Android BYO Device Management

Updated on

This walkthrough will guide you through Android enterprise device management in TestDrive as seen in a typical BYOD use case.  The work profile allows organizations to manage all business data and apps, while leaving the user's personal space untouched.

Before You Begin

Here's what you need: 

  • A TestDrive account: Getting Started with TestDrive
  • An active Workspace ONE UEM service in the VMware TestDrive portal.
  • Android device:
    • Highly recommended OS level: Android 7.0+
    • Minimum OS level: Android 5.0. 
    • If Android 6.0 or under, you must encrypt the device beforehand.
  • For email and Office 365 demos, an active Office 365 service in the VMware TestDrive portal.
  • For Android Mobile SSO demos, Office 365,  Dropbox, or Zoom services must be enabled in the TestDrive portal.
  • No existing device record in TestDrive. 
  • Admin role in Workspace ONE UEM: Device Administrator at World Wide Enterprises
  • Network access from your device and TCP port 443 enabled on your network
  • For Horizon apps: TCP ports 80, 443; and if using PCoIP, both TCP & UDP 4712
  • The platform guide for reference.


As we are all aware, either by corporate directive or user desire, personal device usage is becoming commonplace in an enterprise setting.  They key to this situation is that the device contains both personal information that the enterprise neither wants nor needs to control and enterprise data that must not be compromised.

The Android management solution, as of Android 5.0 (API level 21), is to create managed profiles on devices, which are enabled by enterprise APIs. Android enterprise APIs are built into the Android OS and managed by Workspace ONE UEM at no extra cost.

There are two modes for Android enterprise.  This walkthrough entails the work profile.

  • The work profile is created on devices that have Android configured with the consumer persona, therefore it's referred to and used as BYOD.
  • Corporate-owned devices with no need for a consumer persona are enrolled—after a factory reset—as a Work Managed Device.  The organization has 100% control of the device and apps.


Talking Points

  • Android has two enrollment options: Work profile enrollment and Work Managed Device enrollment, each having additional enrollment options to suit an organization's needs.  Work profile enrollment is the typical enrollment and is discussed in this walkthrough.   Work profile enrollment is used when the device already has Android running with a consumer persona on it.  Work Managed Device enrollment is used on factory reset, corporate-owned devices.
  • Enrollment is as simple as downloading the Workspace ONE Intelligent Hub, following a few prompts, and authenticating with your organization's credentials.

Download and install the Workspace ONE Intelligent Hub from Google Play. Enroll with your Workspace ONE enrollment email address which follows this format.

Choose the enrollment OG: Enterprise - BYOD Demo.

At the Workspace ONE sign-in, authenticate with your TestDrive user credentials.

After successful authentication, you'll soon see the privacy notification which states Workspace ONE security policy—in the user's localized language—as configured in the Workspace ONE UEM console. Also, after the privacy notice, the data policy is presented. Proceed.

Continue and set up the work profile on your device.

Android and Workspace ONE UEM will complete device configuration.  The device will enroll into  Workspace ONE UEM and provisioning will commence with profiles and apps.

One of the first signs of a successful enrollment is the work profile's passcode policy is installed.

Work Passcode

Talking Points

  • The work profile is a container, protecting only work apps and data.
  • For Android 7.0+ devices, Workspace ONE UEM can manage a work passcode profile, of configurable complexity, for the containerized apps.
  • The work passcode applies only to work apps so users don't have to enter complex pass
  • s each time they unlock their BYO device.

After enrollment, the first thing the user is required to do is to set the work passcode.

Upon device lock, Android and Workspace ONE will lock down all work apps.  After resuming the device, the user is able to use all personal apps, but the work apps will remain locked until authenticated with the work passcode.  The work passcode is unrelated to any personal passcode set up on the device.

After enrollment and provisioning has completed, your device's work profile should like this.

Workspace ONE Intelligent Hub

Talking Points

  • The Workspace ONE Intelligent Hub integrates the AirWatch Agent and Workspace ONE app into a unified workspace that drives employee engagement through a cross-platform user-focused experience.
  • The Workspace ONE Intelligent Hub is the user's single destination to securely access, discover, connect with, and take action on corporate resources, teams, and workflows wherever they are and from any device.
  • Integrated app catalog improves end user engagement and experience with a consumer-inspired store.
  • The Hub's workspace area sits on top of the agent which provides provides the critical IT management functions.

After enrollment is complete, you're greeted by the Workspace ONE Intelligent Hub's enhanced user workspace.  Each Hub section is accessible at the bottom of the Hub UI.

