I manage phones for a big corp. Just want to clarify what's possible. Google highly limits what you can do in Work Profile mode, you can't control much outside the work profile.
We can't see the app list on the personal side in work profile mode, BUT we can specify some that are a no-go. I'll show up as a compliance violation. But we can't view the list anymore like we could do with the pre-work profile Android Device Admin management (and still can with Apple).
We're not blocking any apps ourselves right now but it is possible. We do grant all BYOD phones access to our network, so for that reason we would want the capability to block any known threats if they are around.
We can also control some minor things on the personal side, like a pincode requirement and forbidding of sideloading and rooting. But in general we have very little visibility and control, which is the way I (as an admin) like it too. I only want to know what I really need to know especially on the personal side. We can (and do) also block copy/paste from work profile to personal, as data loss prevention, but we allow it the other way around.
In general users complain a lot about the work profile being separate, and not being able to integrate their personal and work calendars.. But for personal privacy it's a big win IMO. Apple has something similar since iOS 13 (called User Enrolment) but it's still a bit too limited to be sufficient for us. And it requires Apple federated accounts which have some requirements that are impossible for us to meet :(
Oh, that's very interesting! I knew about the PIN requirement as an example of control outside the work profile, but I didn't know this was possible. It makes sense though.
But roots can be defected and labeled as a compliance violation. They could then revoke your accsess to emails or other network services, or issue you a warning or more
We can't see the app list on the personal side in work profile mode, BUT we can specify some that are a no-go. I'll show up as a compliance violation. But we can't view the list anymore like we could do with the pre-work profile Android Device Admin management (and still can with Apple).
We're not blocking any apps ourselves right now but it is possible. We do grant all BYOD phones access to our network, so for that reason we would want the capability to block any known threats if they are around.
We can also control some minor things on the personal side, like a pincode requirement and forbidding of sideloading and rooting. But in general we have very little visibility and control, which is the way I (as an admin) like it too. I only want to know what I really need to know especially on the personal side. We can (and do) also block copy/paste from work profile to personal, as data loss prevention, but we allow it the other way around.
In general users complain a lot about the work profile being separate, and not being able to integrate their personal and work calendars.. But for personal privacy it's a big win IMO. Apple has something similar since iOS 13 (called User Enrolment) but it's still a bit too limited to be sufficient for us. And it requires Apple federated accounts which have some requirements that are impossible for us to meet :(