Workspace ONE is a digital workspace platform that simply and securely delivers and manages any app on any device by integrating access control, application management, and multi-platform endpoint management. Follow the steps below to experience Workspace ONE on Android.
- Section 1: Register your Android device
- Download and install Workspace ONE
- Install Workspace Services on your device (Direct Enrollment)
- Section 2: Guided Work Experiences
- Native Apps: Boxer and Office 365
- SaaS Apps
- Horizon Apps
- Section 3: Understanding Security Features
- Data Loss Prevention
- Conditional Access
- Policies and Profiles
- Section 4: Enterprise Wipe
- Log in to the AirWatch Console and issue an Enterprise Wipe
Before You Begin
Please ensure you have the following:
- A valid VMware TestDrive account. Sign up here.
- An active VMware AirWatch service in the VMware TestDrive Portal.
- Android device:
- Highly recommended OS level: Android 7.0+
- Minimum OS level: Android 5.0. If Android 6.0 or under, encrypt the device.
- AirWatch Admin Role: Device Administrator at World Wide Enterprises
- Network access from your device and TCP port 443 enabled on your network
- In order to launch into the Horizon apps within Workspace ONE, TCP ports 80 and 7443 must be enabled on your network
Section 1: Workspace ONE Registration
On the device, navigate to Google Play and download VMware Workspace ONE.
If you're unsure what your TestDrive email address is, you can verify this in the TestDrive portal by following the steps below:
- Log in to portal.vmtestdrive.com with your username and password
- In the "Empower Digital Workspace" area, expand the VMware AirWatch section.
- Here you will find your TestDrive enrollment email address.
Launch Workspace ONE and use your enrollment email to register.
Authenticate using your TestDrive user credentials.
Workspace ONE will begin to configure.
Choose the Enterprise - EMM Demo organization group (OG).
Next, you will be guided through Workspace ONE Direct Enrollment, beginning with the creation of the Android work profile. Please proceed.
On Samsung devices (pictured), your experience will differ slightly from other Android devices now that Samsung has integrated Knox APIs into Android enterprise. Note the blue Knox branding and badging on and in the work profile.
Accept the prompts.
Your device and Workspace ONE have completed enrollment when you see the below screen.
After Direct Enrollment, Workspace ONE will guide you through setting up your device to make it compliant and will provide recommended apps. If you miss a step or exit Workspace ONE, don't worry: Workspace ONE will return to the setup.
Set your work profile PIN—only for the work profile, not your device—and install the recommended apps. PIN complexity and apps are configurable in the Workspace ONE console.
Additionally, note the Workspace ONE notifications showing up in Android's native notification area, each badged with the work profile icon.
To enter the work profile, where Workspace ONE is located, use the Workspace app. Do not use the enrollment-initiating Workspace ONE app, which will be grayed out; if you do, you'll be presented with an error.
Note the badging on the work apps.
Re-enter Workspace ONE.
Section 2: Guided Work Experiences
Workspace ONE aggregates all the apps your employees need, whether it's a virtual app, web app, or native app. Underpinning it all is Workspace ONE's identity solution, which provides single sign-on and access policy controls to these apps regardless of device type, enrollment status, or endpoint utilized.
In Bookmarks, users set up links to their most used virtual and web apps.
In the Catalog, all the user's available apps are listed. Users can add web and virtual apps to Bookmarks; native app installation is also initiated from the Catalog. Review the list showing all of the assigned apps.
Open Boxer and demonstrate the streamlined user access. Because of Workspace ONE's hidden security processes, other than confirming one-time Android security prompts, there is no user interaction or credentials entry required. Both the app's settings and authentication certificate are configured by VMware AirWatch. VMware Identity Manager provides SSO.
Open the Recruiting PowerPoint email or any other email with an Office attachment matching your installed Office 365 app. Using Workspace ONE or Boxer's "open in" function (pictured below), you can install your chosen app.
Office 365 app setup will require you to enter your Office 365 email address which follows this syntax:
When prompted, choose the Workspace ONE managed certificate. You'll then be set to use all Office 365 apps in the work profile.
Next, show SSO into another Office 365 native app. Install one of the remaining Office 365 apps. Launch it. You'll be provided unfettered access to the other native apps.
Now try a web app. In Workspace ONE, find the Office 365 web app and launch it.
Android will prompt you to allow the authentication certificate provided by Workspace ONE.
After allowing the cert just this once, you'll be able to access your Office 365 instance.
Next, let's see the user experience when opening a Horizon app.
Go back to Workspace ONE. We have our Horizon environments divided by region. Search for the Visio app for your region from the options below:
Once you find the Visio Horizon app for your region, click to launch the app. It will open in the native Horizon app if you have it downloaded, or in HTML access if you do not.
Finally, let's launch the VMware Browser and tunnel to an internal site. You can download the VMware Browser native app from Workspace ONE.
In tandem with the VMware Tunnel (VPN), VMware Browser securely accesses internal corporate websites. The VMware Browser allows you to access important websites on your device while allowing your organization to ensure you're maximizing your productivity.
Note the landing page is hosted on an internal server.
Additionally, show VMware Browser's blacklisting. Browser is set up in restricted mode. Tap either the Facebook or Twitter link to show those sites are blacklisted.
Section 3: Understanding Security Features
Workspace ONE brings data loss prevention, conditional access, plus policies and profiles to your users and devices.
First, we'll look at data loss prevention (DLP) controls. Return to Boxer. Copy some of the text from one of the demonstration emails.
While in the work profile, show the protected clipboard's contents by pasting the copied text into another Boxer email. The clipboard will paste the contents.
Next, switch to a messaging app on the personal side of the device, not in the Android work profile. When you attempt to paste the clipboard, you will NOT have access to the clipboard's contents from Boxer in the work profile.
Moving forward, let's review conditional access. In Workspace ONE, find and launch the Patient Records web app.
You will be denied access to the site because your device is NOT on an approved network.
Finally, let's attempt to uninstall one of the protected apps, either VMware Browser or Workspace ONE. Apps can be designated protected apps to prevent accidental removal of key productivity apps.
The protected apps are not allowed to be uninstalled.
Section 4: Enterprise Wipe
Workspace ONE can be removed either by the user from within the Workspace ONE app or, most commonly, by an enterprise wipe command issued from the console. An enterprise wipe performed by an admin can be sent either manually or automatically by a triggered compliance policy. When the enterprise wipe happens on Android, the entire work profile and all of its contents are removed. Enterprise wipes do not touch personal data.
Log in to VMware AirWatch Console. Find your device and send the enterprise wipe command. You may need to open Workspace ONE so that it can receive the command.
After the enterprise wipe, note how not only all organizational app access is now removed, but also the work profile has been removed. Also, be sure to state that no personal data was ever touched. All that remains is the initially installed Workspace ONE app, which should be disabled (grayed out).