Getting started with Workspace ONE Mobile Threat Defense Dual Enrollment for Android Work Profile & COPE
With the Launch of Workspace ONE Mobile Threat Defense and the additions of Phishing and Content Protection there was still one use-case that was not supported. This is the Android Work Profile or COPE Enrollment with Protection on Personal and Work side. While this seems to be strange initially, it is definitely a quite important scenario. Imagine all the Phishing messages that come via Text or personal Mail. so you might want to protect the personal space as well. This is now possible with the Workspace ONE MTD Solution without the need to the Lookout for Work App in the Work Profile.
Setup
MTD General :
As a Pre-Requisite make sure you have MTD Setup and Pishing and content Protection enabled like descriped in my Blog from June 2023:
https://digitalworkspace.one/2023/06/06/bringing-workspace-one-mobile-threat-defense-to-the-next-level-with-integrated-safe-browsing-aka-phishing-content-protection/
MTD Feature Flag:
Make sure you have the FF on Workspace ONE MTD (Lookout) enabled for the Dual Enrollment:
L4E_dual_enrollment_required_default
If not request it via a Lookout or Omnissa Ticket. In the Integration page you should see the following two options:
UEM SDK:
As you may remember from the inital activation we used the Custom Settings. Go to Settings in UEM, Select “Apps” , “Settings and Policies” , ” Settings”and add the “dualEnrollmentRequired”:true setting to the OG where the Dual Enrollment is expected. This OG should only Contain COPE or WorkProfile Devices , for Fully Managed Devices this Setting needs to be set to “False”.
If you want to copy it out here the JSON, make sure to update the enrollmentCode to you Device Group enrollment code:
{<br>"mtdSettings":{<br>"isEnabled":true,<br>"enrollmentCode":"XXXXX",<br>"dualEnrollmentRequired":true<br>}<br>}Please note that Android Hub 24.06+ or newer is required to have Dual Enrollment supported.
Enroll the Personal Side on a Device:
Open Hub and go to the MTD Section, there is a “Enroll Personal Profile” section, Click that:
Once there Follow the Instructions , so Download the “Lookout for Work” App from PlayStore and open it.
P.S.: Note down the Activation Code, as you will need to type it in or just copy & paste it if your MDM Restrictions allow it.
Go. to the personal side of the Device and Download from the PlayStore the “Lookout for Work” app and open it:
Enter the Activation code from the Hub App and Follow the instructions.
Now, MTD with Phishing and Content Protection is activated.
If you wish the L4W App to have a Workspace ONE branded icon, reach out to support, they can active this Featureflag on the Lookout side.
MTD Admin Console:
When you login to the MTD Console you see that the Personal Profile as well as the Work Profile is enrolled for the specific device and you also see when the last connection was made:
Also for Issues (like Phishing pages) you see from what side of the device it is reported / blocked:
To verify the Activation Apps (Lookout for Work / Workspace ONE Intelligent Hub), Activation times etc. all this information is available in the console as well :
Device Enablement :
To show the User Experience end to end I created a Video:
vExpert, blogger and VMware champion. Worked 10 years as a VMware & Microsoft consultant for a partner before joining VMware in 2017.