. The behavior and features available to work profiles on personally-owned devices remain unchanged.

For more information on the functionality both introduced and deprecated with Android 11, go to: What's new for enterprise in Android 11.

Migration

Android 10 devices that upgrade to Android 11 automatically migrate an existing work profile on a fully managed device to the added work profile features on WP-C devices.

NOTE – Configuring a fully managed device with a work profile is not permitted on the Android 11 platform. After setting up the fully managed device, the DPC’s request to create a work profile fails with no workaround.

Keep in mind, the following occurs during an Android 11 upgrade from a fully managed device with a work profile to a WP-C device:

  • Device owner (DO) mode is disabled

  • The Knox policies available on new WP-C devices, and called by EMMs, are silently migrated to the profile owner

  • Those Knox policies not available on new WP-C devices are unset

A fully managed device with a work profile will undergo the following changes upon upgrade to Android 11:

  • A new device ownership flag is set to company-owned, granting additional privileges to the profile owner

  • Device-level and personal use policies previously set by the device owner are silently migrated to the profile owner or are unset

  • The now redundant device owner is disabled, its privileges revoked, and any cross-profile communication with the profile owner is stopped

Lists of migrated and unset Android policies can be reviewed in Appendix A and Appendix B of Google's EMM Migration Guidelines, which requires a partner login.

The complete lists of policies are found as follows:

  • Migrated policies are listed in Appendix A of Google's guidelines. Policies are migrated silently, and DPCs need to query the policy state if they want to review it in greater detail.
  • Unset policies are listed in Appendix B of Google's guidelines. Policies that are not migrated are removed, for example the managed configurations applied to apps in the personal profile.
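
Because the migration is silent, a DPC can read the state back after the upgrade and compare it with what the EMM had set. The following is an added example, not code from Samsung's or Google's documentation: it uses the Android framework's DevicePolicyManager to confirm the company-owned flag and read one device-wide policy through the parent instance. The class name, the expectedCameraDisabled parameter and the choice of camera disablement as the sample policy are assumptions; the page does not say which appendix that policy falls under.

```java
import android.app.admin.DevicePolicyManager;
import android.content.ComponentName;
import android.content.Context;
import android.os.Build;
import java.util.ArrayList;
import java.util.List;

/** Added example (hypothetical class): post-upgrade policy drift check for a DPC. */
public final class WpcMigrationAudit {
    private WpcMigrationAudit() {}

    /**
     * Runs inside the work profile. expectedCameraDisabled is the value the EMM
     * recorded before the upgrade (assumption: the EMM keeps such a record).
     * Returns findings; an empty list means the checked state matches.
     */
    public static List<String> audit(Context ctx, ComponentName admin,
                                     boolean expectedCameraDisabled) {
        List<String> findings = new ArrayList<>();
        if (Build.VERSION.SDK_INT < Build.VERSION_CODES.R) {
            findings.add("Below Android 11: no WP-C migration to audit");
            return findings;
        }
        DevicePolicyManager dpm = ctx.getSystemService(DevicePolicyManager.class);
        if (dpm == null || !dpm.isProfileOwnerApp(ctx.getPackageName())) {
            // Parent-instance calls below throw SecurityException otherwise.
            findings.add("DPC is not the profile owner of this user");
            return findings;
        }
        if (!dpm.isOrganizationOwnedDeviceWithManagedProfile()) {
            // Personally-owned work profile: device-wide policies are not available.
            findings.add("Ownership flag is not company-owned");
            return findings;
        }
        // Device-wide policies are read through the parent instance.
        DevicePolicyManager parent = dpm.getParentProfileInstance(admin);
        boolean cameraDisabled = parent.getCameraDisabled(admin);
        if (cameraDisabled != expectedCameraDisabled) {
            findings.add("Camera policy drift: expected " + expectedCameraDisabled
                    + ", device reports " + cameraDisabled);
        }
        return findings;
    }
}
```

Reporting the returned findings to the EMM server lets an admin reapply any policy that was unset rather than migrated.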

KSP post migration

EMM vendors supporting KSP need to ensure they:

  • Do not uninstall the KSP app in user0 prior to an Android 11 upgrade

  • Make sure the KSP app is updated to the latest version prior to the upgrade. If the KSP app is not updated to the latest version, the device may go into a bad state

After the upgrade to Android 11, the Knox framework uninstalls the app from user0.

The following KSP features are not supported in WP-C mode:

  • Enterprise Billing policy

  • Universal Credential Manager policy

  • Certificate management policies

  • Client Certificate management (CCM) policies

  • Network Platform Analytics (NPA)

Knox API

As described in Work profile on company-owned devices, Android 11:

For a summary of allowed Knox API methods, go to: Knox APIs in the personal profile. If a particular method is not listed, it is not allowed.

To use allowed Knox API methods in the personal profile, you now need to call one of the new Knox SDK v3.7 API methods, EnterpriseDeviceManager.getParentInstance or EnterpriseKnoxManager.getParentInstance.