computerpaul2-0779 asked Jason-MSFT commented

Corporate-owned work profile enrollment

This question comes from MS doc found here: https://docs.microsoft.com/en-us/mem/intune/enrollment/android-dedicated-devices-fully-managed-enroll

When we switched from device administrator to Android Enterprise, having a work profile was the only enrollment option unless you wanted a fully managed device like for a kiosk. The work profile was a bit different, but we like it a lot having corporate data separated. A few months ago, we noticed there is an additional enrollment profile as well as compliance policies distinguishing between "Corporate-owned devices with work profile" and "Personally-owned devices with work profile". We still have the ability to apply Personal vs Corporate device ownership, but now we have these 2 mostly identical enrollment profiles where the only difference is that for corporate owned devices you have to enter in the "afw#setup" on a FRESH WIPED device.

Will there ever be a way to configure "Corporate-owned devices with work profile" without requiring the device be wiped first? If not, it will be quite the undertaking moving from Android device administrator if we tell everyone they need to wipe their phones first. For personal devices with a work profile it is not required, so what are the technical differences?


mem-intune-enrollment

Jason-MSFT answered

This is a question for Google. Intune is simply using the device management modes made available by the underlying Android platform and is thus subject to the design and constraints of those modes and their constraints.


computerpaul2-0779 answered

I appreciate the quick reply, but after checking Android Ent documentation, they only have 3 deployment types whereas Microsoft added a 4th...

Jason-MSFT answered

I don't remember the exact mapping off-hand, but two of the Intune modes simply map to one of the Android modes. I think the Personally-owned devices with work profile and Corporate-owned devices with work profile are just variations of the Personally-enabled Android mode.

We in no way did or can change how Android works.


computerpaul2-0779 answered

Yeah, absolutely. I wasn't suggesting a change in how Android works. Simply inquiring about the reasoning for a "company owned work profile" AND an "employee owned work profile". For all of our company owned devices that have a work profile now, it makes it seem like they are personally owned devices because of the enrollment profile.

In order to get that device to show "corporate-owned" in the OS column, I had to wipe it first.

Everything else between these devices is the same.

Since we're moving away from Android device administrator, I'm trying to figure out if I need to tell every employee with a corporate phone that they need to wipe the device to continue using it.



LuDaiMSFT-0289 answered LuDaiMSFT-0289 commented

@computerpaul2-0779 Thanks for posting in our Q&A.

For this issue, based on the official article that you provided, I find that Intune enrollment for dedicated devices, fully managed devices, and corporate-owned with a work profile starts with a factory reset. So it is necessary to wipe the corporate devices before enrollment.

Thanks for understanding and have a nice day.



@computerpaul2-0779 I am currently standing by for a further update from you and would like to know how things are going. If you have any questions or concerns about the recent information I've provided you, please don't hesitate to let me know.


computerpaul2-0779 answered Jason-MSFT commented

I'm not sure I want to accept that as an answer. How can I find out WHY the work profile requires a wiped device? It functions differently than a fully managed device or dedicated device, but functions the same as the personally owned work profile.


but functions the same as the personally owned work profile

Not really. It may look the same on the surface, and even uses the same constructs under the covers, but they are different. Ultimately, same answer. If you want to know why, ask Google as this is their doing. Microsoft and Intune are simply leveraging what they've designed and implemented.
