VMware Hands-on Labs - HOL-1957-06-UEM


Lab Overview - HOL-1957-06-UEM - Workspace ONE UEM - Android Management

Lab Guidance


Note: It may take more than 90 minutes to complete this lab. You should expect to only finish 2-3 of the modules during your time.  The modules are independent of each other so you can start at the beginning of any module and proceed from there. You can use the Table of Contents to access any module of your choosing.

The Table of Contents can be accessed in the upper right-hand corner of the Lab Manual.

Explore the management options that Workspace ONE UEM provides with Android Enterprise and how these options impact enrolling, managing, and securing your Android devices.  Learn about the various management options available for Android and how these impact your management capabilities with Workspace ONE UEM to decide which option is optimal for your desired experience and use case.  Additionally, review how Remote Management can be used with Android devices for remote troubleshooting and assistance.

Lab Module List:

Lab Captains:

Subject Matter Experts:

This lab manual can be downloaded from the Hands-on Labs Document site found here:

http://docs.hol.vmware.com

This lab may be available in other languages.  To set your language preference and have a localized manual deployed with your lab, you may utilize this document to help guide you through the process:

http://docs.hol.vmware.com/announcements/nee-default-language.pdf


 

Location of the Main Console

 

  1. The area in the RED box contains the Main Console.  The Lab Manual is on the tab to the Right of the Main Console.
  2. A particular lab may have additional consoles found on separate tabs in the upper left. You will be directed to open another specific console if needed.
  3. Your lab starts with 90 minutes on the timer.  The lab can not be saved.  All your work must be done during the lab session.  But you can click the EXTEND to increase your time.  If you are at a VMware event, you can extend your lab time twice, for up to 30 minutes.  Each click gives you an additional 15 minutes.  Outside of VMware events, you can extend your lab time up to 9 hours and 30 minutes. Each click gives you an additional hour.

 

 

Alternate Methods of Keyboard Data Entry

During this module, you will input text into the Main Console. Besides directly typing it in, there are two very helpful methods of entering data which make it easier to enter complex data.

 

 

Click and Drag Lab Manual Content Into Console Active Window

 
 

You can also click and drag text and Command Line Interface (CLI) commands directly from the Lab Manual into the active window in the Main Console.  

 

 

Accessing the Online International Keyboard

 

You can also use the Online International Keyboard found in the Main Console.

  1. Click on the Keyboard Icon found on the Windows Quick Launch Task Bar.

 

 

Click once in active console window

 

In this example, you will use the Online Keyboard to enter the "@" sign used in email addresses. The "@" sign is Shift-2 on US keyboard layouts.

  1. Click once in the active console window.
  2. Click on the Shift key.

 

 

Click on the @ key

 

  1. Click on the "@ key".

Notice the @ sign entered in the active console window.

 

 

Activation Prompt or Watermark

 

When you first start your lab, you may notice a watermark on the desktop indicating that Windows is not activated.  

One of the major benefits of virtualization is that virtual machines can be moved and run on any platform.  The Hands-on Labs utilizes this benefit and we are able to run the labs out of multiple datacenters.  However, these datacenters may not have identical processors, which triggers a Microsoft activation check through the Internet.

Rest assured, VMware and the Hands-on Labs are in full compliance with Microsoft licensing requirements.  The lab that you are using is a self-contained pod and does not have full access to the Internet, which is required for Windows to verify the activation.  Without full access to the Internet, this automated process fails and you see this watermark.

This cosmetic issue has no effect on your lab.  

 

 

Look at the lower right portion of the screen

 

Please check to see that your lab is finished all the startup routines and is ready for you to start. If you see anything other than "Ready", please wait a few minutes.  If after 5 minutes you lab has not changed to "Ready", please ask for assistance.

 

Module 1 - Introduction to Android Enterprise

Introduction



 

What is Android Enterprise?

What is Android Enterprise?

Android enterprise debuted with 5.0 Lollipop in 2014 as an optional solution manufacturers could add to their OS images in order to integrate a common set of device management and Enterprise Mobility Management (EMM) APIs. From 6.0 Marshmallow, it was no longer optional and has since been a mandatory component for all Google Mobile Service (GMS) certified manufacturers.

 

 

What does Android Enterprise Offer?

