VMware Hands-on Labs - HOL-1957-07-UEM


Lab Overview - HOL-1957-07-UEM - Workspace ONE UEM - Productivity Apps

Lab Guidance


Note: It may take more than 90 minutes to complete this lab. You should expect to only finish 2-3 of the modules during your time.  The modules are independent of each other so you can start at the beginning of any module and proceed from there. You can use the Table of Contents to access any module of your choosing.

The Table of Contents can be accessed in the upper right-hand corner of the Lab Manual.

The Workspace ONE UEM solution also includes productivity apps to enable your workforce and provide a unified experience across your devices for core components.  Learn how Workspace ONE Web and Workspace ONE Boxer can provide secure access to cross-platform browser and email platforms, and how Workspace ONE Tunnel allows your users to securely access internal resources from any device to empower your digital workforce.

Lab Module List:

Lab Captains:

 

This lab manual can be downloaded from the Hands-on Labs Document site found here:

http://docs.hol.vmware.com

This lab may be available in other languages.  To set your language preference and have a localized manual deployed with your lab, you may utilize this document to help guide you through the process:

http://docs.hol.vmware.com/announcements/nee-default-language.pdf


 

Location of the Main Console

 

  1. The area in the RED box contains the Main Console.  The Lab Manual is on the tab to the right of the Main Console.
  2. A particular lab may have additional consoles found on separate tabs in the upper left. You will be directed to open another specific console if needed.
  3. Your lab starts with 90 minutes on the timer.  The lab cannot be saved, so all your work must be done during the lab session.  However, you can click EXTEND to increase your time.  If you are at a VMware event, you can extend your lab time twice, for up to 30 minutes.  Each click gives you an additional 15 minutes.  Outside of VMware events, you can extend your lab time up to 9 hours and 30 minutes. Each click gives you an additional hour.

 

 

Alternate Methods of Keyboard Data Entry

During this module, you will input text into the Main Console. Besides directly typing it in, there are two very helpful methods of entering data which make it easier to enter complex data.

 

 

Click and Drag Lab Manual Content Into Console Active Window

 
 

You can also click and drag text and Command Line Interface (CLI) commands directly from the Lab Manual into the active window in the Main Console.  

 

 

Accessing the Online International Keyboard

 

You can also use the Online International Keyboard found in the Main Console.

  1. Click on the Keyboard Icon found on the Windows Quick Launch Task Bar.

 

 

Click once in active console window

 

In this example, you will use the Online Keyboard to enter the "@" sign used in email addresses. The "@" sign is Shift-2 on US keyboard layouts.

  1. Click once in the active console window.
  2. Click on the Shift key.

 

 

Click on the @ key

 

  1. Click on the "@" key.

Notice the @ sign entered in the active console window.

 

 

Activation Prompt or Watermark

 

When you first start your lab, you may notice a watermark on the desktop indicating that Windows is not activated.  

One of the major benefits of virtualization is that virtual machines can be moved and run on any platform.  The Hands-on Labs utilizes this benefit and we are able to run the labs out of multiple datacenters.  However, these datacenters may not have identical processors, which triggers a Microsoft activation check through the Internet.

Rest assured, VMware and the Hands-on Labs are in full compliance with Microsoft licensing requirements.  The lab that you are using is a self-contained pod and does not have full access to the Internet, which is required for Windows to verify the activation.  Without full access to the Internet, this automated process fails and you see this watermark.

This cosmetic issue has no effect on your lab.  

 

 

Look at the lower right portion of the screen

 

Please check that your lab has finished all the startup routines and is ready for you to start. If you see anything other than "Ready", please wait a few minutes.  If after 5 minutes your lab has not changed to "Ready", please ask for assistance.

 

Module 1 - Workspace ONE Boxer

Introduction


As part of the Workspace ONE suite of Productivity Apps, Workspace ONE Boxer combines consumer simplicity with enterprise security. The app provides frictionless access to enterprise email, calendar and contacts across both corporate-owned and employee-owned devices.

We will configure and deploy Workspace ONE Boxer with Data Loss Prevention (DLP) settings and then validate those configurations while highlighting some exclusive features of Workspace ONE Boxer.


