Here we are for Part 2 of our Citrix Endpoint Management and Android Enterprise series. As I mentioned in our earlier post, Google announced device admin deprecation from its 2019 Android release. As an alternative, Google has provided newer, better, and more secure built-in deployment modes – work profile, fully managed and dedicated device.

In this post, we will deep dive into work profile mode and understand its use and its advantages.

So, what is an Android work profile?

An Android work profile is best suited for bring-your-own (BYO) device scenarios. When you want to use your personal device for work-related matters, you need to be sure that the IT administrator does not have access to your personal applications and data and that these are kept private to you.

A work profile provides the solution for separating personal applications and data for user-owned devices. It gives you the ability to access your work data and apps securely on the same device. IT administrators are allowed to deliver corporate apps, data and management profiles to a self-contained work profile on your device, thereby separating the work-related data and the personal data while maintaining user privacy.

Let’s look into how the work and personal data separation can be achieved by using Citrix Endpoint Management

When a user’s Android device is enrolled into Citrix Endpoint Management using the Citrix Secure Hub app, an Android Enterprise work profile container is created on the user’s device.

The IT admin can configure management policies, work applications in Citrix Endpoint Management console and then deliver them to the work profile container created on the device. These management policies and work apps are confined to the container only.

Below are the work profile set up screens when the user enrolls his device into Citrix Endpoint Management:


Once the user accepts the terms and continues to finish the setup, Citrix Endpoint Management delivers the work apps to the profile container through a managed Google Play.


Work apps are delivered from a managed Google Play store and are badged with a briefcase icon for the users to distinguish the work apps from their personal apps.

Now you might still be wondering, “what information on my device would the IT administrator might have access to?”

“Would he be able to look into my personal photos?”

“Or know what my personal apps are?”

First, your IT administrator will not have access to any of your personal information like your photos or files, nor would the admin know what personal apps are running on your device.

Second, since the management is confined to the data and apps inside the container, your IT admin has no way to take invasive device actions such as deleting personal apps or factory resetting the device.

Citrix Endpoint Management provides the following support for delivering management policies and work apps to the container:

  • Setting the passcode to the work profile container thereby ensuring security compliance while accessing your work apps,
  • Distributing privately-owned apps and public Play apps to the work profile container
  • Ability to lock and wipe your work apps
  • Delivering application restrictions and permissions to the managed apps.

If you are wondering how to move your existing managed Android devices into work profile mode, do the following:

  • Configure Android Enterprise in your Citrix Endpoint Management console either by using your existing G-Suite account or a corporate Gmail account
  • Unenroll your existing managed Android devices directly from the console
  • Send notifications to your users to enroll their Android devices again through Citrix Secure Hub app using their preferred enrollment authentication.

Once the devices are enrolled again, they will be in work profile mode and both the IT admin and the end-users can reap the full benefits of it.

In the upcoming Part 3 of the series, we will look into Android fully managed mode and how to deploy it through Citrix Endpoint Management.