Security

    Android Enterprise managed configurations and the work profile

    A 2026 view of Android Enterprise where an administrator sets managed configuration values an app reads at runtime, with work data isolated from personal data in a work profile

    When a company deploys your Android app to its employees through a mobile management system, it often needs to configure the app remotely: set the server URL, turn features on or off, enforce restrictions. Android Enterprise provides this through managed configurations, settings an administrator sets that your app reads at runtime, and it runs managed apps in a work profile that keeps company data separate from personal data. Supporting this well makes your app deployable in regulated and security-conscious organizations, but it also means reading admin-supplied configuration and respecting a data boundary you must not cross. Here is what managed configurations and the work profile are and how to support enterprise management securely.

    Short answer

    Android Enterprise lets an organization manage your app: managed configurations are settings an administrator defines and pushes through a management system, which your app reads at runtime via the restrictions framework, and the work profile keeps managed app data separate from the user's personal data. Per Android, supporting managed configurations means declaring the configuration keys your app exposes and reading the admin-set values, while respecting the work-profile boundary means not leaking work data into the personal profile. The security points are to validate managed configuration values rather than trusting them blindly, not hardcode settings that should be admin-controlled, and honor the separation between work and personal data. Done well, this makes your app deployable in security-conscious organizations.

    What you should know

    • Managed configurations are admin-set values: your app reads them at runtime.
    • They are declared by your app: the configuration keys you expose.
    • The work profile separates work and personal data: a data boundary to respect.
    • Validate managed config values: do not trust them blindly.
    • Support it for enterprise deployment: secure, configurable rollout.

    What are managed configurations and the work profile?

    They are the two pillars of Android Enterprise management for your app. Managed configurations are settings your app declares, a list of keys like a server URL, a feature flag, or a restriction, that an administrator can set remotely through the organization's management system, and your app reads them at runtime via the restrictions framework. This lets an enterprise deploy your app pre-configured for its environment, without each user setting it up, which is essential for managed rollouts. The work profile is the other pillar: on a managed device, work apps and their data live in a separate, managed profile, isolated from the user's personal profile and apps, so company data stays contained and the organization can manage it without touching personal data. Together they let an organization deploy, configure, and contain your app. For you as the developer, supporting managed configurations means exposing the right keys and reading them, and operating in a work profile means honoring the boundary that keeps work data separate from personal data.

    How do they work?

    Through declared keys, admin-set values, and a profile boundary. The table summarizes.

    ElementDetail
    Configuration keysYour app declares the settings it exposes to admins
    Admin-set valuesAn administrator sets them via the management system
    Runtime readYour app reads the values through the restrictions framework
    Work profileManaged app data is isolated from the personal profile
    Cross-profile limitsSharing between work and personal is restricted

    The flow for managed configurations is that your app declares which settings it supports as a set of keys with types, an administrator configures values for those keys in their management console, and the management system applies them to the device, where your app reads them at runtime and can be notified when they change. The values are set by a trusted administrator, but they still arrive as input your app consumes, so they warrant validation. The work profile flow is about isolation: a managed device can have a work profile containing managed apps and their data, separated from the personal profile, with the platform restricting data sharing across the boundary, so a work app generally cannot freely move data into the personal space and vice versa. Both mechanisms exist to give organizations control and containment over the apps they deploy.

    How do you support enterprise management securely?

    Expose the right configuration, validate it, and respect the profile boundary. Declare managed configuration keys for the settings an enterprise legitimately needs to control, server endpoints, feature and security toggles, restrictions, so administrators can deploy your app correctly without users hand-configuring it, and avoid hardcoding values that should be admin-controlled. Read the admin-set values at runtime and respond to changes, but validate them as you would any input, since a misconfigured or unexpected value should be handled gracefully rather than trusted to be well-formed, even though it comes from an administrator. Respect the work-profile boundary: do not attempt to move work data into the personal profile or otherwise undermine the separation the platform enforces, since that isolation is the point of the managed deployment and a key expectation of the organizations relying on it. Where your app handles sensitive enterprise data, keep it within the managed profile and apply your normal secure storage and transport. Follow Android Enterprise guidance for the management features you support. The principle is that managed configurations let administrators securely tailor your app, so expose what they need, validate what you read, and honor the work-and-personal data boundary that makes managed deployment safe.