Android Enterprise offers a wide variety of rich features that cover numerous device management scenarios:

 

 

Understanding Device Management Scenarios

 

The above graphic shows the big picture differences between various device management scenarios.

Bring Your Own Device (BYOD):

Corporate Owned:

Corporate Owned Single Use (COSU):

Corporate Owned, Personally Enabled (COPE):

 

 

Different Enrollment Methods

In addition to providing different device management scenarios, there are also multiple ways in which devices can be enrolled into Android Enterprise.

 

Conclusion


Let's summarize what we have learned from the new Android Enterprise Implementation:


Module 2 - Android Enterprise - Work Profile

Introduction


Android Enterprise is developed by Google to allow organization to securely manage Android devices (running 5.0 or later). It provides several features and configurations when integrated with Workspace ONE UEM, which secures and manages devices in your organization.

Some of the features supported by Android in the enterprise are:

Workspace ONE UEM can configure both a Work Profile and a Work Managed mode. You will be going through the Work Profile mode in this lab.


Login to the Workspace ONE UEM Console


To perform most of the lab, you will need to login to the Workspace ONE UEM Admin Console.


 

Launch Chrome Browser

 

Double-click the Chrome Browser on the lab desktop.

 

 

Authenticate to the Workspace ONE UEM Admin Console

 

The default home page for the browser is https://labs.awmdm.com. Enter your Workspace ONE UEM Admin Account information and click the Login button.

NOTE - If you see a Captcha, please be aware that it is case sensitive!

  1. Enter your Username. This is your email address that you have associated with your VMware Learning Platform (VLP) account.
  2. Enter VMware1! for the Password field.
  3. Click the Login button.

NOTE - Due to lab restrictions, you may need to wait here for a minute or so while the Hands On Lab contacts the Workspace ONE UEM Hands On Labs server.

 

 

Accept the End User License Agreement

 

NOTE - The following steps of logging into the Administration Console will only need to be done during the initial login to the console.

You will be presented with the Workspace ONE UEM Terms of Use. Click the Accept button.

 

 

Address the Initial Security Settings

 

After accepting the Terms of Use, you will be presented with a Security Settings pop-up.  The Password Recovery Question is in case you forget your admin password and the Security PIN is to protect certain administrative functionality in the console.  

  1. You may need to scroll down to see the Password Recovery Questions and Security PIN sections.
  2. Select a question from the Password Recovery Question drop-down (default selected question is ok here).
  3. Enter VMware1! in the Password Recovery Answer field.
  4. Enter VMware1! in the Confirm Password Recovery Answer field.
  5. Enter 1234 in the Security PIN field.
  6. Enter 1234 in the Confirm Security PIN field.
  7. Click the Save button when finished.

 

 

Close the Welcome Message

 

After completing the Security Settings, you will be presented with the Workspace ONE UEM Console Highlights pop-up.

  1. Click on the Don't show this message on login check box.
  2. Close the pop-up by clicking on the X in the upper-right corner.

 

Configuring Android Enterprise in the Console


We will be covering some of the Android basic functionality.

When running on Android 5.0 Lollipop devices, Android Enterprise is built into the operating system with no need for an additional application.

To begin using Android Enterprise inside the Workspace ONE UEM Console, you need to register your enterprise with Google. This creates your Android Enterprise admin account which connects with Workspace ONE UEM to manage your enterprise devices. Users will not be able to use Android Enterprise features from their devices until registered with Workspace ONE UEM. The Android Enterprise setup wizard simplifies the process. To simplify your experience, this initial process has been done for you.   If you are interested in learning more about this process please talk to your Workspace ONE UEM Sales Engineer or Representative.

NOTE - Once a Google Admin Account is bound to Workspace ONE UEM, you cannot reuse this Google Admin for another organization.  Due to this limitation, you would be unable to use the Google Admin Account we have already bound to Workspace ONE UEM for this lab.


 

Open Settings (FOLLOW ALONG)

 

NOTE - The following changes have already been configured for you as part of the lab!

  1. Click Groups & Settings
  2. Click All Settings

 

 

Open Android Enterprise Configuration (FOLLOW ALONG)

 

NOTE - The following changes have already been configured for you as part of the lab!

  1. Click Devices & Users
  2. Expand Android
  3. Click Android Enterprise
  4. Click Register with Google

 

 

Provide Google Admin Account (FOLLOW ALONG)

 

NOTE - The following changes have already been configured for you as part of the lab!