Login to the Workspace ONE UEM Console


To perform most of the lab, you will need to login to the Workspace ONE UEM Admin Console.


 

Launch Chrome Browser

 

Double-click the Chrome Browser on the lab desktop.

 

 

Authenticate to the Workspace ONE UEM Admin Console

 

The default home page for the browser is https://labs.awmdm.com. Enter your Workspace ONE UEM Admin Account information and click the Login button.

NOTE - If you see a Captcha, please be aware that it is case sensitive!

  1. Enter your Username. This is your email address that you have associated with your VMware Learning Platform (VLP) account.
  2. Enter VMware1! for the Password field.
  3. Click the Login button.

NOTE - Due to lab restrictions, you may need to wait here for a minute or so while the Hands On Lab contacts the Workspace ONE UEM Hands On Labs server.

 

 

Accept the End User License Agreement

 

NOTE - The following steps of logging into the Administration Console will only need to be done during the initial login to the console.

You will be presented with the Workspace ONE UEM Terms of Use. Click the Accept button.

 

 

Address the Initial Security Settings

 

After accepting the Terms of Use, you will be presented with a Security Settings pop-up.  The Password Recovery Question is in case you forget your admin password and the Security PIN is to protect certain administrative functionality in the console.  

  1. You may need to scroll down to see the Password Recovery Questions and Security PIN sections.
  2. Select a question from the Password Recovery Question drop-down (default selected question is ok here).
  3. Enter VMware1! in the Password Recovery Answer field.
  4. Enter VMware1! in the Confirm Password Recovery Answer field.
  5. Enter 1234 in the Security PIN field.
  6. Enter 1234 in the Confirm Security PIN field.
  7. Click the Save button when finished.

 

 

Close the Welcome Message

 

After completing the Security Settings, you will be presented with the Workspace ONE UEM Console Highlights pop-up.

  1. Click on the Don't show this message on login check box.
  2. Close the pop-up by clicking on the X in the upper-right corner.

 

Configure Workspace ONE Boxer


In this chapter, you will configure and deploy the Workspace ONE Boxer client to the device.


 

Add the Workspace ONE Boxer Client as an iOS Public Application

We can leverage Workspace ONE UEM to deploy and automatically configure the VMware email client on the device. This step will walk you through the process of adding an application from the iOS Public App store.

 

Add Workspace ONE Web as a Public App


VMware Boxer also supports Workspace ONE Web for opening links and other features, so in order to demo this functionality, we will be publishing Workspace ONE Web to the iOS device.


 

Add A New Public Application

 

  1. Click Add
  2. Click Public Application

 

 

Search for the Application to Add

 

  1. Select Apple iOS from the Platform dropdown.
  2. Enter Workspace ONE Web in the Name field.
  3. Click Next

 

 

Select the Application From the Search Results

 

Click Select on the Web - Workspace ONE application.

 

 

Save and Assign Workspace ONE Web

 

Click SAVE & ASSIGN

 

 

Add Assignment for Workspace ONE Web

 

Click + ADD ASSIGNMENT

 

 

Configure Workspace ONE Web Assignment Settings

 

  1. Click in the Selected Assignment Groups field. This will pop up the list of created Assignment Groups. Start typing All Devices and select the All Devices (your@email.shown.here) Group.
  2. Select AUTO for the App Delivery Method.

 

 

Configure Policies for Workspace ONE Web

 

  1. Scroll down to find the Policies section.
  2. Select ENABLED for Remove On Unenroll
  3. Select ENABLED for Make App MDM Managed if User Installed
  4. Click ADD

 

 

Confirm Assignment and Save

 

  1. Confirm that the Assignment you just configured is displayed.
  2. Click SAVE & PUBLISH

 

 

Preview Assigned Devices and Publish

 

Click PUBLISH

 

iOS Device Enrollment (Using the e-mail address from lab automation)


A temporary Exchange mailbox has been generated for you to use throughout this lab.  The account credentials are uploaded to the Content section of the Workspace ONE UEM Console.


