Okta Mobility Management with Android for Work
Android for Work, or Android in the enterprise, is Google's solution to enterprise mobility management. Enrolling an end user in Okta Mobility Management (OMM) through Android for Work creates an encrypted, containerized Work profile on their device, and installs a managed Google Play store. These allow you to assign separate managed versions of work apps, like Box or Outlook, as well as selectively wipe company data from an end user's device, while leaving their personal data intact.
Supported Versions of Android
Android for Work is supported on devices running Android 5.1.1 (L) and above.
Note: If you enable Android for Work, we strongly recommend you deploy Google Chrome to your OMM users in order to prevent unexpected behavior on certain older Android devices. See Enable access to managed mobile apps for information on deploying managed apps.
Note: When a work profile is configured on an Android O device, Google Chrome is automatically installed. This prevents Okta Mobile and other apps that use web views from crashing due to a bug in Android O. See the Google documentation of the bug for details.
Set up Android for Work
See Setting up Android for Work in Okta for instructions.
OMM allows you to configure passcode policies for any supported Android device. These policies allow you to require your users to enter a passcode that meets your specifications to unlock their device. They are applied based on groups you create, which allows you to set different levels of access and security for different people.
For an additional level of flexibility, you can also set a separate work profile passcode policy for your users with Android 7.0+ devices. You can use this policy to require users to enter a passcode before accessing apps managed by their work profile, which allows you to set a more secure policy for accessing work resources than for accessing personal apps and data. This way, your users can easily access their personal resources without having to enter complex passwords, while still keeping company data safe and secure.
Note: Requires Okta Mobile 3.0 or above.
To set a work profile passcode policy, you must create or edit a device policy, then configure that policy's Android rule.
Create a device policy
Edit an existing device policy
If you have an existing policy that is assigned to the correct groups, you can edit it to include a work profile passcode policy.
Configure an Android rule with a work profile passcode
GENERAL ANDROID DEVICE PASSCODE REQUIREMENTS
For Android devices earlier than 7.0 – Select Require a device passcode if you want to require users running versions of Android earlier than 7.0 to enter a passcode to unlock their device. Then, specify the passcode requirements. For Android devices 7.0+, see this section.
ANDROID DATA SEPARATION
If you want to allow unmanaged apps to open files from the work profile, select Work profile can transfer data to personal profile under Android Data Separation.
OPTIONAL: ANDROID 7.0+ WORK PASSCODE REQUIREMENTS
Prompt for work passcode
Under Android 7.0+ Work Passcode Requirements, select Require Work passcode if you want to require Android 7.0+ users to enter a passcode in order to access apps in their work profile, and then specify the passcode requirements.
PIN minimum length — Minimum number of required characters (from 4 to 30).
Characters — You can specify whether passcodes must contain at least one letter, and/or at least one symbol.
Expiration — Passcodes never expire by default. Alternatively, you can specify the number of days after which they expire (Max age) and the number of distinct passcodes a user must create before they can reuse a previous one (History limit; prevents users from reusing a previous passcode for a specified period of time).
Failed attempts before wipe — Specify the maximum number of times end users can enter the wrong passcode before their device is wiped. Note the following:
Device lock timeout — Use the dropdown menu to specify how long after the device display turns off a passcode is required to unlock the device.
Note: Only supported on Android devices running Okta Mobile 2.8 or higher.
Prompt for device passcode on 7.0+
Important: If you configured a work passcode for your users with Android 7.0+ devices, the general device passcode policy that you may have configured above in General Requirements no longer applies to them. If you want to require these users to lock their device as well as their work profile, select Require a device passcode here, and then specify the passcode requirements.
(Applies to Android devices running versions 7.1 or 7.1.1; fixed in 7.1.2) After an admin strengthens a group's work profile passcode policy, end users are prompted to update their passcode to comply with the updated policy. However, when end users respond to the prompt, their device passcode is updated instead of their work profile passcode. If the end user's Security settings allow different device and work profile passcodes, they are prompted continually to update their work profile passcode until they change it in their device settings.
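The precedence rule above is easy to miss when reviewing a policy: once a work passcode is set, 7.0+ devices lose the general device passcode unless one is configured separately. The following added example (not Okta code or an Okta API; all class and field names are hypothetical labels for the settings on this page) models which passcodes are enforced per Android version and flags the gaps, assuming that with no work passcode the general policy still applies to 7.0+ devices.

```python
# Added example: a local model of the Android rule, not Okta's API.
# Every class and field name here is a hypothetical label for a page setting.
from dataclasses import dataclass
from typing import Optional


@dataclass
class Passcode:
    min_length: int  # "PIN minimum length", documented range 4 to 30


@dataclass
class AndroidRule:
    general_device: Optional[Passcode] = None  # General device requirements
    work_profile: Optional[Passcode] = None    # Android 7.0+ work passcode
    device_7_plus: Optional[Passcode] = None   # Device passcode on 7.0+
    work_to_personal_transfer: bool = False    # Android Data Separation


def parse_version(text):
    parts = [int(p) for p in text.split(".")]
    return tuple((parts + [0, 0])[:3])  # "7.1" -> (7, 1, 0)


def effective(rule, android_version):
    """Return (device_passcode, work_passcode) enforced on this OS version."""
    if parse_version(android_version) < (7, 0, 0):
        return rule.general_device, None
    if rule.work_profile is None:
        # Assumption: with no work passcode, the general policy still applies.
        return rule.general_device, None
    # A work passcode replaces the general device policy on 7.0+.
    return rule.device_7_plus, rule.work_profile


def audit(rule, android_version):
    device, work = effective(rule, android_version)
    findings = []
    if device is None:
        findings.append("no device passcode enforced")
    if work is not None and not 4 <= work.min_length <= 30:
        findings.append("work passcode minimum length outside 4-30")
    if rule.work_to_personal_transfer:
        findings.append("work profile can transfer data to personal profile")
    if work is not None and (7, 1, 0) <= parse_version(android_version) < (7, 1, 2):
        findings.append("7.1/7.1.1: policy update prompt changes device passcode")
    return findings


# Constructed sample: general policy plus work passcode, no 7.0+ device passcode.
SAMPLE = AndroidRule(general_device=Passcode(6), work_profile=Passcode(8))
```

Running audit(SAMPLE, "8.0") reports that no device passcode is enforced, which is the gap the Important note describes.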
Configure Mobile Policies