  1. Confirm you are logged into your Google Admin Account that you wish to associate with your Android Enterprise configuration.
    NOTE - Once you register a Google Admin Account to Android Enterprise, you cannot disassociate your Google Admin Account from that Organization.  Ensure the Google Admin Account shown is the account you wish to associate with your Organization!
  2. Click Get Started

 

 

Provide your Organization Details (FOLLOW ALONG)

 

NOTE - The following changes have already been configured for you as part of the lab!

  1. Enter your Organization Name.
  2. Check the Google Play Agreement checkbox.
  3. Click Confirm.

 

 

Complete Registration (FOLLOW ALONG)

 

NOTE - The following changes have already been configured for you as part of the lab!

Click Complete Registration to return to the Workspace ONE UEM Android Enterprise configuration

 

 

Confirm Android Enterprise Integration (FOLLOW ALONG)

 

NOTE - The following changes have already been configured for you as part of the lab!

Back in the Workspace ONE UEM Console,

  1. On the Android Enterprise Configuration page, scroll down until you see the Google Admin Console Settings and Google API Settings sections.
  2. Under Google Admin Console Settings, note that the account information you provided during the Android Enterprise configuration step is displayed here.
  3. Confirm that your Android Enterprise Registration Status is shown as Successful.
  4. Note that the Client ID and Google Service Account Email Address have been created and configured for you automatically.  No additional configurations with Android Enterprise or the Google Developers Console are required.

Your Organization Group is now successfully configured with Android Enterprise!

 

Device Enrollment with Android Enterprise (Work Profile)


In this section, we will be enrolling your device with Workspace ONE UEM and get it set up with Android Enterprise.

NOTE - The screenshots in this article will differ depending on the make and model of the Android device you are using.


 

Download the Workspace ONE Intelligent Hub (IF NEEDED)

 

If you do not have the Workspace ONE Intelligent Hub app on your device, you will need to download it the app before continuing.

To install the Workspace ONE Intelligent Hub app, you can open the Google Play Store app and download the free Workspace ONE Intelligent Hub app or navigate to https://www.getwsone.com in your device browser and follow the Get it on Google Play link to the Workspace ONE Intelligent Hub page in the Google Play Store.

 

 

Launching the Workspace ONE Intelligent Hub App

 

Launch the Hub app on the device.  

 

Android Enterprise Profiles


In this section, we are going to create Android Enterprise profiles to modify devices restrictions and to assist in protecting sensitive data. Profiles serve many different purposes, from letting you enforce corporate rules and procedures to tailoring and preparing Android Enterprise capable devices for how they will be used.

IMPORTANT - If your device is enrolled with Android Enterprise, then ONLY Android Enterprise profiles will take effect on the device, Android device profile will NOT take effect.


 

Verify Restrictions

Restrictions profiles provide a second layer of device data protection by allowing you to specify and control how, when and where your employees use their devices. The Restrictions profiles lock down native functionality of Android Enterprise devices and vary based on device enrollment.

 

 

Create a New Profile

 

In the Workspace ONE UEM Console,

  1. Click Add
  2. Click Profile

 

 

Verify the Android Enterprise Camera Restrictions

 

On your device, notice that after we push the profile your device will no longer have the badged camera application available but your personal side (unbadged) camera will still be available for usage. This shows the camera restriction that we applied on the AirWatch profile created previously.

NOTE - Due to lab network limitations, it may take a few minutes for the badged Camera application to be removed.  If you still see it on your device, please wait until the application is successfully removed.

 

 

Screenshot in a non-badged app

 

  1. Open your non-badged Contacts apps.
  2. Take a screen shot (Power button and volume down / Power Button + Home Button at the same time for 2 seconds).

NOTE - The shortcut to change screenshot may vary depending on your device model. Please see a lab assistant in case assistance is required.

Notice that the screen shot was successful.

 

 

Verify the Android Enterprise Screenshot Restriction

 

  1. Open the badged Contacts app.
  2. Attempt taking a screen shot within the app and notice that it is not allowing you to take the screenshot and flashing a toast message depending on the device model and OS version.

This shows the screenshot restriction that we applied on the AirWatch profile created previously.

