Android BYOD Profile for Employee Owned Devices

Device Profiles are a great way to streamline your enrollment process. Like Device Profiles for Corporate devices, you can create BYOD Profiles for employee-owned Android devices. BYOD Profiles unify all your policies under one entity, which can then be assigned to a QR Code configuration or a User Group.

At a high level a BYOD profile offers the following policies,

  1. Application Policy: Select the applications that are to be installed in the secure work container.
  2. Browser Shortcuts: Select the browser shortcuts that will be shown in Scalefusion workplace, to provide your employees with quick bookmarks.
  3. Restrictions: Choose and control the finer security policies that should be applied on an employee-owned device.

This document covers the BYOD policy that is used for Personal/Employee owned devices. If you are looking to manage corporate owned devices, please refer to our guide on Device Profile for Corporate Devices.

Before You Begin

✅ You must have a valid Scalefusion account.

✅ Completed the Android for Work setup.

Creating a BYOD Profile

  1. Sign In to Scalefusion Dashboard and navigate to Device Profiles & Policies ➞ Device Profiles.
  2. Click on Create New Profile in the upper right corner.
  3. From the Android tab, select Personal (BYOD) option. Enter a name for your new Profile and click SUBMIT, to see the profile creator window.

Select Apps

  1. The first section in the profile creator window helps you decide the application policy. Enable all the applications that you would like to be installed and used in Work Apps as shown below and click NEXT once done.
The first time you are here, you will only see the recommended Scalefusion applications. We suggest you use the Application Management guide to search and add the applications that you want to allow in your organization so as to add more Work apps.

Select Browser Shortcuts

  1. The next section is the BROWSER SHORTCUTS section, where you can select the previously allowed websites. The visible shortcuts will appear in Scalefusion Workplace as bookmarks so that your users can easily navigate to them. Click NEXT once you are done.
Use Device Profiles & Policies > Allowed Websites section to create and allow websites.

Restrictions

  1. The last section is the RESTRICTIONS section, which gives you a wide range of policy controls. Configure the policies as per your requirement. The section is divided into sub-sections allowing you to define various policies,
    Device Settings

    | Setting | Category | Description |
    |---|---|---|
    | Allow Screenshot of Works App | Security | Control if the user is allowed to take screenshot or share screen of the Work Apps. |
    | Allow Camera | Security | Allows work apps to access device camera. |
    | Allow keyguard Fingerprint Sensor | Security | Choose if users can configure a fingerprint based unlock on the lock-screen. |
    | Allow Keyguard Trust Agent State | Security | Choose if users can pair their Bluetooth device as trust agents to auto-unlock the device. |
    | Allow Keyguard Unredacted Notifications | Security | Choose if unredacted notifications are allowed on Lock screen. This can prevent possible loss of critical information via Lock screen notifications. |
    | Allow Adding Google Accounts | Account Management | Allow users to add Google accounts on the Work Profile side. |
    | Allow Add Accounts | Account Management | Allow users to add non-Google accounts on the Work Profile side. |
    | Allow Unknown Sources | Account Management | Allow users or other applications to install applications from Unknown sources on the Work side. |
    | Allow Installing Applications | Account Management | Allow users to install applications from Play Store on the Work side. This disables the app installations from Scalefusion Dashboard as well. |
    | Allow Uninstalling Applications | Account Management | Allow users to uninstall applications on the Work side. This disables the app uninstallation/removal from Scalefusion Dashboard as well. |
    | Allow clipboard between Managed/Unmanaged Apps | Data Sharing | Choose if the users are allowed to copy/paste data between their Work Apps and Personal apps. |
    | Allows Work Apps to Access Documents from Personal Apps | Data Sharing | Choose if Work Apps can access documents from the personal app side. This lets user |
    | Allow Personal Apps to Access Documents from Work Apps | Data Sharing | Choose if Personal applications can access documents of the work applications. |
    | Allow Personal Apps to Share Documents with Work Apps | Data Sharing | Choose if user can share personal documents using the work applications. |
    | Allow Work Apps to Share Documents with Personal Apps | Data Sharing | Choose if the user can share work app documents with the personal applications. |
    | Allow Work Contact's caller ID info to Show in Dialer | Data Sharing | Choose if a work contact can appear in the personal dialer application. |
    | Allow App Widgets to be added to Home Screen | Data Sharing | Choose if user can add home screen widgets for work applications. |
    | Share Enterprise contacts with Bluetooth Devices | Data Sharing | Choose if user can share their work contacts via Bluetooth devices. |
    | Allow Work Contacts in Personal Contacts App | Data Sharing | Choose if the work contacts appear in the personal contacts app. |
    | Allow GMail | Application Management | Choose if GMail application should be allowed on the work side. ⚠ For the GMail application to appear in Scalefusion Workplace, enable GMail in SELECT APPS section of Device Profile. |
    | Allow YouTube | Application Management | Choose if YouTube application should be allowed on the work side. For the YouTube application to appear in Scalefusion Workplace, enable YouTube in SELECT APPS section of Device Profile. |
    | Allow Chrome | Application Management | Choose if Chrome should be allowed on the work side. ⚠ For the Chrome application to appear in Scalefusion Workplace, enable Chrome in SELECT APPS section of Device Profile. |

Network & Location Settings
  1. WiFi Settings: This option allows you to choose a WiFi configuration for your BYOD profile. This would create the connection on your BYOD devices but will not enforce it.
Create Wifi configurations under Device Profiles & Policies > All Configurations > Wifi Settings section on the Scalefusion Dashboard.
  1. VPN Settings

From the list of applications, you can select one app and mark it as Always On VPN with an additional flag to lock down the network. 

This feature works only on EMM devices running OS 7 and above that were set up using afw#mobilock or as Device Owner.

| Setting | Description |
|---|---|
| Select an Always On VPN Application | Simply select an application from the list which will be configured as an Always On VPN app. |
| Enable VPN Lockdown | Once this is enabled, any failure of the VPN provider could break networking for all apps. |

  1. Location Settings

Configure Location Settings on the device profile; they are applied to every device the profile is applied to. To configure Location settings, toggle on the first setting, Override Global Location Settings. This enables the other settings and makes them configurable. When applied, they override the settings which have been set through Location & Geofencing > Location Settings on Dashboard.

To learn more about Location Settings, visit the section Configure Location Settings

Device Management
  1. Application Management Settings

From this section, the admin can configure application management settings for EMM managed devices, which control the catalog features.

Google Play for Work App Settings

| Setting | Description |
|---|---|
| Force Application Install on Publish | If this flag is enabled, a silent install of the app is attempted on the device when it is published; otherwise the app is only added to the managed Play Store. |
| Configure Application Visibility in Managed Google Play Store | The app's visibility on Managed Google Play Store can be controlled with this setting. |

The options for Configure Application Visibility in Managed Google Play Store are:

  • All Approved: All Play for Work apps are shown on device when PlayStore app is enabled
  • Published: Only Published apps will be shown on device and not all others. Hence, only the applications that have been explicitly published to this profile will be visible on device.
  • Full Access to Play Store: In Agent mode, this setting allows users to access Full Google Play Store and install any application without adding their personal account. Please note they cannot add/purchase paid applications.

  1. Work Profile Password: This section allows you to enforce a separate password for your Work Apps. This is quite useful if you don't want to enforce a Device Level Password for your employees. This ensures that the access to Work Apps is protected by a password. Once the Require Passcode is enabled, you can configure the Password Type and Password Management policy. The options available are,
    1. Select Passcode type: Choose between numeric or alpha-numeric passcode.
    2. Minimum Passcode length: Provide a minimum length of the password. Note that although 4 is an allowed option, on some devices the minimum accepted value is 6 and in these cases it will default to 6.
    3. Enforce Complex Passcode: Enable this option if you want to enforce a complex passcode. Enabling this prevents the user from choosing an ascending or descending sequence of numbers or characters, for example 1111 or abcd1.
      If the password type is selected as Alphanumeric and complex password is enforced, then additional complexity parameters can be specified as given below,

      | Setting | Description |
      |---|---|
      | Minimum number of symbols | Enforces a minimum number of symbols in the password. |
      | Minimum number of lower-case characters | Enforces a minimum number of lower case characters in the password. |
      | Minimum number of alphabets | Enforces a minimum number of alphabets in the password. |
      | Minimum number of upper-case characters | Enforces a minimum number of upper-case characters in the password. |
      | Minimum number of digits | Enforces a minimum number of digits in the password. |

    4. Password Expiry Period: Select how often the user is forced to change the password.
    5. Maximum Password History List: Select the number of historical passwords that the user cannot use while setting a new password.
    6. Maximum Failed Attempts to Factory Reset: Select the number of failed attempts after which the work profile is removed. This WILL NOT factory reset the device. It removes the work apps and all work data.
    7. Set Idle Time for Auto lock: Choose an idle time after which the device should auto-lock.
  2. Compliance: Choose the Compliance levels and the actions to be taken for compromised devices. Refer to our SafetyNet Attestation guide for complete reference.
  3. Exchange Settings: Use this setting to configure an Exchange account on the device. You can select a previously created exchange configuration. Please refer to our Exchange configuration document for details.
    Note: The GMail client is configured with the given configuration. Currently GMail app does not allow the exchange configuration to be unpublished. So if you want to un-publish at a later point, you would have to publish a dummy/invalid account to the devices.
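
The Work Profile Password options above, modelled as a local check that shows which candidate passcodes a given combination of settings would reject. This is an added example, not Scalefusion or Android code; the field names, the `device_floor` parameter, and the run length of 4 used for the sequence rule are assumptions.

```python
# Added example: a local model of the Work Profile Password options.
# Field names, device_floor and the run length of 4 are assumptions.
from dataclasses import dataclass
import string


@dataclass
class PasscodePolicy:
    alphanumeric: bool = True      # Select Passcode type
    min_length: int = 4            # Minimum Passcode length
    enforce_complex: bool = False  # Enforce Complex Passcode
    min_symbols: int = 0
    min_lower: int = 0
    min_letters: int = 0           # "Minimum number of alphabets"
    min_upper: int = 0
    min_digits: int = 0


def has_run(pw: str, run: int = 4) -> bool:
    """True if pw contains `run` repeated, ascending or descending characters."""
    for step in (0, 1, -1):
        streak = 1
        for a, b in zip(pw, pw[1:]):
            streak = streak + 1 if ord(b) - ord(a) == step else 1
            if streak >= run:
                return True
    return False


def violations(pw: str, policy: PasscodePolicy, device_floor: int = 4) -> list[str]:
    """Return the rules that pw breaks; an empty list means it is accepted."""
    out = []
    # Some devices accept nothing shorter than 6, so the larger value applies.
    effective_min = max(policy.min_length, device_floor)
    if len(pw) < effective_min:
        out.append(f"length<{effective_min}")
    if not policy.alphanumeric and not pw.isdigit():
        out.append("numeric-only")
    if policy.enforce_complex:
        if has_run(pw):
            out.append("sequence")
        if policy.alphanumeric:
            counts = {
                "symbols": (sum(c in string.punctuation for c in pw), policy.min_symbols),
                "lower": (sum(c.islower() for c in pw), policy.min_lower),
                "letters": (sum(c.isalpha() for c in pw), policy.min_letters),
                "upper": (sum(c.isupper() for c in pw), policy.min_upper),
                "digits": (sum(c.isdigit() for c in pw), policy.min_digits),
            }
            out += [f"{k}<{need}" for k, (have, need) in counts.items() if have < need]
    return out
```

Passing `device_floor=6` reproduces the case where a configured minimum of 4 is raised to 6 on the device.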
Dev Tools

Developer API

The Developer API section of the Device Profile provides an MDM SDK that can be used in your enterprise apps to get the device information and perform a wide variety of actions (like launching wifi screen, toggle mobile data, toggle hotspot etc.) locally on device. Visit here for more details.

  1. Once you have configured the various sections click on CREATE PROFILE to create the profile. Once the profile is created it starts appearing in the Device Profile listing view with a User badge next to it, indicating that this is a BYOD profile.
Any future updates to the device profile are automatically pushed to the devices. Hence please make sure to validate the changes before editing.

Once you have created a Device Profile, to apply it to devices, you can do the following,

  1. Create a QR Code Enrollment Configuration: This will make sure that any users using the QR Code for enrollment will get these policies by default.
  2. Assign to a User Group: This will apply this profile to all the Android devices of the users in that group.

