Navigating the Challenges of Implementing Android Enterprise Work Profiles

In today’s fast-paced business environment, companies are continually seeking ways to optimise their operations and reduce costs. The practice of allowing employees to use their personal devices for work, known as Bring Your Own Device (BYOD), has been around for years. However, we’ve seen a notable increase in discussions and implementations over the past year in certain industries. While this approach offers financial benefits by reducing the need for companies to purchase work phones for every employee, it introduces a set of complex security and management challenges.

The Security Gap in BYOD

The primary concern with BYOD is the security risk it poses. Allowing employees to access work data and apps on their personal devices opens up a plethora of potential threats. These range from the basic issue of varying operating systems and security patches to the more complex problem of malicious apps that could compromise both the user’s personal data and the company’s sensitive information. The risk of phishing and other cyber threats also escalates, making the job of IT administrators significantly more complicated.

Introducing Android Enterprise Work Profiles

Android’s solution to this dilemma is the Work Profile, a feature designed to segregate personal and work data on a single device. This separation ensures a user’s privacy is maintained; Enterprise Mobility Management (EMM) tools are only able to enforce policies and deploy applications in the work profile without visibility of anything on the personal side, and applications and data in the work profile are stored and encrypted separately from the personal profile. Administrators can enforce security measures and policies, such as preventing the sharing of corporate data with personal applications, ensuring devices can access corporate Wi-Fi networks, and automatically deploying critical business apps so employees can perform their jobs effectively.

Challenges in Work Profile Adoption

However, implementing Work Profiles is not without its challenges. The first major challenge is ensuring user enrollment into the organisation’s EMM solution. Without mandatory enrollment, the effectiveness of BYOD policies is significantly diminished. Educating users about the privacy protections of Work Profiles, assuring them that their personal data remains untouched, is essential to overcoming resistance to EMM enrollment.

The second challenge relates to the inherent functionality of work profiles: a user might end up with the same app in both their work and personal profiles. If this is not handled correctly, the user can inadvertently use the personal version of the app for work purposes, undermining the security benefits of the work profile.

Effective Solutions for BYOD Security

To address these challenges, a two-pronged strategy involving both technical enforcement and user education is necessary:

  1. Conditional Access and App Protection Policies:

Conditional access enables administrators to control whether a user can access work content based on a set of conditions, including a requirement that the device be marked as compliant.

App protection policies allow administrators to enforce app-level data security settings: requiring a PIN, preventing data from being copied to unmanaged applications and, crucially, requiring users to re-authenticate after a period of inactivity.

In combination they allow administrators to prevent users from accessing work content until a compliance check passes (for example, the device is enrolled in an EMM/UEM system that integrates with Entra and conditional access) and to ensure that work content is only accessed in managed applications (apps deployed by the EMM/UEM), addressing the issue of having two copies of the same app on the device.

The additional bonus is that anyone who has not enrolled their device in the EMM/UEM system is blocked from accessing Microsoft 365 content by the conditional access policy, solving the challenge of enforcing enrollment.

  2. Mobile Threat Detection (MTD):

MTD solutions protect against dynamic threats through continuous monitoring, rather than policy enforcement. On a device with a work profile, this can further enhance the security of applications residing in the work profile, protecting against phishing and man-in-the-middle attacks as well as monitoring OS versions and notifying when updates are required.

Integrating the MTD with Entra conditional access (where the MTD supports it) therefore adds a further security mechanism, blocking access to work content if a threat is detected.

What about applications that don’t use Microsoft for authentication?

For applications that don’t integrate with the Microsoft Authentication Library (MSAL) and the Intune App SDK (MSAL is a prerequisite), other approaches will need to be taken. One possible option is to utilise managed app configurations.

Managed app configurations enable administrators to specify parameters for applications that support them. This can be used to pass a unique key through to the app, without which a user is unable to log in, ensuring that a login is only possible if the app was deployed by the EMM/UEM system.

This heavily relies on the app supporting managed configurations.
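As an added illustration of the managed-configuration approach described above (example code, not from the original post or any particular EMM vendor), the Kotlin snippet below shows the app side: it reads the managed configuration bundle that Android delivers to the work-profile copy of the app and refuses to allow login unless the expected key is present. The restriction key name `enrollment_key`, the expected digest and the hash-based comparison are assumptions made for the example; the key must also be declared in the app's `res/xml/app_restrictions.xml` and referenced from the manifest's `android.content.APP_RESTRICTIONS` meta-data so that the EMM console can set it.

```kotlin
// Added example, not code from the original post. Gates an Android app's
// login on a key delivered through managed app configuration.
// Assumptions: a restriction key "enrollment_key" declared in
// res/xml/app_restrictions.xml and referenced from the manifest via
// <meta-data android:name="android.content.APP_RESTRICTIONS"
//            android:resource="@xml/app_restrictions"/>.
// The key name and the expected digest below are placeholders.

import android.content.BroadcastReceiver
import android.content.Context
import android.content.Intent
import android.content.IntentFilter
import android.content.RestrictionsManager
import android.os.Bundle
import java.security.MessageDigest

object EnrollmentGate {
    // Hypothetical restriction key set by the EMM for the work-profile copy only.
    private const val KEY_NAME = "enrollment_key"

    // SHA-256 (hex) of the value the EMM pushes. Storing the digest rather than
    // the value keeps the provisioned value itself out of the APK. Placeholder.
    private const val EXPECTED_SHA256 = "<sha256-hex-of-provisioned-value>"

    /** Reads the managed configuration the EMM pushed to this app instance. */
    fun readRestrictions(context: Context): Bundle {
        val rm = context.getSystemService(Context.RESTRICTIONS_SERVICE) as RestrictionsManager
        return rm.applicationRestrictions ?: Bundle.EMPTY
    }

    /** Pure check on a bundle, so it can be unit-tested without a Context. */
    fun isProvisioned(restrictions: Bundle): Boolean {
        val value = restrictions.getString(KEY_NAME) ?: return false
        return sha256Hex(value).equals(EXPECTED_SHA256, ignoreCase = true)
    }

    /** True only when the EMM-delivered key matches; the personal copy of the
     *  app receives no managed configuration and therefore cannot log in. */
    fun loginAllowed(context: Context): Boolean = isProvisioned(readRestrictions(context))

    private fun sha256Hex(s: String): String =
        MessageDigest.getInstance("SHA-256")
            .digest(s.toByteArray(Charsets.UTF_8))
            .joinToString("") { "%02x".format(it) }
}

/** Re-evaluates the gate when the EMM changes or removes the configuration,
 *  e.g. after the device is unenrolled, so an open session is locked out. */
class RestrictionsChangedReceiver(private val onChange: (Boolean) -> Unit) : BroadcastReceiver() {
    override fun onReceive(context: Context, intent: Intent) {
        if (intent.action == Intent.ACTION_APPLICATION_RESTRICTIONS_CHANGED) {
            onChange(EnrollmentGate.loginAllowed(context))
        }
    }

    companion object {
        fun register(context: Context, onChange: (Boolean) -> Unit): RestrictionsChangedReceiver {
            val receiver = RestrictionsChangedReceiver(onChange)
            context.registerReceiver(receiver, IntentFilter(Intent.ACTION_APPLICATION_RESTRICTIONS_CHANGED))
            return receiver
        }
    }
}
```

The gate proves only that this app instance was provisioned by the EMM; it is not a substitute for authenticating the user, so the app should still run its normal sign-in once `loginAllowed` returns true. Because managed configuration is delivered per app instance inside the work profile, a second copy of the same app installed in the personal profile never receives the key, which is the behaviour the text relies on.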

While the Android Enterprise Work Profile offers a promising solution to the BYOD security conundrum, its successful implementation requires careful planning and execution. Companies must not only invest in the right technical solutions but also commit to educating employees on the benefits and protections Work Profiles provide.

While these tools go beyond the core functionality of Work Profiles, they form part of a broader, more comprehensive BYOD security framework. As the workplace continues to evolve, embracing these integrated solutions will be key to maintaining secure and flexible mobile operations.

To learn how we can help simplify and secure your BYOD policy, contact Subsidium today. Let us handle your mobile management, so you can focus on growing your business.
