Key Points
- Use Android Work Profiles to Separate Data Securely: Isolate corporate apps and data from personal content to enforce security and organize data without impacting user privacy.
- Pick the Right Enrollment Method: Set up work profiles manually, using a QR code, or through zero-touch enrollment, depending on the number of devices and who owns them.
- Automate Provisioning with Directory and API Triggers: Use directory events and Android Enterprise APIs to enroll devices, assign policies, and deploy apps automatically.
- Take OEM-specific Behavior into Account: Test enrollment on the device models you see most often, since manufacturer restrictions can block or slow down provisioning.
- Deprovision and Enforce Compliance Continuously: Remove work profiles when roles change, keep an eye on compliance drift, and quarantine any devices that fall out of policy.
If your teams use Android devices, an Android work profile is the simplest way to separate corporate data from personal content without frustrating users. It applies security controls to work apps while leaving personal apps alone. Knowing how to set up a work profile on Android reduces tickets, speeds up onboarding and keeps policies consistent across models.
This guide outlines the advantages of Android work profiles, how to set them up manually or via QR code, and how to automate provisioning through directory triggers and Android Enterprise APIs.
Benefits of an Android work profile
An Android work profile isolates corporate apps and data from the device’s personal side. You apply policies where they matter while preserving user privacy. The result is fewer support issues and stronger control.
- Enhanced security: Enforce encryption, strong authentication and remote wipe on the work profile.
- Lower user friction: Employees use personal apps normally outside the work profile.
- Consistent policy enforcement: Apply the same rules across Android versions and OEM skins.
A well-managed Android work profile also supports compliance by preventing corporate data from mixing with personal apps or storage. All of this can lead to improved security and adoption.
Manual work profile setup on Android
When you need to set up a work profile quickly, the native settings flow is pretty straightforward. Use it for one-offs, pilot devices or when testing policies before broader rollout.
Set up a work profile via device settings
Some devices allow creating a work profile directly through Android settings.
- Open Settings → Accounts
- Select Add account, then choose Work (or Work profile, if available)
- Follow the prompts to enroll the device with your organization’s MDM (Mobile Device Management) system.
Note that the exact options vary by device and Android version. Some organizations may require enrollment through a dedicated app or QR code instead.
Watch for common issues that cause enrollment to fail. If the device prompts for management permissions, approve them; otherwise work-profile creation will stop. If an old or partially removed work profile is still on the device, delete it before enrolling again (a factory reset may be required in stubborn cases).
Network restrictions can also interfere with provisioning, so ensure the device can reach your MDM service and Google’s Android Management/Play enrollment endpoints. Catching these early helps avoid failed setups and unnecessary support tickets.
Android work profile setup using QR code enrollment
QR code enrollment simplifies Android work profile provisioning by packaging enrollment tokens, server details and configuration settings into a single scan. This removes manual data entry, one of the most common causes of setup errors.
To generate and use a QR code:
- In your MDM or Android Enterprise console (e.g., Google Admin, Zero-touch, Intune, Workspace ONE), generate a work-profile enrollment QR code.
Note: The “Google Enterprise Console” terminology is outdated; each MDM provides its own QR generation workflow.
- Configure the required work profile settings and export or display the QR code.
- On the device:
  - For corporate-owned devices: Scan the QR code during the device’s initial setup (tap the screen multiple times on the “Welcome” page to launch QR provisioning if needed).
  - For BYOD work profiles: Open the MDM’s enrollment app or use the Android Device Policy app if prompted; some OEMs also allow scanning from Settings → Accounts → Add work profile, but this isn’t universal.
On supported devices, QR codes can be combined with Android zero-touch enrollment for true out-of-box provisioning with no manual configuration.
Automating Android work profile provisioning
Manual steps won’t scale across hundreds or thousands of phones. Automating Android work profile provisioning removes repetitive work, accelerates onboarding and keeps policies aligned with role changes.
Integrate directory-triggered workflows
Connect your MDM to directory events so work-profile provisioning happens automatically when user attributes change in AD or Azure AD. For example, when a new hire is added to the Sales group, your workflow can trigger enrollment, assign the correct policy set, and deliver required apps.
In practice, you subscribe to directory change notifications, map those events to MDM actions, and verify the full workflow. Microsoft Graph webhooks are a common way to detect group or user changes. Your orchestration layer then calls your MDM’s API, or Android Management API for fully managed environments, to apply the appropriate enrollment or policy update. Test the flow in a staging tenant and pilot it with a single department before broad deployment.
This approach shortens onboarding and reduces misconfigurations that typically generate support tickets.
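The webhook side of this workflow, as an added example that is not code from the original article or from any MDM vendor: it answers the Microsoft Graph subscription handshake, drops notifications whose clientState does not match the subscription's secret, and maps group membership changes to enrollment or deprovisioning actions. The group ID, policy name, secret and sample payload are constructed, and the payload shape (resourceData with members@delta) is assumed to follow Graph group change notifications.

```python
import hmac

# Assumptions: group ID, policy name and secret are constructed placeholders.
GROUP_POLICY = {"11111111-aaaa-4bbb-8ccc-000000000001": "sales-work-profile"}
CLIENT_STATE = "constructed-client-state-secret"


def handle_graph_post(query, body):
    """Process one webhook POST; return (status, response_text, actions)."""
    # Subscription handshake: echo validationToken back as plain text.
    if "validationToken" in query:
        return 200, query["validationToken"], []
    actions = []
    for note in body.get("value", []):
        # Ignore notifications that do not carry the secret set on our subscription.
        state = str(note.get("clientState", ""))
        if not hmac.compare_digest(state.encode(), CLIENT_STATE.encode()):
            continue
        data = note.get("resourceData", {})
        policy = GROUP_POLICY.get(data.get("id"))
        if policy is None:
            continue  # group is not mapped to a work-profile policy
        for member in data.get("members@delta", []):
            op = "deprovision" if "@removed" in member else "enroll"
            actions.append((op, member["id"], policy))
    # Acknowledge quickly; the actions are queued for the MDM API caller.
    return 202, "", actions


# Constructed sample notification, shaped like a Graph group-membership change.
SAMPLE = {"value": [
    {"clientState": CLIENT_STATE,
     "resourceData": {"id": "11111111-aaaa-4bbb-8ccc-000000000001",
                      "members@delta": [{"id": "user-1"},
                                        {"id": "user-2", "@removed": "deleted"}]}},
    {"clientState": "wrong",
     "resourceData": {"id": "11111111-aaaa-4bbb-8ccc-000000000001",
                      "members@delta": [{"id": "user-3"}]}},
]}

if __name__ == "__main__":
    print(handle_graph_post({}, SAMPLE))
```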
Leverage Android Enterprise APIs for automated enrollment
Android Enterprise APIs let you provision devices at scale and enforce policy without touching each phone. A common pattern is to create an enrollment token, deliver it to target devices, then apply a policy that installs apps and sets restrictions.
You generate an enrollment token using the Android Management API, deliver that token during device setup or via an approved channel, then assign a policy that specifies app install types, password requirements and network settings. Plan for token expiration and idempotent workflows to prevent duplicate objects from being created on retries.
Sample policy request:
PATCH https://androidmanagement.googleapis.com/v1/enterprises/{enterpriseId}/policies/{policyId}
{
  "name": "enterprises/{enterpriseId}/policies/{policyId}",
  "applications": [
    {
      "packageName": "com.example.app",
      "installType": "FORCE_INSTALLED"
    }
  ],
  "passwordRequirements": {
    "passwordQuality": "NUMERIC",
    "passwordMinimumLength": 6
  }
}
Using these APIs, MSPs and internal teams can standardize Android work profile setup, enforce security controls and ship updates on a schedule instead of device by device.
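The token step described above, with expiration and retry handling, as an added example that is not code from the original article: it builds the request body for an Android Management API enrollment token and reuses an unexpired token when the same request is retried. The lifetime, renewal margin, in-memory store and the names plan_token and remember are assumptions made for illustration.

```python
import hashlib
from datetime import datetime, timedelta, timezone

TOKEN_TTL = timedelta(hours=24)       # assumed lifetime; short tokens limit reuse
RENEW_MARGIN = timedelta(minutes=30)  # reissue when this close to expiry


def idempotency_key(enterprise, user_id, policy_id):
    """Same inputs always give the same key, so a retry finds the earlier token."""
    raw = f"{enterprise}|{user_id}|{policy_id}".encode()
    return hashlib.sha256(raw).hexdigest()[:16]


def plan_token(store, enterprise, user_id, policy_id, now):
    """Return ("reuse", record) or ("create", request_body) for one user."""
    key = idempotency_key(enterprise, user_id, policy_id)
    record = store.get(key)
    if record and record["expires"] - now > RENEW_MARGIN:
        return "reuse", record
    body = {
        "policyName": f"enterprises/{enterprise}/policies/{policy_id}",
        "duration": f"{int(TOKEN_TTL.total_seconds())}s",
        "oneTimeOnly": True,
        # Work profile on a personally owned device.
        "allowPersonalUsage": "PERSONAL_USAGE_ALLOWED",
        # Surfaces as enrollmentTokenData on the enrolled Device resource.
        "additionalData": key,
    }
    return "create", body


def remember(store, key, expires):
    """Call only after the API accepted the request, with the returned expiry."""
    store[key] = {"key": key, "expires": expires}


if __name__ == "__main__":
    now = datetime(2025, 1, 1, tzinfo=timezone.utc)
    print(plan_token({}, "LC0example", "user-1", "sales-work-profile", now))
```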
Troubleshooting OEM-specific setup variations
OEM Android skins can introduce extra steps, restrictions or default behaviors that impact enrollment. As you set up work profiles, plan for these manufacturer differences and test on the same models your users carry.
For example, Samsung devices with Knox may require additional permissions or Knox-specific settings for work-profile creation to complete smoothly. If you encounter blocked enrollments or unusual prompts, review Samsung’s Knox guidance. Some Huawei models need “Enterprise” capabilities enabled before provisioning can proceed, and Xiaomi devices often apply aggressive battery and notification controls that can suppress MDM prompts or background tasks.
Maintain a representative device lab, validate enrollment flows for each model and adjust MDM policies to pre-approve necessary permissions or disable conflicting OEM features.
Deprovisioning profiles and ensuring compliance
When employees leave or change roles, deprovision their work profiles quickly to protect corporate data. Maintain a clear, repeatable process and review it periodically.
To deprovision a work profile:
- Wipe the work profile from your MDM or Android Enterprise console, removing managed apps, accounts and corporate data.
- Remove the user from provisioning or entitlement groups in AD/Azure AD to stop automated actions.
- Confirm the wipe completed and that only corporate data was removed.
Sustain compliance with continuous monitoring. Use MDM reports to flag devices that haven’t checked in or drifted from policy, and automatically quarantine them until they remediate. Keep role-based policies current so new requirements flow into profiles consistently. If you use conditional access, align compliance status with access rules so out-of-policy devices lose access until they meet standards again.
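The monitoring check described above, as an added example that is not code from the original article: it evaluates device records for missed check-ins and policy drift and returns the devices to quarantine with the reasons. The seven-day threshold and the sample records are constructed; the field names follow the Android Management API Device resource, and a record with no compliance flag is treated as non-compliant.

```python
from datetime import datetime, timedelta, timezone

MAX_SILENCE = timedelta(days=7)  # assumed threshold for "hasn't checked in"


def parse_ts(value):
    """Parse an RFC 3339 timestamp such as 2025-01-01T00:00:00Z."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def drift_reasons(device, now):
    """List why a device record is out of policy; an empty list means healthy."""
    reasons = []
    last = device.get("lastStatusReportTime")
    if last is None or now - parse_ts(last) > MAX_SILENCE:
        reasons.append("stale-check-in")
    # Fail closed: a record with no compliance flag is treated as non-compliant.
    if device.get("policyCompliant") is not True:
        reasons.append("policy-non-compliant")
    # The policy assigned in the console has not reached the device yet.
    if device.get("appliedPolicyName") != device.get("policyName"):
        reasons.append("policy-not-applied")
    return reasons


def quarantine_candidates(devices, now):
    """Map device name -> reasons for every device that should lose access."""
    flagged = {}
    for device in devices:
        reasons = drift_reasons(device, now)
        if reasons:
            flagged[device["name"]] = reasons
    return flagged


# Constructed device records using Android Management API Device field names.
NOW = datetime(2025, 6, 15, tzinfo=timezone.utc)
P = "enterprises/LC0example/policies/"
DEVICES = [
    {"name": "dev-ok", "lastStatusReportTime": "2025-06-14T08:00:00Z",
     "policyCompliant": True, "policyName": P + "sales", "appliedPolicyName": P + "sales"},
    {"name": "dev-silent", "lastStatusReportTime": "2025-05-01T08:00:00Z",
     "policyCompliant": True, "policyName": P + "sales", "appliedPolicyName": P + "sales"},
    {"name": "dev-drift", "lastStatusReportTime": "2025-06-15T00:00:00Z",
     "policyCompliant": False, "policyName": P + "sales", "appliedPolicyName": P + "old"},
]
```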
Streamline Android management with NinjaOne
NinjaOne’s Android MDM software gives you the automation, visibility and control you need to deploy and secure Android work profiles at scale. Try NinjaOne to orchestrate enrollment, apply policies at scale and keep every device compliant—without any manual effort. Give us a call today.
