Shared Multi-User iOS Devices in Financial Services


This walkthrough describes the Workspace ONE UEM (formerly VMware AirWatch) Check-In Check-Out functionality, commonly known as the multi-user shared device use case, which is typically found in financial services organizations.

In the typical multi-user shared device scenario, also called check-in/check-out, a device is staged for sharing in a locked-down state. To use the device, a user authenticates, and the device is then provisioned with the designated apps, profiles, content, etc. that the user needs. When the user is done with the shared device, he checks it back in, and the device returns to its locked-down, checked-in state until another user authenticates.


Here's what you need in order to complete this demo:

  • A supervised iOS device (iPad recommended) with a reliable data connection.  iOS device supervision instructions are here.
  • An active VMware TestDrive account.  Sign up here if you don't have one.
  • An active Workspace ONE UEM service in the TestDrive portal.
  • A screen sharing method:
    • Mac: Tether the iOS device and use QuickTime.
    • Windows: External camera is recommended.
  • Demo users and OG (quick reference):
    • Staging (Checked-in) user: fsstage   pw: Stage123!
      [email protected]
    • Enrollment/Staging OG: Finance - Corporate Owned Demo 
    • Check-out user1: banker   pw: Banker123!
    • Check-out user2: teller   pw: Teller123!

Enrollment & Staging

On the iPad, open the App Store and download the Workspace ONE Hub to your device.

Launch the Hub and initiate enrollment.  Enroll using the Email Address.

Enter the TestDrive email address for the staging user:

[email protected]

Next, at the Organization Group drop-down screen, choose the group:

Finance - Corporate Owned Demo

Next, at the Workspace ONE login (powered by Workspace ONE Access), enter the staging user's credentials:

Username: fsstage
Password: Stage123!

You'll be walked through the enrollment screens. Proceed until enrollment is complete.   Accept ALL prompts.

You must (and you will be guided through the process):

  • Install the Workspace Services profile in iOS device settings.
  • Allow/Trust Remote Management in iOS device Settings.

When complete, keep accepting the prompts.  Open the Hub.

Now that the device has completed enrollment, it will be provisioned with the shared device profile, which causes the device to lock down with the Hub.

A Workspace ONE profile will prompt you to set a simple passcode.

The device is now ready to be checked out.  


While the device is checked in, the Hub presents the Workspace ONE login screen. This login screen can be branded for the institution.

Log in with the banker account:

Username: banker
Password: Banker123!

The device will be provisioned with apps and profiles specific to a 'banker' or 'trader' use case.

The Hub will provide access to all of the apps required by the specific banker user.

Discuss the Favorites view and its purpose: quick access to web apps and Horizon apps (RDSH, thin, and VDI).  Segue to the Catalog...

Review the Apps section and discuss how this comprehensive app view is where all the user's apps are made available.

While mentioning the types of apps available, be sure to state the configurable deployment methods for native apps, either manual or automatic.  Automatically deployed native apps should either already be installed or still be installing.  Install one of the native apps set up for manual deployment, such as J.P. Morgan Execute or E*TRADE Mobile.

Discuss how Workspace ONE Hub provides access to ALL apps: RDSH, thin apps, VDI, native apps, and web apps.

Quickly tab back to Workspace ONE's Catalog and launch the RDSH app Interactive Brokers Trader Workstation.

Trader Desktop is provisioned for demonstration purposes only, i.e., there's no demo account.

Return to the Hub.  After banker has completed his tasks, he needs to check the device back in to secure it and remove all sensitive content.

To check in the device, tap the 'user' icon in the upper-right of the Hub.

On the next screen, tap Log out.

After logging out, the device will resume the locked down state.

Please note, device lockdown is dependent on the profile re-pushing and subsequent Hub configuration.  Depending on network conditions, the lockdown may take a few moments.

Check out the device as teller.  This user's access will be limited to the apps his job requires.

Username: teller
Password: Teller123!

Note the provisioning and access differences between teller and banker.  Same device.  Completely different access for the completely different user, teller.

Access to regulated apps—such as Interactive Broker Trader—has been removed.

Launch T-Mobile by Temenos to access the sole financial services app provisioned.
T-Mobile by Temenos is provisioned for demonstration purposes only—it does not have a demo account.

Admin Console

The Workspace ONE UEM console provides access to a myriad of administrative functions.  Briefly review searching for devices.

Go to your device list, Devices > List View.  If necessary, filter the view with search criteria, such as the user name banker.

Drill into the device and briefly discuss the tabs.

Enterprise Wipe

In a shared device scenario, devices may either accidentally or not-so-accidentally "walk off."  Workspace ONE UEM compliance policies can be used to trigger an enterprise wipe, which removes organizational data, if a device leaves, say, a managed network.

From the admin console, navigate to the device details for your device.  Please take care not to wipe the wrong device.

Manually send an enterprise wipe from the console.  The device will have all sensitive data and user account access removed.
