This walkthrough will guide you through Android enterprise device management in TestDrive as seen in a typical BYOD use case. Both VMware AirWatch and Google recommend Android enterprise, formerly Android for Work, as the official Android management solution.
- Before You Begin
- Work Passcode
- Device Provisioning
- Work vs Personal
- VMware Boxer
- VMware Browser
- Application Control
- Native App Certificate Based Authentication
- VMware Workspace ONE SSO
- VMware Tunnel and per-app VPN
- Chrome Settings
- Gmail for Exchange
- Console Configuration
- App Management
- Enterprise Wipe
Before You Begin
Here's what you need:
- A TestDrive account. Sign up here.
- An active VMware AirWatch service in the VMware TestDrive portal.
- An active Office 365 service in the VMware TestDrive portal.
- Android device:
- Highly recommended OS level: Android 7.0+
- Minimum OS level: Android 5.0.
- If Android 6.0 or under: encrypt the device beforehand.
- Install Microsoft Excel, or other Office 365 app, from Google Play.
- No existing device record in TestDrive.
- Either the AirWatch Agent or VMware Workspace ONE (see Adaptive Management guide) from Google Play.
- AirWatch enrollment email address: email@example.com
- Admin role in airwatch.vmtestdrive.com: Device Administrator at World Wide Enterprises
- Network access from your device and TCP port 443 enabled on your network
- In order to launch into the Horizon apps, TCP ports 80 and 7443 must be enabled on your network
- The platform guide for reference.
As we are all aware, either by corporate directive or user desire, personal device usage is becoming commonplace in an enterprise setting. They key to this situation is that the device contains both personal information that the enterprise neither wants nor needs to control and enterprise data that must not be compromised.
The Android solution, as of Android 5.0 (API level 21), is to create managed profiles on devices.
Android enterprise APIs are built into the Android OS and managed by VMware AirWatch at no extra cost.
There are two modes for Android enterprise. This walkthrough entails the work profile.
- The work profile is created on devices that have Android configured with the consumer persona, therefore it's referred to and used as BYOD.
- Corporate-owned devices with no need for a consumer persona are enrolled—after a factory reset—as a Work Managed Device. The organization has 100% control of the device and apps.
Android has two enrollment options: Work profile enrollment and Work Managed Device enrollment, each having additional enrollment options to suit an organization's needs. Work profile enrollment is the typical enrollment and is discussed in this walkthrough. Work profile enrollment is used when the device already has Android running with a consumer persona on it. Work Managed Device enrollment is used on factory reset, corporate-owned devices.
- Work profile enrollment follows a familiar process initiated with either the AirWatch Agent or VMware Workspace ONE.
- AirWatch Agent (shown in this guide)
- Workspace ONE Adaptive Management (guide here)
- Workspace ONE Direct Enrollment (coming soon...similar procedure as with the AirWatch Agent)
Download and install the AirWatch Agent from Google Play. Use your AirWatch enrollment email to initiate enrollment.
AirWatch enrollment email: firstname.lastname@example.org E.g., email@example.com
Choose your enrollment OG, BYOD. When an Android device is already configured with a consumer persona it receives the work profile: a work container adjacent to the personal space. Therefore, an Android device with the work profile is referred to as a BYO device.
Authenticate with your TestDrive user credentials.
After successful authentication, you'll be guided through creating the work profile on the device. If your device is less than 7.0, and it's not encrypted, you'll be walked through the device encryption process.
Continue to accept the prompts until enrollment is completed.
- The work profile is a container, protecting only work apps and data.
- For Android 7.0+ devices, VMware AirWatch can manage a work passcode profile, of configurable complexity, for the containerized apps.
The work passcode applies only to work apps so users don't have to enter complex passwords each time they unlock their BYO device.
After enrollment, the first thing the user is required to do is to set the work passcode.
Upon device lock, Android will lock down all work apps with the VMware AirWatch managed work passcode profile.
After resuming the device, the user is able to use all personal apps, but the work apps will remain locked until authenticated with the work PIN.
