This post shows how to prevent One Lock for Android device and work profile access using Intune. You can configure the setting to block users from using the same password to unlock the device and to access the work profile on Android Enterprise personally owned devices.
The Android device restriction profiles allow you to enforce security policies on both the device and the work profile, ensuring that corporate data is protected. You can maintain a secure and productive environment for work-related activities on Android devices by implementing Android Work Profile security features.
When a personally owned work profile is enabled, “One Lock” is configured by default to combine device and work profile passcodes. One Lock may be disabled to separate work profile and device passcodes under work profile settings.
On Android Enterprise personally owned devices with a work profile, users can use the same password to unlock the device and access the work profile. If the work profile password doesn’t meet the policy requirements, device users are notified. The device isn’t marked as non-compliant.
You can follow the CIS benchmark recommendation for Screen Lock in two ways: using device configuration profiles or using compliance policies. Intune allows users to have either Numeric or Alphanumeric passcode types. Here’s how you can enforce screen lock for Android devices in Intune.
Prevent One Lock for Android Device and Work Profile Access using Intune
The setting inside Device Restrictions can enforce different passwords to unlock the device and access the work profile (Android Enterprise > Personally Owned Work Profile (platform) > Device Restrictions). Here’s how to configure the settings to prevent one lock for Android device and work profile access.
- Sign in to Microsoft Intune Admin Center https://intune.microsoft.com/
- Click on Devices > Android > Configuration Policies. I selected the existing configuration profile (Device Restriction) for modification. This setting is optional and doesn’t impact existing configuration profiles.
If you want to create device restriction policies from scratch, you can find more details in Enforcing Screen Lock For Android Devices In Intune.
You can see the different categories of applied configuration in the configuration settings for Android Enterprise personally owned devices with a work profile (BYOD). The Work profile settings allow you to configure the policy to control the same password usage for the device or work profile.
You will find the setting inside the Work Profile Password category. By default, Intune doesn’t change or update this setting, and the OS might allow users to access their work profile using a single password.
- One lock for device and work profile: Block prevents users from using the same password for the lock screen on the device and work profile. End users are required to enter the device password to unlock the device and enter their work profile password to access their work profile.
Here you can review the available restriction settings under Work profile settings. You can select and customize them as per your requirements and click Review + Save.
The next step is to review the policy and click Save. A notification prompt will appear when you save the profile: Profile “HTMD Android Device Restriction Policy” saved successfully.
Monitor the Android devices to ensure that users can’t use One Lock. Let’s test the devices to confirm the user behaviour: the device will block users from using the same password to unlock the device and access the work profile.
In Security and Privacy > Work Profile Security, if the “Use one lock” toggle is Off, you won’t be allowed to use one lock for both your work profile and your phone’s Lock Screen.
Author
About Author – Jitesh, Microsoft MVP, has over six years of working experience in the IT Industry. He writes and shares his experiences related to Microsoft device management technologies and IT Infrastructure management. His primary focus is Windows 10/11 Deployment solution with Configuration Manager, Microsoft Deployment Toolkit (MDT), and Microsoft Intune.