iOS - Corporate Device Walkthrough (Direct Enrollment)

Updated on

Experience VMware Workspace ONE Intelligent Hub through the eyes of an employee who has been issued a corporate iOS device. In this walkthrough we will setup our iOS device with Intelligent Hub and access the sample corporate resources and features that have been configured within TestDrive.


  • Section 1: Register your iOS Device
    • Download VMware Workspace ONE Intelligent Hub
    • Install Workspace Services on your device (Direct Enrollment)
  • Section 2: Corporate Device Features
    • Workspace ONE
    • Privacy App
    • Device policies and restrictions
    • VMware Boxer (Enterprise Email)
    • App Config app (Zoom)
    • VMware Content Locker
    • VMware Browser
  • Section 3: Enterprise Wipe
    • Login to the Workspace ONE UEM Console
    • Delete your device record

Before You Begin

Before you begin this walkthrough ensure you have the following:

  • A valid account in the VMware TestDrive environment. Sign up here if you do not yet have an account
  • Activated the Workspace ONE UEM service from the My Services tab in the VMware TestDrive portal
  • Activated Dropbox and Office 365 from the My Services tab in the VMware TestDrive portal

Section 1: Registering your iOS Device

Ensure you're starting with an unenrolled iOS device. First, Navigate to the app store and download the VMware Workspace ONE Intelligent Hub.

Launch Hub

Once the app installs, launch the app and enter your TestDrive email address.

Locate your TestDrive Credentials

Your TestDrive email address follows the below format:


If you're unsure what your TestDrive email address is, you can verify this in the TestDrive portal by following the steps below:

  1. Login to portal.vmtestdrive.com with your username and password
  2. Click on the dropdown next to Workspace ONE in the Ready to Use Experiences section to view your credentials
  3. Here you will find your TestDrive email address


Enter your TestDrive email address and click Next.

Select Demo

Next, we'll select the demo we would like to perform. In this guide we're enrolling as a corporate device so select Enterprise - Corporate Owned Demo from the dropdown.

Next, enter your TestDrive username and password and click "Sign In".

Install Workspace Services

Next, the Intelligent Hub app will take you through installing Workspace Services on your device. At this point your device has been identified as a corporate issued device. In this demo scenario, the admin has selected to require corporate owned devices to be registered and fully managed in order to access corporate resources. Alternatively, in our BYOD guide you'll see the admin has allowed access to some resources without being fully managed. This corporate issued enrollment is termed 'Direct Enrollment'. Click next to proceed.

Download Workspace Services Profile

Next, you'll be directed to download the Workspace Services configuration profile. Click Allow in the browser to proceed.

Manual Profile Installation

This year, Apple has introduced a new workflow to manual profile installations. This change is a new experience for profile installations called “manual profile installation”. This change results in enrollments no longer automatically redirecting from Safari to the iOS Settings to install the MDM or configuration profile. The user must now manually navigate to system settings to install the profile. These changes are part of the iOS platform and not the Workspace ONE platform.

Hit 'Close' when you see the bottom screen. 

Device Settings Screen

Navigate to 'Settings' on your device -> 'General' -> 'Profiles'

Install Profile

Install the Workspace Services profile to your device. With this profile, additional restrictions and profiles including certificates are being installed on your device.

Launch Hub

Once the profile is installed, navigate back to the Intelligent Hub app and launch it.

Finish Enrollment

Click on 'Done' when enrollment is complete. Follow the steps to accept the Terms of Use and launch into the Intelligent Hub home screen.

App Installations

Now you'll see prompts for the apps to install. Click install to install the apps. Note: if you're using Apple's Device Enrollment Program to supervise your devices, users will not get this prompt.

Section 2: Corporate Device Features

Now that your device is registered and has the Workspace Services profile installed, we're ready to walk through the features that have been pushed down to the device. First, launch the Hub app.

Intelligent Hub Catalog

Users can access and install their enterprise applications and Web applications through the Intelligent Hub Catalog. During the app installation, a pop-up appears to let users know what is happening next.

