Experience Workspace ONE on Android

Workspace ONE is a digital workspace platform that simply and securely delivers and manages any app on any device by integrating access control, application management, and multi-platform endpoint management. Follow the steps below to experience Workspace ONE on Android. 

Overview


Before You Begin


Please ensure you have the following:

  • A valid VMware TestDrive account. Sign up here.
  • An active VMware AirWatch service in the VMware TestDrive Portal.
  • Android device:
    • Highly recommended OS level: Android 7.0+ 
    • Minimum OS level: Android 5.0.  If Android 6.0 or under, encrypt the device.
  • AirWatch Admin Role: Device Administrator at World Wide Enterprises
  • Network access from your device and TCP port 443 enabled on your network
  • In order to launch  into  the Horizon apps within Workspace ONE, TCP  ports  80 and 7443 must be enabled on your network

 

Section 1: Workspace ONE Registration

On the device, navigate to Google Play and download VMware Workspace ONE.  

Screenshot_20180326-124755.png

What's my TestDrive email address?

If you're unsure what your TestDrive email address is, you can verify this in the TestDrive portal by following the steps below:

  1. Login to portal.vmtestdrive.com with your username and password
  2. In the "Empower Digital Workspace" area, expand the VMware AirWatch section. 
  3. Here you will find your TestDrive enrollment email address.

Launch Workspace ONE and use your enrollment email to register.

Screenshot_20180326-130442.png

Authenticate using your TestDrive user credentials. 

Screenshot_20180327-114410.png

Workspace ONE will begin to configure.  

Screenshot_20180326-125201.png

Choose the Enterprise - EMM Demo organization group (OG).

Next, you will be guided through Workspace ONE Direct Enrollment, beginning with the creation of the Android work profile.  Please proceed.

On Samsung devices (pictured), your experience will differ slightly from other Android devices now that Samsung has integrated Knox APIs into Android enterprise.  Note the blue Knox branding and badging on and in the work profile. 

Accept the prompts. 

 

 

Your device and Workspace ONE have completed enrollment when you see the below screen.   

After Direct Enrollment, Workspace ONE will then guide you through setting up your device to make it complaint and provide recommended apps.  If you miss a step or exit Workspace ONE, don't worry, Workspace ONE will return to the setup.

Set your work profile PIN—only for the work profile, not your device—and install the recommended apps.  PIN complexity and apps are configurable in the Workspace ONE console. 

 

 

Additionally, note the Workspace ONE notifications showing up in Android's native notification area, each badged with the work profile icon.

To enter the work profile, where Workspace ONE is located, use the Workspace app.  Do not use the enrollment-initiating Workspace ONE app, which will be grayed out; if you do, you'll be presented with an error. 

Note the badging on the the work apps.  

Re-enter Workspace ONE. 

Section 2: Guided Work Experiences

Workspace ONE aggregates all the apps your employees need whether its a virtual app, web app, or native app. Underpinning it all is Workspace ONE's identity solution which provides single sign on and access policy controls to these apps regardless of what device type, enrollment status, or endpoint utilized.

In Bookmarks, users setup links their most used virtual and web apps. 

In the Catalog, all the user's available apps are listed.  Users can add web and virtual apps to Bookmarks; as well, native app installation is initiated from the Catalog.  Review the list apps showing all of the assigned apps. 

 

 

Open Boxer and demonstrate the streamlined user access.  Because of Workspace ONE's hidden security processes, other than confirming one-time Android security prompts, there is no user interaction or credentials entry required.  Both the app's settings and authentication certificate are configured by VMware AirWatch.  VMware Identity manager provides SSO. 

Screenshot_20180327-115800.png

Open the Recruiting PowerPoint email or any other email with an Office attachment matching your installed Office 365 app.  Using Workspace ONE or Boxer's "open in" function (pictured below), you can install your chosen app.  

Screenshot_20180327-121342.png

Install PowerPoint. 

Office 365 app setup will require you to enter your Office 365 email address which follows this syntax: username@vmtestdrive.com

When prompted, choose the Workspace ONE managed certificate.  You'll then be set to use all Office 365 apps in the work profile.

Screenshot_20180327-121348.png

Next, show SSO into another Office 365 native apps.  Install one of the remaining Office 365 apps.  Launch it.  You'll be provided unfettered access to the other native apps. 

Now try a web app.  In Workspace ONE, find the Office 365 web app and launch it. 

Android will prompt you to allow the authentication certificate provided by Workspace ONE.

 Screenshot_20180326-160953.png

After allowing the cert just this once, you'll be able to access to your Office 365 instance. 

Screenshot_20180326-161012.png

 Next, let's see the user experience when opening a Horizon app. 

Go back to Workspace ONE.  We have our Horizon environments divided by region. Search for the Visio app for your region from the options below:

AMER-Visio 2016
APAC-Visio 2016
EMEA-Visio 2016

Once you find the Visio horizon app for your region click to launch the app. It will open into either the native Horizon app if you have it downloaded or HTML access if you do not have the Horizon app downloaded.

Finally, let's launch the VMware Browser and tunnel to an internal site.  You can download the VMware Browser native app from Workspace ONE.

In tandem with the VMware Tunnel (VPN), VMware Browser securely accesses internal corporate websites.  The VMware Browser allows you to access important websites on your device while allowing your organization to ensure you're maximizing your productivity.

Note the landing page is hosted on an internal server. 

Additionally, show VMware Browser's blacklisting.  Browser is setup in restricted mode.  Tap either the Facebook or Twitter link to show those sites are blacklisted. 

 

Section 3: Understanding Security Features 

Workspace ONE brings data loss prevention, conditional access, plus policies and profiles to your users and devices.

First, we'll look at data loss prevention (DLP) controls.  Return to Boxer.  Copy some of the text from one of the demonstration emails.

Screenshot_20180327-150213.png

While in the work profile, show the protected clipboard's contents by pasting the copied text into another Boxer email.  The clipboard will paste the contents. 

Next, switch to a messaging app on the personal side of the device, not in the Android work profile.  When you attempt to paste the clipboard, you will NOT have access to the clipboard'd contents from Boxer in the work profile. 

Moving forward, let's review conditional access. In Workspace ONE, find and launch the Patient Records web app. 

Screenshot_20180327-143252.png

You will be denied access to the site because your device it NOT on an approved network.

Finally, let's attempt to uninstall one of the protected apps, either VMware Browser or Workspace ONE.  Apps can be designated protected apps to prevent accidental removal of key productivity apps.  

Screenshot_20180327-151251.png

The protected apps are not allowed to be uninstalled. 

Section 4: Enterprise Wipe

Workspace ONE can either be removed from within the Workspace ONE app by the user, or most commonly, by an enterprise wipe command issued from the console.  An enterprise wipe performed by an admin can be sent either either manually or automatically by a triggered compliance policy.  When the enterprise wipe happens on Android, the entire work profile and all of its contents are removed.  Enterprise wipes do not touch personal data.

Log in to VMware AirWatch Console.  Find your device and send the enterprise wipe command.  You may need to open Workspace ONE so that it can receive the command.

After the enterprise wipe, note how not only all organizational app access is now removed, but also the work profile has been removed.  Also, be sure to state that no personal data was ever touched.  All that remains is the initially installed Workspace ONE app, which should be disabled (grayed out).  

For Additional Support


Review Our Knowledge Base

Have more questions? Submit a request

Article is closed for comments.