    What to watch out for

    The first trap is not supporting managed configurations when your app targets enterprises, forcing manual setup and hardcoded values where admins should have control. The second is trusting managed configuration values without validation, when they are still input that could be misconfigured. The third is undermining the work-profile boundary by moving work data into the personal profile, which breaks the isolation organizations depend on. Managed configuration and profile behavior are implemented in your app, so a pre-submission scan such as PTKD.com (https://ptkd.com), which reads the compiled APK or AAB against OWASP MASVS, assesses your app's data handling and configuration, while exposing and validating managed config and respecting the profile boundary are yours to implement.

    What to take away

    • Android Enterprise manages your app through managed configurations, admin-set values your app declares and reads at runtime, and the work profile, which isolates managed app data from personal data.
    • Support it by declaring the configuration keys enterprises need, reading and validating the admin-set values, and not hardcoding settings that should be admin-controlled.
    • Respect the work-profile boundary by keeping work data within the managed profile and not undermining the separation from personal data.
    • Use a pre-submission scan such as PTKD.com to assess your app's data handling and configuration, and implement managed configuration and profile separation correctly.
    • #android
    • #android-enterprise
    • #managed-configurations
    • #work-profile
    • #mdm
    • #owasp-masvs
    • #app-security

    Frequently asked questions

    What are Android managed configurations?
    They are settings your app declares as a set of keys, like a server URL, a feature flag, or a restriction, that an administrator can set remotely through an organization's management system, and your app reads at runtime via the restrictions framework. This lets an enterprise deploy your app pre-configured for its environment without each user setting it up, which is essential for managed rollouts. The values are set by a trusted administrator but still arrive as input your app consumes, so they should be validated rather than assumed to be well-formed.
    What is the Android work profile?
    It is a separate, managed profile on a device where work apps and their data live, isolated from the user's personal profile and apps, so company data stays contained and the organization can manage it without touching personal data. The platform restricts data sharing across the work-personal boundary, so a work app generally cannot freely move data into the personal space and vice versa. For developers, operating in a work profile means honoring that boundary, keeping work data within the managed profile rather than leaking it into the personal one.
    Should my app support managed configurations?
    If your app targets enterprises, yes. Supporting managed configurations lets organizations deploy your app correctly, setting endpoints, feature and security toggles, and restrictions centrally, without users hand-configuring it, which is often a requirement for enterprise adoption. Declare the configuration keys an enterprise legitimately needs to control, read and respond to the admin-set values, and avoid hardcoding settings that should be admin-controlled. Not supporting it forces manual setup and removes the central control that security-conscious organizations expect when deploying managed apps.
    Do I need to validate managed configuration values?
    Yes. Although managed configuration values are set by a trusted administrator, they still arrive as input your app reads at runtime, so a misconfigured, unexpected, or malformed value should be handled gracefully rather than trusted to be correct. Validate them as you would other input, applying sensible defaults or error handling. This is defensive practice that keeps your app robust against configuration mistakes, and it follows the general principle of validating any external input, even from a relatively trusted source like an enterprise management system.
    How do I check my enterprise app's security?
    Scan the build. A pre-submission scan such as PTKD.com reads the compiled APK or AAB against OWASP MASVS and assesses your app's data handling and configuration, which helps you confirm sensitive enterprise data is stored and transmitted securely within the managed context. The enterprise-specific behavior, declaring and validating managed configurations and respecting the work-profile boundary so work data stays separate from personal data, is implemented in your app code, while the scan covers the underlying storage, transport, and configuration posture that managed deployment relies on.

    Keep reading

    Scan your app in minutes

    Upload an APK, AAB, or IPA. PTKD returns an OWASP-aligned report with copy-paste fixes.

    Try PTKD free