 

Locate Your Exchange Account Details

 

Return to the Workspace ONE UEM Console:

  1. Click Content
  2. Expand Content Locker.
  3. Click List View.
  4. Find the text file named Mailbox Details for your@email.shown.here.txt and click the toggle button beside it to select the file.
  5. Click Download.

 

 

Enroll Your iOS Device

In this section, we are going to enroll an iOS device to complete the steps on the device side.

 

Exploring Workspace ONE Boxer


In this series of steps you will sync email to a sample account and get introduced to a few of the features in Workspace ONE Boxer that make it the top choice for enterprise productivity.


 

Sync your HOL email account

In this step you will sync the Boxer client with the HOL Exchange server and receive email.

 

 

Create a new Custom Box to sync your Sent Items in the Background

In this step you will add a Custom Box to your Boxer folders. This is really just a group of folders that can be set to sync in the background just like your Inbox.

NOTE - It may take around 1-2 minutes for Boxer to sync and populate emails in your mailbox.

 

 

Earlier we set Boxer to open all links into Workspace ONE Web which has been delivered to your device. We will now demo this functionality.

 

 

Explore Settings and Advanced Options

This is a dive into some of the available settings options for the Boxer email client. Feel free to explore on your own as well!

 

 

Respond to an email with a Quick Response

Boxer has a unique feature that allows you to quickly respond to an email with either a Quick Response or your availability by interactively selecting available times directly on your calendar. We'll see how these features work in the next steps.

 

 

Open a file into Content Locker

When we configured the settings for Workspace ONE Boxer in the Workspace ONE UEM Console, we set attachments to open into whitelisted applications like VMware Content Locker. In this section we will show how to use this feature.

 

 

Workspace ONE Boxer Conclusion

This concludes the Introduction to Workspace ONE Boxer. You may continue to explore Workspace ONE Boxer and move to the next step when you are ready.

 

Un-enrolling Your Device


You are now going to un-enroll the iOS device from Workspace ONE UEM.

NOTE - The term "Enterprise Wipe" does not mean reset or completely wipe your device. This only removes the MDM Profiles, Policies, and content which the AirWatch MDM Agent controls.

It will NOT remove the AirWatch Agent application from the device as this was downloaded manually before Workspace ONE UEM had control of the device.


 

Enterprise Wipe (un-enroll) your iOS device

 

Enterprise Wipe will remove all the settings and content that were pushed to the device when it was enrolled.  It will not affect anything that was on the device prior to enrollment.

To Enterprise Wipe your device you will first bring up the Workspace ONE UEM Console in a web browser. You may need to re-authenticate with your credentials (VLP registered email address and VMware1! as the password).

  1. Click Devices on the left column.
  2. Click List View.
  3. Click the checkbox next to the device you want to Enterprise Wipe.

NOTE - Your Device Friendly Name will very likely be different than what is shown. It will, however, be in the same location as shown in the image in this step.

 

 

Find the Enterprise Wipe Option

 

  1. Click More Actions. NOTE - If you do not see this option, ensure you have a device selected by clicking the checkbox next to the device.
  2. Click Enterprise Wipe under Management.

 

 

Enter your security PIN

 

After selecting Enterprise Wipe, you will be prompted to enter your Security PIN, which you set after you logged into the console (1234).

  1. Scroll down until you see the option for entering the Security PIN.
  2. Enter 1234 for the Security PIN. You will not need to press enter or continue; the console will confirm your PIN by showing "Successful" below the Security PIN input field to indicate that an Enterprise Wipe has been requested.

    NOTE - If 1234 does not work, then you provided a different Security PIN when you first logged into the Workspace ONE UEM Console.  Use the value you specified for your Security PIN.

NOTE - If the Enterprise Wipe does not immediately occur, follow the below steps to force a device sync:

  1. On your device, open the AirWatch Agent application.
  2. Tap the Device section (under Status) in the middle of the screen.
  3. Tap Send Data near the top of the screen.  If this does not make the device check in and immediately un-enroll, continue to Step #4.
  4. If the above doesn't make it immediately un-enroll, then tap Connectivity [Status] under Diagnostics.
  5. Tap Test Connectivity at the top of the screen.

