Android - BYO Device Management


This walkthrough will guide you through Android enterprise device management in TestDrive as seen in a typical BYOD use case.  The work profile allows organizations to manage all business data and apps, while leaving the user's personal space untouched.

Before You Begin

Here's what you need: 

  • A TestDrive account.  Sign up here.
  • An active Workspace ONE UEM service in the VMware TestDrive portal.
  • An active Office 365 service in the VMware TestDrive portal.
  • Android device:
    • Highly recommended OS level: Android 7.0+
    • Minimum OS level: Android 5.0. 
    • If Android 6.0 or under: encrypt the device beforehand.
  • Install Microsoft Excel, or other Office 365 app, from Google Play prior to enrollment.
  • No existing device record in TestDrive. 
  • The Workspace ONE Intelligent Hub app
  • Workspace ONE UEM enrollment email address:  [email protected]
  • Admin role in testdrive.awmdm.com: Device Administrator at World Wide Enterprises
  • Network access from your device and TCP port 443 enabled on your network
  • For Horizon apps: TCP ports 80, 443; and if using PCoIP, both TCP & UDP 4712
  • The platform guide for reference.

As we are all aware, either by corporate directive or user desire, personal device usage is becoming commonplace in an enterprise setting.  They key to this situation is that the device contains both personal information that the enterprise neither wants nor needs to control and enterprise data that must not be compromised.

The Android solution, as of Android 5.0 (API level 21), is to create managed profiles on devices.

Android enterprise APIs are built into the Android OS and managed by Workspace ONE UEM at no extra cost.

There are two modes for Android enterprise.  This walkthrough entails the work profile.

  • The work profile is created on devices that have Android configured with the consumer persona, therefore it's referred to and used as BYOD.
  • Corporate-owned devices with no need for a consumer persona are enrolled—after a factory reset—as a Work Managed Device.  The organization has 100% control of the device and apps.
Talking Points
  • Android has two enrollment options: Work profile enrollment and Work Managed Device enrollment, each having additional enrollment options to suit an organization's needs.  Work profile enrollment is the typical enrollment and is discussed in this walkthrough.   Work profile enrollment is used when the device already has Android running with a consumer persona on it.  Work Managed Device enrollment is used on factory reset, corporate-owned devices.
  • Enrollment is as simple as downloading the Workspace ONE Intelligent Hub, following a few prompts, and authenticating with your organization's credentials.

Download and install the Workspace ONE Intelligent Hub from Google Play.

Use your Workspace ONE UEM enrollment email to initiate enrollment.

Choose the enrollment OG: Enterprise - BYOD Demo.

At the Workspace ONE sign-in, authenticate with your TestDrive user credentials.

<p>       Enter your TestDrive username and password. </p>

After successful authentication, you'll soon see the privacy notification which states Workspace ONE security policy—in the user's localized language—as configured in the Workspace ONE UEM console.

Also, after the privacy notice, the data policy is presented.


Continue and set up the work profile on your device.

Android and Workspace ONE UEM will complete device configuration.  The device will enroll into  Workspace ONE UEM and provisioning will commence with profiles and apps.

One of the first signs of a successful enrollment is the work profile's passcode policy is installed.

Work Passcode
Talking Points
  • The work profile is a container, protecting only work apps and data.
  • For Android 7.0+ devices, Workspace ONE UEM can manage a work passcode profile, of configurable complexity, for the containerized apps.
  • The work passcode applies only to work apps so users don't have to enter complex passwords each time they unlock their BYO device.

After enrollment, the first thing the user is required to do is to set the work passcode.

Upon device lock, Android and Workspace ONE will lock down all work apps.  After resuming the device, the user is able to use all personal apps, but the work apps will remain locked until authenticated with the work passcode.  The work passcode is unrelated to any personal passcode set up on the device.