 

Approving Applications


This section is designed to walk you through the process of approving applications for integration between Workspace ONE UEM and Android Enterprise. Applications that you push through the integration of Workspace ONE UEM and Android Enterprise have the same functionality as their counterparts from the Google Play Store. However, you can use Workspace ONE UEM features to add functionality and security to these applications.


 

Add Public Application

 

In the Workspace ONE UEM Console,

  1. Select Add.
  2. Select Public Application.

 

 

Publish Public App

 

Click Save & Assign.

 

Verify Work Apps


In the previous section, we learned how we can approve and push an Android application from the Workspace ONE UEM Console.  In this section, we will verify that Work apps installed correctly on our enrolled Android device.


 

Confirm the Published VMware Browser Application Downloaded

 

Return to your testing Android device and confirm that the VMware Browser application has downloaded and displays as a Work app.

NOTE - Depending on lab network traffic, you may need to wait several minutes for the download to complete.

Using this process, you can rapidly approve new applications and deploy them to your users.

 

 

Open the Badged Android Enterprise Play Store App

 

Open your Work Play Store application on your Android device.

NOTE - The screenshot may differ depending on device model and OS.

 

 

Accept Google Play Terms of Service (IF NEEDED)

 

If you are prompted with the Google Play Terms of Service, tap Accept. Otherwise, continue to the next step.

 

 

Open Play Store Menu

 

Tap the Menu button in the top-left corner.

NOTE - The screenshot may differ depending on device model and OS.

 

 

View Play Store Work Apps

 

Tap My Work Apps from the menu.

NOTE - The screenshot may differ depending on device model and OS.

 

 

Verify VMware Browser Is Available As A Work App

 

  1. Tap Installed.
  2. Confirm that the VMware Browser application is in your list of Work applications.  You may need to scroll down to find the application.

NOTE - The screenshot may differ depending on device model and OS.

The VMware Browser app is listed as a Work app because it was approved as a Work app through the Workspace ONE UEM Console while adding and assigning the application to your users.  This streamlines and rapidly improves the process of approving and deploying Work apps to your Android devices!

 

Un-enrolling Your Android Device


You are now going to un-enroll the Android device from Workspace ONE UEM.

NOTE - The term Enterprise Wipe does not mean reset or completely wipe your device. This only removes the MDM Profiles, Policies, and content which the AirWatch MDM Agent controls.

It will NOT remove the AirWatch MDM Agent application from the device as this was downloaded manually before Workspace ONE UEM had control of the device.


 

Enterprise Wipe (un-enroll) your iOS device

 

Enterprise Wipe will remove all the settings and content that were pushed to the device when it was enrolled.  It will not affect anything that was on the device prior to enrollment.

To Enterprise Wipe your device you will first bring up the Workspace ONE UEM Console in a web browser. You may need to re-authenticate with your credentials (your VLP registered email address and VMware1! as the password).

  1. Click Devices on the left column.
  2. Click List View.
  3. Click the checkbox next to the device you want to Enterprise Wipe.

NOTE - Your Device Friendly Name will very likely be different than what is shown. It will, however, be in the same location as shown on image in this step.

 

 

Find the Enterprise Wipe Option

 

  1. Click More Actions.
    NOTE - If you do not see this option, ensure you have a device selected by clicking the checkbox next to the device.
  2. Click Enterprise Wipe under Management.

 

 

Enter your security PIN

 

After selecting Enterprise Wipe, you will be prompted to enter your Security PIN which you set after your logged into the console (1234).

  1. Enter 1234 for the Security PIN. You will not need to press enter or continue, the console will confirm your PIN showing "Successful" below the Security PIN input field to indicate that an Enterprise Wipe has been requested.  

    NOTE - If 1234 does not work, then you provided a different Security PIN when you first logged into the Workspace ONE UEM Console.  Use the value you specified for your Security PIN.

NOTE - If the Enterprise Wipe does not immediately occur, follow the below steps to force a device sync:

  1. On your device, open the AirWatch Agent application.
  2. Tap the Device section (under Status) in the middle of the screen.
  3. Tap Send Data near the top of the screen.  If this does not make the device check in and immediately un-enroll, continue to Step #4.
  4. If the above doesn't make it immediately un-enroll, then tap Connectivity [Status] under Diagnostics.
  5. Tap Test Connectivity at the top of the screen.

