Explainer: Android 11+ COPE Devices with Setup Guide

We take a look at the corporate owned, personally enabled deployment scenario (COPE) and how it changes with Android 11 +.

Explainer: Corporate Owned, Personally Enabled (Android 11 +) with Setup Guide
Similar to the BYOD deployment scenario, employees commonly have a separate work profile where they access corporate apps and data.

What Is COPE – Corporate Owned Personally Enabled?

COPE (corporate owned, personally enabled) typically describes company-owned smartphones and tablets which are configured for both business and personal use.

Several synonyms for COPE only apply to specific Android versions: “fully managed device with a work profile” for Android 8 – 10, or “enhanced work profile” / “work profile on a company owned device” for Android 11 +.

Similar to the BYOD deployment scenario, employees commonly have a separate work profile where they access corporate apps and data.

This secure and intuitive separation of business and personal use is enabled by a MDM solution and the Android operating system. COPE therefore gives organizations and companies an easy way of protecting their mobile data in today’s dynamic, digitalized workplace.

The clear difference between BYOD and COPE is obviously device ownership. A COPE device is enrolled as a company device. This means you can configure settings that apply to the work profile and the device as a whole.

The user has access to the standard Google Play Store with a private Google account outside the work profile and can download and use apps privately, however the organization can wipe all data on the device at any time.

Major Changes to COPE Introduced to Android 11

With the release of Android 11 in 2020, user privacy was given much more focus. Google is expected to introduce more end user privacy protections in Android 12.

The previous COPE deployment method, which is called “fully managed device with a work profile”, was deprecated in 2020. It is still available for devices running Android 8-10. A new enrollment method, called “work profile on a company-owned device” (WPCOD), is available for Android 11 + devices.

WPCOD guarantees greater privacy in the personal profile. Admins no longer have complete visibility over a user’s private data and apps. More transparency is also built in. To name just one example, the user is notified when an admin enables location services.

If complete visibility over both profiles is important for your use case, you need to upgrade to a fully managed device (COBO) setup for devices running Android 11 +.

Advantages and Features

Here are some of the key features you can expect with COPE (Android 11 +)

  • You can install mandatory apps in the work profile without user interaction.
  • You can set different settings for inside and outside the work profile. E.g., you can disable the screen capture function within the work profile but allow it on the private profile.
  • All company data, apps and company contact details are kept separate in the work profile.
    Personal apps on the device are not visible to the admin. The user may download apps from the standard Google Play Store on their separate profile. Admins can however blacklist specific apps.
  • You can wipe the entire device.

In combination with Android zero-touch, you can give pre-configured COPE devices to workers for an out of the box feeling. End users only need to supply their credentials during the initial setup.

How to Set Up COPE – Video Guide

The steps required to enroll a COPE device vary according your MDM vendor. Here is the example setup process with Cortado MDM.

The following deployment scenario is only available for devices running Android 11 or higher. Both the device user or a company admin can complete the set up process. We recommend you set up Android zero-touch if users are to enroll devices themselves. Please watch our walkthrough video on Android zero-touch for more information.

Easy Setup with Cortado MDM

User Portal

First, open the Cortado MDM User Portal. The enrollment process without Android zero-touch is as follows: After clicking on “Enroll New Device“, select Android and the enrollment type – “I want to use my corporate device for business and private purposes and keep the data between them separated”.

QR Code Scanning

Please reset the device to its default factory settings before starting. Power on the device and wait for the welcome screen to appear. Tap six times on the screen to initiate the QR code scanner. Then scan the QR code in the User Portal.

Device belongs to organization

Connect the device to Wi-Fi. A notification will appear telling you that the device belongs to your organization.

Set Up Work Profile

Proceed and set up the work profile by logging in with the same password created for the user portal. Now verify your organization and proceed with the enrollment.

Add Personal Account

Add a personal account to the device. Agree to the terms and conditions. After agreeing once more, set a password for the device. Click proceed and the device will start getting ready. Click finish when done.

User Portal Overview

Your device is now set up and a separate work profile is on the device. If we take a look at our user portal, the device will now be visible. You can view the enrollment type, send a lock screen request, change the device password or wipe the device by resetting to factory defaults.

Corporate Owned, Personally Enabled – A Balancing Act That Works

All in all, COPE remains the deployment scenario which offers the widest range of features for organizations whilst respecting user privacy. If you would like to learn more about how to implement COPE in your organization, please visit our website. A free trial is also available.