Workspace ONE Intelligent Hub
Talking Points
  • The Workspace ONE Intelligent Hub integrates the AirWatch Agent and Workspace ONE app into a unified workspace that drives employee engagement through a cross-platform user-focused experience.
  • The Workspace ONE Intelligent Hub is the user's single destination to securely access, discover, connect with, and take action on corporate resources, teams, and workflows wherever they are and from any device.
  • Integrated app catalog improves end user engagement and experience with a consumer-inspired store.
  • The Hub's workspace area sits on top of the agent which provides provides the critical IT management functions.

After enrollment is complete, you're greeted by the Workspace ONE Intelligent Hub's enhanced user workspace.  Each Hub section is accessible at the bottom of the Hub UI.

  • Apps - all mobile, web, and virtual apps
  • Notifications -  UEM notifications
  • Home page - customizable web page configured for the TestDrive KB
  • People Search - organizational contacts search
  • Hub settings (upper right, user initials icon) - agent/IT menus


The Hub's primary Apps view is the app catalog.  The catalog's sections are managed by the admin in the Workspace ONE Access console. Apps can be organized by favorites, recommended, new, and categories.

Viewing by each category provides the comprehensive app list view of all assigned apps and their statuses.



Notifications improve productivity by alerting users about important events with workflows.

Home Tab

The home tab, with customizable title and URL, centralizes information access by embedding intranet or a company resources portal.

People Search

Search the entire organization's contacts from within the Workspace ONE Intelligent Hub!

Due to GDPR, and TestDrive having real user data, fake users are set up for People Search.  The following are the available contacts.

<p>Alexander Mogilny, Diane Brown, Don Martin, Jake Tabasco, Kim Johnson, Kit Meadows, Priti Patel, Ramesh Shah, Ron Gooden, and Susan Britt </p>

Peers view is the primary People Search view.  It's not seen in TestDrive. Due to the absence of a relationship with the make believe contacts and you, an actual user, there are no contacts to populate the primary peers view.  So, the main People Search view simply refers to search.

Tap the People menu at the bottom of the Hub.  On the top of the view, use the search icon begin searching for a contact from the above list.


Agent Menu

The familiar, but completely redesigned, agent menus are underneath the workspace. On the upper right corner of the catalog, tap the user icon to access the agent menus.


Exit the Hub and enter the Android workspace.  Android workspace apps are identified by their work-badged icon.

Note the apps that have been automatically deployed.  These apps began silently installing at the end of enrollment.

Device profiles also setup in an instant, both securing the device's work area and providing functionality to the containerized work apps.

Work vs Personal
Talking Points
  • This managed profile, or work profile, is a separate container from the user’s personal space.
  • Workspace ONE UEM restrictions profiles provide a second layer of device data protection by allowing you to specify and control how, when and where employees use their devices.
  • The work profile is a secure area on the device providing native DLP. Coupling native with optional Workspace ONE UEM DLP app security, admins can provide twice the fortification of an organization’s critical data.
  • DLP controls are intended to reduce accidental data loss, the leading cause of data loss.

Use Boxer to demonstrate containerization of work apps versus personal.  After completing the initial Boxer configuration, which authenticates with a cert managed by Workspace ONE UEM, open an email and copy some text from its body.  Demonstrate that there is text on the clipboard by pasting in another email.

Open a personal app that accepts paste, such as personal Gmail. Attempt to paste. A paste option will not be present.

VMware Boxer
Talking Points
  • Boxer provides the holy grail of enterprise email:  a great user experience + enterprise grade security.
  • Bulk actions, calendar availability, predictive folders, and customizable settings are just a few of the coveted usability functions in Boxer.
  • 256-bit encryption
  • Built-in compliance engine allows for Workspace ONE UEM to block or wipe Boxer enterprise data.
Workspace ONE Web
Talking Points
  • The Workspace ONE Web app allows you to access important websites on your device while allowing your organization to ensure you're maximizing your productivity.
  • In tandem with the Workspace ONE Tunnel, Web securely accesses internal corporate websites.
  • Browser may be configured in either restricted mode and kiosk mode.