  • Favorites - Yor pinned apps
  • Explore
    • Apps - All mobile, web, and virtual apps
    • People - Organizational search of contacts
  • For You -  UEM notifications
  • Self-service - device status and Home page - customizable web page configured for the TestDrive KB
  • Hub settings (upper right, user initials icon) - agent/IT menus

Explore - Apps

The Hub's primary Apps view is the app catalog.  The catalog's sections are managed by the admin in the Workspace ONE Access console. Apps can be organized by favorites, recommended, new, and categories.

Viewing by each category provides the comprehensive app list view of all assigned apps and their statuses.

Search the entire organization's contacts from within the Workspace ONE Intelligent Hub.

The following fake co-workers are available to search. Due to GDPR, and TestDrive having real user data, fake users are set up for People Search. 

Alexander Mogilny
Diane Brown
Don Martin
Jake Tabasco
Kim Johnson
Kit Meadows
Priti Patel
Ramesh Shah
Ron Gooden
Susan Britt

In Explore, tap the People menu at the top and enter in one of the fake contacts.  

Peers view is the main landing page view in People Search.  However, it's not available in TestDrive due to the absence of a relationship with the make believe contacts and you, an actual user. 

For You

Organizational notifications appear hear.

When UEM is configured for Experience Workflows, your organization's integrated Workspace ONE services will have their actionable alerts will appear here.  

Self-Service Area

Custom Tab

The home tab, with customizable title and URL, centralizes information access by embedding intranet or a company resources portal. This tab is configured for the TestDrive KB.

Work vs Personal

Talking Points

  • This managed profile, or work profile, is a separate container from the user’s personal space.
  • Workspace ONE UEM restrictions profiles provide a second layer of device data protection by allowing you to specify and control how, when and where employees use their devices.
  • The work profile is a secure area on the device providing native DLP. Coupling native with optional Workspace ONE UEM DLP app security, admins can provide twice the fortification of an organization’s critical data.
  • DLP controls are intended to reduce accidental data loss, the leading cause of data loss.

Use Boxer to demonstrate containerization of work apps versus personal.  After completing the initial Boxer configuration, which authenticates with a certicficate managed by Workspace ONE UEM, open an email and copy some text from its body.  Demonstrate that there is text on the clipboard by pasting in another email.

Open a personal app that accepts paste, such as personal Gmail. Attempt to paste. A paste option will not be present.

VMware Boxer

Talking Points

  • Boxer provides the holy grail of enterprise email:  a great user experience + enterprise grade security.
  • Bulk actions, calendar availability, predictive folders, and customizable settings are just a few of the coveted usability functions in Boxer.
  • 256-bit encryption
  • Built-in compliance engine allows for Workspace ONE UEM to block or wipe Boxer enterprise data.
  • Access is automatically revoked as soon the device is detected as compromised, a user becomes de-activated, or a device is enterprise wiped.

MAM controls for Boxer are extensive. AppConfig sets the user's email address and authentication is set  for certificate auth, as well as watermarking the user's email address as a DLP measure.

Workspace ONE Web

Talking Points

  • The Workspace ONE Web app allows you to access important websites on your device while allowing your organization to ensure you're maximizing your productivity.
  • In tandem with the Workspace ONE Tunnel, Web securely accesses internal corporate websites.
  • Browser may be configured in either restricted mode and kiosk mode.

Note the landing page is hosted on an internal server.  Copy the internal URL and paste it into a personal side browser and watch it fail.

Browser is setup in restricted mode.  Tap either the Facebook or Twitter link to show they are blacklisted.

Application Control

Talking Points

  • Application Control allows admins to set up certain apps as “required” apps.
  • A required app cannot be uninstalled by the user. 
  • Because ALL app installs are, by design, admin controlled, setting up “required” apps prevents users from accidentally removing critical business apps.

Both Workspace ONE Tunnel and  Workspace ONE Intelligent Hub are setup as required apps.  Attempt to uninstall either one and show the prevented uninstallation.

Android Mobile SSO

Talking Points

  • Workspace ONE provides the simple and secure access to all enterprise apps.  Enterprise grade security on the backend, but consumer simple on the front end.
  • You’ve already signed into Workspace ONE, so there’s no more need to sign in to your apps.
  • Multi-factor authentication (MFA) is also configurable to harden your most secure apps.

Horizon apps also support SSO. See Horizon demo guides for more information.

A few mobile apps are set up for Android Mobile SSO:

  • Office 365 (Microsoft 365)
  • Dropbox
  • Zoom

Android Mobile SSO is a silent certificate authentication method facilitated by the VMware Tunnel app's certificate. Mobile SSO is an innovative method to facilitation client certificate authentication on Android.  The Tunnel app itself isn't performing VPN functions in Mobile SSO.

Launch either the Office 365 (Microsoft 365), Dropbox, or Zoom mobile app.  When you observe the app UI 'spin' through sign-in, that's Android Mobile SSO happening.

