In the BYOD model, employees are encouraged to use their own devices for work. To separate work and private data, it is suggested to use Work Profile, a dedicated tool for managing the professional space on Android devices. FAMOC gives you intuitive options to configure Work Profile according to your needs.
Before you start configuring Work Profile in your policy, you must enroll your FAMOC account with Google Enterprise. This process is described in the Android Work Profile Guide. Once that is done, you can enable Android Work Profile in your policy. Edit or create a new template and select the Work Profile tab. Click Enable work profile in a current policy.
Android Work Profile General settings
To keep corporate data secure, it is recommended to disallow transferring data from the Work Profile to the personal part of the device. We suggest the following settings:
Block screen capture - prevents corporate data from being shared through screenshots or screen recording.
Disable account modification - makes sure that only the company’s account works within Work Profile.
Disable cross profile copy-paste - the user will not be able to transfer any information outside Work Profile using the copy-paste method.
Disable application control - the user will not be able to uninstall or disable apps, or modify app data.
Runtime permission policy: Deny - the user will not be able to change application permissions.
Below you will find a list of Android system applications. By default, all of them are disabled and the user will not be able to use them within Work Profile. It is up to you to decide whether to enable some of them.
Android Work Profile Applications
In the next tab you can configure Policy components. Available policy components are Applications and Configurations.
NOTE: You can only choose from apps that were previously added to FAMOC. The process of adding apps is described here.
You can decide which apps will be installed with the policy by clicking Select application.
Select apps by clicking the checkbox next to each app's name. To confirm your choice, click the Select button in the bottom right corner.
These apps will now be available in the Work Profile container on the device and will be marked with the briefcase icon.
Setting up security code
To protect access to the Work Profile, it is required to add an Android Work Profile lock code. This code may be customized in ADVANCED > Config center > Configurations tab. Click Add configuration.
From the menu on the left select Security > Device Security and then Settings for Android Work Profile lock code.
In the next window, configure the lock code restrictions. From the Work Profile lock complexity menu, decide how complex the lock code should be. You can also set Minimum Work Profile lock length (min.: 4 max.: 16). Other options can be left with the default settings.
Once you have made your choices, click Save or Save as… to finish the configuration.
When the configuration is ready, it has to be added to your policy in the same way as applications. In the Policy components tab, click Select configuration instead of Select application. Mark the checkbox next to the configuration you want to add and confirm your choice by clicking Select.
Applications permissions
The next step in setting up a BYOD policy is managing application permissions. In this tab you can set restrictions for a specific app to allow or deny its access to Android system features such as Contacts, Voice recording, Camera etc.
You can set a global Runtime permission policy.
You can also set permissions for specific apps. Click Add application. Find the application you are looking for in the package name field and configure permissions according to your needs.
Available settings are:
As global - permissions are granted according to the global Runtime permission policy
Managed by user - leaves the decision to the user
Allow - automatically allows the permission
Deny - automatically denies the permission
In BYOD it is suggested to give users more freedom to manage their devices. However, if you wish to block some apps from e.g. accessing contacts, calendar, location data etc., you can do so here.
When everything is configured according to your needs, it’s time to save and implement the policy on devices. With Work Profile installed, private and corporate parts on the device will be separated, and sensitive data should be safe.