Workspace ONE is a digital workspace platform that simply and securely delivers and manages any app on any device by integrating access control, application management and multi-platform endpoint management. Follow the steps below to experience Workspace ONE hands on with an iOS device.
- Section 1: Register your iOS Device
- Download the Workspace ONE Intelligent Hub
- Install workspace services on your device (direct enrollment)
- Section 2: Guided Work Experiences
- Native Apps: Boxer and Office 365
- Horizon Apps
- Citrix Apps
- SaaS Apps
- Section 3: Understanding Security Features
- Data Loss Prevention
- Conditional Access
- Policies and Profiles
- Section 4: Enterprise Wipe
- Login to the Workspace ONE UEM Console
- Issue Enterprise Wipe to your Device
Before You Begin
Before you begin this walkthrough ensure you have the following:
- A valid account in the VMware TestDrive environment, sign up here if you do not yet have an account
- Ensure you have turned on Workspace ONE UEM in the Ready to Use Experiences section as shown below
Section 1: Registering your iOS Device
Ensure you're starting with an unenrolled iOS device.
Navigate to the app store and download the VMware Workspace ONE Intelligent Hub.
After the Hub installs, launch it and initiate enrollment with your TestDrive email address.
Your TestDrive email address follows the below format:
If you're unsure what your TestDrive email address is, you can verify this in the TestDrive portal by following the steps below:
- Login to portal.vmtestdrive.com with your username and password
- Click on the dropdown next to Workspace ONE in the Ready to Use Experiences section to view your credentials
- Here you will find your TestDrive email address
Enter your TestDrive email address and click Next.
Next, enter your TestDrive username and password and click "Sign In".
In the event you receive an error stating:
Unable to login at this time. This device is already registered to a different environment. Please Contact your IT administrator.
We are unable to finish building your digital workspace at this time. Please try again or sign out. If you sign out, you will have the option to re-enter your email address or server URL.
Within the settings for iOS, find the settings for the 'Workspace' Application. Check Enable Manual App Reset. Re-load the Workspace ONE Application and tap on the logo 7 times, this will reset the application. Once that's done, try enrollment again.
Next, the Workspace ONE Intelligent Hub app will load your environment's settings.
Next, we'll select the demo we would like to perform. In this guide we're enrolling as a corporate device so select "Enterprise - EMM Demo (Corporate Owned)" from the dropdown.
At this point your device has been identified as a corporate issued device. In this demo scenario, the admin has selected to require corporate owned devices to be registered and fully managed in order to access corporate resources. This corporate issued enrollment is termed direct enrollment. Click next to proceed.
Next, you'll be directed to install the Workspace Services profile. Click Allow in the browser to proceed.
This year, Apple has introduced a new workflow to manual profile installations. This change is a new experience for profile installations called “manual profile installation”. This change results in enrollments no longer automatically redirecting from Safari to the iOS Settings to install the MDM or configuration profile. The user must now manually navigate to system settings to install the profile. These changes are part of the iOS platform and not the Workspace ONE platform.
Hit 'Close' when you see the bottom screen.
Navigate to 'Settings' on your device -> 'General' -> 'Profiles'
Install the Workspace Services profile to your device. With this profile, additional restrictions and profiles including certificates are being installed on your device.
On the Remote Management prompt, 'Trust' the profile's source to enroll your iOS device.
Once the profile is installed, navigate back to and enter the Intelligent Hub app.
At this point Workspace ONE UEM will begin installing automatically deployed native apps. These apps are also recommended apps. Other apps will be available to manually deploy.
You'll see prompts for the apps to install. Click install to install the apps. Note: if you're using Apple's Device Enrollment Program to supervise your devices, users will not get this prompt.
Our device has completed registration and you will see a Privacy app has been installed. Click to launch the privacy app.
The Privacy app reports the information which is being collected from the device by Workspace ONE UEM (formerly VMware AirWatch) and reported back to the Administrative Console. In this scenario the device is enrolled as a corporate device so the information being collected is typical of a corporate issued device. If a change is made to the privacy settings on the Workspace ONE UEM console the changes will be immediately reflected in the privacy app, so the user always knows what can or cannot be collected from their device.
Section 2: Guided Work Experiences
Now that your device is registered and has the Workspace Services profile installed, we're ready to walk through the features that have been pushed down to the device.
Launch the Workspace ONE Intelligent Hub.
You're greeted by the Workspace ONE Intelligent Hub's enhanced user workspace. Each Hub menu area is accessible at the bottom of the Hub UI.
- Apps - all mobile, web, and virtual apps
- Notifications - UEM notifications
- Home page - customizable web page configured for the TestDrive KB
- People Search - organizational contacts search
- Hub settings - agent/IT menus
The Intelligent Hub's primary Apps view is the app catalog. The Intelligent Hub aggregates all the apps your employees need whether it's a virtual app, web app or native app. Powering all of this is Workspace ONE's identity solution, Workspace ONE Access, which provides single sign on (SSO) and access policy controls to these apps regardless of what device type, enrollment status or endpoint the user is attempting to access the app from.
In this walkthrough we're using an enrolled iOS device, which the admin has allowed access to all the apps for using access policies, so throughout this walkthrough you'll be seeing the single sign on experience. Alternatively, if you were trying to sign into these apps from an unmanaged device you could see a different experience depending on what the admin has configured.
