
Get started with work profile management

This page shows you how to set up the Android Enterprise work profile management mode and enroll personal devices.

The work profile management mode lets you manage a dedicated workspace, the work profile, on a user’s Android device. This management mode is commonly used for a bring your own device (BYOD) setup, because you can only monitor and manage apps, accounts, and data within the work profile.

Requirements

  • You set up Android Enterprise in Sophos Mobile. See Set up Android Enterprise.
  • You added the device user to Sophos Central. See Users.
  • You created the device group you want to add the device to. See Device groups.

See the following sections to learn how to set up Android Enterprise work profile enrollment and enroll devices.

Set up work profile management

You must perform the following one-time tasks before enrolling the first device in work profile management mode.

Create policy

  1. In Sophos Central, go to My Products > Mobile.
  2. In the Sophos Mobile menu, go to Policies > Android.
  3. Click Create > Android Enterprise work profile policy.

    The "Android Enterprise work profile policy" command.

  4. On the Edit policy page, enter a name for the policy and, optionally, a description.

    The "Edit policy" page with example input.

  5. Sophos Mobile automatically adds a Restrictions configuration, which you can’t delete.

    Click Restrictions to view and edit the settings as required.

    See Restrictions configuration (Android Enterprise work profile policy).

    The "Restrictions" entry in the list of policy configurations.

  6. When you’ve made the required changes, click Apply.

    The "Apply" button.

  7. Click Add configuration to add more configurations to the policy.

    For a description of available configurations and their settings, see Configurations for Android Enterprise work profile policies.

    The "Add configuration" button.

  8. After you’ve added all required configurations, click Save.

    The "Save" button.

Next, add the policy to an enrollment task bundle.

For a general description of creating device policies, see Create policy.

Create enrollment task bundle

  1. In Sophos Central, go to My Products > Mobile.
  2. In the Sophos Mobile menu, go to Task bundles > Android.
  3. Click Create > Create task bundle.

    The "Create task bundle" command.

  4. On the Edit task bundle page, enter a name for the task bundle and, optionally, a description.

    The "Edit task bundle" page with example input.

  5. Click Add task > Enroll.

    The "Enroll" command.

  6. In the Select enrollment type step of the assistant, do as follows:

    1. In Task name, enter a name for the task, for example, “Enroll”.

      Sophos Mobile shows the name on the Task details page when it processes the task bundle for a device.

    2. In Select enrollment type, select Work profile.

    The "Select enrollment type" step of the assistant.

  7. In the Select policy step, do as follows:

    1. In Task name, enter a name for the task, for example, “Assign policy”.
    2. In Select policy, select the policy you created before.
    3. Click Finish.

    The "Select policy" step of the assistant.

  8. Optional: Click Add task and select another task to add to the task bundle.

    For a list of available tasks, see Task types (Android).

    The expanded "Add task" menu showing a list of available tasks.

  9. After you’ve added all required tasks, click Save.

    The "Save" button on the "Edit task bundle" page.

For a general description of creating task bundles, see Create task bundle.

Enroll device

Add device to Sophos Mobile

To add an Android Enterprise work profile device to Sophos Mobile, do as follows:

  1. In Sophos Central, go to My Products > Mobile.
  2. In the Sophos Mobile menu, go to Devices.
  3. Click Add > Add device wizard.

    The "Add device wizard" command.

  4. In the User step of the assistant, do as follows:

    1. Select Search for user.
    2. Enter search criteria for the user account in one or more of the following fields:

      • User name
      • First name
      • Last name
      • Email address

    The "User" step of the assistant with a name entered in the "Last name" field.

  5. In the User selection step, you see a list of all users matching your search criteria. Select the user you want to assign to the device.

    The "User selection" step of the assistant with a user selected.

  6. In the Device details step, do as follows:

    1. In Platform, select Android.
    2. In Name, enter the name of the device in Sophos Mobile.
    3. Optional: In Description, enter a description for the device.
    4. Optional: In Phone number, enter the device’s phone number in international format.
    5. In Owner, select Personal.
    6. In Device group, select the device group you want to add the device to.

    Email address is a read-only field showing the user’s email address.

    The filled out "Device details" step of the assistant.

  7. In the Enrollment type step, do as follows:

    1. In Select the enrollment type, select Enroll device with task bundle.
    2. Select the task bundle you created before.

    The "Enrollment type" step of the assistant showing the settings to select.

  8. In the Enrollment step, you see the enrollment instructions the user must follow on their Android device.

    The "Enrollment" step of the assistant.

  9. Optional: Click Send to send the enrollment instructions to the user’s email address.

    Sophos Mobile sends the instructions to the email address configured in the user account by default. To send the instructions to a different address, edit the Send instructions email field before clicking Send.

