In modern Enterprise Mobility Management (EMM), the COPE model (Corporate-Owned, Personally Enabled) has become a preferred option for organizations that want full ownership of the device while still allowing personal use. This mixed-use scenario provides flexibility for employees but also introduces technical limitations that directly affect the way managed properties and app-level permissions behave on Android COPE devices.
Because COPE enrollment separates the device into two distinct spaces—a fully managed work profile and a personal profile outside corporate control—certain policies, restrictions, and permission grants simply cannot be applied at the device level. This differs significantly from fully managed, dedicated, or work-managed deployments, where the enterprise has broader administrative control.
Key limitations
Permissions apply only to the work profile
Any permission granted, denied, or required through managed properties affects apps inside the work profile only. Administrators cannot enforce permissions on apps in the personal profile.
Sensitive permissions cannot be pre-granted by IT
Even within the work profile, permissions such as camera, location, or microphone cannot always be auto-granted. The user must manually approve them.
Factory reset cannot be blocked
Users retain the ability to reset the entire device to factory settings. In COPE mode, EMM solutions—including Applivery—cannot disable or restrict this option.
Location control is limited
Administrators can request or restrict location access only within the work profile. They cannot force device-wide location tracking or enforce continuous location access.
Phone and SMS permissions are not manageable
Calls and SMS belong to the personal profile by design; therefore, related permissions cannot be restricted, granted, or controlled from the work profile.
Global device-level restrictions cannot be enforced
Policies related to screen lock requirements, disabling the camera, controlling Bluetooth, or modifying system network settings apply only to the work profile and do not affect personal usage.
Sensitive personal-profile permissions cannot be controlled
Access to contacts, call logs, SMS, shared storage, and other privacy-sensitive resources cannot be automatically granted or denied by the EMM—either in the personal profile or, in some cases, even within the work profile.
Summary table
| Permission | Can it be pre-granted or blocked? |
|---|---|
| ACCESS_FINE_LOCATION / ACCESS_COARSE_LOCATION | ❌ |
| CAMERA | ❌ |
| RECORD_AUDIO | ❌ |
| READ_EXTERNAL_STORAGE / WRITE_EXTERNAL_STORAGE | ❌ |
| READ_CONTACTS | ❌ |
| READ_CALL_LOG / WRITE_CALL_LOG / PROCESS_OUTGOING_CALLS | ❌ |
| READ_SMS / SEND_SMS / RECEIVE_SMS / READ_MMS | ❌ |
| READ_CALENDAR / WRITE_CALENDAR | ❌ |
| BODY_SENSORS / ACTIVITY_RECOGNITION | ❌ |
| Block Factory Reset | ❌ |
These limitations arise from Android’s privacy-by-design approach for COPE enrollment. The OS intentionally ensures that personal data, activity, and system-level capabilities remain under user control, preventing administrators from silently configuring or restricting certain behaviors—even on company-owned hardware.
On COPE devices managed through Applivery, policies and permissions apply fully and exclusively to the work profile, while the personal profile remains protected from administrative control. This also means that certain actions—such as blocking factory resets, enforcing device-wide restrictions, or automatically granting sensitive permissions through managed properties—are not technically possible.
Understanding these constraints is essential when designing corporate policies, ensuring that management strategies are aligned with COPE’s actual capabilities and Android’s built-in privacy protections.