This walkthrough will guide you through Android enterprise device management in TestDrive as seen in a typical BYOD use case. Both Workspace ONE UEM (formerly VMware AirWatch) and Google recommend Android enterprise, formerly Android for Work, as the official Android management solution.
- Before You Begin
- Work Passcode
- Device Provisioning
- Work vs Personal
- VMware Boxer
- VMware Browser
- Application Control
- Native App Certificate Based Authentication
- VMware Workspace ONE SSO
- VMware Tunnel and per-app VPN
- Chrome Settings
- Gmail for Exchange
- Console Configuration
- App Management
- Enterprise Wipe
Before You Begin
Here's what you need:
- A TestDrive account. Sign up here.
- An active Workspace ONE UEM service in the VMware TestDrive portal.
- An active Office 365 service in the VMware TestDrive portal.
- Android device:
  - Highly recommended OS level: Android 7.0+
  - Minimum OS level: Android 5.0
  - If Android 6.0 or under: encrypt the device beforehand.
- Install Microsoft Excel, or other Office 365 app, from Google Play.
- No existing device record in TestDrive.
- Either the AirWatch Agent or VMware Workspace ONE (see Adaptive Management guide) from Google Play.
- Workspace ONE UEM enrollment email address: firstname.lastname@example.org
- Admin role in wsuem.vmtestdrive.com: Device Administrator at World Wide Enterprises
- Network access from your device and TCP port 443 enabled on your network
- In order to launch into the Horizon apps, TCP ports 80 and 7443 must be enabled on your network
- The platform guide for reference.
As we are all aware, whether by corporate directive or user preference, personal device usage is becoming commonplace in the enterprise. The key to this situation is that the device contains both personal information that the enterprise neither wants nor needs to control and enterprise data that must not be compromised.
The Android solution, as of Android 5.0 (API level 21), is to create managed profiles on devices.
Android enterprise APIs are built into the Android OS and managed by Workspace ONE UEM at no extra cost.
There are two modes for Android enterprise. This walkthrough covers the work profile.
- The work profile is created on devices already set up with a consumer (personal) persona, which is why it is referred to and used as the BYOD mode.
- Corporate-owned devices with no need for a consumer persona are enrolled—after a factory reset—as a Work Managed Device. The organization has 100% control of the device and apps.
Device Provisioning
Android has two enrollment options: Work profile enrollment and Work Managed Device enrollment, each with additional enrollment options to suit an organization's needs. Work profile enrollment is the typical enrollment and is the one discussed in this walkthrough. It is used when the device already has Android running with a consumer persona on it. Work Managed Device enrollment is used on factory-reset, corporate-owned devices.
- Work profile enrollment follows a familiar process initiated with either the AirWatch Agent or VMware Workspace ONE:
  - AirWatch Agent (shown in this guide)
  - Workspace ONE Adaptive Management (guide here)
  - Workspace ONE Direct Enrollment (coming soon; similar procedure to the AirWatch Agent)
Download and install the AirWatch Agent from Google Play. Use your Workspace ONE UEM enrollment email to initiate enrollment.
Workspace ONE UEM enrollment email, e.g., firstname.lastname@example.org
Choose your enrollment OG (organization group), BYOD. When an Android device is already configured with a consumer persona it receives the work profile: a work container adjacent to the personal space. Therefore, an Android device with the work profile is referred to as a BYO device.
Authenticate with your TestDrive user credentials.
After successful authentication, you'll be guided through creating the work profile on the device. If your device runs a version below Android 7.0 and is not encrypted, you'll be walked through the device encryption process.
Continue to accept the prompts until enrollment is completed.
Work Passcode
- The work profile is a container, protecting only work apps and data.
- For Android 7.0+ devices, Workspace ONE UEM can manage a work passcode profile, of configurable complexity, for the containerized apps.
The work passcode applies only to work apps so users don't have to enter complex passwords each time they unlock their BYO device.
After enrollment, the first thing the user is required to do is to set the work passcode.
Upon device lock, Android will lock down all work apps with the Workspace ONE UEM managed work passcode profile.
After resuming the device, the user is able to use all personal apps, but the work apps will remain locked until authenticated with the work PIN.
- Workspace ONE UEM device profiles configured for the Android work profile apply only to the work-badged apps and do not affect the user's personal apps or settings unless you configure profiles at the device level.
- Depending on Android API level and OEM, your view of the containerized work apps will vary. All work apps are badged with the red/white briefcase icon.
Note the apps that have been set to deploy automatically: each begins installing, almost instantaneously, as enrollment completes.
Profiles are set up in an instant, both securing the containerized work apps and providing their functionality.
Work vs Personal
- This managed profile, or work profile, is a separate container from the user’s personal space.
- Workspace ONE UEM restrictions profiles provide a second layer of device data protection by allowing you to specify and control how, when and where employees use their devices.
- The work profile is a secure area on the device providing native DLP. Coupling native with optional Workspace ONE UEM DLP app security, admins can provide twice the fortification of an organization’s critical data.
- DLP controls are intended to reduce accidental data loss, the leading cause of data loss.
Use Boxer to demonstrate containerization of work apps versus personal apps. After completing the initial Boxer configuration, which authenticates with a certificate managed by Workspace ONE UEM, open an email and copy some text from its body. Demonstrate that the text is on the clipboard by pasting it into another email.
Open a personal app that accepts paste, such as personal Gmail. Attempt to paste. A paste option will not be present.
VMware Boxer
- Boxer provides the holy grail of enterprise email: a great user experience + enterprise grade security.
- Bulk actions, calendar availability, predictive folders, and customizable settings are just a few of the coveted usability functions in Boxer.
- 256-bit encryption
- Built-in compliance engine allows for Workspace ONE UEM to block or wipe Boxer enterprise data.
VMware Browser
- The VMware Browser app allows you to access important websites on your device while allowing your organization to ensure you're maximizing your productivity.
- In tandem with the VMware Tunnel, Browser securely accesses internal corporate websites.
- Browser may be configured in either restricted mode or kiosk mode.
Note the landing page is hosted on an internal server. Copy the internal URL and paste it into a personal side browser and watch it fail.
Browser is set up in restricted mode. Tap either the Facebook or Twitter link to show they are blacklisted.
Application Control
- Application Control allows admins to set up certain apps as “required” apps.
- A required app cannot be uninstalled by the user.
- Because ALL app installs are, by design, admin controlled, setting up “required” apps prevents users from accidentally removing critical business apps.
Both VMware Browser and VMware Workspace ONE are set up as required apps. Attempt to uninstall either one and show the prevented uninstallation.
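As an added illustration (this is not Workspace ONE UEM's code), the Android enterprise profile-owner calls that produce the three behaviours demonstrated above: the work passcode policy, the blocked paste from work into personal apps, and required apps that the user cannot uninstall. The DPC receiver class and the package names are hypothetical placeholders, and the code must run inside the DPC app that owns the work profile.

```java
// Added illustrative example, not Workspace ONE UEM's code: the DevicePolicyManager
// calls a profile-owner DPC issues in the work profile to obtain the behaviour
// this walkthrough demonstrates. Receiver class and package names are placeholders.
import android.app.admin.DevicePolicyManager;
import android.content.ComponentName;
import android.content.Context;
import android.os.UserManager;

public final class WorkProfilePolicy {
    private final DevicePolicyManager dpm;
    private final ComponentName admin;

    public WorkProfilePolicy(Context ctx) {
        this.dpm = (DevicePolicyManager) ctx.getSystemService(Context.DEVICE_POLICY_SERVICE);
        // Hypothetical DeviceAdminReceiver of the DPC; a real DPC names its own receiver.
        this.admin = new ComponentName(ctx, "com.example.dpc.AdminReceiver");
        // Every call below is a profile-owner API; fail fast if we are not the owner.
        if (!dpm.isProfileOwnerApp(ctx.getPackageName())) {
            throw new IllegalStateException("caller is not the profile owner of this work profile");
        }
    }

    /** Work passcode: on Android 7.0+ with a separate work challenge, profile-owner
     *  password policy governs the lock on the work apps, not the device lock. */
    public void requireWorkPin(int minLength) {
        dpm.setPasswordQuality(admin, DevicePolicyManager.PASSWORD_QUALITY_NUMERIC_COMPLEX);
        dpm.setPasswordMinimumLength(admin, minLength);
    }

    /** Native DLP shown in the Boxer demo: clipboard contents cannot cross into personal apps. */
    public void blockCrossProfilePaste() {
        dpm.addUserRestriction(admin, UserManager.DISALLOW_CROSS_PROFILE_COPY_PASTE);
    }

    /** Application Control: "required" apps the user cannot uninstall. */
    public void markRequired(String... packages) {
        for (String pkg : packages) {
            dpm.setUninstallBlocked(admin, pkg, true);
        }
    }

    /** Check used to confirm the policy took effect after applying it. */
    public boolean isRequired(String pkg) {
        return dpm.isUninstallBlocked(admin, pkg);
    }

    /** Applies the three policies; package names are placeholders, not the real apps' ids. */
    public static void apply(Context ctx) {
        WorkProfilePolicy p = new WorkProfilePolicy(ctx);
        p.requireWorkPin(6);
        p.blockCrossProfilePaste();
        p.markRequired("com.example.browser", "com.example.workspaceone");
    }
}
```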
Native App Certificate Based Authentication (CBA)
- Provide seamless access to all enterprise apps with Workspace ONE with configurable certificate and/or username/password authentication.
- Allow only managed access to Office 365 native apps. Only the managed app is allowed to authenticate to the Office 365 instance—not Office 365 personal apps.
- Access is automatically revoked as soon as the device is detected as compromised, a user is deactivated, or a device is enterprise wiped.
AppConfig is not currently supported by Office 365 apps. So, to initiate Office 365 access, you must enter your TestDrive Office 365 email address:
With an available managed Office 365 app (Outlook, Excel, Word, or PowerPoint), use your TestDrive Office 365 email address to initiate the app sign-in. At the certificate prompt, select the user certificate managed by Workspace ONE UEM to access the Office 365 instance.
To demonstrate managed access, attempt login to the same Office 365 app on the personal side. The app will not be allowed to authenticate.
No cert. No access.
VMware Workspace ONE SSO
- Workspace ONE provides simple and secure access to all enterprise apps: enterprise grade security on the back end, but consumer simple on the front end.
- You’ve already signed into Workspace ONE, so there’s no more need to sign in to your apps.
- Multi-factor authentication (MFA) is also configurable to harden your most secure apps.
Android Mobile SSO for apps is currently undergoing investigation and should be available soon.
Authenticate to Workspace ONE using your TestDrive credentials.
Using the Salesforce web app, you should be authenticated with the user certificate on the device, demonstrating Workspace ONE SSO.
If using the Salesforce mobile app, which falls back to password authentication, be advised that although Workspace ONE UEM's AppConfig setting successfully sets the Salesforce instance, the app does not apply it. To apply it, launch the Salesforce app, accept the Terms, then open the app's settings menu in the upper right corner > change server > apply.
VMware Tunnel and Per-app VPN
- In order to keep corporate data secure and entirely within the enterprise, designated apps may be configured with per-app VPN, so that their traffic is securely tunneled into the remote enterprise network.
- Per-app VPN uses the VMware Tunnel and is easily set up in a Workspace ONE UEM app configuration.
First, ensure the VMware Tunnel app's configuration has completed successfully. Launch the Tunnel and show its configuration.
In Workspace ONE, find the HR Form website and open it with Firefox.
(HR Form's URL: http://demo-awmag-1.vmwdemo.int/form.html)
Note the VPN tunnel connection key icon on the device's status bar. Also, in the VMware Tunnel app, where VPN status is monitored, the "Enterprise Server" status will change to "connected."
You should be granted access to the internal site hosting the HR form.
To demonstrate the containerized per-app VPN, outside of the work profile, open a browser on the personal side of the device. Enter the same URL. The personal browser will not be able to connect to the HR form.
Chrome Settings
- Chrome, Android enterprise's native browser, may be customized, as well as restricted, like an internal corporate browser.
- Chrome’s cookie handling, pop-ups, JavaScript, images, password manager, history, search parameters, incognito mode, and much more can be configured by Workspace ONE UEM.
Open Chrome, go to the menu, and show incognito mode is unavailable. Also, if you browse to either facebook.com, twitter.com, or pinterest.com they will be blocked.
Gmail for Exchange
- Workspace ONE UEM Gmail configuration supports Microsoft EAS.
- Organizations can provide users a familiar and often-preferred email client for business use.
- Gmail replaces Google Divide, which has been deprecated.
The Gmail profile is an optional profile. Push the profile to the device. After the profile is installed, the Gmail app appears in the work profile already configured and ready to demo.
Console Configuration
- Modern Android enterprise management configuration is a simple setup. Google console administration is no longer required.
- If you have no Google presence whatsoever, a quick, guided creation of a new Gmail account, initiated from the Workspace ONE UEM console, kicks off a fully automated Google-AirWatch registration process.
- System configuration can be completed in about one minute.
The "Device Administrator at World Wide Enterprises" role does not provide access to this system setting. To view this and other system settings, you may use your Workspace ONE UEM Sandbox which is available in the TestDrive portal under the "Sandbox Experiences" section.
During enrollment, the AirWatch Agent intelligently detects the enrollment group’s Android registration status and initiates work profile creation on the device.
App Management
- All of Google’s vetted public applications are available for Android enterprise. Same apps with the same functionality. Administrators approve apps for organizational use.
- Public apps can be approved in a couple of ways:
  - In Workspace ONE UEM the familiar app management flow can be followed, with the addition of a couple of streamlined Google Play for Work approval steps. The admin never leaves the Workspace ONE UEM console.
  - Apps can be approved directly in Google Play. After Google Play approval, in Workspace ONE UEM, the apps are imported in bulk by the admin, who then completes their setup using standard Workspace ONE UEM app management.
- Internal apps, such as apps pushed to beta testers, are also managed through Google Play, but are not available to the public. Internal apps are managed in the Google Play Developer Console using the same Android enterprise registration account.
- As of Workspace ONE UEM 9.2, with Work Managed Device enrollment for corporate-owned devices, internal apps can be pushed from Workspace ONE UEM's internal app management.
The "Device Administrator at World Wide Enterprises" role doesn't provide access to app administration. To view this and other protected areas, remember to use your sandbox with the AirWatch Administrator role.
Below is a screenshot from searching for and approving a public app within the familiar Workspace ONE UEM app flow. Note the "unapprove (approve)" and "approval preferences" functions which are the app management controls unique to Google Play for Work.
Below is the app admin view after apps are first approved in Google Play for Work. In Workspace ONE UEM, admins simply click "Import from Play" to add all the work apps. After import, apps are available for assignment.
Enterprise Wipe
- Enterprise wiping a device removes all corporate data and control from the device—NO personal data is touched.
- An enterprise wipe may be either manually performed by an admin or, if allowed by policy, a user.
- An enterprise wipe may be configured to be triggered via compliance policy.
Push an enterprise wipe command to the device from the console.
On the device, note the removal of ONLY the corporate data. No data or apps outside of the work profile were ever touched.