Note the landing page is hosted on an internal server.  Copy the internal URL and paste it into a personal side browser and watch it fail.

Browser is setup in restricted mode.  Tap either the Facebook or Twitter link to show they are blacklisted.

Application Control
Talking Points
  • Application Control allows admins to set up certain apps as “required” apps.
  • A required app cannot be uninstalled by the user. 
  • Because ALL app installs are, by design, admin controlled, setting up “required” apps prevents users from accidentally removing critical business apps.

Both Workspace ONE Tunnel and VMware Workspace ONE are setup as required apps.  Attempt to uninstall either one and show the prevented uninstallation.

Native App Certificate Based Authentication (CBA) 
Talking Points
  • Provide seamless access to all enterprise apps with Workspace ONE with configurable certificate and/or username/password authentication.
  • Allow only managed access to Office 365 native apps.  Only the managed app is allowed to authenticate to the Office 365 instance—not Office 365 personal apps.
  • Access is automatically revoked as soon the device is detected as compromised, a user becomes de-activated, or a device is enterprise wiped.

With an available managed Office 365 app (Outlook, Excel, Word, or PowerPoint), use your TestDrive Office 365 email address to sign in.  At the certificate prompt, select the user certificate managed by Workspace ONE UEM to access the Office 365 instance.

AppConfig sets the user's email address in the Office 365 app.  To utilize the configuration (middle image below), bypass the Office 365 app's initial sign in screen (sign in later), and then sign in.

Office 365 account: [email protected]vmtestdrive.com


To demonstrate managed access, attempt login to the same Office 365 app on the personal side.  The app will not be configured with the email address or certificate thus restricting its access. 

VMware Workspace ONE SSO

Demo flow is temporarily unavailable.

Talking Points
  • Workspace ONE provides the simple and secure access to all enterprise apps.  Enterprise grade security on the backend, but consumer simple on the front end.
  • You’ve already signed into Workspace ONE, so there’s no more need to sign in to your apps.
  • Multi-factor authentication (MFA) is also configurable to harden your most secure apps.

Several app SSO methods are available for demonstration using web apps (e.g., Dropbox or Salesforce web apps), Horizon apps, and the Salesforce mobile app. Use the Salesforce mobile app to demonstrate Android Mobile SSO.

Android Mobile SSO is a silent certificate authentication method facilitated by the VMware Tunnel app's certificate. Therefore, the device needs to have both the Tunnel app and the Salesforce app set up on the Android device.

Push the Salesforce mobile app to your device.  (While it's installing, launch the automatically-deployed VMware Tunnel app and quickly verify the Tunnel is configured).

Launch the Salesforce mobile app.  Workspace ONE UEM has set the app's Salesforce cloud tenant using AppConfig settings configured in the managed Salesforce app.

When you observe the app UI 'spin' through sign-in, that's Android Mobile SSO happening!  You'll know sign-in has successfully completed when you see the Salesforce app's "Allow Access?" screen.  Screenshots are not allowed inside the Salesforce app.

Without AppConfig and Android Mobile SSO managed by Workspace ONE, users might be fumbling with account information and creating help desk tickets for Salesforce access.

Workspace ONE Tunnel and Per-App VPN
Talking Points
  • In order to keep corporate data secure and completely within the enterprise, designated apps may be configured with per-app VPN, where its data will be securely tunneled into the remote enterprise network.
  • Per-app VPN uses the VMware Tunnel and is easily setup in Workspace ONE UEM application management.

If not already performed in the Android Mobile SSO section, ensure the VMware Tunnel app's configuration has completed successfully.  Launch the Tunnel and show its configuration.

In Workspace ONE, find the HR Form website and open it with Brave.

