Get started with work profile management
This page shows you how to set up the Android Enterprise work profile management mode and enroll personal devices.
The work profile management mode lets you manage a dedicated workspace, the work profile, on a user’s Android device. This management mode is commonly used for a bring your own device (BYOD) setup, because you can only monitor and manage apps, accounts, and data within the work profile.
Requirements
- You set up Android Enterprise in Sophos Mobile. See Set up Android Enterprise - Overview.
- You added the device user to Sophos Central. See Users.
- You created the device group you want to add the device to. See Device groups.
See the following sections to learn how to set up Android Enterprise work profile enrollment and enroll devices.
Set up work profile management
You must perform the following one-time tasks before enrolling the first device in work profile management mode.
Create policy
- In Sophos Central, go to My Products > Mobile.
- In the Sophos Mobile menu, go to Policies > Android.
- Click Create > Android Enterprise work profile policy.
- On the Edit policy page, enter a name for the policy and, optionally, a description.
- Sophos Mobile automatically adds a Restrictions configuration, which you can’t delete.
  Click Restrictions to view and edit the settings as required.
  See Restrictions configuration (Android Enterprise work profile policy).
- When you’ve made the required changes, click Apply.
- Click Add configuration to add more configurations to the policy.
  For a description of available configurations and their settings, see Configurations for Android Enterprise work profile policies.
- After you’ve added all required configurations, click Save.
Next, add the policy to an enrollment task bundle.
For a general description of creating device policies, see Create policy.
Create enrollment task bundle
- In Sophos Central, go to My Products > Mobile.
- In the Sophos Mobile menu, go to Task bundles > Android.
- Click Create > Create task bundle.
- On the Edit task bundle page, enter a name for the task bundle and, optionally, a description.
- Click Add task > Enroll.
- In the Select enrollment type step of the assistant, do as follows:
  - In Task name, enter a name for the task, for example, “Enroll”.
    Sophos Mobile shows the name on the Task details page when it processes the task bundle for a device.
  - In Select enrollment type, select Work profile.
- In the Select policy step, do as follows:
  - In Task name, enter a name for the task, for example, “Assign policy”.
  - In Select policy, select the policy you created before.
  - Click Finish.
- Optionally: Click Add task and select another task to add to the task bundle.
  For a list of available tasks, see Task types (Android).
- After you’ve added all required tasks, click Save.
For a general description of creating task bundles, see Create task bundle.
Enroll device
Add device to Sophos Mobile
To add an Android Enterprise work profile device to Sophos Mobile, do as follows:
- In Sophos Central, go to My Products > Mobile.
- In the Sophos Mobile menu, go to Devices.
- Click Add > Add device wizard.
- In the User step of the assistant, do as follows:
  - Select Search for user.
  - Enter search criteria for the user account in one or more of the following fields:
    - User name
    - First name
    - Last name
    - Email address
- In the User selection step, you see a list of all users matching your search criteria. Select the user you want to assign to the device.
- In the Device details step, do as follows:
  - In Platform, select Android.
  - In Name, enter the name of the device in Sophos Mobile.
  - Optional: In Description, enter a description for the device.
  - Optional: In Phone number, enter the device’s phone number in international format.
  - In Owner, select Personal.
  - In Device group, select the device group you want to add the device to.
  Email address is a read-only field showing the user’s email address.
- In the Enrollment type step, do as follows:
  - In Select the enrollment type, select Enroll device with task bundle.
  - Select the task bundle you created before.
- In the Enrollment step, you see the enrollment instructions the user must follow on their Android device.
- Optional: Click Send to send the enrollment instructions to the user’s email address.
  Sophos Mobile sends the instructions to the email address configured in the user account by default. To send the instructions to a different address, edit the Send instructions email field before clicking Send.
- Tell the user to follow the enrollment instructions on their device.
  See Enroll device with Sophos Mobile for a detailed description of the enrollment steps.
- Close the assistant by clicking the X button in the top right.
  Alternatively, wait until the device is enrolled and then click Finish.
- You can monitor the enrollment status on the device’s Show device page. Do as follows:
  - In the Sophos Mobile menu, go to Devices.
  - Click the name of the device.
  - Go to the Tasks tab.
    When all tasks have the status Successful, enrollment is completed.
When the user has completed the steps described in Enroll device with Sophos Mobile, the Devices page shows the device with management mode Work profile and status Managed.
Enroll device with Sophos Mobile
After you add the device to Sophos Mobile, the user must follow the enrollment instructions on their device.
Requirement
Before the user can enroll the device, they must set it up with their personal Google account.
To enroll the device with Sophos Mobile, the user must do as follows:
- On the device you want to enroll, open Google Play, go to the Sophos Mobile Control app, and tap Install.
- When Google Play has installed the app, tap Open.
- Tap Scan QR code.
- Allow Sophos Mobile Control to take pictures.
  Tap While using the app or Only this time.
- Scan the QR code from the enrollment instructions.
- On the Create work profile page, tap Next.
- Tap View terms to read the usage terms, then go back and tap Accept & continue.
- When Android has completed setting up the work profile, tap Next two times.
- The Android setup assistant opens Sophos Mobile Control in the work profile. To complete the setup, you must allow Sophos Mobile Control the required permissions. See Allow app permissions.
- Uninstall the Sophos Mobile Control personal app.
  After enrollment, there are two versions of Sophos Mobile Control on the device: The app you installed and the app the setup assistant installed in the work profile. After your device is enrolled, you only need the work app and can uninstall the personal app.
  In the image below, the personal app is on the left, and the work app is on the right. You can identify the work app by its briefcase badge.
- Open the Sophos Mobile Control work app to check the device status and server connection.
  - On the app’s dashboard, all tiles are green when your device is compliant and there are no actions to take.
  - Tap the Management info tile for details about the Sophos Mobile server.
Allow app permissions
Note
The steps for configuring app permissions depend on device type and Android version and may be different on your device.
Note
Sophos Mobile Control doesn’t request the Location permission if finding devices is turned off in the Sophos Mobile Privacy settings. See Configure privacy settings.
- Allow Sophos Mobile Control the Display over other apps permission.
  - In the Display over other apps notification, tap Allow.
  - On the Work tab, tap Sophos Mobile Control.
  - Turn on Allow display over other apps.
  - Go back several times until you’re back in Sophos Mobile Control.
- Allow Sophos Mobile Control the Location permission.
  - Tap Allow.
  - Tap Open.
  - Tap Permissions > Location > Allow all the time.
  - Go back several times until you’re back in Sophos Mobile Control.
- Allow Sophos Mobile Control to always run in the background.
  - In the Battery optimization notification, tap Stay protected.
  - Tap Allow.