Android Enterprise Work profile

Android Enterprise Personally owned devices with a work profile and device PIN

When you configure Android Enterprise Personally owned devices with a work profile in Microsoft Endpoint Manager (Intune) to support BYOD, you probably configured the option for a Work Profile Password like the example below. If you did, and you’re wondering why some users complain that they have to set a device PIN, that the device PIN they set before no longer works, or that the PIN requirements are somehow different than before, continue reading. This post is all about the end-user experience with Android Enterprise Personally owned devices with a work profile and device PIN. I’ve also included a video walkthrough showing the end-user experience.

Work profile password

This is a device configuration profile. You can configure it by going to:

  • Devices > Android > Configuration Profile
  • Click on Create profile
  • Select Android Enterprise for Platform
  • You’re creating a Device restriction profile
  • The profile section is split in two
    • Fully managed, dedicated, and corporate-owned work profile
    • Personally-owned Work Profile
  • Choose Device restrictions under Personally-owned Work Profile

Android Configuration Profile

The dreaded Device PIN

You might also have seen the section to configure settings that apply to the personal profile on devices using a work profile. Read this again: “settings that apply to the personal profile”. In most cases, this section is left as is, without changing the default settings.

configure settings that apply to the personal profile on devices using a work profile

But even then, most of the time, users are setting up a new device PIN without even realizing it.

Let’s assume you’ve configured everything and are ready for Personally owned devices with Work profiles. Now on my test device, I’ve downloaded the Company Portal app, signed in with a work account and completed the work profile configuration.

Android Enterprise Personally owned devices with a work profile user experience

  • Start by downloading the Company Portal app.
  • Open the app and sign in with a work account.
  • Follow the on-screen info and complete the work profile setup.

Right after you complete the work profile setup, you will see there are 2 notifications:

  • Secure your work profile
    • You Need to update your work profile passcode
  • Update device settings
    • You need to update your device passcode

Have a look at the next screenshot. Although I already have a device startup and screen lock PIN, the Company Portal app gives me a notification to update my device passcode.

Android Update device settings

My device passcode in this test is 1234 (numeric/not complex), and secure startup is enabled. Most users have a very easy to remember passcode, right? Let’s see what happens when users follow the happy flow… and click on Update device settings first.

Update device settings

When you click on Update device settings, you’re basically going to set a new device PIN. This new device PIN will enforce the policy PIN requirements you’ve configured earlier. For this test, I’ve configured a minimum password length (6 characters) and Numeric complex.

After setting up a new complex PIN (at the device level), you’ll be able to unlock your device with this new PIN. Furthermore, you don’t need to set a different work profile PIN. You can simply open your work profile and access apps that have been deployed without entering a separate PIN.

Why is this happening? Because you’re using a work profile setting/feature called “Use one lock”, which enables you to have one lock (PIN) for both the work profile and your phone’s lock screen and/or startup PIN. Use one lock is enabled by default! More on this later…

Android work profile use one lock

Secure your work profile

Now, let’s start over again, but this time, we’re going to click on Secure your work profile.

When you click on Secure your work profile, you’re configuring a separate PIN for your work profile only. Your existing 4 digit easy to remember device PIN will still work at the device level, but when you want to work with apps in your work profile, you’ll need to use your work profile PIN before you’re allowed to use the apps.

Why does this work differently than Update device settings? Because when you click on Secure your work profile first, the Use one lock setting is disabled, making it possible to have a different PIN at the device level and work profile.

Good to know

In most cases, when a user starts with “Secure your work profile”, the other notification “Update device settings” will disappear almost immediately. But then again, I did find that sometimes, the “Update device settings” notification lingers around a little longer. On these rare occasions, the user already configured a work profile PIN (disabling One Lock), but when they also click on “Update device settings” (enabling One Lock again) they are configuring a new device PIN. Still with me?

Luckily (or not) most users will re-use the same PIN everywhere so you’re good most of the time. But there might be situations, where your users get so confused, and forget their PIN.

No PIN configured at all

Then there are also users who simply swipe their phone to unlock it. They have no PIN configured at all. In these situations, the users are prompted to set a device PIN and enable secure startup.

Android No PIN configured
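
The three starting points described above (weak device PIN, separate work profile PIN, no PIN at all) can be modelled in a few lines to predict what a user will run into. This is an added Python example, not code from this post or from Microsoft; the notification labels, the `predict` function and the simplified numeric-complex check are assumptions that mirror the behaviour observed in this post's test (minimum length 6, Numeric complex).

```python
from dataclasses import dataclass

# Value from the post's test policy: minimum password length 6, "Numeric complex".
MIN_LENGTH = 6

def meets_policy(pin, min_length=MIN_LENGTH):
    """Simplified stand-in for 'Numeric complex' (assumption, not Android's code):
    digits only, long enough, no run of 4+ repeated or consecutive digits."""
    if not pin or not pin.isdigit() or len(pin) < min_length:
        return False
    digits = [int(c) for c in pin]
    for step in (0, 1, -1):              # repeated, ascending, descending
        run = 1
        for a, b in zip(digits, digits[1:]):
            run = run + 1 if b - a == step else 1
            if run >= 4:
                return False
    return True

@dataclass
class Outcome:
    one_lock: bool            # state of "Use one lock" after the flow
    new_device_pin: bool      # user has to choose a new device PIN
    separate_work_pin: bool   # work apps ask for their own PIN

def predict(device_pin, first_tap):
    """device_pin: current device PIN, or None for swipe-to-unlock.
    first_tap: 'update_device_settings' or 'secure_work_profile'
    (hypothetical labels for the two Company Portal notifications)."""
    if first_tap == "secure_work_profile":
        # One lock is switched off; an existing device PIN keeps working.
        # With no PIN at all, the user is still prompted to set one.
        return Outcome(False, device_pin is None, True)
    if first_tap == "update_device_settings":
        # One lock stays on, so the device PIN must satisfy the work policy.
        return Outcome(True, not meets_policy(device_pin), False)
    raise ValueError(f"unknown notification: {first_tap}")

if __name__ == "__main__":
    # Constructed sample inputs: the post's 1234 test PIN and a swipe-only device.
    for pin in ("1234", None):
        for tap in ("update_device_settings", "secure_work_profile"):
            print(pin, tap, predict(pin, tap))
```
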

Use one Lock

When you configure a work profile, new settings for your work profile become available and you can configure these settings by going to:

  • Settings
  • Search for Work Profile
  • Click on Work Profile settings

Work profile settings

Have a look at these settings and get to know what each setting does so you can support/educate your end-users. Here’s what Microsoft has to say about One Lock:

Microsoft about Android Enterprise Use One Lock

Android Enterprise security configurations for personally-owned work profile – Microsoft Intune | Microsoft Docs

Microsoft about Android Enterprise Use One Lock

Android Enterprise device settings in Microsoft Intune | Microsoft Docs

Better user experience?

You might want to test all of this before deploying it to all your users. Think about your communication and adoption strategy. Perhaps, you’ll even want to configure the Password settings that apply to the personal profile on devices using a work profile. For example, you could require users to have a PIN at the device level with a minimum password length set to 8 😊. This way users always have to configure two separate PINs. Not sure if that’s a good thing for end-user experience, and I can imagine you’ll have some good discussions about Android Enterprise Work profile configuration settings. I’m sure you do test everything you configure in Microsoft Endpoint Manager. Get yourself some test devices or test with virtual Android devices.

Tip: Make sure the right stakeholders and decision makers are engaged and well informed!

Password settings that apply to the personal profile on devices using a work profile

Although the Number of sign-in failures before wiping device is set to 5, it will only wipe the work profile 😉 So all personal files and photos are untouched… Click on the screen/tool tip for more info:

“Number of consecutive times an incorrect password can be entered before the work profile is removed and corporate data is wiped. (4-11)”

Android Enterprise Work profile User experience video walkthrough

Here’s a video walking through the user experience on Android Enterprise Work profile, step by step. Hope this helps and don’t be shy to post a message about your experiences.

Oktay Sari

#Microsoft365 | #EMS |#MEM | #Intune | Father | #Diver | #RC Pilot & #Magician in spare time | former Microsoft WI MVP

1 Comment
2 months ago

Nice docu, thanks!