This walkthrough describes Workspace ONE UEM (formerly VMware AirWatch) Check-In Check-Out functionality, commonly known as the multi-user shared device use case, typically found in financial services organizations.
In the typical check-in/check-out scenario, a device is staged for sharing in a locked down state. To use the device, a user authenticates, and then the device provisions with the designated apps, profiles, content, etc. needed by the user. When the user is done with the shared device, he checks it back in, and the device returns to its locked down state, checked-in, until another user authenticates.
Here's what you need in order to complete this demo:
- A supervised iOS device (iPad recommended) with a reliable data connection. iOS device supervision instructions are here.
- An active VMware TestDrive account. Sign up here if you don't have one.
- An active Workspace ONE UEM service in the TestDrive portal.
- A screen sharing method:
- Mac: Tether iOS device and use Quicktime.
- Windows: External camera is recommended.
- Demo users and OG (quick reference):
Enrollment & Staging
On the iPad, open the App Store and download the AirWatch Agent to your device.
Launch the AirWatch Agent and initiate enrollment. Enroll using the Email Address option from within the AirWatch agent.
Enter the TestDrive email address for the staging user:
Next, at the drop-down screen, choose the group:
Finance - Corporate Owned Demo
Next, at the VMware Identity Manager prompt, enter the staging user's credentials:
You'll be walked through the enrollment screens. Proceed until enrollment is complete. Accept ALL prompts.
After the device has completed enrollment, it will provision with the shared device profile causing the agent to lockdown the device.
If you don't have a passcode on the device already, a profile will prompt you to set a simple passcode.
The device is now ready to be checked out.
From the AirWatch Agent, login with the banker account:
The device will be provisioned with apps and profiles specific to a banker (or "trader") user case.
Launch Workspace ONE and authenticate with banker. Discuss the Bookmarks view and its purpose to provide quick access to web apps, Horizon apps (RDSH, thin, and VDI). Segue to the Catalog...
Review the Catalog and discuss how this comprehensive app view is where all the user's apps are made available. Native apps, which don't show up in Bookmarks, are available for installation.
While mentioning the types of apps available, be sure to state the configurable deployment methods for native apps, either manual or automatic. Automatically deployed native apps should either already have installed or are still installing. Push one of the native apps setup for manual deployment, such as J.P Morgan Execute or E*TRADE Mobile.
Discuss how Workspace ONE provides access to ALL apps: RDSH, thin apps, VDI, native apps, and web apps.
Quickly tab back to Workspace ONE's Catalog and launch the RDSH app Interactive Broker's Trader Workstation.
Trader Desktop is provisioned for demonstration purposes only, i.e., there's no demo account.
Exit Workspace ONE and return to the home screen. After banker is done using the device, he needs to check it back in to secure the device and remove all content.
To check-in the device, launch the AirWatch Agent. From the Shared Device menu, tap Log out.
After logging out, the device will resume the locked down state.
Please note, device lockdown is dependent on the profile re-pushing and subsequent agent configuration. Depending on network conditions, the lockdown may take a few moments.
Check-out the device as teller. This user's access will be limited to the apps his job requires.
Note the provisioning and access differences between teller and banker. Same device. Completely different access. Mention that there's no more access to regulated apps such as Interactive Broker's Trader desktop.
Launch T-Mobile by Temenos to access the sole financial services app provisioned.
T-Mobile by Temenos is provisioned for demonstration purposes only. There's no demo account.
The Workspace ONE UEM console provides access to a myriad of administrative functions. Briefly review searching for devices.
Go to your device list, Devices > List View. If necessary, filter out the view with search criteria, such as the user name banker.
Drill into the device and briefly discuss the tabs.
In a shared device scenario, devices may either accidentally or not-so-accidentally "walk off." VWorkspace ONE UEM compliance policies can be used to trigger and enterprise wipe which removes organizational data if a device if it leaves, say, a managed network.
From the admin console, navigate to the devices details for your device. Please take care not to wipe the wrong device.
Manually send an enterprise wipe from the console. The device will have all sensitive data and user account access removed.