Android - Corporate-Owned Single User Device

Updated on

Talking Points

  • VMware AirWatch 
  • Work Managed Device / Device Owner Mode (DO) is for corporate owned device use cases, where ONLY the managed persona will exist on the device –  there is no consumer device persona.
  • In device owner mode administrators have complete control of the device. This type of deployment is used for institutionally-owned devices that need to be locked down or in kiosk mode. 
  • There are currently four methods to enroll into work managed/device owner mode:
    • AirWatch Relay App - Admins NFC "bump" configure employee's new device. 
    • "Hashtag enrollment" or DPC identifier device provisioning (Android 6.0+) - Users enter unique "afw#airwatch" identifier during device's initial setup which sets work managed mode on the device. 
    • QR code enrollment (Android 7.0+) - From reset device's setup screen, QR code is scanned to put device in device owner mode. 
      Note: device needs scanning function during start-up.  Please consult the Android platform guide for more information. 
    • Zero-touch enrollment - Purchased devices can be shipped to users with management and settings pre-configured, enabling employees to use devices right out of the box.
      Note: Due to the requirement of accessing the zero‑touch online admin platform to set up specific device serial numbers, zero-touch is not available as a scripted demo in TestDrive.

Please reference the platform guide for more information on work managed/device owner mode.

AirWatch Relay App

Using AirWatch Relay to enroll as a device into Work Managed Device requires two Android 5.0+ devices—Samsung or Google device recommended—with NFC enabled: one admin device that runs the AirWatch Relay app and the user's device ("staging" device).  The user’s device must be factory reset.   


  • Demo is intended to show the restrictive nature of device owner mode in a corporate controlled use case. 
  • SAML is not supported by the AirWatch Relay app.

Using the Relay app, two NFC bumps put the staging device in DO mode. 

  • Bump One – Sets up Wi-Fi, encrypts device, and then downloads the agent

  • Bump Two – Enrolls the device out of box or factory reset device.

Enrollment credentials (basic account):

Server: airwatch.vmtestdrive.com Group ID: vado User: vado Password: vado

In the Relay app, configure Bump One and Bump Two:

Bump One (with Wi-Fi example):

Bump Two:

Bump One (with Wi-Fi example):

Bump Two:

If the reset device is not already encrypted, you’ll go through encryption, then the process will resume for bump 2.  

After a successful bump 2, using the above basic user credentials, the device will enroll into the “Company Owned” OG.

"Hashtag Enrollment" (DPC Identifier Device Provisioning)

  1. Reset Android 6.0+ device. Samsung or Google device recommended. 

  2. Setup Wi-Fi.

  3. At the Google ID screen, enter the AirWatch EMM DPC identifier: afw#airwatch

  4. Proceed through next screens, installing the AirWatch Agent...

  5. Enroll with service details, entering the below values for server and group ID...

  6. Enter the user credentials for the work managed device...

    Username: vado

    Password: vado

  7. Note the "setting the device owner" screen.  At this moment the DPC configuration is setting up as device owner, taking control of the entire device...

  8. Once enrolled, show the "Work Managed Device" status in the AirWatch Agent.

Work Managed Device View

Review the limited access and clean, institutional app landscape on the device.  As well, point out the silent installation of the organization's assigned native apps. 

The managed Google Play only lists the admin-approved apps for the work managed device.  There is no consumer Google Play access.  

Open VMware Browser to demonstrate secure tunneling. 

Corporate-Owned, Single-Use (COSU)

COSU, simply put, enables a device kiosk.  VMware AirWatch manages a single app mode profile that puts the chosen app, i.e., Showpad, into kiosk mode.  Once launched, the app can't be existed until the profile is admnmistratively removed by VMware AirWatch. 

To further demonstrate the abilities of device owner mode and "COSU," launch the Showpad app.  Upon launch, "lock-to-app mode" will be turned on. 

The Showpad app, itself, has a demonstration mode you can use when demoing COSU.  Click "try a demo," enter the app, and allow it to update.  Use the app to demonstrate the single-purpose kiosk.

In the AirWatch console, the COSU profile looks like this:

In the console, remove the "Android - COSU" profile and watch the device return to its pre-COSU state. 

If you need help, or have questions, please email TestDrive support.

Previous Article Multi-Factor Authentication in the Intelligent Hub
Next Article Experience Workspace ONE on macOS