iOS - Corporate Device Walkthrough (Direct Enrollment)

Updated on

Experience VMware Workspace ONE Intelligent Hub through the eyes of an employee who has been issued a corporate iOS device. In this walkthrough we will setup our iOS device with Intelligent Hub and access the sample corporate resources and features that have been configured within TestDrive.
  • Section 1: Register your iOS Device
    • Download VMware Workspace ONE Intelligent Hub
    • Install Workspace Services on your device (Direct Enrollment)
  • Section 2: Corporate Device Features
    • Workspace ONE
    • Privacy App
    • Device policies and restrictions
    • VMware Boxer (Enterprise Email)
    • App Config apps (Salesforce and Socialcast)
    • VMware Content Locker
    • VMware Browser
  • Section 3: Enterprise Wipe
    • Login to the Workspace ONE UEM (formerly VMware AirWatch) Console
    • Delete your device record
Before You Begin

Before you begin this walkthrough ensure you have the following:

  • A valid account in the VMware TestDrive environment, sign up here if you do not yet have an account
  • Activated the Workspace ONE UEM service from the My Services tab in the VMware TestDrive Demo Portal
  • Activated Salesforce and Office 365 from the My Services tab in the VMware TestDrive Demo Portal
Section 1: Registering your iOS Device

Ensure you're starting with an unenrolled iOS device. First, Navigate to the app store and download the VMware Workspace ONE Intelligent Hub.

Once the app installs, launch the app and enter your TestDrive email address.

Your TestDrive email address follows the below format:


If you're unsure what your TestDrive email address is, you can verify this in the TestDrive portal by following the steps below:

  1. Login to portal.vmtestdrive.com with your username and password
  2. Click on the dropdown next to Workspace ONE in the Ready to Use Experiences section to view your credentials
  3. Here you will find your TestDrive email address

Enter your TestDrive email address and click Next.

Next, we'll select the demo we would like to perform. In this guide we're enrolling as a corporate device so select Enterprise - Corporate Owned Demo from the dropdown.

Next, enter your TestDrive username and password and click "Sign In".

Next, the Intelligent Hub app will take you through installing Workspace Services on your device. At this point your device has been identified as a corporate issued device. In this demo scenario, the admin has selected to require corporate owned devices to be registered and fully managed in order to access corporate resources. Alternatively, in our BYOD guide you'll see the admin has allowed access to some resources without being fully managed. This corporate issued enrollment is termed direct enrollment. Click next to proceed.

Next, you'll be directed to download the Workspace Services configuration profile. Click Allow in the browser to proceed.

This year, Apple has introduced a new workflow to manual profile installations. This change is a new experience for profile installations called “manual profile installation”. This change results in enrollments no longer automatically redirecting from Safari to the iOS Settings to install the MDM or configuration profile. The user must now manually navigate to system settings to install the profile. These changes are part of the iOS platform and not the Workspace ONE platform.

Hit 'Close' when you see the bottom screen. 

Navigate to 'Settings' on your device -> 'General' -> 'Profiles'

Install the Workspace Services profile to your device. With this profile, additional restrictions and profiles including certificates are being installed on your device.

Once the profile is installed, navigate back to the Intelligent Hub app and launch it.

Click on 'Done' when enrollment is complete. Follow the steps to accept the Terms of Use and launch into the Intelligent Hub home screen.

Now you'll see prompts for the apps to install. Click install to install the apps. Note: if you're using Apple's Device Enrollment Program to supervise your devices, users will not get this prompt.

Section 2: Corporate Device Features

Now that your device is registered and has the Workspace Services profile installed, we're ready to walk through the features that have been pushed down to the device. First, launch the Hub app.

Users can access and install their enterprise applications and Web applications through the Intelligent Hub Catalog. During the app installation, a pop-up appears to let users know what is happening next.

