As the use of mobile devices to perform a wide variety of tasks has increased, users have often found it convenient or necessary to use the same mobile device to perform both personal and work tasks. Along these lines, the policy of “bring your own device” (“BYOD”) allows an employee to bring their own personal mobile device (e.g., smartphone, laptop, tablet, smart watch) to the workplace, and to use it both to access proprietary resources of their employer's enterprise (e.g., applications, databases) and to perform personal tasks.
To address security needs of the enterprise under such circumstances, Enterprise Mobility Management (EMM) technologies have been developed that allow an enterprise to specifically control the deployment and operation of enterprise applications that execute on an employee's mobile device, typically based on a set of management policies that may be provided to the mobile device from a remote enterprise server. In mobile devices running the Android™ operating system developed by Google LLC, Android Enterprise provides secure support for EMM through software containerization. As is generally known, software containerization is a lightweight alternative to full machine virtualization, involving the encapsulation of one or more applications in a container together with their own operating environment. An application executing within a container can only see and use the specific resources that are allocated to that container, such as a subset of the mobile device memory and/or storage. In Android Enterprise, a protected workspace container is used to securely execute one or more enterprise applications and store enterprise data in isolation from the user's personal applications and data. The user's personal applications and data are located outside of the workspace container. The workspace container in Android Enterprise is a secure partition associated with a “work profile” user profile for the device, while the user's personal space container is another partition associated with a “personal profile” user profile. In this way, the Android operating system may prevent enterprise applications and/or proprietary data located in the workspace container from being accessed by the user's personal applications.