BYOD: Secured Work Profile for Android devices

Fully aware of the risk involved in not having BYOD managed, more and more companies are adopting an MDM software to secure employees’ personal devices, and thus access to business data. MDM solutions offer the ability to protect sensitive data (password management for access to the work profile, delete pro data in case of loss/theft, etc.), and to make key resources available (remote installation of business applications, synchronization of pro contacts, etc.). As an official Android enterprise MDM, one of Tiny MDM features is to manage personally owned devices in a Bring Your Own Device setup.

Business-related apps managed by the Work Profile are held in a secure container and protected by a password. A managed Google Play Store is also created on the Android device, with always up-to-date business apps and data: end users just have to tap the work tab to see their business apps, differentiated by a briefcase icon.

Employees no longer have the option of inadvertently downloading malicious applications within the work profile, or connecting to unsecured Wi-Fi networks to process sensitive data. All business applications and documents are protected in a dedicated storage compartment, which can be remotely wiped in case of a compromised device.

As an official Android EMM partner, TinyMDM seamlessly integrates Android Enterprise (AFW) and thus the Android encryption protocol FBE: the FBE encryption method encrypts storage areas with unique, user-dependent recovery keys randomly generated by the AES 256-Bit encryption algorithm. The keys are also protected by a component similar to the Trusted Execution Environment, as in the FDE implementation.The security policy is enforced via a DPC application installed in the work profile and controlled by TinyMDM. The separation of personal and business profile data is based on the multi-user logic of Android.

Enabling a Work Profile allows companies to manage the business data and apps, but leave everything else on the mobile device under the user’s control. Admins can securely manage the corporate part but have no control over personal apps and data: cannot view, access, or delete anything personal. The end user can turn off / pause the work apps at any time in one click, thus respecting the right to disconnect. In addition, at any time the employee can go to the terminal settings and delete the work profile if it is no longer needed: all work data and business applications present in the container will be deleted from the phone.