Intelligent Hub aggregates all the apps your employees need whether its a virtual app, web app or native app. All employee marked bookmarks now show under the new Favorites section in the app. There are two other sections viz. 'New' for the latest app additions and 'Recommended' for corporate recommended applications. Users can also search for apps based on Categories as defined by the company. On top of this, Workspace ONE's identity solution is providing single sign on and access policy controls to these apps regardless of what device type, enrollment status or endpoint the user is attempting to access the app from. In this walkthrough we're using an enrolled iOS device, which the admin has allowed access to all the apps for using access policies, so throughout this walkthrough you'll be seeing the single sign on experience. Alternatively, if you were trying to sign into these apps from an unmanaged device you could see a different experience depending on what the admin has configured.

Under our Favorites section you'll see the web and virtual apps the user has bookmarked for frequent use. If you don't yet have any favorites, you can scroll down to the All Apps Category to add some or search and favorite an item from the search results. If we launch into any of these apps you'll see the single sign on experience.

Employees can receive actionable, real-time messages, including push notifications in the Workspace ONE Intelligent Hub app if the Notifications feature is enabled in Hub Services.

With the Intelligent Hub, you can also enable a browser tab in the app and set it to a URL to direct employees to. In our case, we have set our TestDrive Knowledge Base as the home page.

Since Boxer (Email) has not automatically been installed on our device, let click to download VMware Boxer from the list. We can download Boxer by finding it in the list or just search for it.

Search for Boxer. Click to install the app.

Now, you've downloaded a native app from Workspace ONE.

We'd also like to point out that if you use the native spotlight search on iOS, web and virtual apps that are within Intelligent Hub will also be displayed in the results. This way, end users can easily find the apps they need without needing to open a separate catalog.

Here when I search for Dropbox, I see both the native app thats installed on my device and the web app thats available in Intelligent Hub. If you're searching for an app thats only available as a virtual or web app (like a Windows 10 virtual app for example) it will appear in these same search results.

Next, let's take a look at the Privacy app. Click to launch the privacy app.

The Privacy app reports the information which is being collected from the device by Workspace ONE UEM and reported back to the Administrative Console. In this scenario the device is enrolled as a corporate device so the information being collected is typical of a corporate issued device. If a change is made to the privacy settings on the Workspace ONE UEM console the changes will be immediately reflected in the privacy app, so the user always knows what can or cannot be collected from their device.

You will see for this corporate device text messages, photos, and personal email are NOT collected while other details such as GPS location, Telecom and more are collected.

Also, you'll notice that our corporate device has a few restrictions that have applied:

  • Camera app has been removed from the device
  • iMessage has been removed from the device (restriction only applies to supervised devices. See guide here to supervise your device to achieve this functionality)
  • User is unable to delete apps (restriction only applies to supervised devices. See guide here to supervise your device to achieve this functionality)
  • Unable to move documents from managed applications to unmanaged applications
  • Unable to move documents from unmanaged applications to managed applications
  • Game Center and iTunes have been removed (Game Center is removed for supervised devices. See guide here to supervise your device to achieve this functionality)
  • Passcode is required; if device did not previously have passcode user will be prompted to create one

Next, let's walkthrough VMware Boxer. When we installed the Workspace Services profile, a certificate was installed on our device which allows us to single sign on into our email using Boxer. In the TestDrive environments we use Office 365 as our email provider. Make sure you have turned on Office 365 from your TestDrive Portal services before attempting to access it.

Launch Boxer.

Boxer is automatically configured with your email address and the user just clicks Get started to login (no need to enter your password thanks to certificate authentication!)

Now the user is signed into their Office 365 email. We've populated sample emails in your inbox for demo purposes.

Next, let's navigate back to the device home screen and launch some of the iOS applications which have been configured using App Config (ACE). App config is a community of app providers who have worked to allow UEM providers who are part of the community to push down configurations for these apps. As a result, using Workspace ONE and app config, the user no longer has to remember multiple passwords or environment parameters (such as URLs) - the experience is seamless. In TestDrive, we have configured Salesforce and Dropbox using app config.

