Android work profiles are a way to separate work and personal data on personal Android devices running recent versions of the OS -- ideally Android 10 and above.
IT departments will need to enroll these devices into a mobile device management (MDM) platform to enact this data separation.
For years, Google has expanded the options for Android administrators and users to control their devices. Services have changed and adapted over time to meet new business needs: Android for Work evolved into Android Enterprise, Android Device Administrator evolved into Device Owner, and Android's corporate-owned, personally enabled controls turned into the Android work profile. With the Android 13 management API, Google is giving IT administrators and users more options for privacy and management.
How do Android work profiles work?
Android work profiles are based on the concept of containers that originate when a user enrolls into an organization's MDM. They are isolated spaces within a device where specified data and apps are stored. Administrators can think of it as two secured lockers right next to each other: one has corporate-only apps and data, and the other has personal apps and data. Although they are on the same phone, these two parts can't share information or communicate with one another. When the MDM creates a work profile, it creates a new container on the device. This container is encrypted and cannot share data unless configured to do so.
The user's corporate email, calendar and contacts are automatically added to the work profile. IT can also push down other apps and data to the work profile. For example, an airline might push down its mobile app to the work profile of its customer service agents.
With work profile, Google allows dual apps on a device, such as two Outlook apps or two Google Play Stores. A small briefcase icon on the corporate version of an app gives users a visual cue that tells the business version apart from the personal one. When users try to access a work app or work data, they enter a sandbox on the Android device. IT admins can also configure security policies for these work apps, such as prompting users to enter their corporate credentials or a PIN code. This helps to keep work data secure beyond simple concerns about data leakage from the business side to the personal side.
Because the work profile is encrypted and secure, IT can be confident that corporate data is safe even if the device is lost or stolen.
What's new with work profiles in Android 13?
As with any new release of a mobile OS, Android 13 brings several new features that will be staples of the OS' management for years to come.
Updated open-in capabilities
With Android 13, users can open an app in either the personal or the business profile. This way, users can separate their business and personal life by viewing different content in whichever apps they prefer. Google gives the example of opening a YouTube link in a work browser instead of the personal YouTube app to ensure it does not conflict with the user's personal YouTube feed and recommendations.
Google is also mirroring a feature already on the iOS platform, allowing users to grant different profiles access to selected files and photos or all files and photos. Users can also switch between work and personal photo galleries when sharing pictures via text messages or apps.
NFC for work apps
Devices running Android 13 can use near-field communication (NFC) for work apps to allow the use of digital badges. This will enable companies to turn users' Android phones into ID badges that allow them to enter buildings, potentially saving costs on procuring, shipping and replacing physical badges for employees.
Local device-based dictation -- Google Pixel only
Google has introduced on-device smart dictation for work profile apps, which keeps work-related and personal language separate.
Android and ChromeOS notifications
If an organization uses Chromebooks, IT can take advantage of a new integration between ChromeOS' Phone Hub and Android 13 that allows employees to access work profile notifications, messages and pictures securely. These interactions are protected by end-to-end encryption, and IT admins can manage these interactions via policies.
New security features in Android 13
Google has introduced a new "central hub" that allows employees to view and manage device security settings and policies that are provisioned to their devices from the MDM or other management agent.
Wi-Fi connectivity controls
Android 13 offers IT admins more control over device Wi-Fi connectivity for features such as Wi-Fi Direct and Wi-Fi tethering. In addition, it provides security logs for activities related to Wi-Fi, Bluetooth and passwords that meet National Information Assurance Partnership requirements.
Moving Bluetooth and UWB to mainline
For faster security patching and updates, Google has moved Bluetooth and ultra-wideband (UWB) to mainline so that IT can update these components through Google System Updates.
New passcode complexity requirement for Android 13
Passcode security and complexity are important components of a secure mobile device environment, and to meet this demand Android has offered passcode security requirements for a long time. However, Google recently changed the passcode policy from passcode quality to passcode complexity.
The new passcode requirements in Android 12 and later increase security and privacy on the device by adding new levels of passcode complexity. Password complexity increases the difficulty of hackers guessing or cracking a password by adding more conditions, such as length and character types. When setting the password complexity requirements within a given MDM, it's important to select an appropriate level. MDM administrators can choose from four levels of password complexity: None, Low, Medium and High.
- The None setting leaves the device unchanged and might not require a password at all.
- By increasing the requirement to Low, a password will be required. However, repeating sequences -- such as 4444 -- and ordered sequences -- such as 1234, 4321 and 2468 -- are allowed.
- For stronger security, the Medium level will block repeating and ordered sequences while requiring at least four characters.
- For maximum security, there is the High setting where repeating and ordered sequences are still blocked and the passwords must be at least eight characters in length. Additionally, the alphabetic or alphanumeric length must be at minimum six characters.
IT administrators must keep in mind that Google changed the device passcode and password policy to a higher security setting. The device passcode policy will automatically change to the higher security policy on enrolled devices. As a result, some end users might need to update the passcode on their devices, and the MDM agent will prompt them to do so.
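As an added example (not code from Google or any MDM vendor), the following Python classifier applies the four levels listed above to a candidate passcode and reports whether a user would be prompted to change it under a given requirement. It assumes that a sequence means four or more digits with a constant step, that the sequence rule and the eight-character minimum apply to numeric PINs, and that the six-character minimum applies to alphabetic or alphanumeric passwords; the names Complexity, has_sequence, classify and must_change are made up for this example.

```python
from enum import IntEnum

class Complexity(IntEnum):
    NONE = 0    # no passcode required
    LOW = 1     # any passcode, sequences allowed
    MEDIUM = 2  # no repeating/ordered sequences, at least 4 characters
    HIGH = 3    # PIN of 8+ with no sequences, or 6+ alphabetic/alphanumeric

# Assumption: four digits with a constant step form a "sequence", matching
# the article's examples (4444 step 0, 1234 step +1, 4321 step -1, 2468 step +2).
RUN_LENGTH = 4

def has_sequence(pin: str, run: int = RUN_LENGTH) -> bool:
    """Return True if pin contains `run` digits in a row with a constant step."""
    steps = [int(b) - int(a) for a, b in zip(pin, pin[1:])]
    streak = 0
    for i, step in enumerate(steps):
        streak = streak + 1 if i and step == steps[i - 1] else 1
        if streak >= run - 1:  # `run` digits means `run - 1` equal steps
            return True
    return False

def classify(passcode: str) -> Complexity:
    """Highest level from the list above that this passcode satisfies."""
    if not passcode:
        return Complexity.NONE
    if passcode.isascii() and passcode.isdigit():  # numeric PIN
        if has_sequence(passcode) or len(passcode) < 4:
            return Complexity.LOW
        return Complexity.HIGH if len(passcode) >= 8 else Complexity.MEDIUM
    # Alphabetic or alphanumeric password: only length is checked here.
    if len(passcode) >= 6:
        return Complexity.HIGH
    return Complexity.MEDIUM if len(passcode) >= 4 else Complexity.LOW

def must_change(passcode: str, required: Complexity) -> bool:
    """True if a user with this passcode would be prompted to pick a new one."""
    return classify(passcode) < required

if __name__ == "__main__":
    # Constructed sample passcodes, not real data.
    for sample in ["", "4444", "2468", "7391", "19283746", "73914444", "tr4vel"]:
        level = classify(sample)
        prompt = must_change(sample, Complexity.HIGH)
        print(f"{sample!r:12} {level.name:7} prompt at HIGH: {prompt}")
```

A PIN such as 73914444 is eight digits long but still rates Low here because it embeds a repeating run, which is the case a length-only check would miss.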