Android Work Profile - Unable to install Apps from Unknown Sources

Solved Locked
OA
Ozan Acikalin
JAMBO GmbH

Hello Everyone,

Currently I am struggling with the work profile on Android.

First some info about MC and the MC Agent:
MC Version: 14.4.4.1045 (cloud hosted by SOTI)
MC Agent: 14.1.5 Build 1059 (Android Enterprise Agent from Google Play)

So we are using Samsung S10 devices. They are up to date with firmware/security updates.

The devices are configured as "Managed Work Profile" in MobiControl. Everything works fine except one thing.
After I enrolled the devices into MC, I am no longer able to install any apps via APKs out of my work profile (container).
They don't have any profiles assigned which could disable the installation from unknown sources.

In the feature control I am able to allow installation from unknown sources, but this only counts for Fully Managed devices
and not Managed Profile devices.

So does it mean I am not allowed to install any APKs at all because there could be an app
that could "attack" the work profile?

Is there still a way to allow the installation? Or am I doomed? Because my users should be allowed to install anything they
want. It is their own responsibility if they do something wrong.

Edited 5 years ago
Android
ANSWERS
MD
Matt Dermody Diamond Contributor
5 years ago (edited 5 years ago)

Device-wide blocking of Unknown Sources outside of the Work Profile is a "feature" added to Android Enterprise management relatively recently. I see this as an unfortunate example of Google already breaking their promises around Work Profile and containerization between work and personal.

https://developer.android.com/work/versions/android-10

While this initially seemed to be a feature of Android 10, Google has actually made this available to a lot of older versions as well, via an over-the-air update. They are very concerned with the public perception of security vulnerabilities in Android and are doing everything in their power to dispel those previous conceptions. This unfortunately can conflict with Android management strategies in Enterprise environments. Work Profile was supposed to solve the problem of DA having too much control over a personal device, and here we already have examples of device-level control outside of Work Profile popping up. Google Play Protect is another great example of an attempt by Google to dispel security concerns that can also have negative effects on legitimate business apps in an AEDO environment.

https://bayton.org/docs/enterprise-mobility/android/feature-spotlight-block-unknown-sources-on-work-profile-deployments/

From a SOTI perspective, they will need to update their configuration profiles to allow this particular feature to be administered if they haven't already. You are not doomed per se, since it is an exposed configuration by Android Enterprise, but SOTI will have to actually provide support for administration. 

Solution
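The behaviour Matt describes is exposed to a Profile Owner DPC through two separate user restrictions: the long-standing profile-local one and, from Android 10, a device-wide one. The following is an added illustration (not code from the thread, from SOTI, or from MobiControl) of how a hypothetical DPC class would apply, lift and inspect both; the class name, the `admin` ComponentName and the method names are assumptions, while the `UserManager` and `DevicePolicyManager` calls are the public Android API.

```java
// Added example, not part of the original thread or of any SOTI product.
// Shows the two "unknown sources" restrictions a Profile Owner DPC can apply:
//   DISALLOW_INSTALL_UNKNOWN_SOURCES          -> affects the work profile only
//   DISALLOW_INSTALL_UNKNOWN_SOURCES_GLOBALLY -> affects the whole device (API 29+)
import android.app.admin.DevicePolicyManager;
import android.content.ComponentName;
import android.content.Context;
import android.os.Build;
import android.os.UserManager;

public final class UnknownSourcesPolicy {

    private final DevicePolicyManager dpm;
    private final UserManager um;
    private final ComponentName admin; // the DPC's DeviceAdminReceiver (assumed to be a profile owner)

    public UnknownSourcesPolicy(Context context, ComponentName admin) {
        this.dpm = (DevicePolicyManager) context.getSystemService(Context.DEVICE_POLICY_SERVICE);
        this.um = (UserManager) context.getSystemService(Context.USER_SERVICE);
        this.admin = admin;
    }

    /** Keeps sideloading blocked inside the work profile but leaves the personal side alone
     *  (the containment the original BYOD Work Profile model promised). */
    public void blockInsideWorkProfileOnly() {
        dpm.addUserRestriction(admin, UserManager.DISALLOW_INSTALL_UNKNOWN_SOURCES);
        if (Build.VERSION.SDK_INT >= Build.VERSION_CODES.Q) {
            // Explicitly lift the device-wide variant in case an earlier policy set it.
            dpm.clearUserRestriction(admin, UserManager.DISALLOW_INSTALL_UNKNOWN_SOURCES_GLOBALLY);
        }
    }

    /** Blocks sideloading on the entire device, personal profile included. This is the
     *  Android 10 capability that produces the "Action not allowed" prompt outside the container. */
    public void blockDeviceWide() {
        if (Build.VERSION.SDK_INT >= Build.VERSION_CODES.Q) {
            dpm.addUserRestriction(admin, UserManager.DISALLOW_INSTALL_UNKNOWN_SOURCES_GLOBALLY);
        }
    }

    /** Reports which of the two restrictions the calling user currently sees; handy when
     *  diagnosing whether a block is profile-local or device-wide. */
    public String describe() {
        boolean local = um.hasUserRestriction(UserManager.DISALLOW_INSTALL_UNKNOWN_SOURCES);
        boolean global = Build.VERSION.SDK_INT >= Build.VERSION_CODES.Q
                && um.hasUserRestriction(UserManager.DISALLOW_INSTALL_UNKNOWN_SOURCES_GLOBALLY);
        return "profile-local=" + local + " device-wide=" + global;
    }
}
```

For an EMM like MobiControl the question is simply which of these two keys its "unknown sources" feature-control setting maps to when the device is enrolled as a work profile; until the console exposes that choice, the device-wide key is what the users in this thread are seeing.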
J
JVMOD@SOTI
5 years ago (edited 5 years ago)

Hello Ozan,

Thank you for your post,

Is there any specific reason for enrolling your device as Work Profile?

Because as you mentioned in the post, you would like to give complete access to the device user.

You can enroll your device as Android Plus; in this case the user will have full access on the device.

Correction - My apologies, I meant enroll your device as Android Managed Device

feature control available - 

Regards,

MD
Matt Dermody Diamond Contributor
5 years ago (edited 5 years ago)

I don't think you quite understand the architecture of Android+ (DA) vs. Android Enterprise, JVMOD. Android+ is based around Device Administrator based device management, which puts full control of the device into the hands of the EMM admin whether you're in a dedicated device environment where you do want full control as an admin or a BYOD environment where the user wants full control.

Android Enterprise introduced the ability to put the control back into the hands of the actual owner of the device. If the corporation owns the device then fully managed strategies like Device Owner (DO) can be employed so that the entire device can be managed. On the other hand, if it's a personal device owned by an employee used in a BYOD scenario, Profile Owner can be used so that the corporate EMM only has control over a smaller container called a Work Profile, leaving the rest of the control to the end user. In this example, Jambo is attempting to use this BYOD management concept and there is bleed-over outside of the Work Profile container into the global device configuration settings. This arguably should not be possible in this architecture, but Google has recently provided this access.

OA
Ozan Acikalin
5 years ago

@Matt Thank you for your input and even for the resources. They should help me a bit to explain the cause to others.

@JVMOD I want to enroll my devices as work profile because my users are allowed to use the device as a personal device
outside of the work profile. They need to use the work container only for business (contacts, telephone, photos, etc.)
and are allowed to turn it off whenever they want. This scenario was a requirement from the upper guys. They wanted
the business data secured by the work profile / work container. And I share this decision for this use case.

RC
Raymond Chan Diamond Contributor
5 years ago (edited 5 years ago)

Hi Ozan,

Your description was lengthy but vague, if not contradictory in some way.  Frankly speaking, I am not 100% sure what your problem was.

I've just done a test with the same device agent as yours on a Samsung Android Enterprise device enrolled in Work Profile mode. I have no problem getting an app APK residing in the personal profile to be installed in the personal profile, irrespective of whether a feature control profile with the "disable installation from source" option is enabled or not.

It is of course not possible for any device end user to get an app APK residing in the personal profile to be installed in the work profile (container).

If you have an app APK you want to silently push, or allow the end user to install on demand, in the work profile, it can always be included in a .pcg package and deployed to the work profile (container) with a profile policy.

Everything works just fine as expected in a typical BYOD use case.

Do you have a wrong expectation of what the Android Enterprise work profile mode provides and misunderstand what use case it is designed for?

OA
Ozan Acikalin
5 years ago (edited 5 years ago)

Hey Raymond,

Sorry for the confusion. I apologize that my description is not really clear. I'm not sure how to describe it.

I'll try to get it right...

Requirements:
- the devices are provided by the company
- the users can use this device as a private device
- the work container is mandatory (turn on/off whenever they want & secured)
- the work profile shouldn't interfere outside of the container
- the personal profile is not allowed to be managed

What i did:
- configured the device as a private device
- enrolled the device by using the enterprise agent into MC
- set a work profile containing restrictions, app assignments via Managed Google Play Account, etc.

That's how it works right now. I am happy and the users too.

But some of the users are developers who tried to install apps outside of the container, to test their app and so on.
But MC does not allow the installation of their APK files. And there is not really a way to push their APKs via MC
outside the work profile into their private area.

So my questions are:
- is there a way to allow the installation of "unknown sources" outside of the work container?
- did I choose the wrong way to configure my devices?

EDIT: after reading my own comment I realized that I have a BYOD-like configuration.
So I am looking for a solution to allow the installation of unknown sources on a BYOD.

RC
Raymond Chan Diamond Contributor
5 years ago (edited 5 years ago)

The Android Enterprise Work Profile mode, primarily designed for the BYOD use case, supported by MobiControl and used on your corporate-owned devices, can satisfy all five requirements you listed.

How come you want the work profile (i.e. MDM policies) not to interfere outside of the container according to your fourth requirement, but at the same time you want those developers' app APKs to be installed/pushed by MC?

If the developers are working on/testing their apps, they can always install the app APKs freely in their personal profile (i.e. outside the work profile container). If the apps are corporate apps that eventually need to be deployed to the device for internal use only, then such apps should be submitted to you for inclusion in a .pcg package and subsequent deployment to the work profile container via a profile policy.

If the apps are not internal apps and need to be deployed to the personal workspace, their deployment is not done via the MDM solution, but they have to be submitted as public apps to the public (i.e. non-managed) Google Play store.

Google recently added a new Android Enterprise mode to support more control by MDM software over the personal workspace (actually a second workspace on a COPE device), but this is currently not supported by SOTI MobiControl. But as far as I know, even this new mode does not support what you need.

AB
Arjan Blom
5 years ago

We are having the same problem. We have 12 S10s at the moment on our server and they all have the same issue.

When you try to change the unknown sources setting of any app (on the private part of the device), it will give a notification that you cannot change it. It will say:

Action not allowed

This action is disabled by MobiControl. Contact your organization's administrator to learn more.

It seems like MobiControl blocks this option that is on the private part of the device, which of course they shouldn't be able to. They have to completely unenroll the Workspace to be able to change this setting.

MD
Matt Dermody Diamond Contributor
5 years ago

It seems like MobiControl blocks this option that is on the private part of the device. Which of course they shouldn't be able to. They have to completely unenroll the Workspace to be able to change this setting.

I take it you didn't take the time to read my original response? Control over unknown sources outside of the Work Profile is a feature of Android Enterprise now. I agree that it shouldn't have ever been added since it breaks from the original tenets of BYOD Work Profile containerization, but Google has added it so here we are. 

AB
Arjan Blom
5 years ago

I did, but I thought (/hoped) that this is still a configurable option that has to be added under device feature control. I don't blame SOTI for not having it yet, but we have one customer that is really keen on this BYOD scenario and everything that we can do/see outside the 'Workspace' is one too many. So it would be really appreciated if they build it in (if possible). If it's not possible we will have to go to the board and explain the changes in Android 10.

They just made an order for a couple hundred Android 10 devices so they are gonna see this.

OA
Ozan Acikalin
5 years ago

@Matt I set your first post as the solution until SOTI supports the feature. Hope that's fine for you.

And thanks to all for your input and help :)

MD
Matt Dermody Diamond Contributor
5 years ago