Android - Corporate-Owned Devices

This walkthrough shows you how to enroll and begin demonstrating a corporate-liable device as a Work Managed Device (also known as Device Owner mode). A device enrolled as a Work Managed Device is completely controlled by the organization. In other words, the device has no personal space.

Prep

Here's what you need to have and know in order to run through this walkthrough:

  • A valid VMware TestDrive account.  Sign up here.
  • An active VMware AirWatch service in the VMware TestDrive Portal.  Instructions are here.
  • Factory reset Android device:
    • Highly recommended OS level: Android 7.0+ 
    • Minimum OS level: Android 6.0 (for "hashtag" enrollment)
  • NO EXISTING DEVICE RECORD in airwatch.vmtestdrive.com
  • Admin role: Device Administrator at World Wide Enterprises
  • Network access from your device and TCP port 443 enabled on your network
  • Reference the platform guide for more information.
  • For post-enrollment guidance, see the Android - Enterprise Management walkthrough.
  • If you have questions, please send an email to this address.  

Introduction

A device enrolled as a Work Managed Device is designed for 100% corporate-liable devices that are used exclusively by the organization.  VMware AirWatch admins manage the entire Work Managed Device which has levels of control suitable for the most secure organizations in the world. 

Enrollment

Talking Points

  • The Work Managed Device is for corporate owned device use cases, where ONLY the managed work persona will exist on the device.  There is no personal space on a Work Managed Device.
  • A Work Managed Device is used by organizations who need 100% control of the device's contents, either by preference or regulation.
  • Line-of-business devices, such as rugged Android devices which need to be locked down or in "kiosk" mode, are Work Managed Devices.
  • There are currently four (4) admin-friendly methods to enroll a Work Managed Device:
    • "Hashtag enrollment" or DPC identifier device provisioning (Android 6.0+) - After a factory reset, at the 'enter Google ID' screen, users enter the unique "afw#airwatch" DPC identifier which initiates AirWatch agent enrollment as a Work Managed Device.
    • AirWatch Relay App - Admins configure an employee's new device with an NFC "bump".  An admin "staging" device is required in addition to the user device being set up.
    • QR code enrollment (Android 7.0+) - From a factory reset device's setup screen, a QR code is scanned to put the device in device owner mode.
    • Zero-touch enrollment - Purchased devices can be shipped to users with management and settings pre-configured in AirWatch.  When the user turns on the device, without touching it, the device sets up as a Work Managed Device.
      (Due to the requirement of accessing the zero‑touch online admin platform to set up specific device serial numbers, zero-touch is not available as a scripted demo in TestDrive.)

DPC Identifier Device Provisioning (Hashtag Enrollment)

First, factory reset your device.

Proceed with Android device setup.  Configure Wi-Fi.

When prompted for a Google ID, enter: 

afw#airwatch

Android will prompt you to download and install the agent.  Download and install the AirWatch Agent. 

When the agent launches, enroll using your VMware AirWatch enrollment email.  Your enrollment email is displayed in portal.vmtestdrive.com services.

Next, authenticate with your TestDrive user credentials:

Username: TestDrive username 
Password: TestDrive password

When prompted for your group (OG), choose Enterprise - EMM Demo.

Android will guide you through the encryption process.  

Choose "fast encryption".

After encryption, follow the prompts to complete the "device owner" configuration, setting up the Work Managed Device.  

While this process appears, on the surface, to be the same as a work profile configuration, it is not.  This step is unique to the Work Managed Device in that the agent is setting up as "device owner" for 100% institutionally-controlled use. 

Continue accepting all prompts and complete enrollment.   Before the device begins provisioning with profiles and apps, note the enrollment type in the AirWatch Agent: Work Managed Device.
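To confirm from a workstation that enrollment produced a device owner rather than a work profile, the check below classifies the output of `adb shell dumpsys device_policy`. It is an added example, not part of the original walkthrough or of AirWatch; the dump layout, the `management_mode` function and the `com.example.dpc` package name are assumptions, and the sample dumps are constructed.

```shell
#!/bin/sh
# Classify an Android device's management mode from the text of
# `adb shell dumpsys device_policy`.
# Assumption: a device owner appears as a "Device Owner:" section containing a
# "package=" line, and a work profile as "Profile Owner (User N):".

# management_mode <dump-text> [expected-dpc-package]
# Prints device-owner:<pkg>, unexpected-owner:<pkg>, profile-owner or unmanaged.
management_mode() {
    dump=$(printf '%s\n' "$1" | tr -d '\r')   # older adb builds emit CRLF
    expected=${2:-}
    # First package= line inside the Device Owner section, if any.
    owner=$(printf '%s\n' "$dump" | awk '
        /^[ \t]*Device Owner:/ { in_do = 1; next }
        in_do && /^[ \t]*Profile Owner/ { exit }
        in_do && /^[ \t]*package=/ { sub(/^[ \t]*package=/, ""); print; exit }')
    if [ -n "$owner" ]; then
        if [ -n "$expected" ] && [ "$owner" != "$expected" ]; then
            echo "unexpected-owner:$owner"   # some other DPC owns the device
        else
            echo "device-owner:$owner"
        fi
    elif printf '%s\n' "$dump" | grep -q '^[[:space:]]*Profile Owner'; then
        echo "profile-owner"                 # work profile, not Work Managed
    else
        echo "unmanaged"
    fi
}

# Constructed sample dumps; com.example.dpc is a placeholder package name.
SAMPLE_DO='Current Device Policy Manager state:
  Device Owner:
    admin=ComponentInfo{com.example.dpc/com.example.dpc.AdminReceiver}
    name=
    package=com.example.dpc
    User ID: 0'
SAMPLE_PO='Current Device Policy Manager state:
  Profile Owner (User 10):
    admin=ComponentInfo{com.example.dpc/com.example.dpc.AdminReceiver}
    package=com.example.dpc'

management_mode "$SAMPLE_DO" com.example.dpc   # device-owner:com.example.dpc
management_mode "$SAMPLE_PO"                   # profile-owner

# Live use, with adb and USB debugging available on the device:
#   management_mode "$(adb shell dumpsys device_policy)" <agent-package>
```

Passing the expected agent package as the second argument turns the check into a guard against a device that is owned by a different DPC than the one you enrolled with.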

Work Managed Device View

Talking Points

  • Work Managed Devices have a clean, minimal Android app landscape.
  • Because the device is institutionally owned, no visual cue is needed to differentiate between work and personal, so apps are not badged with the red/white briefcase icon seen in the work profile.
  • Google system apps can be managed and removed, if desired.

Review the limited and clean app landscape on the device.  As well, point out the silent installation of the organization's assigned native apps.  

VMware Workspace ONE

Talking Points

  • VMware Workspace ONE is the enterprise platform that enables organizations to deliver a digital workspace that empowers users to securely bring the technology of their choice—devices and apps—without sacrificing productivity or security at a cost the business needs. 
  • The VMware Workspace ONE catalog contains all the app resources that have been entitled to users. Users access enterprise applications that are managed in the Workspace ONE catalog based on the settings established for the application in VMware Identity Manager.
  • Delivers any application from the latest mobile cloud apps to legacy enterprise apps. Simple, one-stop access to all apps: native, web, virtual, VDI, and RDS apps!  
    • Internal web apps through a secured browser and seamless VPN tunnel 
    • SaaS apps with SAML-based SSO and provisioning framework  
    • Native Chrome OS apps through brokerage of public store 
  • Single Sign-On (SSO) that federates the most complex on-premises Active Directory topologies and support for multi-factor authentication, like RSA.   

Use VMware Workspace ONE to discuss app management—not Google Play for Work.

Note that when you open Workspace ONE, VMware AirWatch will already have configured the Workspace ONE tenant using AppConfig.

Advanced Remote Management *

      Before attempting Advanced Remote Management, please review the following document: Advanced Remote Management - Getting Started.

Talking Points

  • Many institutions require remote management so that support staff can connect to end-user devices to aid in troubleshooting and maintenance, greatly reducing or altogether eliminating onsite support costs.
  • Advanced Remote Management for Android is the best-of-breed solution for enabling device support, even over slow, inconsistent 3G networks found in remote areas.   

If your tenant has RM4 enabled, and your device is supported, launch Remote Management from your device's details:

Upon first launch, on Samsung, you'll be prompted to accept the KLMS license.  

Depending on Android OS level, you'll also need to accept an additional prompt or two, such as overlay permission, which you are guided through.

Once connected, review the UI remote control, tools, and "more details" functions.   

Here's an Advanced Remote Management video tutorial (My AirWatch account required).

Appendix A - Corporate-owned Enrollment with AirWatch Relay

Note

SAML is not supported by AirWatch Relay.  All scripted demos, like "Enterprise - EMM Demo," use SAML.  Therefore, AirWatch Relay is not supported in any of the scripted demos.  To show AirWatch Relay, please use your sandbox: set up directory services without SAML, update enrollment settings, and create a basic user.

Using AirWatch Relay requires two Android 5.0+ devices--Samsung or Google device recommended--with NFC enabled: one for the admin to run the AirWatch Relay app (admin device), and the other for the user (staging device).  The admin device should have the AirWatch Relay app downloaded from Google Play.  The staging device must be factory reset.  

Two NFC bumps put the staging device in device owner (DO) mode.

  • Bump One – Sets up Wi-Fi, encrypts the device (if not already encrypted), and then downloads the agent.
  • Bump Two – Enrolls the out-of-box or factory reset device.

If the reset device is not already encrypted, you’ll go through encryption, then the process will resume for bump 2.  

After a successful bump 2, using the above basic user credentials, the device will enroll into the “Company Owned” OG.
