Work profile on corporate-owned devices (WPCO)

Information on how to set up a work profile on corporate devices that will also be used for personal activities.

With WPCO, administrators can set up a work profile on corporate devices to secure and separate work data from personal data. Organizations can retain the ownership of the devices and assign corporate policies to devices while maintaining employee privacy. Employees can securely use company-owned devices for personal activities without sacrificing privacy. Administrators can enforce selected policies that apply to the entire device (device wipe, block USB) and restrictions that apply to the personal profile (disallow certain apps), but personal apps, data, and usage are not accessible to organizations.

Supported WPCO policies

Work profile on corporate-owned devices (WPCO) supported policies are marked with the WPCO label in the MaaS360 Portal. Policies that are available for Profile Owner (PO) devices also apply to the work profile on corporate-owned devices (WPCO) devices. MaaS360 also supports a set of policies that administrators can apply to the personal profile on the work profile on corporate-owned devices (WPCO) devices.

Path Policy Description

Security > Device Security

Allow fingerprint on personal profile If set to false, disables the fingerprint sensor on the lock screen.
Allow IRIS Recognition on personal profile If set to false, disables IRIS authentication on the lock screen.
Allow face recognition on personal profile If set to false, disables face authentication on the lock screen.
Allow trust agents on personal profile A trust agent is a service that notifies the system on whether the device is in a safe environment. For example: Google Smart Lock or Profiles Trust Provider. If set to false, the device ignores the trust agent state on secure keyguard screens.

Security > Work profile-specific settings

Set maximum number of days a work profile can remain off The maximum number of days the work profile can be turned off before personal apps are disabled on the device. Minimum possible value is 3 days. Enter 0 for no limitation.
Security > Data Security Allow screen capture on personal side If set to false, disables the screen capture on personal device.
Restrictions > Device Features Allow camera on personal profile If set to false, disables the use of the camera on the device. If set to true, allows the use of the camera on the personal profile, but the camera app must be allowed in the native app compliance settings.
App Compliance > Configure Application Compliance Configure personal apps to be Blocked/Allowed The list of apps that are blocked or allowed from the Google Play Store app on the personal profile. Supports the following options:
  • No: Allows the installation of all apps from the Google Play Store on the personal profile.
  • Allowed: Allows the installation of configured apps from the Google Play Store on the personal profile only. Use the (+) icon to add multiple app IDs.
    Note: If no app IDs are provided, all apps are blocked.
  • Blocked: Blocks configured apps from installing from the Google Play Store on the personal profile. If you want to block apps, use (+) icon to add multiple app IDs.
    Note: If no app IDs are provided, all apps are allowed.
Device Management > Disable Device Management Actions Select wipe mode when user disables device management Wipes all data or work profile data when the user disables device management.
Device Management > Enforcement Actions Block personal apps when out of compliance Blocks personal apps on devices that are out of compliance.

Creating device enrollment configuration for work profile on corporate-owned devices (WPCO)

Requirements:
  • MaaS360 for Android app version 7.30 or later
  • Android OS version 11 or later
  • New QR code or Zero-touch JSON file. Older configurations enroll devices in Device Owner (DO) mode.
MaaS360 supports the following modes of enrollment to set up the work profile on corporate devices:

End-user enrollment for work profile on corporate-owned devices (WPCO)

Sample screens for the end-user enrollment flow:
WPCO sample enrollment
WPCO sample enrollment
WPCO sample enrollment
WPCO sample enrollment
WPCO sample enrollment
WPCO sample enrollment
WPCO Enrollment
WPCO Enrollment
WPCO Enrollment

Tracking work profile on corporate-owned devices (WPCO) devices in the MaaS360 Portal

After you successfully enroll devices, you can track the work profile on corporate-owned devices (WPCO) devices in the Device Summary page.
WPCO device view

Advanced search

MaaS360 allows you to filter the work profile on corporate-owned devices (WPCO) devices and create a smart device group with the advanced search option.

Follow these steps to filter the work profile on corporate-owned devices (WPCO) devices:
  1. Go to Devices > Advanced Search.
  2. Use the following search criteria:
    Hardware Inventory Container Type Equal To Work Profile on Company Owned
  3. Click Search. The Search Results page is displayed.
  4. Click Create New Device Group. The Device Group Details window is displayed.
  5. Provide details about the new device group, including the name, description, and whether the group is public or private, and then click Save.

Supported work profile on corporate-owned devices (WPCO) actions

The device-level actions that are available for Profile Owner (PO) devices also apply to the work profile on corporate-owned devices (WPCO) devices. Maas360 also added granular options for the Wipe and Remove Work Profile actions that apply to the work profile on corporate-owned devices (WPCO) devices only. For more information on the work profile on corporate-owned devices (WPCO) actions, see Android device actions.