This walkthrough will show you how to enroll and begin demonstrating a corporate-liable device as a Work Managed Device (also known as Device Owner mode). A device enrolled as a Work Managed Devices is completely controlled by the organization. In other words, the device has no personal space.
Here's what you need to know in order to run through this walkthrough:
- A valid VMware TestDrive account. Sign up here.
- An active Workspace ONE UEM (formerly VMware AirWatch) service in the VMware TestDrive Portal. Instructions are here.
- Factory reset Android device:
- Highly recommended OS level: Android 7.0+
- Minimum OS level: Android 6.0 (for "hashtag" enrollment)
- NO EXISTING DEVICE RECORD in testdrive.awmdm.com
- Admin role: Device Administrator at World Wide Enterprises
- Network access from your device and TCP port 443 enabled on your network
- Reference the platform guide for more information.
- If you have questions, please send an email to this address.
A device enrolled as a Work Managed Device is designed for 100% corporate-liable devices that are used exclusively by the organization. Workspace ONE UEM admins manage the entire Work Managed Device which has levels of control suitable for the most secure organizations in the world.
- The Work Managed Device is for corporate owned device use cases, where ONLY the managed work persona will exist on the device. There is no personal space on a Work Managed Device.
- A Work Managed Device is used by organizations who need 100% control of the device's contents, either by preference or regulation.
- Line-of-business devices, such as rugged Android devices which need to be locked down or in "kiosk" mode, are Work Managed Devices.
- There are currently four (4) admin-friendly methods to enroll a Work Managed Device:
- "Hashtag enrollment" or DPC identifier device provisioning (Android 6.0+) - After a factory reset, at the 'enter Google ID' screen, users enter the unique DPC identifier which initiates Workspace ONE Intelligent Hub enrollment as a Work Managed Device.
- AirWatch Relay App - Admins NFC "bump" configure employee's new device. An admin "staging" device is required in addition to the user device being set up.
- QR code enrollment (Android 7.0+) - From a factory reset device's setup screen, QR code is scanned to put device in device owner mode.
- Zero-touch enrollment - Purchased devices can be shipped to users with management and settings pre-configured in Workspace ONE UEM. When the user turns on the device, without touching it, the device sets up as a Work Managed Device.
(Due to the requirement of accessing the zero‑touch online admin platform to set up specific device serial numbers, zero-touch is not available as a configured demo in TestDrive.)
DPC Identifier "Hashtag" Enrollment
For simple device enrollment, follow these steps:
- Factory reset the device.
- Proceed with Android device setup, configuring your local Wi-Fi.
- When prompted for the Google ID, instead of an email address, enter the Android Enterprise DPC identifier for Workspace ONE UEM:
- When prompted, download and install the Intelligent Hub.
- After the Hub launches, enroll using your Workspace ONE UEM enrollment email. Your enrollment email address is listed in portal.vmtestdrive.com > My Products > Empower Digital Workspace tab > Workspace ONE UEM card.
- When prompted for the group ID (OG), choose Enterprise - EMM Demo.
- At the Workspace ONE login, authenticate with your TestDrive user credentials:
- Username: TestDrive username
- Password: TestDrive password
Proceed through Android setup and Workspace ONE UEM enrollment. Accept all prompts and complete the configuration, setting up the Work Managed Device.
While the device setup process appears, on the surface, to be the same as a work profile configuration, it is not. On a Work Managed Device, the Hub is an administrative app which is set up as device owner for 100% institutionally-controlled use.
Continue accepting all prompts to complete enrollment.
Bring attention to the Privacy and Data Sharing statements presented by the Intelligent Hub.
Set up the password on the device, as configured by the Workspace ONE UEM profile.
Work Managed Device View
- Work Managed Devices have a clean, minimal Android app landscape.
- Being institutionally-owned there's no visual cue needed to differentiate between work and personal, so apps are not badged with the red/white briefcase icon seen in the work profile.
- Google system apps can be managed and removed, if desired.
Review the limited and clean app landscape on the device. As well, point out the silent installation of the organization's assigned native apps.
VMware Workspace ONE Intelligent Hub
- The Workspace ONE Intelligent Hub integrates the AirWatch Agent and Workspace ONE app into a unified workspace that drives employee engagement through a cross-platform user-focused experience.
- The Workspace ONE Intelligent Hub is the user's single destination to securely access, discover, connect with, and take action on corporate resources, teams, and workflows wherever they are and from any device.
- Integrated app catalog improves end user engagement and experience with a consumer-inspired store.
- The Hub's workspace area sits on top of the agent which provides provides the critical IT management functions.
- Delivers any application from the latest mobile cloud apps to legacy enterprise apps. Simple, one-stop access to all apps: native, web, virtual, VDI, and RDS apps!
Internal web apps through a secured browser and seamless VPN tunnel
SaaS apps with SAML-based SSO and provisioning framework
Native Chrome OS apps through brokerage of public store.
Use Intelligent Hub to discuss app management—not Google Play for Work.
After enrollment is complete, you're greeted by the Workspace ONE Intelligent Hub's enhanced user workspace. Each Hub section is accessible at the bottom of the Hub UI.
- Apps - all mobile, web, and virtual apps
- Notifications - UEM notifications
- Home page - customizable web page configured for the TestDrive KB
- People Search - organizational contacts search
- Hub settings (upper right, user initials icon) - agent/IT menus
Workspace ONE Assist *
|Before attempting Workspace ONE Assist, please review the following document: Workspace ONE Assist in TestDrive|
- Many institutions require remote management to connect to end-user devices remotely to aid in troubleshooting and maintenance in order to greatly reduce or altogether eliminate onsite support costs.
- Workspace ONE Assist for Android is the best-of-breed solution for enabling device support, even over slow, inconsistent 3G networks found in remote areas.
Find your device in testdrive.awmdm.com, drill into device details, and launch Remote Management from the More Actions - Support menu.
Upon first launch, on Samsung, you'll be prompted to accept the KLMS license.
Depending on Android OS level, you'll also need to accept an additional prompt or two, such as overlay permission, which you are guided through.
Once connected, review the UI remote control, tools, and "more details" functions.
Here's a Workspace ONE Assist video tutorial (My Workspace ONE UEM account required).
Appendix A - Corporate-owned Enrollment with AirWatch Relay
SAML is not supported by AirWatch Relay. All scripted demos, like "Enterprise - EMM Demo," use SAML. Therefore, AirWatch Relay is not supported in any of the scripted demos. To show AirWatch Relay, please use your sandbox: set up directory services without SAML, update enrollment settings, and create a basic user.
Using AirWatch Relay requires two Android 5.0+ devices--Samsung or Google device recommended--with NFC enabled: one for the admin to run the AirWatch Relay app (admin device), and the other for the user. The admin device should have the AirWatch Relay app downloaded from Google Play. The staging device must be factory reset.
Reset the device to be enrolled. The process uses two NFC bumps to the admin device, which has the AirWatch Relay app configured:
- Bump One – Sets up Wi-Fi, encrypts device (if not already encrypted), and then downloads the Intelligent Hub.
- Bump Two – Enrolls the user's factory reset device into Workspace ONE UEM.
If the reset device is not already encrypted, you’ll go through encryption, then the process will resume for bump 2.
After a successful bump 2, using the above basic user credentials, the device will enroll.