Android Work Profile (previously Android for Work) is a native Google solution that lets you create separate business profiles on personal devices and improves the management and security capabilities over those devices. It lets you securely isolate business data from private data on employees’ devices.
To set up Managed Google Play Accounts functionality in FAMOC you need to prepare:
A Google account that is not assigned to any Google domain (e.g. testAccount@gmail.com)
An organization in FAMOC and admin privileges
First, navigate to the Organization Settings via the “User Menu” button. Then, in the Android tab, click “Enroll” in the Managed Google Play Account section.
The first step of the process is to click “Authorize Google”.
You’ll be forwarded to Google’s Admin sign up portal to create a new enterprise. Click “Sign in” and enter your organization’s Google account credentials to be used for Managed Google Play and Android Enterprise. The account used will become the owner of the enterprise.
Note: The account used cannot be a G Suite account.
After signing in you’ll be forwarded back to the Admin sign up portal. Click “Get started” and fill in the required Business name field. Then click “Next” to proceed.
Fill in the Data Protection Officer and EU Representative data if available. Providing the data at this point is optional. Read the Managed Google Play agreement and tick the box at the bottom of the page, then click “Confirm” and finally “Complete Registration”.
At this point, you’ll be redirected to FAMOC and notified that the account was enrolled successfully. Click “Next” to proceed and publish your applications.
Android Work Profile settings
After successful enrollment you can activate the Android Work profile in the Policies tab in FAMOC. Work profile settings allow the admin to set work profile restrictions and to configure and set permissions for applications.
To activate Android work profile in the policy:
Go to ADVANCED => Settings => Policies tab.
Add a new Policy template or edit an existing one.
Select Work profile tab and click Enable work profile in a current policy.
Main work profile settings
Mark the checkbox next to: Enable Samsung KNOX API in work profile to use KNOX API.
If you select that option, additional features will be displayed:
Work profile settings
To activate KNOX in the policy, a proper KNOX license key must be provided. The KNOX license can be added, changed or removed using the plus/minus icons next to the license key field.
If set, an additional operation for Samsung KNOX attestation process will be added to the queue and will check the device’s software integrity before creating the KNOX container.
Work profile components
In the next tab you can configure Policy components. Available components are Applications and Configurations.
NOTE: You can only choose from apps that were previously added to FAMOC. Process of adding apps is described here.
You can decide which apps will be installed with the policy by clicking Select application.
Select each app by clicking the checkbox next to its name. To confirm your choice, click the Select button in the bottom right corner.
Selected applications will be installed in the Work Profile container while applying the policy on the device and will be marked with the briefcase icon.
When the policy assigned to a device is changed, the new policy will be applied and the new list of applications will be installed. When selecting an application, it is possible to specify the number of installation retries (in case an application installation is cancelled by the user, FAMOC will retry the operation). Possible options:
Installation obligatory (default option) – if the installation is canceled, it will be applied again on each following day.
One installation attempt – if the installation is canceled, it will not be retried.
Several installation attempts – the installation will be retried the specified number of times.
Policy components can be placed in a custom installation order using the down/up arrows in the Order column. By default, items are installed in sequence (the next item starts when the previous one has been successfully installed). An item can be marked as independent (Independent column), which means the next action starts independently of the previous action, without waiting for its success report.
Select Ignore failure to execute the next action if the previous one failed.
To add a configuration to the policy, click the Select configuration button. A popup with the configuration list will appear.
Configuration can be set for:
Peak – configuration will be applied in peak
Off-peak – configuration will be applied in off-peak
Always – configuration will be applied always
Work profile restrictions
In the Work profile restrictions tab the admin can configure:
Enable/Disable USB debugging – allows or blocks the possibility to install applications through ADB to the work profile. If disabled, applications will be installed only in the private part of the device.
Enable unknown sources – allows or blocks the possibility to install applications through .apk files to the Work Profile. The policy will not be active on Android 5.0 devices (installation of .apk is blocked).
Block screen capture in applications that run in the work profile, to prevent data from being shared that way.
Disable accounts modification - blocks the possibility to add, edit or delete an account.
Disable camera - blocks the possibility to use the camera.
Disable cross profile copy-paste
Disable application control
Disable one lock code - blocks the possibility to use one lock code for the device and Work Profile.
Allow moving apps to work profile
In this section the admin can enable Google system applications in the work profile so that they are automatically accessible to users after profile activation. The applications enabled on the device may differ, as some Android versions (especially branded versions) may not include all listed system applications. The admin can change the list of enabled applications and hide them according to needs. The default applications, which are always visible after profile activation, are FAMOC Base Agent and managed Google Store.
In this tab you can set global permission policy and set exceptions for specific apps.
Runtime permission policy – a setting that controls the behavior of applications that ask for a specific permission while running. You can set three values:
Managed by user – default value; the user will be asked to give apps access to functions that require a specific permission. The user will also be able to change permissions for an application.
Allow – applications that ask for a permission will have it granted automatically and the user will not be able to change it.
Deny – applications that ask for a permission will have it denied automatically and the user will not be able to change it.
Work profile lock code
Each user of a work profile on a device with Android 7.0 or higher must have a work profile password set, which will be required to open work profile applications. The password rules can be set through the Android Work profile lock code configuration. During the enrollment process the user will be asked to provide a compliant password; until then they will not be authorized to use work profile applications on the device. When connecting DO + AFW, it is possible to set a password in the Work profile container on devices with Android 8.0 or higher.
To create the configuration and assign it to a policy, the admin needs to:
Go to the Config center -> Configurations tab.
Click the Add configuration button.
Choose the configuration named Android Work profile lock code from the list (in the Security -> Device security section).
On the configuration view, set up the password policy from the possible options:
Work profile lock complexity,
Minimum work profile lock length,
Maximum failed attempts, after which work profile will be wiped from the device.
Save the configuration and choose it as a policy component in the work profile policy.
During enrollment of a device with Android 7.0 or higher, the user will be asked to provide a compliant password; until then work profile applications will not be accessible (icons will be greyed out).
To be able to configure managed Google Play Account profile on the device, the device needs to meet the following system requirements:
Android OS version 5.0 or higher
Support for work profile functions
The device has to be encrypted – a password must be set on the device before Android starts
The device has to have a lock code set
NOTE: For devices with Android OS version < 6.0 the Android work profile functions are limited, as it is not required by Google in these system versions and the device producers could remove Android support for work profile in their branded software.
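The requirements above can be checked before a device is enrolled. The following is an added example, not part of FAMOC or of the original page: a shell function that evaluates values collected from a device (for instance over adb) against the listed requirements. The function name, the verdict strings and the operator-supplied lock_set flag are assumptions made for illustration.

```shell
# Added example: pre-enrollment check of the work profile requirements.
# Inputs are values collected beforehand, for example:
#   sdk      : adb shell getprop ro.build.version.sdk
#   features : adb shell pm list features
#   crypto   : adb shell getprop ro.crypto.state
#   lock_set : "yes" or "no", recorded by the operator (assumption: not read
#              from the device here; the start-up password is not verified)
work_profile_ready() {
    sdk=$1; features=$2; crypto=$3; lock_set=$4
    problems=""

    # Android 5.0 corresponds to API level 21.
    case $sdk in
        ''|*[!0-9]*) problems="$problems bad-sdk" ;;
        *) [ "$sdk" -ge 21 ] || problems="$problems os-too-old" ;;
    esac

    # Work profile support is advertised as the managed_users system feature.
    printf '%s\n' "$features" | grep -q 'android\.software\.managed_users' \
        || problems="$problems no-work-profile-support"

    # Storage encryption and a device lock code are both required.
    [ "$crypto" = "encrypted" ] || problems="$problems not-encrypted"
    [ "$lock_set" = "yes" ] || problems="$problems no-lock-code"

    if [ -n "$problems" ]; then
        echo "NOT_READY:$problems"
        return 1
    fi
    # Below Android 6.0 (API level 23) work profile functions are limited.
    if [ "$sdk" -lt 23 ]; then
        echo "READY_LIMITED"
    else
        echo "READY"
    fi
}

# Constructed sample values (not captured from a real device).
SAMPLE_FEATURES='feature:android.hardware.camera
feature:android.software.managed_users'
work_profile_ready 22 "$SAMPLE_FEATURES" encrypted yes
```

A NOT_READY verdict lists every unmet requirement, so the device owner can fix all of them before the policy is refreshed.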
If the device meets all the requirements, the work profile will be created automatically if you enable it in the policy. If you enroll a device for the first time, the profile will be activated during the enrollment process. If the device is already registered in FAMOC, you will have to refresh the policy on the device once the work profile has been activated.
Click notifications when they appear.
Click on SET UP and OK on the profile activation screen. Delete all previously installed FAMOC Agents manually if needed.
Work apps icons will be visible on the device.
The FAMOC Base Agent will be reinstalled in the work profile.
At the end of the process the Google Play for Work Store opens and you need to accept the Terms of service.
You can view successful operations in the Logs tab in FAMOC.
Security of business data
The admin can block users’ access to enterprise applications and data in two ways:
Disable work profile – after this operation all applications in the profile will be hidden (except FAMOC Base Agent) and the user will not be able to use them until the profile is enabled.
Enterprise wipe – after this operation the work profile with the assigned Google account will be removed from the device. All enterprise data will be erased, and a new enrollment is needed to enable the work profile again. After an enterprise wipe, the user needs to uninstall FAMOC Base Agent from the private Play Store to be able to enroll the device into FAMOC again.
To block the user’s access to enterprise data:
Go to the device details page.
Go to the ‘Security’ tab.
There you can see two tabs, which are responsible for disabling the profile and for enterprise wipe.