The user can add an app to their favorites, open the app, or install any native apps they have not yet installed. You'll notice all app types are aggregated into this single catalog. Since Boxer (VMware's Email client) has not automatically been installed on our device by the IT admin, let click to download VMware Boxer from the list. We can download Boxer by finding it in the list or just searching for it.
Search for Boxer. Click to install the app.
Let's also download Microsoft Word from the Intelligent Hub. Search for the native iOS app and click to install.
Thus, you've downloaded native apps from Workspace ONE.
We'd also like to point out that if you use the native spotlight search on iOS, web and virtual apps that are within Workspace ONE Intelligent Hub will also be displayed in the results. This way, end users can easily find the apps they need without needing to open a separate catalog.
Here when I search for Socialcast, I see both the native app thats installed on my device and the web app thats available in the Intelligent Hub. If you're searching for an app thats only available as a virtual or web app (like a Windows 10 virtual app for example) it will appear in these same search results.
Next, lets walkthrough VMware Boxer. When we installed the Workspace Services profile, a certificate was installed on our device which allows us to single sign on into our email using Boxer. In the TestDrive environments we use Office 365 as our email provider. Note: please make sure you have enabled Office 365 for your Testdrive account before installing VMware Boxer.
Click to launch VMware Boxer.
Boxer is automatically configured with your email address and the user just clicks Get started to login (no need to enter your password thanks to certificate authentication!)
Now the user is signed into their Office 365 email. We've populated sample emails in your inbox.
Choose an email with an attachment and we can demonstrate opening a document from Boxer to an app such as Powerpoint, Excel, or Word.
Next, lets return to the Intelligent Hub and see the user experience when opening a Horizon app. Open Workspace ONE and search for Visio 2016.
Once you find the Visio 2016 horizon app, launch the app. It will open into either the native Horizon app if you have it downloaded or HTML access if you do not have the Horizon app downloaded.
Next, let see the experience when launching into a SaaS app from the Intelligent Hub. Search for Office 365.
Click to single sign on into Office 365. You'll see safari open and load the Workspace ONE Access sign-in page.
Next, you'll be signed into your identity in Office 365.
Next, let's navigate back to the device home screen and launch some of the iOS applications which have been configured using App Config. App Config is a community of app providers who have worked to allow EMM providers who are part of the community to push down configurations for these apps. As a result, using Workspace ONE and app config, the user no longer has to remember multiple passwords or environment parameters (such as URLs) - the experience is seamless. In TestDrive, we have configured Blue Jeans, Salesforce, and Dropbox using app config.
For more information on ACE please see the AppConfig Community page: http://www.appconfig.org/
Let's take a look at this experience using Salesforce. Launch Salesforce.
You'll see the user is prompted to accept the EULA since this is their first time using the app.
After accepting the EULA Workspace ONE automatically signs the user in and App Config pushed down through Workspace ONE UEM feeds in my Salesforce environment info so I'm directed to the correct instance.
All the user had to do was accept the terms and now I'm signed in as my identity in Salesforce using Workspace ONE and App Config.
Next we will launch the Workspace ONE Web app. Click on "Web" to launch it. If you don't yet have Workspace ONE Web, you can download it from the Intelligent Hub.
Now you will see your homepage for your internal resources as defined in Workspace ONE Web. Here you can see the different restrictions you may have when using Workspace ONE Web. You can setup access into an intranet website, you can set links to public webpages, and you can restrict access to certain websites by blacklisting them.
Section 3: Understanding Security Features
Next, let's review a few of the security features of Workspace ONE and its apps and services. Return to your email by opening VMware Boxer. Next, copy some of the text from a sample email.
Once the text is copied we can navigate to an unmanaged app such as the native email client on the device. If we attempt to compose an email with our personal email that is configured on the native email app and paste the content from our copied clipboard, no data can be pasted.
We can also observe conditional access through Workspace ONE. In this case, we will open Workspace ONE Intelligent Hub, find and attempt to open an app titled "Patient Records".
You'll see that access has been denied because I am located out of the required location.
You'll also notice that the corporate device has a few restrictions that have applied:
- Camera app and iTunes have been removed from the device
- Passcode is required; if device did not previously have passcode user will be prompted to create one
Section 4: Enterprise Wipe
The last step we will perform is to remove the corporate info from our device similar to how an organization could remove this info if the device was lost or stolen.
First, open a web browser and navigate to wsuem.vmtestdrive.com. Log in with your TestDrive username and password.
Note: Make sure your username follows this syntax: vmwtd.com\username
Next, ensure you're using the "Device Administrator at World Wide Enterprises" role by checking your account settings in the top right.
Next, navigate to "Devices > List View" in the left column. You can search for your username in the right side of the screen to find your device in the list. Click the name of your device to open the device details.
Now Click "More Actions > Delete Device" to both delete your device record from the console and issue an enterprise wipe or choose "More Actions > Enterprise Wipe" to only issue an enterprise wipe to your device.
If we switch back to our device, you'll now see the corporate apps and profiles have been removed from the device. Any apps that remain on the device that the user may have logged into outside of management will be reset so the user can no longer access their corporate info (Example, Boxer).