Android - Corporate-Owned Device Management

This walkthrough shows you how to enroll and begin demonstrating a corporate-liable device as a Work Managed Device (also known as Device Owner mode). A device enrolled as a Work Managed Device is completely controlled by the organization. In other words, the device has no personal space.


Here's what you need to know in order to run through this walkthrough:

  • A valid VMware TestDrive account.  Sign up here.
  • An active Workspace ONE UEM (formerly VMware AirWatch) service in the VMware TestDrive Portal.  Instructions are here.
  • Factory reset Android device:
    • Highly recommended OS level: Android 7.0+ 
    • Minimum OS level: Android 6.0 (for "hashtag" enrollment)
  • Admin role: Device Administrator at World Wide Enterprises
  • Network access from your device and TCP port 443 enabled on your network
  • Reference the platform guide for more information.
  • If you have questions, please send an email to this address.


Work Managed Device enrollment is designed for 100% corporate-liable devices that are used exclusively by the organization. Workspace ONE UEM admins manage the entire Work Managed Device, which has levels of control suitable for the most secure organizations in the world.


Talking Points

  • The Work Managed Device is for corporate owned device use cases, where ONLY the managed work persona will exist on the device.  There is no personal space on a Work Managed Device.
  • A Work Managed Device is used by organizations who need 100% control of the device's contents, either by preference or regulation.
  • Line-of-business devices, such as rugged Android devices which need to be locked down or in "kiosk" mode, are Work Managed Devices.
  • There are currently four (4) admin-friendly methods to enroll a Work Managed Device:
    • "Hashtag enrollment" or DPC identifier device provisioning (Android 6.0+) - After a factory reset, at the 'enter Google ID' screen, users enter the unique DPC identifier which initiates Workspace ONE Intelligent Hub enrollment as a Work Managed Device.
    • AirWatch Relay App - Admins configure an employee's new device with an NFC "bump". An admin "staging" device is required in addition to the user device being set up.
    • QR code enrollment (Android 7.0+) - From a factory reset device's setup screen, a QR code is scanned to put the device in device owner mode.
    • Zero-touch enrollment - Purchased devices can be shipped to users with management and settings pre-configured in Workspace ONE UEM.  When the user turns on the device, without touching it, the device sets up as a Work Managed Device.
      (Due to the requirement of accessing the zero‑touch online admin platform to set up specific device serial numbers, zero-touch is not available as a configured demo in TestDrive.)
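
For the QR code method listed above, the scanned code carries a JSON payload keyed by Android's provisioning extras, and that payload decides which admin app is downloaded and made device owner. The following check is an added example, not part of the original walkthrough or VMware's tooling: it reviews a payload before the code is printed or shared. The component name, host and digest are constructed placeholders, and requiring https is this example's policy choice.

```python
import base64, hashlib, json, re
from urllib.parse import urlparse

P = "android.app.extra.PROVISIONING_"  # prefix of the Android provisioning extras
COMPONENT = P + "DEVICE_ADMIN_COMPONENT_NAME"
LOCATION = P + "DEVICE_ADMIN_PACKAGE_DOWNLOAD_LOCATION"
CHECKSUMS = (P + "DEVICE_ADMIN_SIGNATURE_CHECKSUM", P + "DEVICE_ADMIN_PACKAGE_CHECKSUM")
WIFI_PASSWORD = P + "WIFI_PASSWORD"
SKIP_ENCRYPTION = P + "SKIP_ENCRYPTION"
# A SHA-256 digest in URL-safe base64 is 43 characters, 44 with padding.
SHA256_B64URL = re.compile(r"[A-Za-z0-9_-]{43}=?")

def lint_qr_payload(text):
    """Return a list of findings for a device-owner provisioning QR payload."""
    try:
        data = json.loads(text)
    except json.JSONDecodeError:
        return ["payload is not valid JSON"]
    if not isinstance(data, dict):
        return ["payload must be a JSON object"]
    findings = []
    component = data.get(COMPONENT)
    if not isinstance(component, str) or "/" not in component:
        findings.append("admin component name missing or not package/class")
    # Assumption: the DPC is downloaded during setup, as on a factory-reset device.
    url = urlparse(str(data.get(LOCATION, "")))
    if url.scheme != "https" or not url.netloc:
        findings.append("DPC download location missing or not https")
    sums = [data[k] for k in CHECKSUMS if k in data]
    if not sums:
        findings.append("no checksum pins the downloaded DPC")
    elif not all(isinstance(s, str) and SHA256_B64URL.fullmatch(s) for s in sums):
        findings.append("checksum is not a URL-safe base64 SHA-256 digest")
    if data.get(WIFI_PASSWORD):
        findings.append("Wi-Fi password is readable by anyone who sees the QR code")
    if data.get(SKIP_ENCRYPTION) is True:
        findings.append("provisioning skips device encryption")
    return findings

# Constructed samples: placeholder DPC component, host and certificate digest.
DIGEST = base64.urlsafe_b64encode(hashlib.sha256(b"constructed cert").digest())
GOOD = json.dumps({COMPONENT: "com.example.dpc/.AdminReceiver",
                   LOCATION: "https://mdm.example.com/dpc.apk",
                   CHECKSUMS[0]: DIGEST.decode().rstrip("=")})
WEAK = json.dumps({COMPONENT: "com.example.dpc/.AdminReceiver",
                   LOCATION: "http://mdm.example.com/dpc.apk",
                   WIFI_PASSWORD: "constructed-psk", SKIP_ENCRYPTION: True})

print(lint_qr_payload(WEAK))
```
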

DPC Identifier "Hashtag" Enrollment

  • Factory reset the device.
  • Proceed with Android device setup, configuring Wi-Fi.
  • When prompted for the Google ID enter: afw#hub
  • When prompted, download and install the Intelligent Hub.
  • After the hub launches, enroll using your Workspace ONE UEM enrollment email. Your enrollment email address is listed in > My Products > Empower Digital Workspace tab > Workspace ONE UEM card.


  • Authenticate with your TestDrive user credentials:
    • Username: TestDrive username
    • Password: TestDrive password
  • When prompted for your group (OG), choose Enterprise - EMM Demo.

Proceed through Android setup and Workspace ONE UEM enrollment, accepting all prompts and completing the configuration to set up the Work Managed Device.

While the device setup process appears, on the surface, to be the same as a work profile configuration, it is not.  This step is unique to the Work Managed Device in that the Hub is the administrative app and is set up as device owner for 100% institutionally-controlled use.

Continue accepting all prompts and complete enrollment. Before the device begins provisioning with profiles and apps, note the enrollment type shown in the Intelligent Hub: Work Managed Device.

Work Managed Device View

Talking Points

  • Work Managed Devices have a clean, minimal Android app landscape.
  • Because the device is institutionally owned, no visual cue is needed to differentiate between work and personal, so apps are not badged with the red/white briefcase icon seen in the work profile.
  • Google system apps can be managed and removed, if desired.

Review the limited and clean app landscape on the device. Also point out the silent installation of the organization's assigned native apps.

VMware Workspace ONE

Talking Points

  • VMware Workspace ONE is the enterprise platform that enables organizations to deliver a digital workspace that empowers users to securely bring the technology of their choice—devices and apps—without sacrificing productivity or security at a cost the business needs.
  • The VMware Workspace ONE catalog contains all the app resources that have been entitled to users. Users access enterprise applications that are managed in the Workspace ONE catalog based on the settings established for the application in VMware Identity Manager.
  • Delivers any application from the latest mobile cloud apps to legacy enterprise apps. Simple, one-stop access to all apps: native, web, virtual, VDI, and RDS apps!
    • Internal web apps through a secured browser and seamless VPN tunnel
    • SaaS apps with SAML-based SSO and provisioning framework  
    • Native Chrome OS apps through brokerage of public store 
  • Single Sign-On (SSO) that federates the most complex on-premises Active Directory topologies and support for multi-factor authentication, like RSA.

Use VMware Workspace ONE to discuss app management—not Google Play for Work.

Note that when you open Workspace ONE, Workspace ONE UEM will have already configured the Workspace ONE tenant using AppConfig.

Advanced Remote Management *

      Before attempting Advanced Remote Management, please review the following document: Workspace ONE UEM - Advanced Remote Management

Talking Points

  • Many institutions require remote management to connect to end-user devices remotely to aid in troubleshooting and maintenance in order to greatly reduce or altogether eliminate onsite support costs.
  • Advanced Remote Management for Android is the best-of-breed solution for enabling device support, even over slow, inconsistent 3G networks found in remote areas.

If your tenant has RM4 enabled, and your device is supported, launch Remote Management from your device's details:

Upon first launch, on Samsung, you'll be prompted to accept the KLMS license.

Depending on Android OS level, you'll also need to accept an additional prompt or two, such as overlay permission, which you are guided through.

Once connected, review the UI remote control, tools, and "more details" functions.

Here's an Advanced Remote Management video tutorial (My Workspace ONE UEM account required).

Appendix A - Corporate-owned Enrollment with AirWatch Relay


SAML is not supported by AirWatch Relay.  All scripted demos, like "Enterprise - EMM Demo," use SAML.  Therefore, AirWatch Relay is not supported in any of the scripted demos.  To show AirWatch Relay, please use your sandbox: set up directory services without SAML, update enrollment settings, and create a basic user.

Using AirWatch Relay requires two Android 5.0+ devices--Samsung or Google device recommended--with NFC enabled: one for the admin to run the AirWatch Relay app (admin device), and the other for the user.  The admin device should have the AirWatch Relay app downloaded from Google Play.  The staging device must be factory reset.

Reset the device to be enrolled.  The process uses two NFC bumps to the admin device, which has the AirWatch Relay app configured:

  • Bump One – Sets up Wi-Fi, encrypts device (if not already encrypted), and then downloads the Intelligent Hub.
  • Bump Two – Enrolls the user's factory reset device into Workspace ONE UEM.

If the reset device is not already encrypted, you’ll go through encryption, then the process will resume for bump 2.

After a successful bump 2, using the above basic user credentials, the device will enroll.
