Introducing Omnissa Workspace ONE Mobile Threat Defense Dual Enrollment
Android Corporate Owned, Personally Enabled (COPE) devices combine work and personal profiles on a single device, allowing users to switch seamlessly between their professional and personal activities. The work profile is managed and secured by the organization's IT department, ensuring data protection and compliance with corporate policies, while the personal profile is controlled by the user, granting them autonomy over personal apps and data.
When Workspace ONE Mobile Threat Defense with Intelligent Hub is deployed today, organizations can only detect and respond to threats in the work profile, leaving the device exposed to threats in the personal profile. Malicious and vulnerable applications in the personal profile could be left unaddressed for long periods. Even more worryingly, most mobile phishing attacks target personal applications like text and social media, which mainly live in the personal profile. A compromised personal account could easily expose corporate account passwords to malicious actors because of password reuse.
While what occurs in the personal profile might be less of a concern to some organizations, many enterprises may encourage or require that their employees have Mobile Threat Defense in the personal profile so that the entire device can be protected. Today we announce Android Dual Enrollment support for Workspace ONE Mobile Threat Defense, which enables advanced protection in the personal profile for managed devices enrolled through a work profile. Benefits include:
- Enable side-by-side protection for Personal and Work Profiles on Android devices
- Work Profile protection with Intelligent Hub and Personal Profile with Lookout for Work App (Mobile Defense)
- Extend threat protection for BYOD use cases covering the device’s personal side against device, applications, and phishing threats
- No extra license is needed; a single device license covers the use of both Intelligent Hub and the Lookout for Work app
Figure 1: Mobile Defense (Lookout for Work App) on the Personal Profile and Intelligent Hub on the Work Profile.
Dual Enrollment Requirements
The following are required to activate Dual Enrollment:
- Android 11+
- Intelligent Hub 24.06+
- Device managed by Workspace ONE UEM and enrolled in Work Profile or COPE mode.
How Does it Work?
With all the requirements in place, the UEM administrator can enable the Dual Enrollment SDK setting (dualEnrollmentRequired) at the OG level. It’s recommended to create a separate OG for this use case, as the user will be required to perform additional steps on the device to enable protection on the personal profile.
Figure 2: Enabling Dual Enrollment settings on SDK configuration.
When Dual Enrollment is enabled, the Enroll for Personal Profile information label will show up on the Device Details page in Intelligent Hub with instructions on how to activate Mobile Threat Defense in the personal profile as shown in Figure 3.
Figure 3: Dual Enrollment activation process on Workspace ONE Intelligent Hub.
The activation code generated in Intelligent Hub must be entered in the Lookout for Work application which needs to be downloaded in the personal profile. When the Lookout for Work app is activated, the IT administrator will see the status of the personal profile and work profile for each device record that has been enabled for dual enrollment. Administrators will also be able to identify which profiles are affected when threats are detected on the device.
Figure 4: Device Dual Enrollment status on Workspace ONE Mobile Threat Defense.
UEM administrators can identify the device status based on tag updates from the Mobile Threat Defense (MTD) console. When Dual Enrollment is enabled, tags are extended to both profiles, allowing the administrator to discern the device's risk status per profile in the UEM console. For example, if a risky app is detected in the personal profile, the device can be tagged to identify the threat originating from that specific profile.
Figure 5: UEM-managed devices tagged by MTD on Dual Enrollment scenarios.
Summary
Omnissa Workspace ONE Mobile Threat Defense Dual Enrollment enables full device protection on devices enrolled through an Android work profile, providing IT visibility and control over threats in both the personal and work profile containers. This feature allows the organization to bring additional benefits to their employees’ personal devices, protecting the personal area of the device against application and phishing threats.
To learn more about Workspace ONE Mobile Threat Defense, check out the following articles:
- Workspace ONE Mobile Threat Defense Architecture and Integrations
- Workspace ONE Mobile Threat Defense Technical Overview
- Workspace ONE Mobile Threat Defense in Action (Demo)
- Protecting Mobile Devices against Phishing and Malicious Threats