According to IDC, more than 50% of enterprise IT decision makers consider both PC and mobile devices to be critical for enhancing workforce productivity. This has been emphasized even more over the recent challenging yet evolutionary years in the workplace, where many employees have now stitched together their digital work environments with whichever device — be it desktop or mobile — they could get their hands on. Bring your own, or BYO, is a concept that refers to partially managed, personally owned devices used by employees to access work content or applications. Organizations have increasingly adopted this strategy as a more cost-effective option of equipping their employees with corporate resources and applications. However, not every organization’s business needs are alike, and a BYO approach may not always suit every organization’s needs.
The history of the Android COPE model
Android Enterprise’s corporate-owned, personally enabled (COPE) model, now also known as corporate-owned devices with work profile, is a Google solution set that facilitates personal use on company-owned work devices. Introduced with Android 8 (Oreo) in 2017, COPE enables devices to house work apps and data in a dedicated container that separates work from personal content. This mode of Android device management addresses fundamental challenges with BYO — namely, the lack of inherent consistency across devices, along with the inability to enforce device-wide compliance policies. A part of COPE’s appeal was that it assured ubiquitous OS compatibility across device models, ensuring uninterrupted and constant communication between employees, along with analogous access to mission-critical software across devices. Furthermore, according to a Google and Qualtrics study, a clear delineation between work and personal data gave employees the assurance that their work data was separate from their personal data. Thus, by implementing an OS level partition, organizations can instill a strong sense of employees for their personal profile, establish balance between work and personal, and greatly reduce the chances of unwanted mistakes, such as sending a corporate or personal email from the wrong account.
Prior to Android 11, personal profile — the segment that houses the employee’s personal data — was as manageable as the inflated work container, and admins were able to push settings and configurations to both work and personal profiles. However, with Android 11’s release in 2020, Google introduced sweeping changes to COPE to bolster user privacy and to limit security and regulatory risks for the organization. These changes meant that although IT teams were now allowed to enforce specific rules enhancing overall device security and compliance, they experienced reduced device-wide visibility and control over the personal profile that was previously available. This nuanced approach by Google sought to intricately balance device protection against cross-profile data breaches and compliance with regulatory responsibilities, as well as grant end users autonomy over their personal data and privacy. To view a comprehensive list of changes to COPE in Android 11, refer to this knowledge base article on VMware Customer Connect.
How Workspace ONE supports COPE devices
VMware first introduced support for Android COPE devices in 2018 via Workspace ONE, a platform utilized by some of the world’s largest customers to manage COPE devices. With the evolution of COPE introduced in Android 11, Workspace ONE UEM strategically redesigned its approach to better adapt the new balance between personal usage privacy and organizational control within the work profile.
This multi-pronged approach began with the introduction of enhancements to create comprehensive device-wide control required to comply with organizational policies. Next was the roll out of new feature sets that safeguarded end users’ personal data. Manuel Perez, Senior Product Marketing Manager for Workspace ONE Android Enterprise integrations, explained, “By combining these enhancements with the rich management feature set Workspace ONE Unified Endpoint Management (UEM) offers — along with its intelligent analytics, remote support, and identity and access management (IAM) capabilities integrated into a holistic ‘Digital Workspace’ offering — we have empowered some of the world’s largest organizations to achieve their enterprise mobility objectives involving Android’s COPE-enabled devices.”
Several key features of Workspace ONE are pivotal in the overall success of the device deployment strategies for our largest customers. For example, the “Single User Staging” feature allows IT admins to prepare devices en masse for rapid distribution by staging them on behalf of pre-designated end users. Users then complete device setup by inputting their unique credentials, enabling Workspace ONE to conduct a one-time reassignment and link the device to its respective end user. Another feature is “MobileSSO,” which facilitates secure sign-on to any app — native, virtual or cloud — using certificate-based authentication. This capability eliminates the need for end users to repeatedly enter multiple passwords during mission-critical tasks. Additionally, Workspace ONE provides best-in-class support for real-time troubleshooting through Workspace ONE Assist, further distinguishing itself when troubleshooting by prioritizing end-user privacy and limiting its scope to the work profile.
Top 5 Workspace ONE capabilities for COPE devices
Keeping up with the changes introduced in COPE with Android 11, we invested in enhancing Workspace ONE to cater to our customers’ needs. Let’s look at the top five Workspace ONE capabilities that can help IT admins better optimize device management, maximize ROI, ensure overall compliance, and boost employee engagement on Android 11 and the mentioned COPE devices:
- App restrictions for both work and personal profiles. IT admins can enforce comprehensive control on apps within the work profile, such as mandating a VPN for a work email app. Within the personal profile, they can curate app allowlists/denylists and force-uninstall potentially harmful apps. IT admins can further bolster device security by restricting app installations from sources beyond Google Play on both work and personal profiles.
- Shift-based access control. IT admins can selectively restrict access to sensitive company apps, such as inventory management apps, when employees are off duty. Employees can still access non-work and personal data on their respective COPE devices after business hours, as well as non-sensitive corporate content like HR and shift-scheduling apps.
- Maximum days to disable work profile. Admins can set a limit on consecutive days employees can disable the work profile on COPE devices. Workspace ONE UEM can auto-suspend personal apps until the work profile is re-enabled, because disabling the work profile is an out-of-compliance action.
- Password reset in direct boot mode. IT admins can mandate separate passcodes for work and personal profiles on COPE devices. In case users forget their work profile passcode, admins no longer need to wipe the full device. Instead, users can request to reset the work profile password by using the “Forgot My Password” button available during direct boot mode — a mode where the device has been powered on, but the user has not yet unlocked the work profile. This button instructs end users to contact their IT admin and start the work profile in a locked state. This allows Intelligent Hub to complete the required steps to facilitate a secure work profile password reset.
- Enterprise wipe. If there is a need to wipe the work profile — perhaps if the device has become non-compliant or needs retirement/transfer — admins can initiate an enterprise wipe to completely remove corporate apps and data without erasing the employee’s personal data.
Conclusion
In the End-User Computing (EUC) Division, we believe that organizations can strike the right balance between both regulatory compliance and employee privacy satisfaction, all while ensuring a seamless digital employee experience. This is precisely why the Workspace ONE platform offers a comprehensive approach, effortlessly integrating COPE Android devices, among others, into your organization’s ecosystem.
To learn more about leveraging the COPE solution-set for your dynamic workforce, try out a free Workspace ONE UEM trial today.
