In this walkthrough we're going to show you how to demonstrate the adaptive management features of Workspace ONE on your Android device. The demo begins with a Workspace ONE registration on an unmanaged device, where we'll review the standalone mobile application management (MAM) features. Then, we'll access a native app with restricted access, requiring Workspace ONE UEM (formerly VMware AirWatch) management.
Please ensure you have the following:
- A valid VMware TestDrive account. Sign up here.
- An active Workspace ONE UEM service in the VMware TestDrive Portal.
- Android device:
- Highly recommended OS level: Android 7.0+
- Minimum OS level: Android 5.0. If Android 6.0 or under, encrypt the device.
- Workspace ONE UEM Admin Role: Device Administrator at World Wide Enterprises
- Network access from your device and TCP port 443 enabled on your network
- In order to launch into the Horizon apps within Workspace ONE, TCP ports 80 and 7443 must be enabled on your network
- If you have questions, please send an email to this address.
With VMware Workspace ONE adaptive management, users are enabled to have access to all of their applications without enrolling their device. Upon selecting an application that requires enhanced management, the user will be prompted for installation of Workspace Services. Subsequently, enrollment into Workspace ONE UEM will occur, creating the work profile on the device.
Android Workspace ONE app Adaptive Management is supported only by Android in the enterprise (formerly, Android for Work).
Workspace ONE Registration & MAM
- Streamlined Workspace ONE user registration provides unmanaged access to all an organization's apps. Users have the same Workspace ONE experience across any platform.
- The VMware Workspace ONE catalog contains all the app resources that have been entitled to users. Users access enterprise applications that are managed in the Workspace ONE catalog based on the settings established for the application in VMware Identity Manager.
- Workspace ONE performs the following and more:
- Access to Web/Horizon/Citrix/native apps
- Single Sign On (SSO)
- Superior User Experience
- Consumer-simple on-boarding
- Spotlight Search
- Option to passcode lock
- Compromise detection (MAM case)
- Ability to categorize applications
- When an unmanaged device is out of compliance, Workspace ONE UEM quickly takes action to protect company data. When a violation is detected, all company data is removed from the Workspace ONE app, Workspace ONE UEM productivity apps (e.g., Boxer) and any custom app built using the Workspace ONE UEM SDK.
On the device, navigate to Google Play and download VMware Workspace ONE. Authenticate with your TestDrive credentials. Launch Workspace ONE and register the app to the WorkspaceONE instance your TestDrive Workspace ONE UEM enrollment email address.
Authenticate with your TestDrive credentials. Choose BYOD enrollment.
Workspace ONE will configure.
In the Workspace ONE UEM Console, using the Device Administrator at World Wide Enterprises role, show the view of the Workspace ONE registered device. Since the device does NOT have workspace services installed, note the limited amount of information gathered and lack of management functionality. Click on the profiles tab and show the absence of profiles on the device: No management...no profiles.
Back on the device, review the Workspace ONE interface. In Bookmarks, users setup links their most used virtual and web apps. From the Catalog, users add web and virtual apps to Bookmarks; as well, native app installation is initiated from the Catalog.
To further demonstrate MAM functionality, go to the Workspace ONE Catalog and scroll through. Pick a Horizon VDI app, and add it to the Bookmarks page. Launch the app and discuss the streamlined entry into the app, all managed by VMware Identity Manager.
Workspace ONE Adaptive Management
- Workspace ONE Adaptive Management empowers the user to decide if and when they want to enroll their device, based on the application they want to access.
- The Workspace ONE Adaptive Management feature ensures that apps requiring additional device security, such as multi-factor authentication, have all necessary protections without disrupting the user's workflow.
- Prior to installation of Workspace Services, the Workspace ONE app displays what will be received as well as privacy settings. Users can view the privacy settings--what their organization can and cannot see--by tapping on the “your privacy” link before enrollment.
As you just saw, some apps may not be deemed a security risk, and therefore do not require Workspace Services (device management). Other apps, like the native Boxer app, the organization's email, require device management in order to be accessed. VMware Identity Manager polices dictate what apps require management or not.
Native apps that require management are denoted by a star * badge. In order to use one of those apps, you must first "step up" security on the device by installing Workspace Services (enrolling into Workspace ONE UEM). Workspace ONE will notify the user and initiate the Workspace ONE UEM enrollment when you attempt to access the app.