Without AppConfig and Android Mobile SSO managed by Workspace ONE, users might be fumbling with account information and creating help desk tickets for login troubles.

To demonstrate managed access, attempt login to your to the Office 365 app on the personal side. On the personal side the app will not be configured with the email address or Mobile SSO, thus restricting its access. 

Workspace ONE Tunnel and Per-App VPN

Talking Points

  • In order to keep corporate data secure and completely within the enterprise, designated apps may be configured with per-app VPN, where its data will be securely tunneled into the remote enterprise network.
  • Per-app VPN uses the VMware Tunnel and is easily setup in Workspace ONE UEM application management.

If not already performed in the above Android Mobile SSO section, ensure the VMware Tunnel app's configuration has completed successfully.  Launch the Tunnel and show its configuration.

In either the Hub web apps, find the HR Form website and open it using Brave.

In the VMware Tunnel app, where VPN status is monitored, the app will show it's now connected. You should be granted access to the internal site hosting the HR form.

To demonstrate the containerized per-app VPN, outside of the work profile, open a browser on the personal side of the device. Enter the same URL. The personal browser will not be able to connect to the HR form.

Chrome Settings

Talking Points

  • Chrome, Android enterprises native browser, may be customized, as well as restricted, like an internal corporate browser.
  • Chrome’s cookie handling, pop-ups, java script, images, password manger, history, search parameters, incognito mode, and much more can be configured by Workspace ONE UEM.

Open Chrome, go to the menu, and show incognito mode is unavailable.  Also, if you browse to either facebook.com, twitter.com, or pinterest.com they will be blocked using Chrome restrictions.


Talking Points

  • Workspace ONE UEM Gmail configuration supports Microsoft EAS.
  • Organizations can provide users a familiar and often-preferred email client for business use.
  • Gmail replaces Google Divide, which has been deprecated. 

The Gmail profile is an optional profile.  Push the profile to the device.  After the profile is installed the Gmail app will appear in the work profile and  appears and should be configured, ready to demo.

Console Configuration

Talking Points

  • Modern Android enterprise management configuration is a simple setup. Google console administration is no longer required.
  • If you don’t have a Google presence whatsoever, initiated from the Workspace ONE UEM console, a quick, guided creation of a new Gmail account will kick off a fully automated Google-AW registration process.
  • System configuration can be completed in about one minute.

The "Device Administrator at World Wide Enterprises" role does not provide access to this system setting.  To view this and other system settings, you may use your Workspace ONE UEM Sandbox which is available in the TestDrive portal under the "Sandbox Experiences" section.

During enrollment, the Intelligent Hub intelligently detects the enrollment group’s Android registration status and initiates work profile creation on the device.

App Management 

Talking Points

  • All of Google’s vetted public applications are available for Android enterprise.  Same apps with the same functionality.  Administrators approve apps for organizational use.
  • Public apps can be approved in a couple ways:
    • In Workspace ONE UEM the familiar app management flow can be followed, with the addition of a couple streamlined Google Play for Work approval steps.  Admin never leaves the Workspace ONE UEM console.
    • Apps can be approved directly in Google Play.  After Google Play approval, in Workspace ONE UEM, the apps are imported in bulk by the admin who then completes their setup using standard Workspace ONE UEM app management.
  • Internal apps, such as apps pushed to beta testers, are also managed thru Google Play, but are not available to the public.  Internal apps are managed in the Google Play Developer Console using the same Android enterprise registration account.
  • As of Workspace ONE UEM 9.2, with Work Managed Device enrollment for corporate-owned devices, internal apps can be pushed from Workspace ONE UEM's internal app management.

The "Device Administrator at World Wide Enterprises" role doesn't provide access to app administration.  To view this and other protected areas, remember to use your sandbox with the AirWatch Administrator role.

Below is a screenshot from searching for and approving a public app within the familiar Workspace ONE UEM app flow.  Note the "unapprove (approve)" and "approval preferences" functions which are the app management controls unique to   Google Play for Work.

Below is the app admin view after apps are first approved in   Google Play for Work. In Workspace ONE UEM, admins simply click "Import from Play" to add all the work apps. After import, apps are available for assignment.

Enterprise Wipe

Talking Points

  • Enterprise wiping a device removes all corporate data and control from the device—NO personal data is touched.
  • An enterprise wipe may be either manually performed by an admin or, if allowed by policy, a user.
  • An enterprise wipe may be configured to be triggered via compliance policy.

Push an enterprise wipe command to the device from the console.

On the device, note the removal of ONLY the corporate data. No data or apps outside of the work profile were ever touched.

Previous Article Workspace ONE Access Sandbox Walkthrough
Next Article Experience Workspace ONE on Android