Intelligent Hub aggregates all the apps your employees need whether its a virtual app, web app or native app. All employee marked bookmarks now show under the new Favorites section in the app. There are two other sections viz. 'New' for the latest app additions and 'Recommended' for corporate recommended applications. Users can also search for apps based on Categories as defined by the company. On top of this, Workspace ONE's identity solution is providing single sign on and access policy controls to these apps regardless of what device type, enrollment status or endpoint the user is attempting to access the app from. In this walkthrough we're using an enrolled iOS device, which the admin has allowed access to all the apps for using access policies, so throughout this walkthrough you'll be seeing the single sign on experience. Alternatively, if you were trying to sign into these apps from an unmanaged device you could see a different experience depending on what the admin has configured.

Under our Favorites section you'll see the web and virtual apps the user has bookmarked for frequent use. If you don't yet have any favorites, you can scroll down to the All Apps Category to add some or search and favorite an item from the search results. If we launch into any of these apps you'll see the single sign on experience.

Notifications Tab

Employees can receive actionable, real-time messages, including push notifications in the Workspace ONE Intelligent Hub app if the Notifications feature is enabled in Hub Services.

Browser Tab

With the Intelligent Hub, you can also enable a browser tab in the app and set it to a URL to direct employees to. In our case, we have set our TestDrive Knowledge Base as the home page.

VMware Boxer

Since Boxer (Email) has not automatically been installed on our device, let click to download VMware Boxer from the list. We can download Boxer by finding it in the list or just search for it.

Install VMware Boxer

Search for Boxer. Click to install the app.

Successful Installation

Now, you've downloaded a native app from Workspace ONE.

Native spotlight search support

We'd also like to point out that if you use the native spotlight search on iOS, web and virtual apps that are within Intelligent Hub will also be displayed in the results. This way, end users can easily find the apps they need without needing to open a separate catalog.

Here when I search for Dropbox, I see both the native app thats installed on my device and the web app thats available in Intelligent Hub. If you're searching for an app thats only available as a virtual or web app (like a Windows 10 virtual app for example) it will appear in these same search results.

Privacy App

Next, let's take a look at the Privacy app. Click to launch the privacy app.

The Privacy app reports the information which is being collected from the device by Workspace ONE UEM and reported back to the Administrative Console. In this scenario the device is enrolled as a corporate device so the information being collected is typical of a corporate issued device. If a change is made to the privacy settings on the Workspace ONE UEM console the changes will be immediately reflected in the privacy app, so the user always knows what can or cannot be collected from their device.

Privacy App Policies

You will see for this corporate device text messages, photos, and personal email are NOT collected while other details such as GPS location, Telecom and more are collected.

Privacy App Restrictions

Also, you'll notice that our corporate device has a few restrictions that have applied:

  • Camera app has been removed from the device
  • iMessage has been removed from the device (restriction only applies to supervised devices. See guide here to supervise your device to achieve this functionality)
  • User is unable to delete apps (restriction only applies to supervised devices. See guide here to supervise your device to achieve this functionality)
  • Unable to move documents from managed applications to unmanaged applications
  • Unable to move documents from unmanaged applications to managed applications
  • Game Center and iTunes have been removed (Game Center is removed for supervised devices. See guide here to supervise your device to achieve this functionality)
  • Passcode is required; if device did not previously have passcode user will be prompted to create one

Launch VMware Boxer

Next, let's walkthrough VMware Boxer. When we installed the Workspace Services profile, a certificate was installed on our device which allows us to single sign on into our email using Boxer. In the TestDrive environments we use Office 365 as our email provider. Make sure you have turned on Office 365 from your TestDrive Portal services before attempting to access it.

Launch Boxer.

Automatic Configuration

Boxer is automatically configured with your email address and the user just clicks Get started to login (no need to enter your password thanks to certificate authentication!)

Review emails

Now the user is signed into their Office 365 email. We've populated sample emails in your inbox for demo purposes.

App Config (ACE)

Next, let's navigate back to the device home screen and launch some of the iOS applications which have been configured using App Config (ACE). App config is a community of app providers who have worked to allow UEM providers who are part of the community to push down configurations for these apps. As a result, using Workspace ONE and app config, the user no longer has to remember multiple passwords or environment parameters (such as URLs) - the experience is seamless. In TestDrive, we have configured Zoom and Dropbox using app config.