NOTE - Depending upon Internet connectivity of the device and responsiveness of the lab infrastructure, this could take a couple of minutes or more if there is excessive traffic occurring within the Hands On Lab environment.

Feel free to continue to the "Force the Wipe" step to manually uninstall the Workspace ONE UEM services from the device if network connectivity is failing.

 

 

Verify the Un-Enrollment

 

Press the Home button on the device to go back to the home screen. The applications pushed through Workspace ONE UEM should have been removed from the device.

NOTE - The applications and settings pushed through Workspace ONE UEM should have been removed. The Agent will still be on the device because that was downloaded manually from the App Store. Due to lab environment settings, it may take some time for the signal to traverse through the various networks out and back to your device. Continue on to the next step to force the wipe if needed.

 

 

Force the Wipe - IF NECESSARY

 

If your device did not wipe, follow these instructions to ensure the wipe is forced immediately. Start by opening the iOS Settings app.

  1. Tap General in the left column.
  2. Scroll down to view the Device Management option.
  3. Tap Device Manager at the bottom of the list of General settings.

 

 

Force the Wipe - IF NECESSARY

 

Tap the Device Manager profile that was pushed to the device.

 

 

Force the Wipe - IF NECESSARY

 

  1. Tap Remove Management on the Device Manager profile.  
    NOTE - If prompted for a device PIN, enter it to continue.  VMware provisioned devices should not have a device PIN enabled.
  2. Tap Remove on the Remove Management prompt.

After removing the Device Manager profile, the device will be un-enrolled.  Feel free to return to the Verify the Un-Enrollment step to confirm the successful un-enrollment of the device.

 

Conclusion


Workspace ONE Boxer is an industry leading e-mail app with features and functionality targeted towards increased productivity. As we saw in this lab, the containerization of business data from personal data enables IT organizations to exceed their enterprise security, compliance, data loss prevention (DLP) and user privacy requirements.


Module 2 - Workspace ONE Web

Introduction


Workspace ONE Web is an enterprise-grade mobile browser that can be configured to meet your business requirements. It provides a streamlined and productive browsing experience for your employees without sacrificing security and compliance, through features like kiosk mode, bookmarks and tunneling. Learn how to configure and deploy Workspace ONE Web to an iOS device and explore the configurations from an end-user perspective.


 

Workspace ONE Web Feature Overview

Before diving in, explore the features available in Workspace ONE Web to better understand the use cases that could benefit from deploying Workspace ONE Web to their mobile workforce.

Productivity:

  1. Per-App VPN allows employees to access corporate web apps and intranet sites without manually connecting.
  2. Corporate home pages and bookmarks can be pre-configured for a no-hassle setup.
  3. Personal bookmarks can be synced across devices automatically.
  4. Utilize built-in SSO to eliminate authentication issues and challenges.
  5. Seamlessly access web app links from business emails by integrating with VMware Boxer.

Security:

  1. End-to-end encryption of data at rest and in transit with AES 256-bit encryption.
  2. Separate business and personal data, allowing you to manage security policies while keeping individual information private.
  3. Employ Data Loss Prevention (DLP) controls to determine whitelisting/blacklisting, cut/copy/paste restrictions, cookie behaviour, and more.
  4. Trigger manual or automatic compliance actions to block or wipe enterprise data based on flexible policies.

Line of Business:

  1. Lock the device into a single, configurable web application kiosk.
  2. Control browsing to specific home pages, web apps, and links.
  3. Remove the navigation bar for a controlled browsing experience.
  4. Enable shared device modes using Workspace ONE Web as the central point for users to log in and out.

 

 

Lab Overview

In this lab, you will be configuring a few of the features in Workspace ONE Web that will showcase:

 

Login to the Workspace ONE UEM Console


To perform most of the lab, you will need to login to the Workspace ONE UEM Admin Console.


 

Launch Chrome Browser

 

Double-click the Chrome Browser on the lab desktop.

 

 

Authenticate to the Workspace ONE UEM Admin Console

 

The default home page for the browser is https://labs.awmdm.com. Enter your Workspace ONE UEM Admin Account information and click the Login button.

NOTE - If you see a Captcha, please be aware that it is case sensitive!