Only native apps can initiate adaptive management enrollment from Workspace ONE.
Clicking on a app, e.g., a web app, that requires workspace services, will trigger a notification to enroll the device. The notification message is configurable.
To initiate installation of Workspace Services, in the Workspace ONE catalog, find Boxer (note the *) and drill into it. Tap "install." Review the "Enable Workspace Services" screen.
Step through the device's enrollment into Workspace ONE UEM (here's where an Android 7.0+ device is a huge benefit). Workspace ONE will initiate the creation of the work profile on the device. If your device is not encrypted, Android will walk your you through the encryption process (Android 7.0 devices use file based encryption resulting in no waiting for an encryption process, as with the prior utilized full disk encryption.).
Be sure to select the BOYD OG when prompted during enrollment.
After Workspace ONE UEM enrollment completes, enter the newly created, work-badged Workspace ONE app. Do not use the enrollment-initiating Workspace ONE app, which will be grayed out; if you do, you'll be presented with an error.
Back in Workspace ONE, you should be presented with the Boxer app installation's confirmation. Install it. The app will install silently, as all Android enterprise apps do.
Workspace Services Managed Device
After Boxer installs, you'll see the app badged with the Android "work" icon, along with other enterprise apps enabled in the work profile. Notice the initially-installed Workspace ONE app is now disabled (grayed out), having been replaced by Workspace ONE in the work profile.
Open Boxer and demonstrate the streamlined user access. There is no user interaction or credentials entry required. Both the app's settings and authentication certificate are configured by Workspace ONE UEM. VMware Identity manager provides SSO.
While in the Boxer app, attempt a screen shot. Show that it's been restricted. This DLP restriction is set by Workspace ONE UEM's management of the Work profile.
Go back to the Workspace ONE Catalog. Review the list apps and, since the device is enrolled, show that all apps are available.
- AppConfig is an initiative to standardize app development for easy configuration, security, and connectivity. By leveraging this standard, Workspace ONE UEM can push managed app configuration (AppConfig) in the form of key/value pairs or XML from Workspace ONE UEM directly to their apps.
- Without AppConfig's streamlined configurations, users and organizations lose time and money over support costs.
Now that the device is managed, you may additionally show AppConfig.
There are known issues actively being worked on with AppConfig in Android enterprise. Please familiarize yourself with the behavior of Salesforce1 native app.
To demonstrate, from Workspace ONE, install the Salesforce1 native app.
Launch Salesforce1 and accept the Terms. As Salesforce1 is opening, quickly access the app's settings menu on the upper right corner. Tap Change Server.
Review the server address, discuss how Workspace ONE UEM set Salesforce1's instance via AppConfig. (The app may not apply the AppConfig instance setting. You should apply this setting here.)
After the app configs, you'll be directed to the VMware Identity Manager username/password sign-in page. Enter your TestDrive username and password.
Mobile SSO is being investigated. Currently, the app is setup for username/password authentication.
Use this current setup to speak to VMware Identity Manager authentication as being configurable. In this case, users are required to authenticate, unlike other apps such as Boxer.
Back in the console, as an administrator, show the device's status change. Note the appearance of the numerous support tabs and the wealth of device information.
At this point your device has access to all OS level MAM features including app config, remote commands, compliance policies, and more. All apps will be available for download from the Workspace ONE catalog.
- Enterprise wiping a device removes all corporate data and control from the device—NO personal data is touched.
- An enterprise wipe may be either manually performed by an admin or, if allowed by policy, a user.
- An enterprise wipe may be configured to be triggered via compliance policy.
While in the Workspace ONE UEM Console, issue an enterprise wipe command. If Workspace ONE is not open you'll need to open it so that it can receive the command (Killing then opening it it may also be needed to force communication from app to console.).
Discuss how not only all organizational app access is now removed, but also the work profile has been removed. Also, be sure to state that no personal data was ever touched. All that remains is the initially installed Workspace ONE app, which should be disabled (grayed out).
After the demo, be sure to delete your device record per the following procedure:
- On the device, open Workspace ONE, go to settings, and "Remove Account."
- In the Workspace ONE UEM console, delete your device record.