For more information on ACE please see the AppConfig Community page.

Let's take a look at this experience using Zoom. Launch Zoom.

VMware Content Locker

Workspace ONE automatically signs the user in and App Config is pushed down through Workspace ONE UEM feeds in my Zoom environment info so I'm directed to the correct instance.

All the user had to do was accept the terms and now I'm signed in as my identity in Zoom using Workspace ONE and App Config.

Next, let's move onto the VMware Content Locker. If you don't yet have content locker installed on your device you can install it from the Workspace ONE catalog. Launch into Content Locker.

Content Overlay

Next you will see an overlay highlighting the available icons. Click anywhere on the device to close the overlay.

Content Repositories

The Repositories tab will contain all the user's content along with all shared corporate content. In the Corporate Content section you will see three network repositories for each region.  Content saved to these repositories are accessible from your Horizon VDI Desktop and Remote Applications that you launch in each region. We must do a first time log in to one of the repositories but then this information will be saved and will not have to be entered again.

Connect to Repository

Click on “AMER-SCL” to connect to the repository. 

An authentication request login page will load, enter your TestDrive credentials in the format of username and then password and click “Login”

Repository Folders

Upon successful login, the repository will populate and you will see all the available folders and files saved to this particular region. Click on the word "Repositories" at the top of the page or the "Filing Cabinet" icon on the left side bar to return to the main listing.

Finish Content Locker Setup

Click on “APAC-SCL” and ensure that the files and folders for this region populates. Repeat this step for the “EMEA-SCL” file share and ensure you are able to log in.

Now you have completed setting up Content Locker and you may use it on your iOS device or access the same files from your Horizon Desktops and Applications.

You can also select "AirWatch Content > World Wide Enterprises" to view the content shared from the Workspace ONE UEM Admin Console and demonstrate the document configurations. First, select "Unrestricted Access - Sales Training Manual".


The document will open and the user is able to swipe left and right to navigate between pages, zoom in and out by pinching, and rotate the device, and search the document for key words or phrases. Additionally, the user is able to select the export button in the top right to perform actions permitted by the administrator such as open into, view info, or print.


Now, lets switch back to to another document to demonstrate the different permissions granted to each document.

Select "Back" in the top left to return to the World Wide Enterprises content and select "Restricted Access - Financial Forecasting Training". The document will open displaying the watermark with the user's name. The user is able to zoom into the document and the watermark adjusts with the zoom size. Also, when selecting the export button in the top right you will see the user is no longer able to print or open into as they were with the unrestricted document.

VMware Workspace ONE Web

Next we will launch the VMware Workspace ONE Web app. Click on "Web" to launch it. If you don't yet have the Web app, you can download it from Intelligent Hub.

Home Page

Now you will see your homepage for your internal resources as defined in Web. Here you can see the different restrictions you may have when using Web. You can setup access into an intranet website, you can set links to public webpages, and you can restrict access to certain websites by blacklisting them.


Now you have successfully walked through the corporate device demo features.

Section 3: Enterprise Wipe

The last step we will perform is to remove the corporate info from our device similar to how an organization could remove this info if the device was lost or stolen.

First, open a web browser and navigate to https://testdrive.awmdm.com. Log in with your TestDrive username and password.

You username must adhere to this format: vmwdp.com\username

Next, ensure you're using the "Device Administrator at World Wide Enterprises" role by checking your account settings in the top right.

View Device Details

Next, navigate to "Devices > List View" in the left column. You can search for your username in the right side of the screen to find your device in the list. Click the name of your device to open the device details.

Delete Device

Now Click "More Actions > Delete Device" to both delete your device record from the console and issue an enterprise wipe or choose or "More Actions > Enterprise Wipe" to only issue an enterprise wipe to your device.

Confirm Apps and Profile removal

If we switch back to our device, you'll now see the corporate apps and profiles have been removed from the device. Any apps that remain on the device that the user may have logged into outside of management will be reset so the user can no longer access their corporate info (Example, Horizon).

Previous Article Workspace ONE Intelligent Hub Registered Only
Next Article Content - Workspace ONE for iOS (Stand-alone)