    The "Send" button next to the email address.

  10. Tell the user to follow the enrollment instructions on their device.

    See Enroll device with Sophos Mobile for a detailed description of the enrollment steps.

  11. Close the assistant by clicking the X button in the top right.

    Alternatively, wait until the device is enrolled and then click Finish.

    The location of the X button to close the assistant.

  12. You can monitor the enrollment status on the device’s Show device page. Do as follows:

    1. In the Sophos Mobile menu, go to Devices.
    2. Click the name of the device.

      The device on the "Devices" page.

    3. Go to the Tasks tab.

      When all tasks have the status Successful, enrollment is completed.

      The "Tasks" tab showing all tasks with status "Successful".

When the user has completed the steps described in Enroll device with Sophos Mobile, the Devices page shows the device with management mode Work profile and status Managed.

The managed device on the "Devices" page.

Enroll device with Sophos Mobile

After you add the device to Sophos Mobile, the user must follow the enrollment instructions on their device.

Requirement

Before the user can enroll the device, they must set it up with their personal Google account.

To enroll the device with Sophos Mobile, the user must do as follows:

  1. On the device you want to enroll, open Google Play, go to the Sophos Mobile Control app, and tap Install.

    The "Install" button.

  2. When Google Play has installed the app, tap Open.

    The "Open" button.

  3. Enter the enrollment information. Usually, you do this by scanning the QR code from the enrollment instructions. If required, you can enter the information manually.

    Use one of the following methods.

    To scan the QR code:

    1. Tap Scan QR code.

      The "Scan QR code" button.

    2. Allow Sophos Mobile Control to take pictures.

      Tap While using the app or Only this time.

      The options you must select for allowing Sophos Mobile Control to take pictures.

    3. Scan the QR code from the enrollment instructions.

    To enter the information manually:

    1. Tap More (three dots) in the upper right.

      The More button.

    2. Select Enter manually.

      The Enter manually menu entry.

    3. Enter the information from the enrollment instructions. Make sure you select Create work profile.

      The page to enter the enrollment information.

    4. Tap Connect.

  4. On the Create work profile page, tap Next.

    The "Next" button on the "Create work profile" page.

  5. Tap View terms to read the usage terms, then go back and tap Accept & continue.

    The "View terms" and "Accept & continue" buttons.

  6. When Android has completed setting up the work profile, tap Next two times.

    The first "Next" button.

    The second "Next" button.

  7. The Android setup assistant opens Sophos Mobile Control in the work profile. To complete the setup, you must allow Sophos Mobile Control the required permissions. See Allow app permissions.

  8. Uninstall the Sophos Mobile Control personal app.

    After enrollment, there are two versions of Sophos Mobile Control on the device: The app you installed and the app the setup assistant installed in the work profile. After your device is enrolled, you only need the work app and can uninstall the personal app.

    In the image below, the personal app is on the left, and the work app is on the right. You can identify the work app by its briefcase badge.

    The icons of the Sophos Mobile Control personal and work apps.

  9. Open the Sophos Mobile Control work app to check the device status and server connection.

    1. On the app’s dashboard, all tiles are green when your device is compliant and there are no actions to take.

      The app’s dashboard with all tiles in green.

    2. Tap the Management info tile for details about the Sophos Mobile server.

      The "Management info" page.

Allow app permissions

Note

The steps for configuring app permissions depend on device type and Android version and may be different on your device.

Note

Sophos Mobile Control doesn’t request the Location permission if finding devices is turned off in the Sophos Mobile Privacy settings. See Configure privacy settings.

  1. Allow Sophos Mobile Control the Display over other apps permission.

    1. In the Display over other apps notification, tap Allow.

      The "Display over other apps" notification.

    2. On the Work tab, tap Sophos Mobile Control.

      The "Sophos Mobile Control" app in the list of work apps.

    3. Turn on Allow display over other apps.

      The "Allow display over other apps" setting turned on.

    4. Go back several times until you’re back in Sophos Mobile Control.

  2. Allow Sophos Mobile Control the Location permission.

    1. Tap Allow.

      The notification for allowing Sophos Mobile Control the Location permission.

    2. Tap Open.

      The "Open" button.

    3. Tap Permissions > Location > Allow all the time.

      Three images showing the locations of the "Permissions", "Location", and "Allow all the time" buttons.

    4. Go back several times until you’re back in Sophos Mobile Control.

  3. Allow Sophos Mobile Control to always run in the background.

    1. In the Battery optimization notification, tap Stay protected.

      The "Battery optimization" notification.

    2. Tap Allow.

      The "Allow" button.