NOTE - Depending upon Internet connectivity of the device and responsiveness of the lab infrastructure, this could take a couple of minutes or more if there is excessive traffic occurring within the Hands On Lab environment.

 

Learn More about Android Enterprise


This is just a sampling of the functionality you will see with Android Enterprise integrated with Workspace ONE UEM. To learn more about features and functions please contact your VMware End User Computing representative or visit our website at http://www.workspaceone.com/ or the website for Android Enterprise at https://www.android.com/enterprise.


Conclusion


The work profile is designed specifically for personal (BYOD) devices. Using Android in the enterprise, Workspace ONE UEM creates a "Work profile", a container which separates the personal space and the corporate space in a device. Workspace ONE UEM can fully control the work profile but has zero control over the personal profile.


Module 3 - Android Enterprise Work Managed Enrollment

PLEASE READ - DISCLAIMER BEFORE TAKING THIS MODULE


Work Managed mode requires the following software and hardware:

  1. Android device 5.0 or higher.
  2. Device must be factory reset in out of the box mode.

Please read the warning from the next step.

WARNING - Please DO NOT factory reset your personal device to take this lab. Refer to the the help desk to acquire a device that is already factory reset and ready to enroll into Work Managed mode. Only use devices from help desk to take this module.


Introduction


Android Enterprise is developed by Google to allow organization to securely manage Android devices (running 5.0 or later versions). It provides several features and configurations when integrated with Workspace ONE UEM, which secures and manages devices in your organization.

Some of the features supported by Android in the enterprise are:

Workspace ONE UEM can configure both a Work profile and a Work managed mode. You will be going through the Work managed mode in this lab.


Work Managed Enrollment Methods


Work Managed Device mode gives AirWatch control of the entire device.

There are several ways to enroll Work Managed devices: using AirWatch Relay to perform NFC bump, using an AirWatch Identifier or token code, or scanning a QR code. Your business requirements determine which enrollment methods you will want to use.


 

AirWatch Relay

AirWatch Relay is an application that passes information from parent devices to all child devices being enrolled into Android for Work. This process is done through and NFC bump and provisions child devices to:

AirWatch Relay allows you to bulk enroll all child devices at the same time before deploying them to end users and eliminates end users from having to enroll their own devices. All child devices must be in factory reset mode and have NFC enabled by default in order to be enrolled as Work Managed Device for Android for Work. This helps ensure that devices are not set up for personal use.

 

 

AirWatch Identifier

The AirWatch Identifier enrollment method is a simplified approach to enrolling Work Managed devices. You will enter a simple identifier, or hash value, on a factory reset device. After the identifier is entered, the enrollment is automated pushing down the AirWatch Agent. The user only has to enter server details, username and password.

Along with the identifier, you can also enroll on behalf of the end user by doing Single-User Device Staging. This method is particularly useful for administrators who set up multiple devices for an entire team or single members of a team. Such a method saves the end users the time and effort of enrolling their own devices.

 

 

QR Code

Devices such as tablets do not support NFC, so these devices cannot use the AirWatch Relay enrollment method which requires NFC bump.

QR code provisioning is an easy way to enroll a fleet of devices that do not support NFC. The QR code contains a payload of key-value pairs with all the information that is needed for the device to be enrolled. QR Code enrollment does not require a managed Google domain or a Google account. You should create the QR code before starting enrollment. You can use any online QR Code generator, such as Web Toolkit Online, to create your unique QR code. The QR code should include the Server URL and Group ID information. You can also include the username and password or the user will have to enter their credentials.

 

Login to the Workspace ONE UEM Console


To perform most of the lab, you will need to login to the Workspace ONE UEM Admin Console.


 

Launch Chrome Browser

 

Double-click the Chrome Browser on the lab desktop.

 

 

Authenticate to the Workspace ONE UEM Admin Console

 

The default home page for the browser is https://labs.awmdm.com. Enter your Workspace ONE UEM Admin Account information and click the Login button.

NOTE - If you see a Captcha, please be aware that it is case sensitive!

  1. Enter your Username. This is your email address that you have associated with your VMware Learning Platform (VLP) account.
  2. Enter VMware1! for the Password field.
  3. Click the Login button.

