Okta Mobility Management with Android for Work
Published: Jan 31, 2018   -   Updated: Jun 22, 2018

 

 


Android for Work, or Android in the enterprise, is Google's solution to enterprise mobility management. Enrolling an end user in Okta Mobility Management (OMM) through Android for Work creates an encrypted, containerized Work profile on their device, and installs a managed Google Play store. These allow you to assign separate managed versions of work apps, like Box or Outlook, as well as selectively wipe company data from an end user's device, while leaving their personal data intact.

Supported Versions of Android

Android for Work is supported on devices running Android 5.1.1 (L) and above.

Note: If you enable Android for Work, we strongly recommend you deploy Google Chrome to your OMM users in order to prevent unexpected behavior on certain older Android devices. See Enable access to managed mobile apps for information on deploying managed apps.

Note: When a work profile is configured on an Android O device, Google Chrome is automatically installed. This prevents Okta Mobile and other apps that use web views from crashing due to a bug in Android O. See the Google documentation of the bug for details.

Set up Android for Work

See Setting up Android for Work in Okta for instructions.

Configure a Work profile passcode policy

OMM allows you to configure passcode policies for any supported Android device. These policies allow you to require your users to enter a passcode that meets your specifications to unlock their device. They are applied based on groups you create, which allows you to set different levels of access and security for different people.

For an additional level of flexibility, you can also set a separate work profile passcode policy for your users with Android 7.0+ devices. You can use this policy to require users to enter a passcode before accessing apps managed by their work profile, which allows you to set a more secure policy for accessing work resources than for accessing personal apps and data. This way, your users can easily access their personal resources without having to enter complex passwords, while still keeping company data safe and secure.

Note: Requires Okta Mobile 3.0 or above.

To set a work profile passcode policy, you must create or edit a device policy, then configure that policy's Android rule.

Create a device policy
  1. Go to Devices > Mobile Policies.
  2. Click Add Device Policy, then specify:
    • A unique Policy name
    • An optional Description
    • The groups of users to whom this policy will apply
    • An optional User Agreement

      If you select this box, enter a brief custom user agreement in the text field. The agreement appears on end users' devices, and end users must acknowledge it before they can proceed to OMM enrollment. As part of the OMM enrollment process, end users are warned that enrolling in OMM gives admins certain controls over their devices. This User Agreement is an opportunity to provide additional custom terms and conditions you may want your end users to acknowledge.
  3. Click Save and Add Platform Rule, then select Android to continue.

Edit an existing device policy

If you have an existing policy that is assigned to the correct groups, you can edit it to include a work profile passcode policy.

  1. Go to Devices > Mobile Policies.
  2. Select the policy you want to edit.
  3. If the policy already has an Android rule, click the pencil icon to edit the rule. Otherwise, click Add Platform Rule, then select Android to continue.

Configure an Android rule with a work profile passcode
  1. Go to Devices > Mobile Policies.
  2. Select Allow devices.
  3. Select Android for Work. If this option is disabled, click Set up AfW.

    Note: You may also select Samsung SAFE or Native Android if you wish to support devices incompatible with Android for Work. Okta will attempt to enroll devices using the top-most selected option first, then continue down the list until enrollment succeeds.

  4. Click Next, and then configure settings in the following sections as appropriate:

    GENERAL ANDROID DEVICE PASSCODE REQUIREMENTS

    For Android devices earlier than 7.0 – Select Require a device passcode if you want to require users running versions of Android earlier than 7.0 to enter a passcode to unlock their device. Then, specify the passcode requirements. For Android devices 7.0+, see this section.

    PIN minimum length — Minimum number of required characters (from 4 to 30).

    Characters — You can specify whether passcodes must contain at least one letter, and/or at least one symbol.

    Expiration — Either passcodes never expire (the default), or you can specify the number of days after which they expire (Max age), and the number of distinct passwords a user must create before they can reuse a previous password (History limit; prevents users from reusing a previous password for a specified period of time).

    Failed attempts before wipe — Specify the maximum number of times end users can enter the wrong passcode before their device is wiped. Note the following:

    • Select Unlimited attempts if you never want to wipe a device because of failed passcode attempts.
    • On Android for Work, only the Work profile is wiped.
    • Devices are not wiped if users enter the wrong passcode fewer than 4 times.
    • You can allow up to 10 attempts before a wipe occurs.

    Device lock timeout — Use the dropdown menu to specify how long after the device display is turned off that a passcode is required to unlock the device.

    Note: Only supported on Android devices running Okta Mobile 2.8 or higher.


    ANDROID DATA SEPARATION

    If you want to allow unmanaged apps to open files from the work profile, select Work profile can transfer data to personal profile under Android Data Separation.


    OPTIONAL: ANDROID 7.0+ WORK PASSCODE REQUIREMENTS

    Prompt for work passcode

    Under Android 7.0+ Work Passcode Requirements, select Require Work passcode if you want to require Android 7.0+ users to enter a passcode in order to access apps in their work profile, and then specify the passcode requirements.

    PIN minimum length — Minimum number of required characters (from 4 to 30).

    Characters — You can specify whether passcodes must contain at least one letter, and/or at least one symbol.

    Expiration — Either passcodes never expire (the default), or you can specify the number of days after which they expire (Max age), and the number of distinct passwords a user must create before they can reuse a previous password (History limit; prevents users from reusing a previous password for a specified period of time).

    Failed attempts before wipe — Specify the maximum number of times end users can enter the wrong passcode before their device is wiped. Note the following:

    • Select Unlimited attempts if you never want to wipe a device because of failed passcode attempts.
    • On Android for Work, only the Work profile is wiped.
    • Devices are not wiped if users enter the wrong passcode fewer than 4 times.
    • You can allow up to 10 attempts before a wipe occurs.

    Device lock timeout — Use the dropdown menu to specify how long after the device display is turned off that a passcode is required to unlock the device.

    Note: Only supported on Android devices running Okta Mobile 2.8 or higher.

    Prompt for device passcode on 7.0+

    Important: If you configured a work passcode for your users with Android 7.0+ devices, the general device passcode policy that you may have configured above in General Requirements no longer applies to them. If you want to require these users to lock their device as well as their work profile, select Require a device passcode here, and then specify the passcode requirements.

    PIN minimum length — Minimum number of required characters (from 4 to 30).

    Characters — You can specify whether passcodes must contain at least one letter, and/or at least one symbol.

    Expiration — Either passcodes never expire (the default), or you can specify the number of days after which they expire (Max age), and the number of distinct passwords a user must create before they can reuse a previous password (History limit; prevents users from reusing a previous password for a specified period of time).

    Failed attempts before wipe — Specify the maximum number of times end users can enter the wrong passcode before their device is wiped. Note the following:

    • Select Unlimited attempts if you never want to wipe a device because of failed passcode attempts.
    • On Android for Work, only the Work profile is wiped.
    • Devices are not wiped if users enter the wrong passcode fewer than 4 times.
    • You can allow up to 10 attempts before a wipe occurs.

    Work lock timeout — Use the dropdown menu to specify how long after the device display is turned off that a passcode is required to unlock the device. Note: This setting is only supported on Android devices running Okta Mobile 2.8 or higher.
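
The three passcode sections above interact: once a work passcode is configured, the general device passcode no longer applies to Android 7.0+ devices. The following added example (not Okta code; the class and field names are hypothetical and do not correspond to any Okta API) models one Android rule, resolves which passcode requirements apply to a given Android version, and flags 7.0+ devices left without a device passcode requirement. It assumes the general policy applies to all versions when no work passcode is configured.

```python
from dataclasses import dataclass
from typing import Optional


@dataclass
class Passcode:
    min_length: int            # PIN minimum length (page: 4 to 30)
    wipe_after: Optional[int]  # failed attempts before wipe; None = Unlimited attempts

    def problems(self, label: str) -> list:
        out = []
        if not 4 <= self.min_length <= 30:
            out.append(f"{label}: PIN minimum length must be 4 to 30")
        if self.wipe_after is not None and not 4 <= self.wipe_after <= 10:
            out.append(f"{label}: failed attempts before wipe must be 4 to 10")
        return out


@dataclass
class AndroidRule:  # hypothetical model of one Android platform rule
    general_device: Optional[Passcode] = None  # General Android device passcode
    work: Optional[Passcode] = None            # Android 7.0+ work passcode
    device_7plus: Optional[Passcode] = None    # "Prompt for device passcode on 7.0+"


def effective(rule: AndroidRule, android_version: str):
    """Return (device_passcode, work_passcode) enforced on a given Android version."""
    major, minor = (int(p) for p in (android_version.split(".") + ["0"])[:2])
    if (major, minor) >= (7, 0) and rule.work is not None:
        # A work passcode replaces the general device policy on 7.0+ devices.
        return rule.device_7plus, rule.work
    # Assumption: without a work passcode the general policy covers every version.
    return rule.general_device, None


def audit(rule: AndroidRule) -> list:
    findings = []
    for label, p in (("general", rule.general_device), ("work", rule.work),
                     ("device 7.0+", rule.device_7plus)):
        if p is not None:
            findings += p.problems(label)
    if rule.work is not None and rule.device_7plus is None:
        findings.append("7.0+ devices: work passcode set, no device passcode required")
    return findings


# Constructed sample rule: the admin set a general and a work passcode only.
rule = AndroidRule(general_device=Passcode(6, 10), work=Passcode(8, 5))
print(effective(rule, "6.0"), effective(rule, "7.1.1"), audit(rule), sep="\n")
```

With the sample rule, a 7.1.1 device resolves to no device passcode at all, which is the gap the Important note describes; setting `device_7plus` clears the finding.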



Known Issue

(Applies to Android devices running versions 7.1 or 7.1.1; fixed in 7.1.2) After an admin strengthens a group's work profile passcode policy, end users are prompted to update their passcode to comply with the updated policy. However, when end users respond to the prompt, their device passcode is updated instead of their work profile passcode. If the end user's Security settings allow different device and work profile passcodes, they are prompted continually to update their work profile passcode until they change it in their device settings.


Related Resources

Configure Mobile Policies

Configure Okta Mobility Management

Okta Mobile
