wiki: user-profiles
User profiles
Since Lollipop, the Android Open Source Project (AOSP) has provided the option to enable multiple user profiles on tablets; this feature was added to phones with Marshmallow.
User profiles can be created and deleted from Settings > System > Multiple Users. It is also possible to hide user profiles with the on/off toggle found here.
User profiles are switched by clicking on the user avatar found next to the settings gear ⚙ in the quick tile tray. The avatar can be changed in Settings > About phone > Emergency information.
User profiles provide the possibility to have a number of heavily isolated user environments, which are, in many ways, like having a separate phone.
Each user profile has its own home screen, storage, contacts, calendar, apps, app list, VPN service, keyboard and clipboard. There is no simple way to share data with another user profile on the device.
The main user profile has some special admin powers, has to be logged in first, and always runs in the background. The main user can see all apps installed on a device and uninstall non-system apps from the device, removing them and their data from all user profiles.
There are some apps that currently only work if installed in the main user, including Termux, Shelter, Island/Isolate.
To receive SMS in a secondary user, it is necessary to be using the default AOSP SMS app, Messaging, in both the main and secondary user.
Devices with File Based Encryption (which was introduced in some devices in Android 7, and became mandatory in Android 10) have the user data of each user profile separately encrypted. The data is decrypted when a user logs in. Restarting the device flushes all user data. Deleting a user profile destroys the keys used for encrypting the user data, making the data unrecoverable.
Installing the same app in multiple user profiles
When installing an app in a user profile that is already installed in another profile, the app needs to be the same or a newer version and have the same signature (e.g. both apps came from F-Droid or the Play Store). The package manager of a device keeps one copy of each app, so updating it in any user profile updates it in all. Each profile has its own app data for any given app.
F-Droid often doesn't have the latest version of their app available from their home page, which can make adding it to a new profile confusing if you have the latest installed in another profile. You can get the latest version here. Make sure to tap on DOWNLOAD APK under the latest version, rather than DOWNLOAD F-DROID at the top of the page.
System VPN settings
Before Android 12, the focused user profile has control of networking: an app using the system VPN service to route traffic also routes traffic from other active user profiles. With Android 12, VPNs active in each user profile continue to route their traffic when the profile is in the background.
There is a bug, fixed with the release of Android 11, where, if the setting to block all connections without VPN is set on more than one profile, this toggle is switched when changing between profiles.
Logging out
Switching to a different user profile does not log the user out; apps can continue to run in the background. To avoid apps running, they can be 'force stopped' before leaving a user profile. Alternatively, the device can be restarted, which, on devices with file based encryption, flushes the encryption keys for all profiles on the phone. Following the switch to Android 11, GrapheneOS enabled logging out of secondary user profiles using the 'end session' option in the power menu.
User profile backups
Seedvault
If present on the device, Seedvault is sometimes not enabled in secondary users. In this case it is possible to use adb (see warnings) to enable Seedvault in secondary users.
Use
adb shell am get-current-user
to find the numeric ID (e.g. 10) of the user profile currently in use. Use this number in place of [ID] in the following commands:
adb shell bmgr --user [ID] activate true
adb shell bmgr --user [ID] transport com.stevesoltys.seedvault.transport.ConfigurableBackupTransport
You can check that the commands were successful using
adb shell bmgr --user [ID] list transports
Restore backup to secondary user profiles
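The adb steps given above for enabling Seedvault in a secondary user, combined into one script that validates the user ID and checks the result (an added example, not part of the original wiki page or of Seedvault). The function names are hypothetical, and it assumes that bmgr list transports marks the selected transport with a leading "*".

```shell
#!/bin/sh
# Added example: enable Seedvault for the user profile currently in use, then verify.
SEEDVAULT_TRANSPORT="com.stevesoltys.seedvault.transport.ConfigurableBackupTransport"

# Reduce `am get-current-user` output to a bare numeric ID; fail on anything else
# so that a device error message is never passed on to bmgr as a user ID.
parse_user_id() {
    id=$(printf '%s' "$1" | tr -d '[:space:]')
    case "$id" in
        ''|*[!0-9]*) return 1 ;;
    esac
    printf '%s\n' "$id"
}

# Succeeds only if the Seedvault transport is the selected ("*") entry
# in the given `bmgr list transports` output.
seedvault_is_current() {
    printf '%s\n' "$1" | tr -d '\r' |
        awk -v t="$SEEDVAULT_TRANSPORT" \
            '$1 == "*" && $2 == t { found = 1 } END { exit !found }'
}

enable_seedvault() {
    uid=$(parse_user_id "$(adb shell am get-current-user)") || {
        echo "could not determine the current user ID" >&2
        return 1
    }
    # User 0 is the main user; this procedure is for secondary users.
    if [ "$uid" -eq 0 ]; then
        echo "current user is the main user (0); switch profile first" >&2
        return 1
    fi
    adb shell bmgr --user "$uid" activate true || return 1
    adb shell bmgr --user "$uid" transport "$SEEDVAULT_TRANSPORT" || return 1
    seedvault_is_current "$(adb shell bmgr --user "$uid" list transports)"
}

# Only touch a device when explicitly asked to.
if [ "${1:-}" = "--run" ]; then
    enable_seedvault && echo "Seedvault is the active transport"
fi
```
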
If a Seedvault backup is made available, on app install, user data should be restored from Seedvault to the app.
It is also possible to manually activate the Seedvault restore activity.
It may be possible to do this from within Seedvault, or in some other cases using the Activity Launcher app, or, when connected by adb, it's possible to use
adb shell am start-activity -a com.stevesoltys.seedvault.RESTORE_BACKUP
Communication between user profiles
Each profile has strict isolation provided by having its own security level in the multi-level security (MLS) that is enforced by SELinux. Apps in different profiles are blocked from most inter-process communication.
GrapheneOS introduced notifications forwarding, which makes it possible for notifications received in one user profile to fire a notification in other user profiles.
It's possible for users to share data across profiles using:
Networking
A webserver can be set up in a profile and accessed from another. Using 127.0.0.1 keeps data on device, but available to all apps with network permission.
USB Storage
Storage the user has manually inserted into the device can be accessed from any user profile. You may need to remove and reinsert the storage following switching to a different user profile.
Work profiles
Work profiles are a special type of user profile, with its own apps, storage, contacts etc., that shares the phone operating environment with the user profile (known as the personal profile) in which it was created.
The work profile shares the same home screen with its parent personal profile, apps from both profiles are shown in the recent apps viewer, and you receive notifications from both profiles. It is possible to quickly swap between apps in work / personal profiles, and it can be possible to share data between apps in either profile using the standard share functionality available in apps.
Work profiles are initiated by an app which defines how porous the boundary between the work and personal profile will be. You can see where permissible cross profile intents are defined in Shelter.
Unlike a secondary user profile, apps in a work profile can run as foreground apps, and potentially record stuff happening in the personal profile.
There are other ways, including apps in a personal profile being able to detect the presence of apps in the work profile, in which the boundary of a work profile is more porous than that of a separate user profile.
Generally, work profiles are designed to be managed remotely by an employer via a profile manager app, which may also be the app that activates the work profile, often in a Bring Your Own Device (BYOD) scenario. Remote management is performed using something like Flyve mobile device management services.
The stock app launcher, and some others, have support for work profiles, giving an extra app drawer for the apps in the work profile. At the bottom of its app drawer is a toggle to log out of the work profile.
Once a work profile is activated various work profile related settings are exposed in the Android settings menus. Work profile app permissions, and app info, can be found alongside the app info for the personal profile.
Shelter
The Shelter app activates the work profile and enables you to control the work profile, on the device, via the Shelter app. You can clone apps to your work profile (but not any app data) and manage apps in your work profile using Shelter. On older versions of Android cloning apps can be temperamental; restarting Shelter can help.
Files and media can be shared between apps in the work and personal profile using share functions available in apps. It is possible to store these files in the other profile by sharing them into a storage provider app or an app like Save on Device. Using the NeoLinker app you can share a URL into the other profile, then use the Easy Open Link app, in that profile, to open it in a browser.
Shelter has device admin permission over the work profile, which gives it more power than the device user over what happens there, a big problem if somebody manages to gain control of Shelter. It is strongly advised not to grant Shelter device admin over the personal profile.
Both profiles share the same clipboard. The Magikeyboard in KeePassDX provides a safe way to avoid leaking passwords into the other profile via the clipboard.
Apps in the Shelter work profile keep running in the background the same as if they were in the personal profile.
Logging out
The work profile can be logged out, and all apps stopped, using the toggle at the bottom of the work profile app launcher. To stop the work profile being logged in along with the main profile after the device starts, a separate lock can be set in Settings > Security.
Cross profile data leaks
If a work profile has been activated on a device, then apps installed in the owner user can see which other apps are installed in all users and work profiles on the device. GrapheneOS fixed this leak in an update on 6th November 2022.
Until Android 10, apps in one user profile could see that apps in another user profile were making network connections and what these connections were, though the app name is kept anonymous. This information is made available to apps by viewing /proc/net. Android 10 blocks app access to /proc/net, which stops this inter-profile information leak.
On Android 9 or earlier you can view this network data, which is available to any app with network access, by installing the Net Monitor app available from the F-Droid app repository.
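To show what the Android 10 restriction hides, this added example (not from the original wiki page) decodes rows in the /proc/net/tcp format. The sample rows are constructed and the function names are hypothetical; the user number is derived from the uid column, which Android assigns as user ID * 100000 + app ID.

```shell
#!/bin/sh
# Added example: what a /proc/net/tcp row discloses about another user profile.

# Constructed sample in /proc/net/tcp layout (not captured from a real device).
SAMPLE_PROC_NET_TCP='  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 0100007F:1F90 00000000:0000 0A 00000000:00000000 00:00000000 00000000 10123        0 1111 1
   1: 0A00A8C0:C350 0A0200C0:01BB 01 00000000:00000000 00:00000000 00000000 1010145        0 2222 1'

# The kernel prints IPv4 addresses as little-endian hex "AABBCCDD:PORT";
# reverse the byte order to get the dotted form.
decode_addr() {
    hex=${1%%:*}; port=${1##*:}
    a=$(printf '%s' "$hex" | cut -c7-8); b=$(printf '%s' "$hex" | cut -c5-6)
    c=$(printf '%s' "$hex" | cut -c3-4); d=$(printf '%s' "$hex" | cut -c1-2)
    printf '%d.%d.%d.%d:%d\n' "0x$a" "0x$b" "0x$c" "0x$d" "0x$port"
}

# Print the owning Android user and remote endpoint of each established
# connection. Only the numeric uid is present, never the app name.
summarise_connections() {
    printf '%s\n' "$1" | while read -r sl local remote st txrx timer retr uid rest; do
        case "$sl" in *:) ;; *) continue ;; esac   # skip the header row
        [ "$st" = "01" ] || continue                # 01 = ESTABLISHED, 0A = LISTEN
        printf 'user=%d remote=%s\n' "$((uid / 100000))" "$(decode_addr "$remote")"
    done
}

summarise_connections "$SAMPLE_PROC_NET_TCP"
```
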