A Work Profile is a self contained profile on an Android device for storing work apps and data. Work Profile allows separation of work apps and data, giving organizations full control of the data, apps, and security policies within a Work Profile. Simultaneously, users retain privacy over their personal apps, data, and usage. On devices designated as company-owned during setup, organizations can enforce some policies that apply to a device’s personal profile and overall device behavior.
Apps installed in the Work Profile are marked with the briefcase icon, so as to be easily distinguishable from personal apps. For more information on how to use a Work Profile device, see What is a Work Profile.
Feature support for devices with Work Profile
Standard features
All EMM providers offering Work Profiles support the following standard features:
Device setup
Feature | Description |
---|---|
Management app | Download the EMM provider's management app from Google Play to launch Work Profile setup. |
Authenticate with managed Google accounts | Set up a device by entering a user's managed Google account details. |
Device security
Feature | Description |
---|---|
Set lock screen restrictions | Set and enforce the type of passcode (e.g. PIN/pattern/password) required to unlock a device. |
Set Work Profile lock screen restrictions | Set and enforce the type of passcode (e.g. PIN/pattern/password) required to unlock a Work Profile. |
Wipe and lock work data | Remotely lock and wipe the Work Profile on a device. |
Automatic compliance enforcement | Automatically restrict access to data and apps in Work Profiles on devices that aren't in compliance with security policies. |
Configure Smart Lock settings | Enable or disable specific Smart Lock methods, such as trusted bluetooth devices, face recognition, or voice recognition. |
App management
EMM providers support Android app management through an enterprise version of Google Play, called managed Google Play. With an EMM, you can create Managed Google Play accounts* for your users. These accounts enable app distribution to their Work Profiles.
Feature | Description |
---|---|
View and manage your app catalog | View a list of purchased apps, approved apps, and private apps. |
Distribute apps silently | Silently install apps on a device without any user interaction. |
Download apps from the managed Play app | Users can install and update apps approved for them through the managed Google Play app on their device. |
Set managed configurations | Configure work apps for individual users or devices. |
Customize users' managed Play app | Customize the app store layout displayed in the managed Google Play app on a device. |
Support Google-hosted private apps | Publish Google-hosted private apps from the EMM's console and distribute them to Work Profiles. |
Support externally hosted private apps | Publish externally hosted private apps from the EMM's console and distribute them to Work Profiles. |
Disable app installs from locations other than Google Play | App installations from locations other than Google Play and OEM-approved sources are disabled by default. |
*For organizations with Google Workspace or Cloud Identity, users can access managed Google Play with their Google Workspace or Cloud Identity account.
Device management
Feature | Description |
---|---|
Set default runtime permission policies | Set the default response (prompt, allow, or deny) to all runtime permission requests from apps. |
Set specific runtime permission policies | Set the default response (prompt, allow, or deny) to specific runtime permission requests from apps. |
Manage certificates | Deploy identity certificates and certificate authorities to a device to enable access to corporate resources. |
Control access to input methods | Configure the input methods (e.g. keyboards) that a user can configure on their device. |
Control access to accessibility services | Configure the accessibility services that can be enabled on a device. |
Set location sharing preferences | Configure device location sharing settings (e.g. high accuracy, battery-saving, sensors only, off) for apps. |
Block users from uninstalling apps | Prevent users from uninstalling apps or modifying apps through Settings. |
Disable screen captures | Prevent users from taking screenshots when using apps. |
Retrieve network statistics | Retrieve network usage statistics for a device. |
Device usability
Feature | Description |
---|---|
Customize Work Profile setup UI | Set the color, logo, and terms and conditions displayed during Work Profile setup. |
Customize Work Profile UI | Customize Work Profiles with corporate branding. |
Set contact info sharing policies | Control what contact information can be shared from a device's Work Profile to its personal profile. |
Set default apps for specific activities | Set the default app for specific activities. For example, choose the default browser for opening web links. |
Advanced features
In addition to the standard features above, all Android Enterprise Recommended EMM providers offering Work Profiles support the following advanced features:
Device security
Feature | Description |
---|---|
Set advanced lock screen restrictions | Set and enforce the quality, length, and complexity of the passcode required to unlock a device. |
Device integrity verification | Validate device integrity to help detect if a device has been tampered with or modified. Set up automated rules (e.g. wipe and lock) if validation fails. |
Google Play Protect enforcement | Google Play Protect's Verify Apps feature is enabled by default and scans apps for malware before and after installation. |
Block external data transfers | Lock down bluetooth and hardware elements (e.g. Quickshare, NFC beam, external media, USB storage) to prevent users from sharing or transferring work data. |
App management
Feature | Description |
---|---|
Managed Google Play in EMM's console | Access Managed Google Play directly through the EMM's console to search for, approve, and manage work apps. |
Device management
Feature | Description |
---|---|
Configure Wi-Fi settings | Remotely deploy Wi-Fi login settings (SSID, password) to a device. |
Configure certificate-authenticated Wi-Fi | Remotely deploy Wi-Fi settings to a device that include identity, certificates for client authorization, and CA certificates. |
Restrict access to authorized accounts | Ensure that only authorized corporate accounts can interact with Work Profiles data by preventing users from adding or modifying accounts. |
Manage advanced certificate details | Select certificates for specific work apps, remove CAs and identity certs from an active device, and prevent users from modifying credentials in the managed keystore. |
Manage 3rd party certificates | Distribute a 3rd-party certificate management app to a Work Profile and grant the app privileged access to install certificates in the managed keystore. |
Enable Always On VPN | Enable Always On VPN for specified apps in a Work Profile to ensure they always go through a configured VPN. |
Which Android devices are supported?
Work Profile is supported on devices with 2GB or more of RAM, personally-owned devices running Android 5.0 or later, and company-owned devices running Android 8.0 or later. Learn more about the difference between personally and company-owned devices.
Which EMM providers support Work Profiles?
EMM providers that support Work Profiles are listed in the Android Enterprise Solutions Directory.