The Android Tales: A Full Comprehensive Guide on Managing Android devices with Microsoft Intune – Part 5

Android Enterprise Corporate-Owned Devices with Work Profile is designed for scenarios where the company owns the device but allows limited personal use. This mode creates a clear separation between work and personal data by leveraging a work profile on the device. IT administrators maintain full control over the work profile while keeping personal apps and data private, ensuring compliance without sacrificing user experience.

The purpose of Android Enterprise Corporate-Owned Devices with Work Profile is to give organizations a secure and efficient way to manage company-owned Android devices while still respecting employee privacy. The main goal is to combine strong corporate control with flexibility for personal use. This is achieved by creating two separate environments on the same device: a work profile for business apps and data, and a personal profile for the user’s own apps and information.

This approach ensures that sensitive corporate data is protected under strict security policies, while personal content remains private and untouched by IT. It reduces the need for employees to carry two devices, lowers hardware costs, and improves user satisfaction by allowing personal use without compromising compliance. Ultimately, the purpose of this deployment mode is to strike a balance between organizational security requirements and the modern expectation of convenience and privacy.

Microsoft Intune

The options for Android Enterprise Corporate-owned with Work Profile configurations are quite similar to those with Fully Managed devices. We see two possibilities within the enrollment profile, namely Corporate-owned with Work Profile and Corporate-owned with Work Profile, via staging. The difference between Corporate-owned with Work Profile and Corporate-owned with Work Profile, via staging, lies primarily in how the devices are enrolled and provisioned before reaching the end user.

Corporate-owned with Work Profile (Default) versus Corporate-owned with Work Profile via staging

Corporate-owned with Work Profile (Default)

Enrollment Flow

The enrollment process for Android Enterprise Corporate-Owned Devices with Work Profile using Microsoft Intune begins with the device in a factory-reset or out-of-box state to ensure a clean start. The user powers on the device, connects to Wi-Fi, and initiates enrollment by scanning a QR code provided by Microsoft Intune. Once enrollment starts, Microsoft Intune provisions the device by applying the corporate configuration, installing the Company Portal app, and creating the work profile alongside the personal profile. After this step, business apps and policies are deployed inside the work profile, while the user retains the ability to add personal apps outside the work profile.

Use Case

Imagine a consulting firm that provides employees with a single Android device for both work and personal use. Employees need access to Microsoft Teams, Outlook, and corporate resources while also being able to use personal apps like WhatsApp or Spotify.
With this type of enrollment, IT enforces security policies on the work profile (e.g., app protection, conditional access) while leaving personal data untouched. If an employee leaves, IT wipes only the work profile, preserving personal content.

Device State Before User Sign-in

Before the user signs in, the device is in a corporate-owned but unenrolled state. It has no work profile yet, and only the default Android setup wizard is available. Once enrollment begins, Intune provisions the device and creates the work profile, applying corporate policies.

Pros

They provide strong security for corporate data while respecting user privacy, ensuring that sensitive information remains protected without interfering with personal content. Employees only need one device, which reduces hardware costs and simplifies device management. IT administrators can remotely wipe work data without affecting personal data, making offboarding secure and efficient. This deployment model also supports modern work scenarios where flexibility and compliance are both critical, allowing organizations to meet security requirements while giving employees the convenience of a single device for both work and personal use.

Corporate-owned with Work Profile via staging

Enrollment Flow

Staging enrollment allows IT or a deployment team to pre-provision devices before handing them to end users. The process begins with a factory-reset device to ensure a clean state. An IT administrator or staging user signs in and completes the initial setup using Intune’s enrollment method, such as a QR code, NFC, or token. Once enrolled, Intune applies corporate policies and creates the work profile, installing all required business apps and configurations. After staging is complete, the device is handed over to the end user, who simply signs in to the work profile with their own credentials without affecting the personal profile.

Use Case

Consider a large retail chain that needs to deploy hundreds of Android devices to store managers. Instead of requiring each manager to go through the full enrollment process, IT uses staging to pre-configure devices with corporate settings and apps. When managers receive the device, they only need to sign in to the work profile, which saves time and ensures consistency across all devices.

Device State Before User Sign-in

Before the end user signs in, the device is fully enrolled under the staging account. The work profile has been created, and corporate apps and policies are already applied. The personal profile remains untouched, and the device is ready for the user to authenticate into the work profile.

Pros

Staging provides faster deployment because devices can be prepared in bulk before distribution. It ensures consistency across all devices, reduces the effort required from end users, and maintains security by applying corporate policies before the device reaches the user.

Summary Table

| Feature | Corporate-Owned with Work Profile | Corporate-Owned with Work Profile via Staging |
| --- | --- | --- |
| Enrollment Token | Generated per user or group in Intune. | Generated for staging account (shared). |
| Setup Responsibility | End user completes enrollment themselves. | IT admin or staging user sets up device first, then hands over to end user. |
| User Experience | User receives device, scans QR code or enters token, sets up work profile. | User receives pre-configured device with work profile already staged; only needs to sign in to work profile. |
| Ideal For | BYOD-like experience but on corporate-owned devices; minimal IT involvement. | Large deployments where IT wants to pre-stage devices before handing to users. |
| Device State Before User | Factory reset state; user performs full enrollment. | Device is already enrolled and staged; user only completes sign-in. |

Configuration – Corporate-owned with Work Profile

Microsoft Entra ID group

As with our Android Enterprise Dedicated devices, this group is also for Enrollment Time Grouping. More information can be found in my previous part here.

Go to Microsoft Entra admin center | Groups and choose New group. Create a group with the following settings and choose Create.

  • Group type: Security
  • Group Name: AND – DVC – Corporate-owned with Work Profile
  • Group Description: Corporate-owned with Work Profile devices
  • Microsoft Entra roles can be assigned to the group: No
  • Membership type: Assigned
  • Owner: Intune Provisioning Client (f1346770-5b25-470b-88bd-d5744ab7952c)

Once the group is created, it is ready for use in our enrollment profile.

Enrollment Profile

The next thing is to create the enrollment profile, and as discussed earlier, for this section, we are going for the Corporate-owned with Work Profile.

Go to Microsoft Intune admin center | Devices | Android | Enrollment and, under Enrollment Profiles, select Corporate-owned devices with work profile.

Choose Create policy and create a policy as shown below, and choose Next.

  • Name: AND – Corporate-owned devices with work profile
  • Description: Enrollment token for Android Corporate-owned devices with work profile devices
  • Token type: Corporate-owned devices with work profile (default)
  • Apply device name template: No

On the Device group screen, choose Microsoft Entra group and select our newly created group, then choose Next.

Review your settings and choose Create.

Our enrollment token is now ready for use. Next up, we will create a Compliance and Configuration policy to get our enrollment ready.

Compliance Policy

As with our other enrollment types, it is also important, for security, that our devices meet certain requirements before they are allowed to enroll. To control this, we will provide a Compliance Policy that sets certain requirements, such as a minimum OS version and blocking rooted devices.

Go to Microsoft Intune admin center | Devices | Android | Compliance and choose Create policy, select the following, and choose Create.

  • Platform: Android Enterprise
  • Profile type: Fully managed, dedicated, and corporate-owned work profile

Give the policy a name and description and select Next.

  • Name: AND – Android Enterprise Corporate-owned with work profile
  • Description: This compliance policy is assigned to Corporate-Owned with Work profile devices

We are now going to define some requirements that our devices must meet, such as a minimum OS version, an active password, etc. This Compliance Policy is a baseline and not a requirement, but it is a good start. Below is an overview of all the settings per item that we are going to set under Compliance settings. Configure them as shown and choose Next.

Choose Next and configure the Actions for noncompliance after 3 days. This is also to give the device time to become compliant.

Choose Next and assign the policy to our newly created Microsoft Entra group, and choose Next again.

In the Review + create screen, review your settings and choose Create. Our compliance policy is ready to go!

Managed Google Play – Apps

Before we can start with our configuration, we also need applications to add to our Fully Managed configuration. In a previous post, I described how to add an app from the Managed Google Play in Microsoft Intune and assign it to your group. You can find the steps here.

For our Android Enterprise Corporate-owned with Work Profile devices, we will assign our dedicated Microsoft Entra Group to the following applications: Microsoft Edge, Microsoft Outlook, Microsoft Teams, Authenticator, and Microsoft OneDrive. Make sure you do this for all the applications you need in your configuration.

Configuration Profile

We are going to create a Configuration Profile with some base settings for our Android Enterprise Corporate-owned, Fully Managed user devices.

Go to Microsoft Intune admin center | Devices | Android | Configuration and choose Create and then New Policy. Choose the following:

  • Platform: Android Enterprise
  • Profile type: Templates

Choose Device restrictions underneath the Fully Managed, Dedicated, and Corporate-Owned Work Profile template.

Give the Configuration Profile a name and description, and select Next:

  • Name: AND – Corporate-Owned with Work Profile – Device Restrictions
  • Description: This policy will set some base configuration for Corporate-owned with Work Profile devices

Let’s set some settings. For our example, you can use the one shown below and choose Next.

Assign our newly created group to the policy and choose Next. Review your configuration and choose Create.

On the Review + create screen, review your settings and then choose Create.

Our Configuration Policy is now ready to go.

In this last part, I’ll show you how to enroll your device and show the end-user experience for Android Enterprise Corporate-owned, Fully Managed user devices.

Enrollment

Boot your device and tap the Welcome screen 6 times. Select your language, then scan the QR code you created in the Enrollment profile. Choose your Wi-Fi connection and start deploying.

When you get the screen This device belongs to your organisation, choose Next. On the Set up a work profile screen, choose Agree. Your work profile is being set up. Choose Next to continue.

Wait until you get a Microsoft login page (Google Chrome will open), and sign in with your Microsoft 365 user account.

On the Your work checklist screen, configure a PIN code and choose Install for the work apps. The final step is to register your device, so choose Set up.

The Microsoft Intune app will open, and you need to choose Sign in and fill in your user password. On the “Help us keep your device secure” page, choose Register. This will bring us to the final stage. Choose Next in the next screen to complete your device registration. Once the registration is completed, choose Done.

After the registration, you’ll be asked to add a personal account and choose Next. Sign in with your personal account and follow the steps on your device. Once you have gone through the personal section and arrived at the home screen, you will see that there is now a Personal and a Work tab available on the device (as with a Personal device with Work Profile).

So this is how you configure an Android Enterprise Corporate-owned with Work Profile device that is completely user-driven.

Configuration – Corporate-owned with Work Profile via Staging

As already discussed for Fully Managed devices, here too, the difference in configuration is that Enrollment Time Grouping is not supported for Staging. Here, we will work with a dynamic group based on the name of the enrolment profile. It is important that we first determine the name of the enrolment profile. In this post, we will go for AND – Corporate-Owned with Work Profile – Staging.

IMPORTANT: The name in the dynamic membership rule of the dynamic group must match the name of the enrolment profile exactly; otherwise the enrolment will not work.

Microsoft Entra ID Group

So, the first thing we are going to do is create a dynamic group based on the enrolment profile name.

Go to the Microsoft Entra admin center | Groups, then choose New group. Create a group with the following settings and choose Create.

  • Group type: Security
  • Group Name: AND – DVC – Corporate Owned with Work Profile Devices – Staging
  • Group Description: Android Enterprise Corporate Owned with Work Profile Devices – Staging Mode
  • Microsoft Entra roles can be assigned to the group: No
  • Membership type: Dynamic Device
  • Dynamic membership rule: (device.enrollmentProfileName -eq "AND – Corporate-Owned with Work Profile – Staging")

Once the group is created, it’s ready to use for our enrollment profile assignment.
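A pre-flight check for the exact-match requirement above, as an added example that is not part of the original post: it parses a rule of the form shown in the list, compares the quoted literal with the enrolment profile name character by character, and reports typographic quotes or dash lookalikes picked up through copy and paste. The function names and the sample strings are assumptions constructed for this illustration.

```python
import re
import unicodedata

# Characters that word processors and web pages substitute silently.
LOOKALIKES = {"\u201c": '"', "\u201d": '"', "\u2018": "'", "\u2019": "'",
              "\u2013": "-", "\u2014": "-", "\u00a0": " "}

# Only the single-comparison form used in the post is handled.
RULE_RE = re.compile(
    r"^\(\s*device\.enrollmentProfileName\s+-eq\s+"
    r"(?P<open>\S)(?P<name>.*)(?P<close>\S)\s*\)$", re.DOTALL)

# Constructed samples: the profile name as this post spells it (en dashes)
# and a rule copied with typographic quotes around the literal.
PROFILE_NAME = "AND \u2013 Corporate-Owned with Work Profile \u2013 Staging"
PASTED_RULE = "(device.enrollmentProfileName -eq \u201c" + PROFILE_NAME + "\u201d)"


def fold(text):
    """Map typographic lookalikes to their ASCII counterparts."""
    return "".join(LOOKALIKES.get(ch, ch) for ch in text)


def describe(ch):
    return f"U+{ord(ch):04X} {unicodedata.name(ch, 'UNNAMED')}"


def check_rule(rule, profile_name):
    """Return a list of findings; an empty list means rule and name agree."""
    match = RULE_RE.match(rule.strip())
    if not match:
        return ["rule is not a single device.enrollmentProfileName -eq comparison"]
    findings = []
    for quote in (match["open"], match["close"]):
        if quote != '"':
            findings.append(
                f"literal delimited by {describe(quote)}, expected a straight double quote")
    literal = match["name"]
    if literal == profile_name:
        return findings
    if fold(literal) == fold(profile_name):
        # Same text once lookalikes are folded: list each differing character.
        for pos, (a, b) in enumerate(zip(literal, profile_name)):
            if a != b:
                findings.append(
                    f"position {pos}: rule has {describe(a)}, profile has {describe(b)}")
    elif literal.strip() == profile_name.strip():
        findings.append("names differ only in leading or trailing whitespace")
    else:
        findings.append("names differ in content")
    return findings


if __name__ == "__main__":
    for finding in check_rule(PASTED_RULE, PROFILE_NAME):
        print(finding)
```

Run it against the rule text and the profile name exactly as they will be typed into the two portals; an empty result means the two strings agree.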

Enrollment Profile

For Android Enterprise Corporate-Owned with Work Profile in Staging mode, we need to create a separate enrollment profile.

Go to Microsoft Intune admin center | Devices | Android | Enrollment and, under Enrollment Profiles, select Corporate-owned with work profile.

Choose Create policy and create a policy as shown below, and choose Next.

  • Name: AND – Corporate-Owned with Work Profile – Staging
  • Description: Enrollment token for Android Enterprise Corporate-owned with Work Profile in Staging Mode
  • Token type: Corporate-owned with work profile, via staging
  • Token expiration date: (use a date that is at least three months from the day you create the token)
  • Apply device name template: No

Note the message that says “Assigning a static security group during enrollment is not supported with staging.” If you do so, you’ll get the following error while creating the enrollment profile.

So on the Device group screen, choose None instead of Microsoft Entra group, because we are working with a dynamic group, then choose Next.

Review your settings and choose Create.

Our enrollment token is now ready for use.

Compliance policies, Managed Google Apps, and Configuration Profile

For this example, we are just going to assign our new dynamic device group to the same apps and policies described in the Android Enterprise Corporate-owned with Work Profile (default) mode setup. So make sure you assign the dynamic group to the compliance policies, applications, and configuration profiles.

IMPORTANT: The device will only become a member of the dynamic device group after the user stage of enrolment has been completed; nothing happens during the device stage.

Enrollment

Boot your device and tap the Welcome screen 6 times. Select your language, then scan the QR code you created in the Enrollment profile. Choose your Wi-Fi connection and start deploying.

When you get the screen This device belongs to your organisation, choose Next. On the Set up a work profile screen, choose Agree. Your work profile is being set up. Choose Next to continue.

Your device will go into the staging phase of the enrollment and will go through several steps automatically. During enrollment, the Microsoft Intune and Microsoft Authenticator apps will be installed automatically. When you get to the Add a personal account screen, the staging is done, and the device can be turned off and handed over to the end-user.

User Experience

When the end-user turns on the device, it will need to go through some steps. First, they need to Agree to the Privacy Policy, and they will be directed to the home screen. They’ll notice that a Work Profile is already created.

The personal part is the same as configuring your personal Android device, but for the Work Profile, you need to follow some steps. Go to the Work profile and choose the Intune app. The Microsoft Intune app will open, and you need to choose Sign in and fill in your user password. On the “Help us keep your device secure” page, choose Register. This will bring us to the final stage. Choose Next in the next screen to complete your device registration. Once the registration is completed, choose Done.

After the registration, the device is now added to your corporate account. Sign in with your personal account and follow the steps on your device. After a while (we are using a dynamic device group), all corporate applications and settings assigned to the device will be deployed to the device in the Work Profile.

So this is how you configure an Android Enterprise Corporate-owned with Work Profile via Staging, a way to pre-provision your devices before handing them out to the end-user.

Nicky De Westelinck

Nicky De Westelinck is a Modern Workplace Consultant at Wortell with several years of experience in Microsoft 365. His main focus is Microsoft Intune and Microsoft 365 Administration. He has also been a Microsoft Certified Trainer since 2021.