  1. Enter your Username. This is your email address that you have associated with your VMware Learning Platform (VLP) account.
  2. Enter VMware1! for the Password field.
  3. Click the Login button.

NOTE - Due to lab restrictions, you may need to wait here for a minute or so while the Hands On Lab contacts the Workspace ONE UEM Hands On Labs server.

 

 

Accept the End User License Agreement

 

NOTE - The following steps of logging into the Administration Console will only need to be done during the initial login to the console.

You will be presented with the Workspace ONE UEM Terms of Use. Click the Accept button.

 

 

Address the Initial Security Settings

 

After accepting the Terms of Use, you will be presented with a Security Settings pop-up.  The Password Recovery Question is in case you forget your admin password and the Security PIN is to protect certain administrative functionality in the console.  

  1. You may need to scroll down to see the Password Recovery Questions and Security PIN sections.
  2. Select a question from the Password Recovery Question drop-down (default selected question is ok here).
  3. Enter VMware1! in the Password Recovery Answer field.
  4. Enter VMware1! in the Confirm Password Recovery Answer field.
  5. Enter 1234 in the Security PIN field.
  6. Enter 1234 in the Confirm Security PIN field.
  7. Click the Save button when finished.

 

 

Close the Welcome Message

 

After completing the Security Settings, you will be presented with the Workspace ONE UEM Console Highlights pop-up.

  1. Click on the Don't show this message on login check box.
  2. Close the pop-up by clicking on the X in the upper-right corner.

 

Workspace ONE UEM Console Configuration


This section will explain what configurations must be made in the Workspace ONE UEM Console to achieve the features and restrictions that were outlined in the Introduction section.


 

iOS Per-App VPN Profile

This section will explain how to create a Per-App VPN profile, which will be used to allow Workspace ONE Web to connect to an intranet site.

 

 

Configure Security Policies

This section will explain how to configure the default Security Policies to determine DLP controls.

 

 

Configure Workspace ONE Web Settings

This section will explain how to configure the Workspace ONE Web settings, including security settings, whitelisted and blacklisted sites, bookmarks and kiosk mode.

 

 

Add Workspace ONE Web as a Public App

 

  1. Click Add
  2. Click Public Application

 

 

Publish the VMware Tunnel Application

In order to leverage the Per-App VPN profile we created for Workspace ONE Web, we will need to also publish VMware Tunnel to the device.

 

iOS Device Enrollment


In this section, we are going to enroll an iOS device. The upcoming steps will need to be completed from an iOS device.


 

Download and Install Workspace ONE Intelligent Hub from App Store (IF NEEDED)

 

NOTE - Checked out devices will likely have the Workspace ONE Intelligent Hub already installed. You may skip this step if your device has the Workspace ONE Intelligent Hub installed.

At this point, if you are using your own iOS device or if the device you are using does NOT have the Workspace ONE Intelligent Hub Application installed, then install the application from the App Store.

To Install the Workspace ONE Intelligent Hub application from the App Store, open the App Store application and download the free Workspace ONE Intelligent Hub application.

 

 

Launching the Workspace ONE Intelligent Hub

 

Launch the Hub app on the device.  

NOTE - If you have your own iOS device and would like to test, you will need to download the Workspace ONE Intelligent Hub app first.

 

 

Enter the Server URL

 

  1. Enter labs.awmdm.com for the Server URL.
  2. Click Next.

Click on the Server Details button.

 

 

Find Your Group ID From the Workspace ONE UEM Console

 

Return to the Workspace ONE UEM Console:

  1. To find the Group ID, hover your mouse over the Organization Group tab at the top of the screen. Look for the email address you used to log in to the lab portal.
  2. Your Group ID is displayed at the bottom of the Organization Group pop up.

NOTE - The Group ID is required when enrolling your device in the following steps.

 

 

Attach the Workspace ONE Intelligent Hub to the HOL Sandbox

 

Return to the Workspace ONE Intelligent Hub application on your iOS Device:

  1. Enter your Group ID for your Organization Group for the Group ID field.  Your Group ID was noted previously in the Finding your Group ID step.
  2. Tap the Next button.

