This walkthrough will show you how to enroll and begin demonstrating a corporate-liable device as a Work Managed Device (also known as Device Owner mode). A device enrolled as a Work Managed Device is completely controlled by the organization. In other words, the device has no personal space.
Prep
Here's what you need in order to complete this walkthrough:
- A valid VMware TestDrive account. Sign up here.
- An active Workspace ONE UEM (formerly VMware AirWatch) service in the VMware TestDrive Portal. Instructions are here.
- Factory reset Android device:
- Highly recommended OS level: Android 7.0+
- Minimum OS level: Android 6.0 (for "hashtag" enrollment)
- NO EXISTING DEVICE RECORD in testdrive.awmdm.com
- Admin role: Device Administrator at World Wide Enterprises
- Network access from your device and TCP port 443 enabled on your network
- Reference the platform guide for more information.
- If you have questions, please send an email to this address.
Introduction
A device enrolled as a Work Managed Device is designed for 100% corporate-liable devices that are used exclusively by the organization. Workspace ONE UEM admins manage the entire Work Managed Device which has levels of control suitable for the most secure organizations in the world.
Enrollment
Talking Points
- The Work Managed Device is for corporate owned device use cases, where ONLY the managed work persona will exist on the device. There is no personal space on a Work Managed Device.
- A Work Managed Device is used by organizations who need 100% control of the device's contents, either by preference or regulation.
- Line-of-business devices, such as rugged Android devices which need to be locked down or in "kiosk" mode, are Work Managed Devices.
- There are currently four (4) admin-friendly methods to enroll a Work Managed Device:
- "Hashtag enrollment" or DPC identifier device provisioning (Android 6.0+) - After a factory reset, at the 'enter Google ID' screen, users enter the unique DPC identifier which initiates Workspace ONE Intelligent Hub enrollment as a Work Managed Device.
- AirWatch Relay App - Admins NFC "bump" configure employee's new device. An admin "staging" device is required in addition to the user device being set up.
- QR code enrollment (Android 7.0+) - From a factory reset device's setup screen, QR code is scanned to put device in device owner mode.
- Zero-touch enrollment - Purchased devices can be shipped to users with management and settings pre-configured in Workspace ONE UEM. When the user turns on the device, without touching it, the device sets up as a Work Managed Device.
(Due to the requirement of accessing the zero‑touch online admin platform to set up specific device serial numbers, zero-touch is not available as a configured demo in TestDrive.)
DPC Identifier "Hashtag" Enrollment
For simple device enrollment, follow these steps:
- Factory reset the device.
- Proceed with Android device setup, configuring your local Wi-Fi.
- When prompted for the Google ID, instead of an email address, enter the Android Enterprise DPC identifier for Workspace ONE UEM:
afw#hub
- When prompted, download and install the Intelligent Hub.
- After the Hub launches, enroll using your Workspace ONE UEM enrollment email. Your enrollment email address is listed in under My Products > Empower Digital Workspace tab > Workspace ONE UEM card.
- When prompted for the group ID (OG), choose Enterprise - Corporate Owned Demo.
- At the Workspace ONE login, authenticate with your TestDrive user credentials:
- Username: TestDrive username
- Password: TestDrive password
Proceed through Android setup and Workspace ONE UEM enrollment. Accept all prompts and complete the configuration, setting up the Work Managed Device.
Work Managed Device View
Talking Points
- Work Managed Devices have a clean, minimal Android app landscape.
- Being institutionally-owned there's no visual cue needed to differentiate between work and personal, so apps are not badged with the red/white briefcase icon seen in the work profile.
- Google system apps can be managed and removed, if desired.
While the device setup process appears, on the surface, to be the same as a work profile configuration, it is not. On a Work Managed Device, the Hub is an administrative app which is set up as device owner for 100% institutionally-controlled use.
Continue accepting all prompts to complete enrollment.
VMware Workspace ONE Intelligent Hub
Review the limited and clean app landscape on the device. As well, note the silent installation of the organization's assigned native apps.
Talking Points
- The Workspace ONE Intelligent Hub integrates the AirWatch Agent and Workspace ONE app into a unified workspace that drives employee engagement through a cross-platform user-focused experience.
- The Workspace ONE Intelligent Hub is the user's single destination to securely access, discover, connect with, and take action on corporate resources, teams, and workflows wherever they are and from any device.
- Integrated app catalog improves end user engagement and experience with a consumer-inspired store.
- The Hub's workspace area sits on top of the agent which provides provides the critical IT management functions.
- Delivers any application from the latest mobile cloud apps to legacy enterprise apps. Simple, one-stop access to all apps: native, web, virtual, VDI, and RDS apps!
- Internal web apps through a secured browser and seamless VPN tunnel
- SaaS apps with SAML-based SSO and provisioning framework
- Native Chrome OS apps through brokerage of public store.
Use Intelligent Hub to review app management—not Google Play for Work.
After enrollment is complete, you're greeted by the Workspace ONE Intelligent Hub's enhanced user workspace. Each Hub section is accessible at the bottom of the Hub UI.
- Apps - all mobile, web, and virtual apps
- Notifications - UEM notifications
- Home page - customizable web page configured for the TestDrive KB
- People Search - organizational contacts search
- Hub settings (upper right, user initials icon) - agent/IT menus
Workspace ONE Assist
When prompted, set the password on the device, as configured by the Workspace ONE UEM profile.