Workspace ONE is a digital workspace platform that simply and securely delivers and manages any app on any device by integrating access control, application management, and multi-platform endpoint management. Follow the steps below to experience Workspace ONE on Android.
- Section 1: Register your Android device
- Download and install Workspace ONE
- Install Workspace Services on your device (Direct Enrollment)
- Section 2: Guided Work Experiences
- Native Apps: Boxer and Office 365
- SaaS Apps
- Horizon Apps
- Section 3:Understanding Security Features
- Data Loss Prevention
- Conditional Access
- Policies and Profiles
- Section 4: Enterprise Wipe
- Login to the Workspace ONE UEM Console and issue an Enterprise Wipe
Please ensure you have the following:
- A valid VMware TestDrive account.
- Microsoft Office 365 service enabled in the TestDrive Portal.
- An active Workspace ONE UEM (formerly VMware AirWatch) service in the VMware TestDrive Portal.
- Android device:
- Highly recommended OS level: Android 7.0+
- Minimum OS level: Android 5.0. If Android 6.0 or under, encrypt the device.
- Workspace ONE UEM Admin Role: Device Administrator at World Wide Enterprises
- Network access from your device and TCP port 443 enabled on your network
- For Horizon apps: TCP ports 80, 443; and if using PCoIP, both TCP & UDP 4712
On the device, navigate to Google Play and download VMware Workspace ONE.
Your TestDrive email address follows the below format:
If you're unsure what your TestDrive email address is, you can verify this in the TestDrive portal by following the steps below:
- Login to testdrive.vmware.com with your username and password
- Click on the dropdown next to Workspace ONE in the Ready to Use Experiences section to view your credentials
- Here you will find your TestDrive email address
Launch Workspace ONE and use your enrollment email to register.
Authenticate using your TestDrive user credentials.
Workspace ONE will begin to configure.
Choose the Enterprise - Corporate Owned Demo organization group (OG).
Next, you will be guided through Workspace ONE Direct Enrollment, beginning with the creation of the Android work profile. Please proceed.
On Samsung devices (pictured), your experience will differ slightly from other Android devices now that Samsung has integrated Knox APIs into Android enterprise. Note the blue Knox branding and badging on and in the work profile.
Accept the prompts.
Your device and Workspace ONE have completed enrollment when you see the below screen.
After Direct Enrollment, Workspace ONE will then guide you through setting up your device to make it compliant and provide recommended apps. If you miss a step or exit Workspace ONE, don't worry, Workspace ONE will return to the setup.
Set your work profile PIN—only for the work profile, not your device—and install the recommended apps. PIN complexity and apps are configurable in the Workspace ONE console.
Additionally, note the Workspace ONE notifications showing up in Android's native notification area, each badged with the work profile icon.
To enter the work profile, where Workspace ONE is located, use the Workspace app. Do not use the enrollment-initiating Workspace ONE app, which will be grayed out; if you do, you'll be presented with an error.
Note the badging on the the work apps.
Re-enter Workspace ONE.
Workspace ONE aggregates all the apps your employees need whether its a virtual app, web app, or native app. Underpinning it all is Workspace ONE's identity solution which provides single sign on and access policy controls to these apps regardless of what device type, enrollment status, or endpoint utilized.
In Bookmarks, users setup links their most used virtual and web apps.
In the Catalog, all the user's available apps are listed. Users can add web and virtual apps to Bookmarks; as well, native app installation is initiated from the Catalog. Review the list apps showing all of the assigned apps.
Open Boxer and demonstrate the streamlined user access. Because of Workspace ONE's hidden security processes, other than confirming one-time Android security prompts, there is no user interaction or credentials entry required. Both the app's settings and authentication certificate are configured by Workspace ONE UEM. Workspace ONE Access provides SSO.
Open the Recruiting PowerPoint email or any other email with an Office attachment matching your installed Office 365 app. Using Workspace ONE or Boxer's "open in" function (pictured below), you can install your chosen app.
Office 365 app setup will require you to enter your Office 365 email address which follows this syntax:
When prompted, choose the Workspace ONE managed certificate. You'll then be set to use all Office 365 apps in the work profile.
Next, show SSO into another Office 365 native app. Install one of the remaining Office 365 apps. Launch it. You'll be provided unfettered access to the other native apps.
Now try a web app. In Workspace ONE, find the Office 365 web app and launch it.
Android will prompt you to allow the authentication certificate provided by Workspace ONE.
After allowing the cert just this once, you'll be able to access to your Office 365 instance.
Next, let's see the user experience when opening a Horizon app.
Go back to Workspace ONE. We have our Horizon environments divided by region. Search for the Visio 2016 Horizon app for your region from the options below:
Once you find the Visio horizon app for your region click to launch the app. It will open into either the native Horizon app if you have it downloaded or HTML access if you do not have the Horizon app downloaded.
Finally, let's launch the VMware Browser and tunnel to an internal site. You can download the VMware Browser native app from Workspace ONE.
In tandem with the VMware Tunnel (VPN), VMware Browser securely accesses internal corporate websites. The VMware Browser allows you to access important websites on your device while allowing your organization to ensure you're maximizing your productivity.
Note the landing page is hosted on an internal server.
Additionally, show VMware Browser's blacklisting. Browser is setup in restricted mode. Tap either the Facebook or Twitter link to show those sites are blacklisted.
Workspace ONE brings data loss prevention, conditional access, plus policies and profiles to your users and devices.
First, we'll look at data loss prevention (DLP) controls. Return to Boxer. Copy some of the text from one of the demonstration emails.
While in the work profile, show the protected clipboard's contents by pasting the copied text into another Boxer email. The clipboard will paste the contents.
Next, switch to a messaging app on the personal side of the device, not in the Android work profile. When you attempt to paste the clipboard, you will NOT have access to the clipboard'd contents from Boxer in the work profile.
Moving forward, let's review conditional access. In Workspace ONE, find and launch the Patient Records SaaS (web) app.
You will be denied access to the site because your device it NOT on an approved network.
Finally, let's attempt to uninstall one of the protected apps, either VMware Browser or Workspace ONE. Apps can be designated protected apps to prevent accidental removal of key productivity apps.
The protected apps are not allowed to be uninstalled.
Workspace ONE can either be removed from within the Workspace ONE app by the user, or most commonly, by an enterprise wipe command issued from the console. An enterprise wipe performed by an admin can be sent either manually or automatically by a triggered compliance policy. When the enterprise wipe happens on Android, the entire work profile and all of its contents are removed. Enterprise wipes do not touch personal data.
Log in to Workspace ONE UEM Console. Find your device and send the enterprise wipe command. You may need to open Workspace ONE so that it can receive the command.
After the enterprise wipe, note how not only all organizational app access is now removed, but also the work profile has been removed. Also, be sure to state that no personal data was ever touched. All that remains is the initially installed Workspace ONE app, which should be disabled (grayed out).