A work profile is a separate area of an Android device for storing work apps and data. Work profiles provide platform-level separation of work apps and data, giving organizations full control of the data, apps, and security policies within a work profile. At the same time users retain privacy over their personal apps, data, and usage. On devices designated as company-owned during setup, organizations can enforce some policies that apply to a device’s personal profile and overall device behavior.
The work profile user experience is seamless—work profile notifications and icons of apps installed in a work profile are marked with a work badge (briefcase icon) so users can distinguish them from personal apps. For more information on how to use a work profile device, see What is a work profile.
What features do devices with work profiles support?
Key features
All EMM providers offering work profiles support the following key features:
Device setup
| Feature |
Description |
| Management app |
Download the EMM provider's management app from Google Play to launch work profile setup. |
Device security
| Feature |
Description |
| Set lock screen restrictions |
Set and enforce the type of passcode (e.g. PIN/pattern/password) required to unlock a device. |
| Set work profile lock screen restrictions |
Set and enforce the type of passcode (e.g. PIN/pattern/password) required to unlock a work profile. |
| Wipe and lock work data |
Remotely lock and wipe the work profile on a device. |
| Automatic compliance enforcement |
Automatically restrict access to data and apps in work profiles on devices that aren't in compliance with security policies. |
App management
EMM providers support Android app management through an enterprise version of Google Play, called managed Google Play. With an EMM, you can create managed Google Play Accounts* for your users. These accounts enable app distribution to their work profiles.
| Feature |
Description |
| View and manage your app catalog |
View a list of purchased apps, approved apps, and private apps. |
| Distribute apps silently |
Silently install apps on a device without any user interaction. |
| Download apps from the managed Play app |
Users can install and update apps approved for them through the managed Google Play app on their device. |
| Set managed configurations |
Configure work apps for individual users or devices. |
*For organizations with G Suite or Cloud Identity, users can access managed Google Play with their G Suite or Cloud Identity account.
Device management
| Feature |
Description |
| Set default runtime permission policies |
Set the default response (prompt, allow, or deny) to all runtime permission requests from apps in a work profile. |
| Set specific runtime permission policies |
Set the default response (prompt, allow, or deny) to specific runtime permission requests from apps in a work profile. |
Advanced features
In addition to the key features above, all Android Enterprise Recommended EMM providers offering work profiles support the following advanced features:
Device security
| Feature |
Description |
| Set advanced lock screen restrictions |
Set and enforce the quality, length, and complexity of the passcode required to unlock a device. |
| Device integrity verification |
Validate device integrity to help detect if a device has been tampered with or modified. Set up automated rules (e.g. wipe and lock) if validation fails. |
| Google Play Protect enforcement |
Google Play Protect's Verify Apps feature is enabled by default and scans apps for malware before and after installation. |
App management
| Feature |
Description |
| Managed Google Play in EMM's console |
Access managed Google Play directly through the EMM's console to search for, approve, and manage work apps. |
Device management
| Feature |
Description |
| Configure Wi-Fi settings |
Remotely deploy Wi-Fi login settings (SSID, password) to a device. |
| Configure certificate-authenticated Wi-Fi |
Remotely deploy Wi-Fi settings to a device that include identity, certificates for client authorization, and CA certificates. |
| Restrict access to authorized accounts |
Ensure that only authorized corporate accounts can interact with work profiles data by preventing users from adding or modifying accounts. |
| Manage certificates |
Deploy identity certificates and certificate authorities to a device to enable access to corporate resources. |
| Manage advanced certificate details |
Select certificates for specific work apps, remove CAs and identity certs from an active device, and prevent users from modifying credentials in the managed keystore. |
| Enable Always On VPN |
Enable Always On VPN for specified apps in a work profile to ensure they always go through a configured VPN. |
Device usability
| Feature |
Description |
| Manage lock screen features |
Control the features accessible to users before unlocking a device's lock screen and work profile lock screen. |
Additional features
Support for additional features varies by EMM provider. To view the features supported by a specific EMM, see the Android Enterprise Solutions Directory.
Device setup
Device security
| Feature |
Description |
| Configure Smart Lock settings |
Enable or disable specific Smart Lock methods, such as trusted bluetooth devices, face recognition, or voice recognition. |
App management
| Feature |
Description |
| Customize users' managed Play app |
Customize the app store layout displayed in the managed Google Play app on a device. |
| Support Google-hosted private apps |
Publish Google-hosted private apps from the EMM's console and distribute them to work profiles. |
| Support externally hosted private apps |
Publish externally hosted private apps from the EMM's console and distribute them to work profiles. |
Device management
| Feature |
Description |
| Manage G Suite accounts |
Ensure that only authorized G Suite (or Cloud Identity) accounts can interact with corporate data. |
| Manage 3rd party certificates |
Distribute a 3rd-party certificate management app to a work profile and grant the app privileged access to install certificates in the managed keystore. |
| Control access to input methods |
Configure the input methods (e.g. keyboards) that a user can configure on their device. Input methods are shared across both work and personal profiles |
| Control access to accessibility services |
Configure the accessibility services that can be enabled on a device. |
| Set location sharing preferences |
Configure location sharing settings (e.g. high accuracy, battery-saving, sensors only, off) for apps in a work profile. |
| Disable screen captures |
Prevent users from taking screenshots when using apps in a work profile. |
| Retrieve network statistics |
Retrieve network usage statistics for a work profile. |
Device usability
| Feature |
Description |
| Set default apps for specific activities |
Set the default app for specific activities. For example, choose the default browser for opening web links. |
| Customize work profile setup UI |
Set the color, logo, and terms and conditions displayed during work profile setup. |
| Customize work profile UI |
Customize work profiles with corporate branding. |
| Customize lock screen message |
Set a message to display on a device's lock screen. |
| Set contact info sharing policies |
Control what contact information can be shared from a device's work profile to its personal profile. |
Which Android devices are supported?
Personally-owned devices running Android 5.1 or later, and company-owned devices running Android 8.0 or later. Learn more about the difference between personally and company-owned devices.
Which EMM providers support work profiles?
EMM providers that support work profiles are listed in the Android Enterprise Solutions Directory.