I was helping a customer who was trying to set up an Android Enterprise personally owned work profile (BYOD) configuration.
In this blog post, I will explain the expected behavior (based on my testing) of the Android Enterprise work profile password.
A work profile is something that can be set up on an Android device to separate work apps and data from personal apps and data. With a work profile, you can securely and privately use the same device for both work and personal purposes.
In Intune, a work profile is used with Android Enterprise personally owned devices with a work profile (BYOD) and Android Enterprise corporate-owned devices with a work profile (COPE).
For more information about Android Enterprise, please refer to https://docs.microsoft.com/en-us/mem/intune/enrollment/android-enterprise-overview
Initially, when I configured the device restriction policy for Android Enterprise personally owned work profile devices, I configured the work profile password settings.
As you can see in the configuration, I have several settings for the work profile that are applied when the device is enrolled in Intune with a work profile.
As per the Microsoft docs, Require Work Profile Password: Require forces a passcode policy that only applies to apps in the personally owned work profile. By default, users can use the two separately defined PINs. Or, users can combine the PINs into the stronger of the two PINs.
From this statement, we assumed that when the device is enrolled in Intune, the user is prompted to set up a work profile password with a length of 8, as per the work profile policy. That part is true, and we agree with it.
At this stage, we were under the assumption that we would have two passwords: 1) the device lock set up by the user, and 2) the work profile password.
We also expected that after every 30 minutes of inactivity the work profile would prompt for a password, which is what we configured in the policy. But does it happen? No.
Let's go a little deeper and understand Require Work Profile Password with a simple example.
I have a personal Android device with a 4-digit password (easy to remember), enrolled in Intune using Android Enterprise (work profile). When the device is enrolled in Intune, the work profile password policy prompts me to set up a password with a length of 8, as per the policy.
Setting up this work profile password replaces/removes your personal profile (device lock) password (4 digits) and makes the work profile password your device lock password. Once this is done, you will be prompted only once, for the device lock password, and never for the work profile, because they now share the same password.
It is also true that the 30-minute inactivity timeout we configured now applies to the personal profile/device lock as well.
As an end user, I kept trying my 4-digit password to unlock the screen, because that is what I had used all along, but it is no longer accepted once the device is enrolled in Intune. You must always use the work profile password.
If you use face ID/fingerprint/iris, you won't be impacted by this, but when those biometric unlock methods don't work, you will have to use the work profile password to unlock the device.
There is one more configuration setting for the work profile, which applies a password policy to the personal profile on devices using a work profile.
If you configure this along with the work profile password, you will have only one configuration applied, in which the most restrictive setting wins for both the screen lock (personal) and the work profile.
Summary:
The device will always use the work profile passcode for both the screen unlock and the work profile unlock. When the user enters the passcode to unlock the screen, the work profile is also unlocked. When the user then opens the work profile, there is no further passcode prompt, because the user has already entered the passcode to unlock the screen.
In simple terms, this setting replaces the end user's password and screen lockout settings.
Why is this happening and how to prevent this?
When an Android device is enrolled in Intune and a work profile password is applied, the 'Use One Lock' setting is enabled by default, and it takes over the device settings and replaces them with the work profile settings.
You need to disable Use One Lock, which is available in the work profile settings on the Android device. In the process of disabling this setting, you will be prompted to set up a work profile password. In this case, you will have two different passcodes: 1) for the device lock and 2) for the work profile.
How do we disable Use One Lock? There is no configuration in Intune for this at the moment, but there is a UserVoice request to disable this setting: https://microsoftintune.uservoice.com/forums/291681-ideas/suggestions/36211675-android-entreprise-disable-one-lock-password Please go and vote for it if you need this feature.
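To make the behaviour described above concrete, here is an added Python model (not Intune's code or this post's own) of how the two passcode policies combine under Use One Lock versus separate locks, including the "most restrictive wins" merge; the policy field names, the function names and the sample 60-minute personal timeout are assumptions for illustration.

```python
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class PasscodePolicy:
    """Two of the settings the post discusses (field names are assumed, not Intune's)."""
    min_length: int          # minimum passcode length
    inactivity_minutes: int  # lock after this many idle minutes


def most_restrictive(*policies: PasscodePolicy) -> PasscodePolicy:
    """Merge policies as the post describes: the strictest value of each field wins."""
    return PasscodePolicy(
        min_length=max(p.min_length for p in policies),
        inactivity_minutes=min(p.inactivity_minutes for p in policies),
    )


def effective_locks(personal: PasscodePolicy, work: PasscodePolicy,
                    use_one_lock: bool) -> dict:
    """Policy enforced at the screen lock and at work-profile entry.

    With Use One Lock (the enrolment default) a single merged passcode guards
    the screen, and opening the work profile asks for nothing further (None).
    With separate locks each profile keeps its own policy and its own prompt.
    """
    if use_one_lock:
        return {"screen_lock": most_restrictive(personal, work), "work_profile": None}
    return {"screen_lock": personal, "work_profile": work}


def passcode_accepted(policy: Optional[PasscodePolicy], passcode: str) -> bool:
    """True if the prompt accepts the passcode; a prompt with no policy never appears."""
    return policy is None or len(passcode) >= policy.min_length


# Constructed sample: the user's 4-digit device lock with an assumed 60-minute
# timeout, and the post's work profile policy of 8 characters and 30 minutes.
PERSONAL = PasscodePolicy(min_length=4, inactivity_minutes=60)
WORK = PasscodePolicy(min_length=8, inactivity_minutes=30)

if __name__ == "__main__":
    for one_lock in (True, False):
        locks = effective_locks(PERSONAL, WORK, use_one_lock=one_lock)
        print(f"use_one_lock={one_lock}:")
        for prompt, policy in locks.items():
            old_pin_ok = passcode_accepted(policy, "1234")
            print(f"  {prompt}: {policy}  old 4-digit PIN accepted: {old_pin_ok}")
```

Running it shows why the old 4-digit PIN stops working under Use One Lock: the merged screen-lock policy inherits the 8-character minimum and the 30-minute timeout, while the work profile prompt disappears entirely.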
Hope it helps!
1 Comment
Thanks very much. Would never have found this. Great post! Looked high and low for this setting and wrongly assumed this would be a policy setting.