For more information on ACE please see the AppConfig Community page:  http://www.appconfig.org/

Lets take a look at this experience using Salesforce. Launch Salesforce.

You'll see the user is prompted to accept the EULA since this is their first time using the app.

After accepting the EULA Workspace ONE automatically signs the user in and App Config pushed down through Workspace ONE UEM feeds in my Salesforce environment info so I'm directed to the correct instance.

All the user had to do was accept the terms and now I'm signed in as my identity in Salesforce using Workspace ONE and App Config.

Next, let's move onto the VMware Content Locker. If you don't yet have content locker installed on your device you can install it from the Workspace ONE catalog. Launch into Content Locker.

Next you will see an overlay highlighting the available icons. Click anywhere on the device to close the overlay.

The Repositories tab will contain all the user's content along with all shared corporate content. In the Corporate Content section you will see three network repositories for each region.  Content saved to these repositories are accessible from your Horizon VDI Desktop and Remote Applications that you launch in each region. We must do a first time log in to one of the repositories but then this information will be saved and will not have to be entered again.

Click on “AMER-SCL” to connect to the repository. 

An authentication request login page will load, enter your TestDrive credentials in the format of username and then password and click “Login”

Upon successful login, the repository will populate and you will see all the available folders and files saved to this particular region. Click on the word "Repositories" at the top of the page or the "Filing Cabinet" icon on the left side bar to return to the main listing.

Click on “APAC-SCL” and ensure that the files and folders for this region populates. Repeat this step for the “EMEA-SCL” file share and ensure you are able to log in.

Now you have completed setting up Content Locker and you may use it on your iOS device or access the same files from your Horizon Desktops and Applications.

You can also select "AirWatch Content > World Wide Enterprises" to view the content shared from the Workspace ONE UEM Admin Console and demonstrate the document configurations. First, select "Unrestricted Access - Sales Training Manual".

The document will open and the user is able to swipe left and right to navigate between pages, zoom in and out by pinching, and rotate the device, and search the document for key words or phrases. Additionally, the user is able to select the export button in the top right to perform actions permitted by the administrator such as open into, view info, or print.

Now, lets switch back to to another document to demonstrate the different permissions granted to each document.

Select "Back" in the top left to return to the World Wide Enterprises content and select "Restricted Access - Financial Forecasting Training". The document will open displaying the watermark with the user's name. The user is able to zoom into the document and the watermark adjusts with the zoom size. Also, when selecting the export button in the top right you will see the user is no longer able to print or open into as they were with the unrestricted document.

Next we will launch the VMware Workspace ONE Web app. Click on "Web" to launch it. If you don't yet have the Web app, you can download it from Intelligent Hub.

Now you will see your homepage for your internal resources as defined in Web. Here you can see the different restrictions you may have when using Web. You can setup access into an intranet website, you can set links to public webpages, and you can restrict access to certain websites by blacklisting them.

Now you have successfully walked through the corporate device demo features.

Section 3: Enterprise Wipe

The last step we will perform is to remove the corporate info from our device similar to how an organization could remove this info if the device was lost or stolen.

First, open a web browser and navigate to wsuem.vmtestdrive.com. Log in with your TestDrive username and password.

You username must adhere to this format: vmwtd.com\username

Next, ensure you're using the "Device Administrator at World Wide Enterprises" role by checking your account settings in the top right.

Next, navigate to "Devices > List View" in the left column. You can search for your username in the right side of the screen to find your device in the list. Click the name of your device to open the device details.

Now Click "More Actions > Delete Device" to both delete your device record from the console and issue an enterprise wipe or choose or "More Actions > Enterprise Wipe" to only issue an enterprise wipe to your device.

If we switch back to our device, you'll now see the corporate apps and profiles have been removed from the device. Any apps that remain on the device that the user may have logged into outside of management will be reset so the user can no longer access their corporate info (Example, Horizon).

Previous Article Experience Workspace ONE on Chromebook
Next Article Content - Workspace ONE for iOS (Stand-alone)