IBM Security MaaS360

 View Only

Work Profile On Corporate Owned Android Devices

By Matt Shaver posted Tue December 22, 2020 12:41 PM


I hope that everyone is familiar with Android Enterprise and the various management styles that have been supported by MaaS360 since it's inception in Android 5.0 (if not, check out this link):
Work Profile (often referred to as Profile Owner or PO) - creates a work partition on the device which securely separates work and personal apps and data.

Fully Managed (often referred to as Device Owner or DO) - fully managed device, no separate partition.  Requires device in a factory reset state.

Within fully managed DO devices we can also layer on what is known as COSU - a form of kiosk in which the device can be locked to a single app or a series of apps.

Around Android 9, Google also introduced the idea of COPE - Corporate owned, personally enabled.  This amounted to devices running the PO experience on a DO device.  The original COPE execution was deprecated with Android 10 and Android 11 re-introduced the idea with some differences that had to be addressed by EMM providers.  This new experience is known as Work Profile on Corporate Owned (WPCO).

The basic idea is the same, but this is feature is now GA within MaaS360 (Our previous COPE implementation never left beta.  As it has been replaced by WPCO, there are no plans to continue COPE support on Android 10).

Why use WPCO?

It's really going to come down to the needs of the end users and the organization alike.  WPCO requirements are the same as DO - the device must be in a factory reset state and Android Enterprise compatible.  It will only work on Android 11+ and devices on Android 10 or below do not support this new functionality.  If a device on 10 or below receives a WPCO enrollment request, it will simply enroll as standard DO.

The big selling point of WPCO over PO is that it allows admins to remain in control of certain device features across both profiles, while the user retains many of the personal features of the Android experience. 

  • Admins can wipe the whole device.
  • Certain features and restrictions can be implemented across both profiles - restricting camera and screenshots, for example.
  • Disable/Override Factory Reset Protection.
  • Ability to remove work profile only and relinquish ownership of the device to the user (not possible with standard DO).
  • User has full access to the Google Play store without admins having to make concessions in the policy.
  • User data and work data exist in two separate areas - work profile can be disabled by the user, but admins may set limits on how long they may do so before device is out of compliance.

Sample wipe command with new options:


Those are just a few, but adoption will additionally depend on comfort level with deployment.

Currently WPCO is supported via QR code enrollments only, but will be coming soon for zero touch enrollments as well.

Getting setup in the portal is just a matter of generating a new QR code (with optional credentials) and scanning on a supported Android 11 device.  Navigate in the portal to Devices >> Enrollments >> Other Enrollment Options >> Android Enterprise QR Code Provisioning



The user fields are optional, but for WPCO enrollment to be successful, the Android Enterprise Enrollment Mode must be set as Profile Owner (PO).  There is also the option to set ownership as BYOD with this method as control can be removed without requiring a full device reset.  This is great for companies that subsidize device purchases and/or allow users to buy devices from the organization at the end of the device lifespan or when user leaves the company.


Not a huge change to get setup.  The enrollment experience will differ, from both DO and PO, and requires a level of trust between the employer and employee.

When the QR is scanned, the user will see some of the same initial screens as a normal DO enrollment but the overall experience will be quite different.

  • First they'll see language specific to PO-type enrollments:


  • Next, the user will be brought back to some standard setup screens - such as the option to add their personal Google account


  • Finally, when the device setup is complete, they will be brought to a standard home screen view.  The MaaS360 agent will not be pinned as this is not possible in the WPCO experience.  The user will have to manually launch the MaaS360 agent in the work profile to complete enrollment with their credentials, if they are not included in the QR code.



Once the device is enrolled, the status (both on the device and in the portal) will reflect Work Profile On Company Owned, and portal features marked as PO and WPCO will apply. 


Though I've heard a lot of requests for WPCO, I strongly recommend that organizations consider use cases before deploying.  Some of it may seem appealing, but there is some DO functionality that is sacrificed in order to give users a more BYOD experience on company provided assets.  Most of the arguments I've heard in favor of this management style is for C-levels and executives who demand a more seamless personal experience from their Android devices.  Regardless of any hangups I might have about full deployments, I believe this is a useful addition to the Android Enterprise canon, and once Android 11 is more commonplace on the market, I'm sure we'll see some interesting use cases arise for WPCO.

#Cloud Pak for Automation