Android Enterprise Customer Community

Yunchuan · 3 weeks ago

Hello,

When a device is enrolled with Google workspace, there are 2 applications environment (personal and work), when we restrict access to only work applications menu, how can we enable applications that are already in the device to the work applications list please?

Thanks!

Michael · 3 weeks ago

Hi @Yunchuan,

Thank you for posting this question. I would like to add an additional perspective that would enable you to continue using Work Profile.

You can allow apps which are already installed on a device in the personal side, to appear within the Work Profile (Work Apps). You just need to search for, and approve them through Managed Google Play within the Workspace Admin console, and then assign them to the users who need them. This is the same process as allowing any other app which is not yet installed on the device.

Step by step instructions for adding apps within Workspace can be found here.

View solution in original post

Moombas · 3 weeks ago

You can't. You need to provide the app in the work profile as well but will be seperated from the personal profile data.

I guess you most likely try to acchieve a fully managed device state and look more likely look for a COBO than a BYOD or COPE enrollment.

Yunchuan · 3 weeks ago

Thanks Moombas. So basically we need to change the management type to a more strict one like COPE or COBO so there is no private Personal space anymore?

Do you know if Google Workspace device management can support all the management types?

Thanks!

Moombas · 3 weeks ago

As you seem to try to "blend out" the private profile i guess you even don't want COPE as well.

I don't have experience about Google Workspace regarding management maybe someone else here can help with that.

Michael · 3 weeks ago

Hi @Yunchuan,

Thank you for posting this question. I would like to add an additional perspective that would enable you to continue using Work Profile.

You can allow apps which are already installed on a device in the personal side, to appear within the Work Profile (Work Apps). You just need to search for, and approve them through Managed Google Play within the Workspace Admin console, and then assign them to the users who need them. This is the same process as allowing any other app which is not yet installed on the device.

Step by step instructions for adding apps within Workspace can be found here.

Yunchuan · 3 weeks ago

Thanks Michael!

Yunchuan · 2 weeks ago

Hi Michael,

Our customer tried following the guide, but they are not able to directly "enable" the application already installed on the device, but rather it directs to Google Playstore.

The issue is that those are paid applications, and the installed applications have a license already but if it redirects to the Playstore, then it will not recognize the license and ask for payment.

Thanks!

Michael · 2 weeks ago

Hi Yunchuan,

This sounds like expected behaviour.

The purpose of a Work Profile is to keep personal and work apps, identities, and data separate. If the paid app licenses are attached to the personal identity on the device, then it will not be available in the Work Profile (where the personal identity does not exist).

Most paid enterprise applications will have the ability to license their apps via a web portal or other means so that licensing can be managed and tracked centrally. If the customer would like to deploy paid applications within the Work Profile, then we recommend that the IT Admin works with the application developers directly to discuss enterprise licensing options.

Moombas · 2 weeks ago

Just to add here FYI:

We have 2 license models in use which may work for you but depends on the developers how they want to provide it):

1. Special accounts with which to login to the apps where the license is assigned to. Example for this can be Office 365.
Recommendation: Also provide that account to the device without the user knowing the password to prevent it being used on any other device (data safety). This can be done via managed app config.

2. Is to provide a license key via managed app config through the MDM to the app provided to the device in the work profile or to get prompted during startup of the app if no license key is stored on the device.
Recommendation (work profile only): Use managed app config without the user knowing the license key to prevent it being used on any other device (data safety) and ideally without possibility being looked up in the app through settings.

Both would be independent on which profile the app is installed. But in general: if it's a work app, i would recommend to install in both cases on the work profile and won't allow an installation on the private profile because of data protection again.

P.s.: Managed app config must be provided by the developers and is nothing default available.

Yunchuan · 2 weeks ago

Thanks Michael and Moombas.

It's a fairly small app, that only has a Paid version on Playstore, there is no login page and not sure if there is a licensing mechanism. There is no Free version that can be upgraded to Premium version through a license.

So if the device in using a different configuration method that doesn't have a separation between Personal and Work profile, then it should be fine to directly have access to all preloaded content on the device? If we are in COBO or COSU where the device is dedicated to corporate usage, then will it be possible to directly use the pre-installed app in the device rather than needing to go through Playstore?

Thanks!

Michael · 2 weeks ago

Yes - you should be able to use a fully managed deployment to enable the use of pre-loaded apps without needing to re-download them through Google Play.

Note: It is likely that you will still need to allow the application through Managed Google Play for the app to be visible to the user.

Android Enterprise Customer Community

Android Enterprise Customer Community

Google workspace enrolled devices, enable applications in work profile