WSO2 EMM enables you to register mobile devices via the BYOD or COPE device enrollment scenario. Data containerization allows you to have a separation between data. Therefore, if you are registering your device via the BYOD scenario you are able to have a clear separation between your personal data and the enterprise data. To understand the underlying concept clearly, take a look at the example given below.
Example:
MobX uses WSO2 EMM to manage and monitor the employees mobile devices and applications. Kim joins as the new marketing Manager and needs to register her personal mobile device with WSO2 EMM, but she is concerned because she doesn't want to expose the personal data on the device to the Organization. On the other hand, MobX is concerned about not letting the other applications installed in Kim's device to access the confidential enterprise data. For example Kim has installed an application for enterprise docs on her device. This application has access to all the enterprise docs and the personal docs as they are all stored in the same location. Therefore, it is important to clearly separate the enterprise and personal data in a BYOD device enrollment scenario. Follow the steps given below to enable data containerization on your device.
Setting up the work profile
Data containerization for Android devices was implemented using the Managed Profile feature that is available on the Android devices that supports the Android Lollipop OS or upwards. Let's take a look at the how data containerization works on WSO2 EMM.
- When you download and install the Android Agent on your Android mobile device, the agent will check if the device supports the managed profile feature.
If the device supports the managed profile feature, the agent will prompt the user to set up the work profile before the installation.
Having the Android Lollipop OS version or above alone will not enable you to set up the work profile. At times the set up will fail because of the customizations done to the OS by some of the mobile device manufacturers.
Example: The managed-profile doesn't work as expected on Asus Zenfone 2 device that supports Android Lollipop.
- Once the profile is set up, the EMM Agent is automatically copied into the new work profile. Therefore, WSO2 EMM will prompt you to uninstall the agent you downloaded previously as it was installed in the devices personal profile.
After setting up the work profile you need to follow the default steps to register an Android device with WSO2 EMM.
Once the registration process is completed, navigate to the launcher of the device and you will be able to see the application that are used by the worker profile and the personal profile. The applications having an icon of a bag are used by the WSO2 EMM work profile.- Using this approach, you don't have to switch between the personal profile and work profile as all the applications used by each profiles is shown in the same launcher.
- Based on the underlying architecture, the profiles have their own storage locations that can not be accessed by each other.
Applying Android device operations
After registering your device with WSO2 EMM you can apply operations on a device.
The EMM agent is the profile owner of the newly created work profile and only has control over it. Therefore, now the agent is unable to perform operations that affects the entire device, such as changing the device PIN and wiping data of the entire device.
If your Organization has imposed a policy to restrict the usage of the camera, you will not be able to use the camera application that is installed in the work profile. You will only be allowed to used the camera application that is installed in your personal profile.
The enterprise wipe operation will delete the enterprise related data along with the work profile on your device while keeping the personal data intact.