- VMware AirWatch device profiles configured for the Android work profile only apply to the work badged apps and not affect the users personal apps or settings unless you configure profiles at the device level.
- Depending on Android API level and OEM, your view of the containerized work apps will vary. All work apps are badged with the red/white briefcase icon.
Note the apps which have been set to automatically deploy. Each, seemingly instantaneously, was installing as enrollment was completing.
Profiles setup in an instant, both securing and providing functionality to the containerized work apps.
Work vs Personal
- This managed profile, or work profile, is a separate container from the user’s personal space.
- VMware AirWatch restrictions profiles provide a second layer of device data protection by allowing you to specify and control how, when and where employees use their devices.
- The work profile is a secure area on the device providing native DLP. Coupling native with optional AirWatch DLP app security, admins can provide twice the fortification of an organization’s critical data.
- DLP controls are intended to reduce accidental data loss, the leading cause of data loss.
Use Boxer to demonstrate containerization of work apps versus personal. After completing the initial Boxer configuration, which authenticates with a cert managed by VMware AirWatch, open an email and copy some text from its body. Demonstrate that there is text on the clipboard by pasting in another email.
Open a personal app that accepts paste, such as personal Gmail. Attempt to paste. A paste option will not be present.
- Boxer provides the holy grail of enterprise email: a great user experience + enterprise grade security.
- Bulk actions, calendar availability, predictive folders, and customizable settings are just a few of the coveted usability functions in Boxer.
- 256-bit encryption
- Built-in compliance engine allows for AirWatch to block or wipe Boxer enterprise data.
- The VMware Browser app allows you to access important websites on your device while allowing your organization to ensure you're maximizing your productivity.
- In tandem with the VMware AirWatch Tunnel, Browser securely accesses internal corporate websites.
- Browser may be configured in either restricted mode and kiosk mode.
Note the landing page is hosted on an internal server. Copy the internal URL and paste it into a personal side browser and watch it fail.
Browser is setup in restricted mode. Tap either the Facebook or Twitter link to show they are blacklisted.
- Application Control allows admins to set up certain apps as “required” apps.
- A required app cannot be uninstalled by the user.
- Because ALL app installs are, by design, admin controlled, setting up “required” apps prevents users from accidentally removing critical business apps.
Both VMware Browser and VMware Workspace ONE are setup as required apps. Attempt to uninstall either one and show the prevented uninstallation.
Native App Certificate Based Authentication (CBA)
- Provide seamless access to all enterprise apps with Workspace ONE with configurable certificate and/or username/password authentication.
- Allow only managed access to Office 365 native apps. Only the managed app is allowed to authenticate to the Office 365 instance—not Office 365 personal apps.
- Access is automatically revoked as soon the device is detected as compromised, a user becomes de-activated, or a device is enterprise wiped.
AppConfig is not currently supported by Office 365 apps. So, to initiate Office 365 access, you must enter your TestDrive Office 365 email address:
With an available managed Office 365 app (Outlook, Excel, Word, or PowerPoint), use your TestDrive Office 365 email address to initiate the app sign-in. At the certificate prompt, select the user certificate managed by VMware AirWatch to access the Office 365 instance.
To demonstrate managed access, attempt login to the same Office 365 app on the personal side. The app will not be allowed to authenticate.
No cert. No access.
VMware Workspace ONE SSO
- Workspace ONE provides the simple and secure access to all enterprise apps. Enterprise grade security on the backend, but consumer simple on the front end.
- You’ve already signed into Workspace ONE, so there’s no more need to sign in to your apps.
- Multi-factor authentication (MFA) is also configurable to harden your most secure apps.
Regarding native apps in Android enterprise, both AppConfig and Mobile SSO for Android are undergoing further development and testing and should be available in the near-future.
Authenticate Workspace ONE using your TestDrive credentials.
Using the Salesforce web app, you should be authenticated with the user certificate on the device, demonstrating Workspace ONE SSO.
You may also install the Salesforce native app, which in the absence of Mobile SSO, will fall back to username and password authentication.
