Hi @Lizzie,

regarding "Offer employees a private space within their personal profile" i guess this was the topic where i stated in the PES that this would also be nice to have for a fully managed device (with our use case described) to generate a secured ("private") space. Anything new to that or why this hasn't been implemented?

Hello @Moombas,

Thanks for your comment on this. I hope you don't mind, I've moved it to this article as it's relating to the 'private space' tool. 

This is a good question, I think at the stage you heard about this, the feature was pretty far along for Android 15 - as mentioned at the time, I think this is a really interesting Enterprise use case for 'private space' and so it's certainly something I think we should discuss more.

It would be great to hear if this would be useful to other members here in the community with fully managed devices, do you think you could provide a little more information on your idea here please? 

Thanks so much, looking forward to discussing this more. 💡

Lizzie

No Problem @Lizzie.

In general our use case is pretty easy to describe:

Our devices are used by store staff, including store manager (and maybe deputy).

So, storemanagers ahve a seperate mail which can contain personal data so shouldn't be accessible for the other staff. So, without a dedicaded space, they won't be allowed to use it on the store devices as all other employees have access to it.

If we could provide such private space for them where they can put in outlook as a seperated app (but keeping the original one for store staff mail) and maybe other apps like teams or so secured by a psk only known by them, they could use this the devices way better.

There are manufacturers who provide similar functionality like Motorola with Thinkshield + secured folder but thiose are isolated to manufacturer which is not nice as we wopuld need this as a functionaliity over all devices, manufacturer independent.

Also want to mention, it would be good to have the possibility from admin side to remove this private space (but not to unlock it!; just in case a store manager switched or has forgotten his passcode) from the MDM (of course the MDM has to use that API and implement it as well).

Massive thanks @Moombas for the additional detail. 

@jasonbayton, @mattdermody, @Michel, @davidguill, @Timmy, @Alex_Muc thought you might be interested to hear this idea suggestion. 😀

Hi @Lizzie , i like @Moombas idea! 

But the idea description also sounds a bit like shared device usage, where you ideally are able to have multiple profiles on a devices, each user has their own profile. Samsung has developed it sort off with Knox Authentication manager, Apple is doing it with shared ipads (but they don't recommend using it..). The way samsung has developed this shared device usage seems to be the best i've seen so far. But its limited to just Samsung. 

In Android's vision, and Apple btw, every phone is personal. But in healthcare or education, and stores, thats not the case. We have so much customers with shared devices that it can't be ignored. 

I quite like the prospect of reversing the existing COPE model to fully manage the device, but have an inaccessible profile (private space) for workers. Maximum control of the device with a lower-perceived, but potentially acceptable level of privacy for workers. As indicated for pool/shared devices where you auth, but can pop a few personal apps for break/other reasons the admins can ultimately remove at will.. I like it.

I like the potential opportunities that could come with the private space. 😀

Despite COPE, we keep seeing cases where company data and personal data are getting mixed up. We are only allowed to release apps in the Work Profile that have been approved by our IT security and data protection department. Sometimes these processes take too long for users, are not worthwhile due to a very small number of users or are even rejected by security due to security concerns (e.g. potential data leakage). If there is still a need among users, such apps are simply installed and used in the personal profile.
Processing work data in a personal context is forbidden organizationally, but is still done by some users out of necessity.

As a first step, users could use such apps with the private space and separate their personal data from work-related data. Although the private space is not necessarily intended for this purpose, it would certainly help to separate personal data even better.
An “additional space” that can be managed with UEM in Work Managed and Work Profile would be awesome. We would assign apps there that should not interact with the rest of the apps and data in the work context.

If something like this were to be realized for Android Enterprise, I see a big obstacle in a transparent display of the available apps in Managed Google Play.

"...But the idea description also sounds a bit like shared device usage, where you ideally are able to have multiple profiles on a devices..."

@Michel, not really, as this needs a login/logoff of the entire device which is NOT needed and wanted on our end. All apps are used by both and the manager is allowed to see mails and so on send by store staff account but not the other way around. So they have just a secured area for 1-3 apps but the rest of the device stays.

This also saves time as the login and logoff on the entire devices costs time and can be forgotten. For example the secure folder, how Motorola provides, locks the secure folder (and all apps from there) already when device is locked. This is save and fast handling and no shared device needed which make sense in other environments but not ours.

Hello, great topic, in case my feeling on this brings something, I also have requests from managers for shared device usage in their teams but today I refuse to put it in place due to the fact that we never know who has the device when we want to tell to update it at a convenient time (and not force it when people maybe use them for example). When people call the service desk, it is also easier to provide the user name than the serial number or whatever reference of the device. Using devices as personal, we can also make the login easier with biometrics or smartcard / smart tokens for example. In case of multi-users, I don't know if it is possible to unlock the device with a finger / face and knowing if it is the one of user1 or user2 to be able to open the right area. Up to now, in my case, I prefer to increase all the possibilities users can do with a smartphone so that he / she uses it for everything and thus, having a shared one is less important. I remember a meeting at my bank, the operator only get out the tablet to make me sign a document and then go back to the PC, funny example to me who uses Samsung DEX and my phone as unique device.

However, as Michel told, the pressure is so high (for people working in 3*8h for example) that we'll need to look at it. Maybe get an easy login / logoff experience would also help to adopt shared devices and not create a new kind of setup. I'll follow this topic closely, interested to see what others do or would like to do around this "shared" or "halfly shared" devices.