Android Work Profiles provide a secure, isolated workspace on a personal device. This allows organizations to manage corporate data and apps without taking full control of the user's personal device, balancing corporate security with user privacy.
Work Profile as a Managed Profile
At the framework level, a Work Profile is implemented as a specific type of secondary user: a Managed Profile. Unlike a full secondary user, a managed profile shares the device UI (launcher, notifications, recent apps) with the primary user but maintains strict data and process isolation.
Apps installed in the work profile are marked with a distinct badge. The Android framework routes intents and manages file access based on the User ID of the profile.
```java
// Checking if a user is a managed profile
UserManager userManager = (UserManager) context.getSystemService(Context.USER_SERVICE);
// True when the calling app is running inside a managed (work) profile
boolean isManaged = userManager.isManagedProfile();
```
Profile Owner Policies
The core of work profile management is the Profile Owner. This is the Device Policy Client (DPC) app that provisions and manages the profile. The Profile Owner uses the DevicePolicyManager API to enforce corporate policies exclusively within the boundaries of the work profile.
Common policies include:
- Enforcing strict password requirements for the work profile challenge.
- Disabling screen capture within work apps.
- Configuring managed app configurations.
- Wiping the work profile remotely.
```java
DevicePolicyManager dpm = (DevicePolicyManager) context.getSystemService(Context.DEVICE_POLICY_SERVICE);
ComponentName adminComponent = new ComponentName(context, MyDeviceAdminReceiver.class);
// Disabling screen capture for the work profile
dpm.setScreenCaptureDisabled(adminComponent, true);
```
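An added example, not code from the original page: a DPC helper that applies the other policies in the list above from inside the work profile. It assumes API level 31 or later; the class name `WorkProfilePolicy`, the package `com.example.mail` and the restriction key `allow_export` are hypothetical.

```java
import android.app.admin.DevicePolicyManager;
import android.content.ComponentName;
import android.content.Context;
import android.os.Bundle;

/** Added example (hypothetical class): applies work profile policies as Profile Owner. */
public final class WorkProfilePolicy {
    // Hypothetical managed app and restriction key, for illustration only.
    private static final String MANAGED_APP = "com.example.mail";
    private static final String KEY_ALLOW_EXPORT = "allow_export";

    private final DevicePolicyManager dpm;
    private final ComponentName admin;
    private final String dpcPackage;

    public WorkProfilePolicy(Context context, ComponentName admin) {
        this.dpm = (DevicePolicyManager)
                context.getSystemService(Context.DEVICE_POLICY_SERVICE);
        this.admin = admin;
        this.dpcPackage = context.getPackageName();
    }

    /** Applies the policies; returns false if this app is not the Profile Owner. */
    public boolean apply() {
        if (!dpm.isProfileOwnerApp(dpcPackage)) {
            return false; // the calls below would throw SecurityException
        }
        // Password requirement (assumes API 31+).
        dpm.setRequiredPasswordComplexity(DevicePolicyManager.PASSWORD_COMPLEXITY_HIGH);
        // Block screenshots and screen recording of work apps.
        dpm.setScreenCaptureDisabled(admin, true);
        // Managed app configuration: the target app reads this Bundle
        // through RestrictionsManager.getApplicationRestrictions().
        Bundle config = new Bundle();
        config.putBoolean(KEY_ALLOW_EXPORT, false);
        dpm.setApplicationRestrictions(admin, MANAGED_APP, config);
        return true;
    }

    /** Remote wipe: from a managed profile this removes the profile and its data only. */
    public void wipeWorkProfile() {
        if (dpm.isProfileOwnerApp(dpcPackage)) {
            dpm.wipeData(0); // no extra flags
        }
    }
}
```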
Cross-Profile Intent Sharing
To make the dual-profile experience seamless, Android allows controlled communication between the personal and work profiles. This is governed by Cross-Profile Intent Filters.
By default, an Intent fired in the work profile stays in the work profile. However, the Profile Owner can configure rules to forward specific intents (like opening a web link or capturing a photo) to the personal profile, or vice versa.
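```java
// DPC adding a cross-profile intent filter
IntentFilter filter = new IntentFilter(Intent.ACTION_VIEW);
filter.addCategory(Intent.CATEGORY_DEFAULT);
filter.addCategory(Intent.CATEGORY_BROWSABLE);
filter.addDataScheme("http");
filter.addDataScheme("https");
// FLAG_MANAGED_CAN_ACCESS_PARENT: activities in the managed (work) profile
// may handle matching intents sent from the parent (personal) profile.
// FLAG_PARENT_CAN_ACCESS_MANAGED is the flag for the opposite direction.
dpm.addCrossProfileIntentFilter(adminComponent, filter,
        DevicePolicyManager.FLAG_MANAGED_CAN_ACCESS_PARENT);
```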
When an intent crosses the boundary, the ActivityManagerService (AMS) intercepts it, changes the target User ID, and routes it to the resolved component in the destination profile.
IT Admin Enrollment Flow
The enrollment flow provisions the work profile and sets up the DPC:
- Initiation: The user downloads the DPC (e.g., Android Device Policy) or initiates enrollment via a corporate portal.
- Profile Creation: The DPC requests the framework to create a managed profile using ACTION_PROVISION_MANAGED_PROFILE.
- DPC Initialization: The system creates the profile, copies the DPC into it, and sets it as the Profile Owner.
- Policy Sync: The DPC inside the work profile connects to the Enterprise Mobility Management (EMM) server, downloads corporate policies, and applies them.
- App Installation: Managed Google Play installs necessary corporate applications silently in the background.
To simulate provisioning via adb:
```shell
adb shell dpm set-profile-owner --user 10 com.example.dpc/.MyDeviceAdminReceiver
```