Launch Salesforce1 app and accept the Terms. As Salesforce1 is opening, quickly access the app's settings menu on the upper right corner. Tap Change Server.
VMware Tunnel and Per-app VPN
- In order to keep corporate data secure and completely within the enterprise, designated apps may be configured with per-app VPN, where its data will be securely tunneled into the remote enterprise network.
- Per-app VPN uses the VMware Tunnel and is easily setup in an AirWatch app configuration.
First, ensure the VMware Tunnel app's configuration has completed successfully. Launch the Tunnel and show its configuration.
In Workspace ONE, find the HR Form website and open it with Firefox.
(HR Form's URL: http://demo-awmag-1.vmwdemo.int/form.html)
Note the VPN tunnel connection key icon on the device's status bar. Also, in the VMware Tunnel app, where VPN status is monitored, the "Enterprise Server" status will change to "connected."
You should be granted access to the internal site hosting the HR form.
To demonstrate the containerized per-app VPN, outside of the work profile, open a browser on the personal side of the device. Enter the same URL. The personal browser will not be able to connect to the HR form.
- Chrome, Android enterprises native browser, may be customized, as well as restricted, like an internal corporate browser.
- Chrome’s cookie handling, pop-ups, java script, images, password manger, history, search parameters, incognito mode, and much more can be configured by VMware AirWatch.
Open Chrome, go to the menu, and show incognito mode is unavailable. Also, if you browse to either facebook.com, twitter.com, or pinterest.com they will be blocked.
- VMware AirWatch Gmail configuration supports Microsoft EAS.
- Organizations can provide users a familiar and often-preferred email client for business use.
- Gmail replaces Google Divide, which has been deprecated.
The Gmail profile is an optional profile. Push the profile to the device. After the profile is installed the Gmail app will appear in the work profile and appears and should be configured, ready to demo.
- Modern Android enterprise management configuration is a simple setup. Google console administration is no longer required.
- If you don’t have a Google presence whatsoever, initiated from the AirWatch console, a quick, guided creation of a new Gmail account will kick off a fully automated Google-AW registration process.
- System configuration can be completed in about one minute.
The "Device Administrator at World Wide Enterprises" role does not provide access to this system setting. To view this and other system settings, remember to use your sandbox with the AirWatch Administrator role.
During enrollment, the AirWatch Agent intelligently detects the enrollment group’s Android registration status and initiates work profile creation on the device.
- All of Google’s vetted public applications are available for Android enterprise. Same apps with the same functionality. Administrators approve apps for organizational use.
- Public apps can be approved in a couple ways:
- In AirWatch the familiar app management flow can be followed, with the addition of a couple streamlined Google Play for Work approval steps. Admin never leaves the AirWatch console.
- Apps can be approved directly in Google Play. After Google Play approval, in VMware AirWatch, the apps are imported in bulk by the admin who then completes their setup using standard AirWatch app management.
- Internal apps, such as apps pushed to beta testers, are also managed thru Google Play, but are not available to the public. Internal apps are managed in the Google Play Developer Console using the same Android enterprise registration account.
- As of VMware AirWatch 9.2, with Work Managed Device enrollment for corporate-owned devices, internal apps can be pushed from VMware AirWatch's internal app management.
The "Device Administrator at World Wide Enterprises" role doesn't provide access to app administration. To view this and other protected areas, remember to use your sandbox with the AirWatch Administrator role.
Below is a screenshot from searching for and approving a public app within the familiar AirWatch app flow. Note the "unapprove (approve)" and "approval preferences" functions which are the app management controls unique to Google Play for Work.
Below is the app admin view after apps are first approved in Google Play for Work. In AirWatch, admins simply click "Import from Play" to add all the work apps. After import, apps are available for assignment.
- Enterprise wiping a device removes all corporate data and control from the device—NO personal data is touched.
- An enterprise wipe may be either manually performed by an admin or, if allowed by policy, a user.
- An enterprise wipe may be configured to be triggered via compliance policy.
Push an enterprise wipe command to the device from the console.
On the device, note the removal of ONLY the corporate data. No data or apps outside of the work profile were ever touched.