This walkthrough will show you how to enroll and begin demonstrating a corporate-liable device as a Work Managed Device (also known as Device Owner mode). A device enrolled as a Work Managed Device is completely controlled by the organization. In other words, the device has no personal space.
Here's what you need to have and know in order to run through this walkthrough:
- A valid VMware TestDrive account. Sign up here.
- An active Workspace ONE UEM (formerly VMware AirWatch) service in the VMware TestDrive Portal. Instructions are here.
- Factory reset Android device:
  - Highly recommended OS level: Android 7.0+
  - Minimum OS level: Android 6.0 (for "hashtag" enrollment)
  - NO EXISTING DEVICE RECORD in wsuem.vmtestdrive.com
- Admin role: Device Administrator at World Wide Enterprises
- Network access from your device and TCP port 443 enabled on your network
- Reference the platform guide for more information.
- For post-enrollment guidance, see the Android - Enterprise Management walkthrough.
- If you have questions, please send an email to this address.
Work Managed Device enrollment is designed for 100% corporate-liable devices that are used exclusively by the organization. Workspace ONE UEM admins manage the entire Work Managed Device, which has levels of control suitable for the most secure organizations in the world.
- The Work Managed Device is for corporate owned device use cases, where ONLY the managed work persona will exist on the device. There is no personal space on a Work Managed Device.
- A Work Managed Device is used by organizations who need 100% control of the device's contents, either by preference or regulation.
- Line-of-business devices, such as rugged Android devices which need to be locked down or in "kiosk" mode, are Work Managed Devices.
- There are currently four (4) admin-friendly methods to enroll a Work Managed Device:
  - "Hashtag enrollment" or DPC identifier device provisioning (Android 6.0+) - After a factory reset, at the 'enter Google ID' screen, users enter the unique DPC identifier, which initiates Workspace ONE Intelligent Hub enrollment as a Work Managed Device.
  - AirWatch Relay App - Admins NFC "bump" configure an employee's new device. An admin "staging" device is required in addition to the user device being set up.
  - QR code enrollment (Android 7.0+) - From a factory reset device's setup screen, a QR code is scanned to put the device in device owner mode.
  - Zero-touch enrollment - Purchased devices can be shipped to users with management and settings pre-configured in Workspace ONE UEM. When the user turns on the device, without touching it, the device sets up as a Work Managed Device.
(Due to the requirement of accessing the zero‑touch online admin platform to set up specific device serial numbers, zero-touch is not available as a configured demo in TestDrive.)
- Factory reset the device.
- Proceed with Android device setup, configuring Wi-Fi.
- When prompted for the Google ID enter: afw#hub
- When prompted, download and install the Intelligent Hub.
- After the hub launches, enroll using your Workspace ONE UEM enrollment email. Your enrollment email address is listed in portal.vmtestdrive.com > My Products > Empower Digital Workspace tab > Workspace ONE UEM card.
- Authenticate with your TestDrive user credentials:
  - Username: TestDrive username
  - Password: TestDrive password
- When prompted for your group (OG), choose Enterprise - EMM Demo.
This enrollment flow is supported on Android N+ devices.
- Factory reset your device.
- Tap the Android "Welcome" screen six (6) times in the same spot to enter QR code setup.
- Scan the below QR code, which contains the server and OG information:
Enter your TestDrive user credentials when prompted.
Proceed through Android setup and Workspace ONE UEM enrollment, accepting all prompts and completing the configuration to set up the Work Managed Device.
While the device setup process appears, on the surface, to be the same as a work profile configuration, it is not. This step is unique to the Work Managed Device in that the Hub is the administrative app and is set up as device owner for 100% institutionally-controlled use.
Continue accepting all prompts and complete enrollment. Before the device begins provisioning with profiles and apps, note the enrollment type in the Intelligent Hub: Work Managed Device.
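Because the QR code scanned in the steps above hands device owner control to whatever it names, it is worth decoding the code and checking its JSON before using it on a fleet. The following is an added example, not VMware's code: it audits a decoded payload using Android's `android.app.extra.PROVISIONING_*` keys. The `serverurl` and `gid` bundle keys, the component name and the hosts in the sample are assumptions or placeholders.

```python
import base64, hashlib, json
from urllib.parse import urlparse

P = "android.app.extra.PROVISIONING_"  # prefix of Android's provisioning extras

def _is_sha256_b64(value):
    """True if value is URL-safe base64 that decodes to 32 bytes (a SHA-256)."""
    try:
        raw = base64.urlsafe_b64decode(value + "=" * (-len(value) % 4))
    except (ValueError, TypeError):
        return False
    return len(raw) == 32

def audit_qr_payload(text, expected_component, expected_host):
    """Return findings for the JSON text decoded from a device-owner QR code."""
    try:
        data = json.loads(text)
    except json.JSONDecodeError as exc:
        return [f"payload is not JSON: {exc}"]
    if not isinstance(data, dict):
        return ["payload is not a JSON object"]
    findings = []
    component = data.get(P + "DEVICE_ADMIN_COMPONENT_NAME")
    if component != expected_component:
        findings.append(f"unexpected device admin component: {component!r}")
    apk = urlparse(str(data.get(P + "DEVICE_ADMIN_PACKAGE_DOWNLOAD_LOCATION", "")))
    if apk.scheme != "https":
        findings.append("DPC package download location is not HTTPS")
    pins = [data.get(P + "DEVICE_ADMIN_SIGNATURE_CHECKSUM"),
            data.get(P + "DEVICE_ADMIN_PACKAGE_CHECKSUM")]
    if not any(_is_sha256_b64(p) for p in pins if p is not None):
        findings.append("no valid SHA-256 checksum pins the DPC package")
    extras = data.get(P + "ADMIN_EXTRAS_BUNDLE")
    extras = extras if isinstance(extras, dict) else {}
    server = urlparse(str(extras.get("serverurl", "")))  # key name is assumed
    if server.scheme != "https" or server.hostname != expected_host:
        findings.append(f"enrollment server is not https://{expected_host}")
    if not extras.get("gid"):  # key name is assumed
        findings.append("no organization group (OG) in the admin extras")
    return findings

# Constructed sample payload; every value below is a placeholder.
SAMPLE = json.dumps({
    P + "DEVICE_ADMIN_COMPONENT_NAME": "com.example.hub/.AdminReceiver",
    P + "DEVICE_ADMIN_PACKAGE_DOWNLOAD_LOCATION": "https://dl.example.com/hub.apk",
    P + "DEVICE_ADMIN_SIGNATURE_CHECKSUM": base64.urlsafe_b64encode(
        hashlib.sha256(b"constructed signing cert").digest()).decode().rstrip("="),
    P + "ADMIN_EXTRAS_BUNDLE": {"serverurl": "https://uem.example.com",
                                "gid": "demo-og"},
})
```

Call `audit_qr_payload(text, component, host)` with the admin component and server host your organization expects; an empty list means none of these checks failed.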
Work Managed Device View
- Work Managed Devices have a clean, minimal Android app landscape.
- Because the device is institutionally owned, there's no visual cue needed to differentiate between work and personal, so apps are not badged with the red/white briefcase icon seen in the work profile.
- Google system apps can be managed and removed, if desired.
Review the limited and clean app landscape on the device. As well, point out the silent installation of the organization's assigned native apps.
VMware Workspace ONE
VMware Workspace ONE is the enterprise platform that enables organizations to deliver a digital workspace that empowers users to securely bring the technology of their choice—devices and apps—without sacrificing productivity or security at a cost the business needs.
The VMware Workspace ONE catalog contains all the app resources that have been entitled to users. Users access enterprise applications that are managed in the Workspace ONE catalog based on the settings established for the application in VMware Identity Manager.
Delivers any application from the latest mobile cloud apps to legacy enterprise apps. Simple, one-stop access to all apps: native, web, virtual, VDI, and RDS apps!
Internal web apps through a secured browser and seamless VPN tunnel
SaaS apps with SAML-based SSO and provisioning framework
Native Chrome OS apps through brokerage of public store
Single Sign-On (SSO) that federates the most complex on-premises Active Directory topologies and support for multi-factor authentication, like RSA.
Use VMware Workspace ONE to discuss app management—not Google Play for Work.
Note when opening Workspace ONE, Workspace ONE UEM will have already configured the Workspace ONE tenant using AppConfig.
Advanced Remote Management *
Before attempting Advanced Remote Management, please review the following document: Workspace ONE UEM - Advanced Remote Management
- Many institutions require remote management to connect to end-user devices remotely to aid in troubleshooting and maintenance in order to greatly reduce or altogether eliminate onsite support costs.
- Advanced Remote Management for Android is the best-of-breed solution for enabling device support, even over slow, inconsistent 3G networks found in remote areas.
If your tenant has RM4 enabled, and your device is supported, launch Remote Management from your device's details:
Upon first launch, on Samsung, you'll be prompted to accept the KLMS license.
Depending on Android OS level, you'll also need to accept an additional prompt or two, such as overlay permission, which you are guided through.
Once connected, review the UI remote control, tools, and "more details" functions.
Here's an Advanced Remote Management video tutorial (My Workspace ONE UEM account required).
Appendix A - Corporate-owned Enrollment with AirWatch Relay
SAML is not supported by AirWatch Relay. All scripted demos, like "Enterprise - EMM Demo," use SAML. Therefore, AirWatch Relay is not supported in any of the scripted demos. To show AirWatch Relay, please use your sandbox: set up directory services without SAML, update enrollment settings, and create a basic user.
Using AirWatch Relay requires two Android 5.0+ devices--Samsung or Google device recommended--with NFC enabled: one for the admin to run the AirWatch Relay app (admin device), and the other for the user (staging device). The admin device should have the AirWatch Relay app downloaded from Google Play. The staging device must be factory reset.
Two NFC bumps put the staging device in DO mode.
- Bump One – Sets up Wi-Fi, encrypts device (if not already encrypted), and then downloads the hub.
- Bump Two – Enrolls the out-of-box or factory-reset device.
If the reset device is not already encrypted, you’ll go through encryption, then the process will resume for bump 2.
After a successful bump 2, using the above basic user credentials, the device will enroll into the “Company Owned” OG.