Intune App Protection Policies vs Android Enterprise Work Profiles

A lot of people gets confused when comparing Intune App Protection Policies to Android Enterprise Work Profiles. It’s two similar features to separate work data from personal data in your smartphone. Both features are supported in Intune so which one is the right way to go? I’ll try to explain the basics.


Intune App Protection Policies

First of all, Intune App Protection Policies is a Microsoft Intune feature which encrypts and protects work data on the app level. The apps are protected by PIN/biometrics. Intune App Protection Policies are platform independent and works the same on both iOS and Android, but it requires support by the targeted apps. Available apps are primarily the Microsoft apps connecting to Office 365. However, more and more third-party vendors are integrating their own apps using the Intune App SDK from Microsoft.

You can find a list of all the currently supported apps here.

App Protection Policies encrypts and protects the corporate data inside an app targeted by an app protection policy. The policy tells the smartphone how the data can be used. For example, work data cannot be shared with unmanaged apps, copy/paste between managed and unmanaged apps is not allowed, printing is not allowed, and so on.

Android Enterprise Work Profiles

Android Enterprise Work Profiles is an Android specific feature by Google which uses two different user accounts to separate work apps and data from personal apps and data. Each user account has its own app store, one of them is managed by the organisation. There is no limit on which apps can be installed in the work profile.

You can look at Android Enterprise Work Profiles as having two virtual devices in one physical device. Google has made a good job integrating the feature in the Android GUI and it’s easy for the user to switch between personal profile and work profile. Apps in the work profile can be protected by PIN/biometrics.

Android Enterprise Work Profiles can be used to limit sharing and copy/paste of data between profiles. It’s worth to know that this feature primarily is intended for BYOD scenarios and not for corporate owned devices. However, this might change over time since the user experience is straight-forward and liked by many users. All of the work profile settings can be managed from Intune.


We are looking at two very similar features which protects company data in two very different ways.

I believe Intune App Protection Policies should be used by all Intune organisations since it can protect app data on both personal and corporate devices. It protects the data inside supported apps. It can also be used together with device enrollment and it works the same on both Android and iOS which is a big plus. Last but not least, it can be used as a condition with Azure AD Conditional Access.

Android Enterprise Work Profiles can be used for BYOD scenarios as a extra layer of protection, and as a complement to Intune App Protection Policies, on personal Android devices. Corporate devices should be enrolled as Android Enterprise Fully Managed devices.


Please follow me here, on LinkedIn and on Twitter!


Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s