NOTE - Due to lab restrictions, you may need to wait here for a minute or so while the Hands On Lab contacts the Workspace ONE UEM Hands On Labs server.

 

 

Accept the End User License Agreement

 

NOTE - The following steps of logging into the Administration Console will only need to be done during the initial login to the console.

You will be presented with the Workspace ONE UEM Terms of Use. Click the Accept button.

 

 

Address the Initial Security Settings

 

After accepting the Terms of Use, you will be presented with a Security Settings pop-up.  The Password Recovery Question is in case you forget your admin password and the Security PIN is to protect certain administrative functionality in the console.  

  1. You may need to scroll down to see the Password Recovery Questions and Security PIN sections.
  2. Select a question from the Password Recovery Question drop-down (default selected question is ok here).
  3. Enter VMware1! in the Password Recovery Answer field.
  4. Enter VMware1! in the Confirm Password Recovery Answer field.
  5. Enter 1234 in the Security PIN field.
  6. Enter 1234 in the Confirm Security PIN field.
  7. Click the Save button when finished.

 

 

Close the Welcome Message

 

After completing the Security Settings, you will be presented with the Workspace ONE UEM Console Highlights pop-up.

  1. Click on the Don't show this message on login check box.
  2. Close the pop-up by clicking on the X in the upper-right corner.

 

Configuring Android Enterprise in the Console


We will be covering some of the Android basic functionality.

When running on Android 5.0 Lollipop devices, Android Enterprise is built into the operating system with no need for an additional application.

To begin using Android Enterprise inside the Workspace ONE UEM Console, you need to register your enterprise with Google. This creates your Android Enterprise admin account which connects with Workspace ONE UEM to manage your enterprise devices. Users will not be able to use Android Enterprise features from their devices until registered with Workspace ONE UEM. The Android Enterprise setup wizard simplifies the process. To simplify your experience, this initial process has been done for you.   If you are interested in learning more about this process please talk to your Workspace ONE UEM Sales Engineer or Representative.

NOTE - Once a Google Admin Account is bound to Workspace ONE UEM, you cannot reuse this Google Admin for another organization.  Due to this limitation, you would be unable to use the Google Admin Account we have already bound to Workspace ONE UEM for this lab.


 

Open Settings (FOLLOW ALONG)

 

NOTE - The following changes have already been configured for you as part of the lab!

  1. Click Groups & Settings
  2. Click All Settings

 

 

Open Android Enterprise Configuration (FOLLOW ALONG)

 

NOTE - The following changes have already been configured for you as part of the lab!

  1. Click Devices & Users
  2. Expand Android
  3. Click Android Enterprise
  4. Click Register with Google

 

 

Provide Google Admin Account (FOLLOW ALONG)

 

NOTE - The following changes have already been configured for you as part of the lab!

  1. Confirm you are logged into your Google Admin Account that you wish to associate with your Android Enterprise configuration.
    NOTE - Once you register a Google Admin Account to Android Enterprise, you cannot disassociate your Google Admin Account from that Organization.  Ensure the Google Admin Account shown is the account you wish to associate with your Organization!
  2. Click Get Started

 

 

Provide your Organization Details (FOLLOW ALONG)

 

NOTE - The following changes have already been configured for you as part of the lab!

  1. Enter your Organization Name.
  2. Check the Google Play Agreement checkbox.
  3. Click Confirm.

 

 

Complete Registration (FOLLOW ALONG)

 

NOTE - The following changes have already been configured for you as part of the lab!

Click Complete Registration to return to the Workspace ONE UEM Android Enterprise configuration

 

 

Confirm Android Enterprise Integration (FOLLOW ALONG)

 

NOTE - The following changes have already been configured for you as part of the lab!

Back in the Workspace ONE UEM Console,

  1. On the Android Enterprise Configuration page, scroll down until you see the Google Admin Console Settings and Google API Settings sections.
  2. Under Google Admin Console Settings, note that the account information you provided during the Android Enterprise configuration step is displayed here.
  3. Confirm that your Android Enterprise Registration Status is shown as Successful.
  4. Note that the Client ID and Google Service Account Email Address have been created and configured for you automatically.  No additional configurations with Android Enterprise or the Google Developers Console are required.

Your Organization Group is now successfully configured with Android Enterprise!