Note the VPN tunnel connection key icon on the device's status bar.  Also, in the VMware Tunnel app, where VPN status is monitored, the "Enterprise Server" status will change to "connected."

You should be granted access to the internal site hosting the HR form.

To demonstrate the containerized per-app VPN, outside of the work profile, open a browser on the personal side of the device. Enter the same URL.  The personal browser will not be able to connect to the HR form.

Chrome Settings
Talking Points
  • Chrome, Android enterprises native browser, may be customized, as well as restricted, like an internal corporate browser.
  • Chrome’s cookie handling, pop-ups, java script, images, password manger, history, search parameters, incognito mode, and much more can be configured by Workspace ONE UEM.

Open Chrome, go to the menu, and show incognito mode is unavailable.  Also, if you browse to either facebook.com, twitter.com, or pinterest.com they will be blocked.

Talking Points 
  • Workspace ONE UEM Gmail configuration supports Microsoft EAS.
  • Organizations can provide users a familiar and often-preferred email client for business use.
  • Gmail replaces Google Divide, which has been deprecated. 

The Gmail profile is an optional profile.  Push the profile to the device.  After the profile is installed the Gmail app will appear in the work profile and  appears and should be configured, ready to demo.

Console Configuration
Talking Points
  • Modern Android enterprise management configuration is a simple setup. Google console administration is no longer required.
  • If you don’t have a Google presence whatsoever, initiated from the Workspace ONE UEM console, a quick, guided creation of a new Gmail account will kick off a fully automated Google-AW registration process.
  • System configuration can be completed in about one minute.

The "Device Administrator at World Wide Enterprises" role does not provide access to this system setting.  To view this and other system settings, you may use your Workspace ONE UEM Sandbox which is available in the TestDrive portal under the "Sandbox Experiences" section.

During enrollment, the Intelligent Hub intelligently detects the enrollment group’s Android registration status and initiates work profile creation on the device.

App Management 
Talking Points
  • All of Google’s vetted public applications are available for Android enterprise.  Same apps with the same functionality.  Administrators approve apps for organizational use.
  • Public apps can be approved in a couple ways:
    • In Workspace ONE UEM the familiar app management flow can be followed, with the addition of a couple streamlined Google Play for Work approval steps.  Admin never leaves the Workspace ONE UEM console.
    • Apps can be approved directly in Google Play.  After Google Play approval, in Workspace ONE UEM, the apps are imported in bulk by the admin who then completes their setup using standard Workspace ONE UEM app management.
  • Internal apps, such as apps pushed to beta testers, are also managed thru Google Play, but are not available to the public.  Internal apps are managed in the Google Play Developer Console using the same Android enterprise registration account.
  • As of Workspace ONE UEM 9.2, with Work Managed Device enrollment for corporate-owned devices, internal apps can be pushed from Workspace ONE UEM's internal app management.

The "Device Administrator at World Wide Enterprises" role doesn't provide access to app administration.  To view this and other protected areas, remember to use your sandbox with the AirWatch Administrator role.

Below is a screenshot from searching for and approving a public app within the familiar Workspace ONE UEM app flow.  Note the "unapprove (approve)" and "approval preferences" functions which are the app management controls unique to   Google Play for Work.

Below is the app admin view after apps are first approved in   Google Play for Work. In Workspace ONE UEM, admins simply click "Import from Play" to add all the work apps. After import, apps are available for assignment.

Enterprise Wipe
Talking Points
  • Enterprise wiping a device removes all corporate data and control from the device—NO personal data is touched.
  • An enterprise wipe may be either manually performed by an admin or, if allowed by policy, a user.
  • An enterprise wipe may be configured to be triggered via compliance policy.

Push an enterprise wipe command to the device from the console.

On the device, note the removal of ONLY the corporate data. No data or apps outside of the work profile were ever touched.

Previous Article Workspace ONE Access Sandbox Walkthrough
Next Article DWPG Notes for VMware Employees