VMware Hands-on Labs - VMware AirWatch: Android Management


Lab Overview - HOL-1857-07-UEM - Workspace ONE UEM - Android Management

Lab Guidance


The modules are independent of each other so you can start at the beginning of any module and proceed from there. You can use the Table of Contents to access any module of your choosing.

The Table of Contents can be accessed in the upper right-hand corner of the Lab Manual.

Dive deep into how to provide a separation of work and personal information and apps at the Android operating system level while maintaining the consistent native user experience.  Learn how to deploy Android apps while protecting your enterprise data with security policies.

Lab Module List:

WARNING - Module 2 requires that your device be in Out of Box mode after a Factory Reset.  Please DO NOT factory reset your personal device to take this lab. Refer to the help desk to acquire a device that is already factory reset and ready to enroll into Work Managed mode. Only use devices from the help desk to enroll into Work Managed mode.

This lab manual can be downloaded from the Hands-on Labs Document site found here:

http://docs.hol.vmware.com

This lab may be available in other languages.  To set your language preference and have a localized manual deployed with your lab, you may utilize this document to help guide you through the process:

http://docs.hol.vmware.com/announcements/nee-default-language.pdf


 

Location of the Main Console

 

  1. The area in the RED box contains the Main Console.  The Lab Manual is on the tab to the Right of the Main Console.
  2. A particular lab may have additional consoles found on separate tabs in the upper left. You will be directed to open another specific console if needed.
  3. Your lab starts with 90 minutes on the timer.  The lab cannot be saved.  All your work must be done during the lab session.  However, you can click EXTEND to increase your time.  If you are at a VMware event, you can extend your lab time twice, for up to 30 minutes.  Each click gives you an additional 15 minutes.  Outside of VMware events, you can extend your lab time up to 9 hours and 30 minutes. Each click gives you an additional hour.

 

 

Alternate Methods of Keyboard Data Entry

During this module, you will input text into the Main Console. Besides directly typing it in, there are two very helpful methods of entering data which make it easier to enter complex data.

 

 

Click and Drag Lab Manual Content Into Console Active Window

You can also click and drag text and Command Line Interface (CLI) commands directly from the Lab Manual into the active window in the Main Console.  

 

 

Accessing the Online International Keyboard

 

You can also use the Online International Keyboard found in the Main Console.

  1. Click on the Keyboard Icon found on the Windows Quick Launch Task Bar.

 

 

Activation Prompt or Watermark

 

When you first start your lab, you may notice a watermark on the desktop indicating that Windows is not activated.  

One of the major benefits of virtualization is that virtual machines can be moved and run on any platform.  The Hands-on Labs utilize this benefit, and we are able to run the labs out of multiple data centers.  However, these data centers may not have identical processors, which triggers a Microsoft activation check through the Internet.

Rest assured, VMware and the Hands-on Labs are in full compliance with Microsoft licensing requirements.  The lab that you are using is a self-contained pod and does not have full access to the Internet, which is required for Windows to verify the activation.  Without full access to the Internet, this automated process fails and you see this watermark.

This cosmetic issue has no effect on your lab.  

 

 

Look at the lower right portion of the screen

 

Please check to see that your lab has finished all the startup routines and is ready for you to start. If you see anything other than "Ready", please wait a few minutes.  If after 5 minutes your lab has not changed to "Ready", please ask for assistance.

 

Module 1 - Android Enterprise - Work Profile (30 minutes)

Introduction


Android Enterprise is the feature developed by Google for Android devices running version 5.0 or later. It provides several features and configurations when integrated with AirWatch, which secures and manages devices in your organization.

Some of the features supported by Android in the enterprise are:

AirWatch can configure both a Work Profile and a Work managed mode. You will be going through the Work Profile mode in this lab.


Login to the AirWatch Console


To perform most of the lab, you will need to log in to the AirWatch Management Console.


 

Launch Chrome Browser

 

Double-click the Chrome Browser on the lab desktop.

 

 

Authenticate to the AirWatch Administration Console

 

The default home page for the browser is https://hol.awmdm.com. Enter your AirWatch Admin Account information and click the Login button.

NOTE - If you see a Captcha, please be aware that it is case sensitive!

  1. Enter your Username. This is the email address that you have associated with your VMware Learning Platform (VLP) account.
  2. Enter "VMware1!" for the Password field.
  3. Click the Login button.

NOTE - Due to lab restrictions, you may need to wait here for a minute or so while the Hands On Lab contacts the AirWatch Hands On Labs server.

 

 

Accept the End User License Agreement

 

NOTE - The following steps of logging into the Administration Console will only need to be done during the initial login to the console.

You will be presented with the AirWatch Terms of Use. Click the Accept button.

 

 

Address the Initial Security Settings

 

After accepting the Terms of Use, you will be presented with a Security Settings pop-up.  The Password Recovery Question is in case you forget your admin password and the Security PIN is to protect certain administrative functionality in the console.  

  1. You may need to scroll down to see the Password Recovery Questions and Security PIN sections.
  2. Select a question from the Password Recovery Question drop-down (default selected question is ok here).
  3. Enter "VMware1!" in the Password Recovery Answer field.
  4. Enter "VMware1!" in the Confirm Password Recovery Answer field.
  5. Enter "1234" in the Security PIN field.
  6. Enter "1234" in the Confirm Security PIN field.
  7. Click the Save button when finished.

 

 

Close the Welcome Message

 

After completing the Security Settings, you will be presented with the AirWatch Console Welcome pop-up.

  1. Click on the Don't show this message again check box.
  2. Close the pop-up by clicking on the X in the upper-right corner.

 

TUTORIAL FOLLOW ALONG - Configuring Android Enterprise in the Console


In this Lab we will be covering some of the Android For Work basic functionality.

When running on Android 5.0 Lollipop devices, Android for Work is built into the operating system with no need for an additional application.

To begin using Android for Work inside the AirWatch Admin Console, you need to register your enterprise with Google. This creates your Android for Work admin account which connects with AirWatch to manage your enterprise devices. Users will not be able to use Android for Work features from their devices until registered with AirWatch. The Android for Work setup wizard simplifies the process. To simplify your experience, this initial process has been done for you.   If you are interested in learning more about this process please talk to your AirWatch Sales Engineer or Representative.


 

Overview

IMPORTANT - You will not be able to make the configurations shown in the following steps within your lab!

This section is designed to only walk you through the process of configuring Android for Work so you can become familiar with the administrative process behind configuring Android for Work for AirWatch. Android for Work has already been configured for you in your lab environment, so no action is required on your part for this section.

Once a Google Admin Account is bound to AirWatch, you cannot reuse this Google Admin for another organization.  Due to this limitation, you would be unable to use the Google Admin Account we have already bound to AirWatch for this lab.

 

 

AirWatch Android for Work Configuration

This section will demonstrate how to configure Android for Work within the AirWatch Console.

IMPORTANT - Remember, you will not be able to make the configurations shown in the following steps within your lab!  This is for demonstration purposes only so that you can become familiar with the process.

 

Device Enrollment with Android Enterprise (Work Profile)


In this section, we will be enrolling your device with AirWatch and getting it set up with Android for Work.


 

Launching the AirWatch MDM Agent

 

Launch the AirWatch Agent app on the device.  

If you are using your own Android device and would like to test, you will need to download the agent first. Navigate to https://www.awagent.com to download the latest version of the AirWatch Agent.

 

Android Enterprise Profiles


In this section, we are going to create Android for Work profiles to ensure proper usage of devices and protection of sensitive data. Profiles serve many different purposes, from letting you enforce corporate rules and procedures to tailoring and preparing Android for Work capable devices for how they will be used.

IMPORTANT - If your device is enrolled with Android for Work, then ONLY Android for Work profiles will take effect on the device. Android device profiles will NOT take effect.


 

Verify Restrictions

Restrictions profiles provide a second layer of device data protection by allowing you to specify and control how, when and where your employees use their devices. The Restrictions profiles lock down native functionality of Android for Work devices and vary based on device enrollment.

 

Approving Applications


This section is designed to walk you through the process of approving applications for integration between AirWatch and Android for Work. Applications that you push through the integration of AirWatch and Android for Work have the same functionality as their counterparts from the Google Play Store. However, you can use AirWatch features to add functionality and security to these applications.


 

Add Public Application

 

Back in the AirWatch Console:

  1. Click on Add
  2. Click on Public Application

 

 

Publish Public App

 

Click Save & Assign.

 

Verify Work Apps


In the previous section, we learned how we can approve and push an Android application from the AirWatch Console.  In this section, we will verify that Work apps installed correctly on our enrolled Android device.


 

Confirm the Published VMware Browser Application Downloaded

 

Return to your testing Android device and confirm that the VMware Browser application has downloaded and displays as a Work app.

NOTE - Depending on lab network traffic, you may need to wait several minutes for the download to complete.

Using this process, you can rapidly approve new applications and deploy them to your users.

 

 

Open the Badged Android for Work Play Store App

 

Open your Work Play Store application on your Android device.

NOTE - The screenshot may differ depending on device model and OS.

 

 

Accept Google Play Terms of Service (IF NEEDED)

 

If you are prompted with the Google Play Terms of Service, tap Accept. Otherwise, continue to the next step.

 

 

Open Play Store Menu

 

Tap the Menu button in the top-left corner.

NOTE - The screenshot may differ depending on device model and OS.

 

 

View Play Store Work Apps

 

Tap My Work Apps from the menu.

NOTE - The screenshot may differ depending on device model and OS.

 

 

Verify VMware Browser Is Available As A Work App

 

  1. Tap Installed.
  2. Confirm that the VMware Browser application is in your list of Work applications.  You may need to scroll down to find the application.

NOTE - The screenshot may differ depending on device model and OS.

The VMware Browser app is listed as a Work app because it was approved as a Work app through the AirWatch Console while adding and assigning the application to your users.  This streamlines and rapidly improves the process of approving and deploying Work apps to your Android devices!

 

Un-enrolling Your Android Device


You are now going to un-enroll the Android device from AirWatch.

NOTE - The term Enterprise Wipe does not mean reset or completely wipe your device. This only removes the MDM Profiles, Policies, and content which the AirWatch MDM Agent controls.

It will NOT remove the AirWatch MDM Agent application from the device as this was downloaded manually before AirWatch had control of the device.


 

Enterprise Wipe (un-enroll) your Android device

 

Enterprise Wipe will remove all the settings and content  that were pushed to the device when it was enrolled.   It will not affect anything that was on the device prior to enrollment.

  1. Click Devices
  2. Expand List View
  3. Click on the checkbox next to the testuser device to select the device.

NOTE - Your Device Friendly Name will very likely be different than what is shown. It will, however, be in the same location as shown in the image in this step.

 

 

Find the Enterprise Wipe Option

 

  1. Click the More Actions drop down.
  2. Click Enterprise Wipe under the Management menu.

 

 

Enter your security PIN

 

After selecting Enterprise Wipe, you will be prompted to enter your Security PIN, which you set after you logged into the console.   Note that on the screen you will see a check box to Prevent Re-Enrollment. Do NOT check this check box.

Enter your PIN ("1234") in the boxes. You will not need to press enter or continue. The console will confirm your PIN by showing Successful and then pop up the window showing that an Enterprise Wipe has been requested.

Your Android device has now been successfully un-enrolled from AirWatch.

 

Learn More about Android Enterprise


This is just a sampling of the functionality you will see with Android Enterprise integrated with AirWatch. To learn more about features and functions please contact your AirWatch representative or visit our website at https://www.air-watch.com or the website for Android Enterprise at https://www.android.com/enterprise.


Conclusion


The work profile is designed specifically for personal (BYOD) devices. Using Android in the enterprise, AirWatch creates a "Work profile", a container which separates the personal space and the corporate space in a device. AirWatch can fully control the work profile but has zero control over the personal profile.


Module 2 - Android Enterprise Work Managed Enrollment (30 minutes)

PLEASE READ - DISCLAIMER BEFORE TAKING THIS MODULE


Work Managed mode requires the following software and hardware:

  1. Android device 5.0 or higher.
  2. Device must be factory reset in out of the box mode.

Please read the warning from the next step.

WARNING - Please DO NOT factory reset your personal device to take this lab. Refer to the help desk to acquire a device that is already factory reset and ready to enroll into Work Managed mode. Only use devices from the help desk to take this module.


Introduction


Android Enterprise is the feature developed by Google for Android devices running version 5.0 or later. It provides several features and configurations when integrated with AirWatch, which secures and manages devices in your organization.

Some of the features supported by Android in the enterprise are:

AirWatch can configure both a Work profile and a Work managed mode. You will be going through the Work managed mode in this lab.


Work Managed Enrollment Methods


Work Managed Device mode gives AirWatch control of the entire device.

There are several ways to enroll Work Managed devices: using AirWatch Relay to perform an NFC bump, using an AirWatch Identifier or token code, or scanning a QR code. Your business requirements determine which enrollment methods you will want to use.


 

AirWatch Relay

AirWatch Relay is an application that passes information from parent devices to all child devices being enrolled into Android for Work. This process is done through an NFC bump and provisions child devices to:

AirWatch Relay allows you to bulk enroll all child devices at the same time before deploying them to end users and eliminates end users from having to enroll their own devices. All child devices must be in factory reset mode and have NFC enabled by default in order to be enrolled as Work Managed Device for Android for Work. This helps ensure that devices are not set up for personal use.

 

 

AirWatch Identifier

The AirWatch Identifier enrollment method is a simplified approach to enrolling Work Managed devices. You will enter a simple identifier, or hash value, on a factory reset device. After the identifier is entered, the enrollment is automated, pushing down the AirWatch Agent. The user only has to enter server details, username and password.

Along with the identifier, you can also enroll on behalf of the end user by doing Single-User Device Staging. This method is particularly useful for administrators who set up multiple devices for an entire team or single members of a team. Such a method saves the end users the time and effort of enrolling their own devices.

 

 

QR Code

Devices such as tablets do not support NFC, so these devices cannot use the AirWatch Relay enrollment method which requires NFC bump.

QR code provisioning is an easy way to enroll a fleet of devices that do not support NFC. The QR code contains a payload of key-value pairs with all the information that is needed for the device to be enrolled. QR Code enrollment does not require a managed Google domain or a Google account. You should create the QR code before starting enrollment. You can use any online QR Code generator, such as Web Toolkit Online, to create your unique QR code. The QR code should include the Server URL and Group ID information. You can also include the username and password or the user will have to enter their credentials.
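
The key-value payload described above can be reviewed before it is turned into a QR code. The following is an added example, not part of the lab manual or of AirWatch: it audits a provisioning payload for settings that weaken enrollment, such as embedded credentials or an unpinned agent download. The `android.app.extra.PROVISIONING_*` keys are the standard Android provisioning extras; the names inside the admin extras bundle (`server_url`, `group_id`, `password`), the component name, the checksum and the URLs are hypothetical placeholders.

```python
import json
from urllib.parse import urlparse

# Standard Android device-owner provisioning extras.
P = "android.app.extra.PROVISIONING_"
COMPONENT = P + "DEVICE_ADMIN_COMPONENT_NAME"
DOWNLOAD = P + "DEVICE_ADMIN_PACKAGE_DOWNLOAD_LOCATION"
SIG_CHECKSUM = P + "DEVICE_ADMIN_SIGNATURE_CHECKSUM"
PKG_CHECKSUM = P + "DEVICE_ADMIN_PACKAGE_CHECKSUM"
EXTRAS = P + "ADMIN_EXTRAS_BUNDLE"
WIFI_PASSWORD = P + "WIFI_PASSWORD"
SKIP_ENCRYPTION = P + "SKIP_ENCRYPTION"

# Hypothetical names for the agent-specific values carried in the extras
# bundle (Server URL, Group ID, password); the real names depend on the agent.
SERVER_URL_KEY = "server_url"
GROUP_ID_KEY = "group_id"
PASSWORD_KEY = "password"


def is_https(value):
    return urlparse(str(value)).scheme == "https"


def audit_payload(text):
    """Return a sorted list of finding codes for one QR provisioning payload."""
    try:
        payload = json.loads(text)
    except json.JSONDecodeError:
        return ["not-json"]
    if not isinstance(payload, dict):
        return ["not-json"]
    findings = set()
    if COMPONENT not in payload:
        findings.add("missing-admin-component")
    location = payload.get(DOWNLOAD)
    if location is not None:
        if not is_https(location):
            findings.add("agent-download-not-https")
        # Without a checksum nothing ties the download to the expected agent.
        if not (payload.get(SIG_CHECKSUM) or payload.get(PKG_CHECKSUM)):
            findings.add("agent-download-unpinned")
    if str(payload.get(SKIP_ENCRYPTION)).lower() == "true":
        findings.add("encryption-skipped")
    # Anyone who can photograph the QR code can read secrets stored in it.
    if payload.get(WIFI_PASSWORD):
        findings.add("wifi-password-in-qr")
    extras = payload.get(EXTRAS)
    if not isinstance(extras, dict):
        extras = {}
    for key in (SERVER_URL_KEY, GROUP_ID_KEY):
        if not extras.get(key):
            findings.add("missing-" + key)
    server = extras.get(SERVER_URL_KEY)
    if server and not is_https(server):
        findings.add("server-url-not-https")
    if extras.get(PASSWORD_KEY):
        findings.add("enrollment-password-in-qr")
    return sorted(findings)


# Constructed sample payloads; every value below is a placeholder.
WEAK = json.dumps({
    COMPONENT: "com.example.agent/.AdminReceiver",
    DOWNLOAD: "http://downloads.example.com/agent.apk",
    SKIP_ENCRYPTION: True,
    EXTRAS: {SERVER_URL_KEY: "https://mdm.example.com", GROUP_ID_KEY: "lab123",
             "username": "staging-user", PASSWORD_KEY: "constructed-secret"},
})
STRONG = json.dumps({
    COMPONENT: "com.example.agent/.AdminReceiver",
    DOWNLOAD: "https://downloads.example.com/agent.apk",
    SIG_CHECKSUM: "CONSTRUCTED_PLACEHOLDER_CHECKSUM",
    EXTRAS: {SERVER_URL_KEY: "https://mdm.example.com", GROUP_ID_KEY: "lab123"},
})

if __name__ == "__main__":
    for name, sample in (("weak", WEAK), ("strong", STRONG)):
        print(name, audit_payload(sample))
```

Leaving the password out of the payload means the user enters credentials on the device, which is the alternative the paragraph above describes.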

 

Login to the AirWatch Console


To perform most of the lab, you will need to log in to the AirWatch Management Console.


 

Launch Chrome Browser

 

Double-click the Chrome Browser on the lab desktop.

 

 

Authenticate to the AirWatch Administration Console

 

The default home page for the browser is https://hol.awmdm.com. Enter your AirWatch Admin Account information and click the Login button.

NOTE - If you see a Captcha, please be aware that it is case sensitive!

  1. Enter your Username. This is the email address that you have associated with your VMware Learning Platform (VLP) account.
  2. Enter "VMware1!" for the Password field.
  3. Click the Login button.

NOTE - Due to lab restrictions, you may need to wait here for a minute or so while the Hands On Lab contacts the AirWatch Hands On Labs server.

 

 

Accept the End User License Agreement

 

NOTE - The following steps of logging into the Administration Console will only need to be done during the initial login to the console.

You will be presented with the AirWatch Terms of Use. Click the Accept button.

 

 

Address the Initial Security Settings

 

After accepting the Terms of Use, you will be presented with a Security Settings pop-up.  The Password Recovery Question is in case you forget your admin password and the Security PIN is to protect certain administrative functionality in the console.  

  1. You may need to scroll down to see the Password Recovery Questions and Security PIN sections.
  2. Select a question from the Password Recovery Question drop-down (default selected question is ok here).
  3. Enter "VMware1!" in the Password Recovery Answer field.
  4. Enter "VMware1!" in the Confirm Password Recovery Answer field.
  5. Enter "1234" in the Security PIN field.
  6. Enter "1234" in the Confirm Security PIN field.
  7. Click the Save button when finished.

 

 

Close the Welcome Message

 

After completing the Security Settings, you will be presented with the AirWatch Console Welcome pop-up.

  1. Click on the Don't show this message again check box.
  2. Close the pop-up by clicking on the X in the upper-right corner.

 

TUTORIAL FOLLOW ALONG - Configuring Android Enterprise in the Console


In this Lab we will be covering some of the Android For Work basic functionality.

When running on Android 5.0 Lollipop devices, Android for Work is built into the operating system with no need for an additional application.

To begin using Android for Work inside the AirWatch Admin Console, you need to register your enterprise with Google. This creates your Android for Work admin account which connects with AirWatch to manage your enterprise devices. Users will not be able to use Android for Work features from their devices until registered with AirWatch. The Android for Work setup wizard simplifies the process. To simplify your experience, this initial process has been done for you.   If you are interested in learning more about this process please talk to your AirWatch Sales Engineer or Representative.


 

Overview

IMPORTANT - You will not be able to make the configurations shown in the following steps within your lab!

This section is designed to only walk you through the process of configuring Android for Work so you can become familiar with the administrative process behind configuring Android for Work for AirWatch. Android for Work has already been configured for you in your lab environment, so no action is required on your part for this section.

Once a Google Admin Account is bound to AirWatch, you cannot reuse this Google Admin for another organization.  Due to this limitation, you would be unable to use the Google Admin Account we have already bound to AirWatch for this lab.

 

 

AirWatch Android for Work Configuration

This section will demonstrate how to configure Android for Work within the AirWatch Console.

IMPORTANT - Remember, you will not be able to make the configurations shown in the following steps within your lab!  This is for demonstration purposes only so that you can become familiar with the process.

 

Device Enrollment with Android Enterprise (Work Managed) Identifier Enrollment


In this section, we will be enrolling your device with AirWatch and getting it set up with Android for Work in Work Managed mode.

The AirWatch Identifier enrollment method is a simplified approach to enrolling Work Managed devices. You will enter a simple identifier, or hash value, on a factory reset device. After the identifier is entered, the enrollment is automated, pushing down the AirWatch Agent.


 

Find your Group ID from AirWatch Console

 

The first step is to make sure you know what your Organization Group ID is.  

  1. To find the Group ID, hover your mouse over the Organization Group tab at the top of the screen. Look for the email address you used to log in to the lab portal.
  2. Your Group ID is displayed at the bottom of the Organization Group pop up.

NOTE - The Group ID is required when enrolling your device in the following steps.

 

 

Please Read - Before you proceed with Work Managed Identifier Enrollment

WARNING - Module 2 requires that your device be in Out of Box mode after a Factory Reset.  Please DO NOT factory reset your personal device to take this lab. Refer to the help desk to acquire a device that is already factory reset and ready to enroll into Work Managed mode. Only use devices from the help desk to enroll into Work Managed mode.

NOTE - Screenshots may differ due to differences in device models and operating system versions.

 

 

Out of Box Enrollment

 

Turn on your device from a factory reset state and tap Start.

 

 

Enter AirWatch Server Details for Enrollment

 

Once the Agent has launched you can enroll the device.  To do so, you must first select the AirWatch authentication method.

Tap Server Details

 

 

Encrypt Device

 

Tap Encrypt.

 

 

Complete Enrollment

 

Once the device restarts, you should see the Terms and Conditions for Android for Work.

Tap Agree.

 

Un-enrolling Your Android Device


You are now going to un-enroll the Android device from AirWatch.

NOTE - The term Enterprise Wipe does not mean reset or completely wipe your device. This only removes the MDM Profiles, Policies, and content which the AirWatch MDM Agent controls.

It will NOT remove the AirWatch MDM Agent application from the device as this was downloaded manually before AirWatch had control of the device.


 

Enterprise Wipe (un-enroll) your Android device

 

Enterprise Wipe will remove all the settings and content  that were pushed to the device when it was enrolled.   It will not affect anything that was on the device prior to enrollment.

  1. Click Devices
  2. Expand List View
  3. Click on the checkbox next to the testuser device to select the device.

NOTE - Your Device Friendly Name will very likely be different than what is shown. It will, however, be in the same location as shown in the image in this step.

 

 

Find the Enterprise Wipe Option

 

  1. Click the More Actions drop down.
  2. Click Enterprise Wipe under the Management menu.

 

 

Enter your security PIN

 

After selecting Enterprise Wipe, you will be prompted to enter your Security PIN, which you set after you logged into the console.   Note that on the screen you will see a check box to Prevent Re-Enrollment. Do NOT check this check box.

Enter your PIN ("1234") in the boxes. You will not need to press enter or continue. The console will confirm your PIN by showing Successful and then pop up the window showing that an Enterprise Wipe has been requested.

Your Android device has now been successfully un-enrolled from AirWatch.

 

Conclusion


The Work managed profile is designed specifically for corporate owned devices. AirWatch provisions the devices as Device Owner ensuring the organization has full control of the device as it "owns the device" and provides more features to ensure the device and the confidential data in the device are secure. Device Owner supports all the Profile Owner-supported features as well as additional features.


Conclusion

Thank you for participating in the VMware Hands-on Labs. Be sure to visit http://hol.vmware.com/ to continue your lab experience online.

Lab SKU: HOL-1857-07-UEM

Version: 20180323-184049