 

Device Enrollment with Android Enterprise (Work Managed) Identifier Enrollment


In this section, we will be enrolling your device with Workspace ONE UEM and get it set up with Android Enterprise on the Work Managed mode.

The Workspace ONE UEM Identifier enrollment method is a simplified approach to enrolling Work Managed devices. You will enter a simple identifier, or hash value, on a factory reset device. After the identifier is entered, the enrollment is automated by pushing down the Workspace ONE Intelligent Hub.


 

Find your Group ID from Workspace ONE UEM Console

 

The first step is to make sure you know what your Organization Group ID is.  

  1. To find the Group ID, hover your mouse over the Organization Group tab at the top of the screen. Look for the email address you used to log in to the lab portal.
  2. Your Group ID is displayed at the bottom of the Organization Group pop up.

NOTE - The Group ID is required when enrolling your device in the following steps.

 

 

Please Read - Before you proceed with Work Managed Identifier Enrollment

WARNING - Module 2 requires that your Device must be in Out of Box mode after a Factory Reset.  Please DO NOT factory reset your personal device to take this lab. Refer to the the help desk to acquire a device that is already factory reset and ready to enroll into Work Managed mode. Only use devices from help desk to enroll into Work Managed mode.

NOTE - Screenshots may differ due to differences in device models and operating system versions.

 

 

Out of Box Enrollment

 

Turn on your device from a factory reset state and tap Start.

 

Un-enrolling Your Android Device


You are now going to un-enroll the Android device from Workspace ONE UEM.

NOTE - The term Enterprise Wipe does not mean reset or completely wipe your device. This only removes the MDM Profiles, Policies, and content which the AirWatch MDM Agent controls.

It will NOT remove the AirWatch MDM Agent application from the device as this was downloaded manually before Workspace ONE UEM had control of the device.


 

Enterprise Wipe (un-enroll) your iOS device

 

Enterprise Wipe will remove all the settings and content that were pushed to the device when it was enrolled.  It will not affect anything that was on the device prior to enrollment.

To Enterprise Wipe your device you will first bring up the Workspace ONE UEM Console in a web browser. You may need to re-authenticate with your credentials (your VLP registered email address and VMware1! as the password).

  1. Click Devices on the left column.
  2. Click List View.
  3. Click the checkbox next to the device you want to Enterprise Wipe.

NOTE - Your Device Friendly Name will very likely be different than what is shown. It will, however, be in the same location as shown on image in this step.

 

 

Find the Enterprise Wipe Option

 

  1. Click More Actions.
    NOTE - If you do not see this option, ensure you have a device selected by clicking the checkbox next to the device.
  2. Click Enterprise Wipe under Management.

 

 

Enter your security PIN

 

After selecting Enterprise Wipe, you will be prompted to enter your Security PIN which you set after your logged into the console (1234).

  1. Enter 1234 for the Security PIN. You will not need to press enter or continue, the console will confirm your PIN showing "Successful" below the Security PIN input field to indicate that an Enterprise Wipe has been requested.  

    NOTE - If 1234 does not work, then you provided a different Security PIN when you first logged into the Workspace ONE UEM Console.  Use the value you specified for your Security PIN.

NOTE - If the Enterprise Wipe does not immediately occur, follow the below steps to force a device sync:

  1. On your device, open the AirWatch Agent application.
  2. Tap the Device section (under Status) in the middle of the screen.
  3. Tap Send Data near the top of the screen.  If this does not make the device check in and immediately un-enroll, continue to Step #4.
  4. If the above doesn't make it immediately un-enroll, then tap Connectivity [Status] under Diagnostics.
  5. Tap Test Connectivity at the top of the screen.

NOTE - Depending upon Internet connectivity of the device and responsiveness of the lab infrastructure, this could take a couple of minutes or more if there is excessive traffic occurring within the Hands On Lab environment.

 

Conclusion


The Work managed profile is designed specifically for corporate owned devices. AirWatch provisions the devices as Device Owner ensuring the organization has full control of the device as it "owns the device" and provides more features to ensure the device and the confidential data in the device are secure. Device Owner supports all the Profile Owner-supported features as well as additional features.


Conclusion

Thank you for participating in the VMware Hands-on Labs. Be sure to visit http://hol.vmware.com/ to continue your lab experience online.

Lab SKU: HOL-1957-06-UEM

Version: 20181104-164532