NOTE - If on an iPhone, you may have to close the keyboard by clicking Done in order to click the Next button.

 

 

Enter User Credentials

 

You will now provide user credentials to authenticate to Workspace ONE UEM.

  1. Enter testuser in the Username field.
  2. Enter VMware1! in the Password field.
  3. Tap the Next button.

 

 

Redirect to Safari and Enable MDM Enrollment in Settings

 

The Workspace ONE Intelligent Hub will prompt you to enable Workspace Services to enroll your device into Workspace ONE UEM.  

Tap Next to begin.

 

 

Allow Website to Open Settings (IF NEEDED)

 

If you are prompted to allow the website to open Settings to show you a configuration profile, tap Allow.

NOTE - If you do not see this prompt, ignore this and continue to the next step.  This prompt will only occur for iOS Devices on iOS 10.3.3 or later.

 

 

Install the Workspace ONE MDM Profile

 

Tap Install in the upper right corner of the Install Profile dialog box.

 

 

Enter Device Passcode (IF NEEDED)

 

If prompted, enter your device passcode to continue.

If you do NOT receive this prompt, continue to the next step.

 

 

Install and Verify the Workspace ONE MDM Profile

 

Tap Install when prompted at the Install Profile dialog.

 

 

iOS MDM Profile Warning

 

You should now see the iOS Profile Installation warning explaining what this profile installation will allow on the iOS device.

Tap Install in the upper-right corner of the screen.

 

 

Trust the Remote Management Profile.

 

You should now see the iOS request to trust the source of the MDM profile.

Tap Trust when prompted at the Remote Management dialog.

 

 

iOS Profile Installation Complete

 

You should now see that the iOS Profile was successfully installed.

Tap Done in the upper right corner of the prompt.

 

 

Workspace ONE UEM Enrollment Success

 

Your enrollment is now completed! Tap Open to navigate to the Workspace ONE Intelligent Hub.

 

 

Accept the Workspace ONE Intelligent Hub Notice

 

Tap Done to confirm the notice and continue.

 

 

Accept Notifications for Hub (IF NEEDED)

 

Tap Allow if you get a prompt to allow notifications for the Hub app.

 

 

Accept the App Installation (IF NEEDED)

 

You may be prompted to install a series of applications depending on which Module you are taking. If prompted, tap Install to accept the application installation.

 

 

Confirm the Privacy Policy

 

Tap I Understand when shown the Privacy policy.

 

 

Accept the Data Sharing Policy

 

Tap I Agree for the Data Sharing policy.

 

 

Confirm the Device Enrollment in the Hub App

 

Confirm that the Hub app shows the user account that you enrolled with.

You have now successfully enrolled your iOS device with Workspace ONE UEM!  Continue to the next step.

 

Explore Workspace ONE Web


We will now launch and explore Workspace ONE Web to confirm that the settings we've configured are controlling the application as expected.


 

Confirm Intranet Access in Safari

First, let's try to access the internal web page from the Safari browser to confirm that we cannot connect to it without a VPN.

 

 

Confirm the Workspace ONE Web Configurations

Now, let's access the same link from Workspace ONE Web.

 

 

Review

You've now confirmed all of the configurations we deployed to Workspace ONE Web during our setup in the Workspace ONE UEM Console.  Feel free to explore any other features of Workspace ONE Web and continue to the next step when you are ready.

 

Un-enrolling Your Device


You are now going to un-enroll the iOS device from Workspace ONE UEM.

NOTE - The term "Enterprise Wipe" does not mean reset or completely wipe your device. This only removes the MDM Profiles, Policies, and content which the AirWatch MDM Agent controls.

It will NOT remove the AirWatch Agent application from the device as this was downloaded manually before Workspace ONE UEM had control of the device.


 

Enterprise Wipe (un-enroll) your iOS device

 

Enterprise Wipe will remove all the settings and content that were pushed to the device when it was enrolled.  It will not affect anything that was on the device prior to enrollment.

To Enterprise Wipe your device you will first bring up the Workspace ONE UEM Console in a web browser. You may need to re-authenticate with your credentials (VLP registered email address and VMware1! as the password).

  1. Click Devices on the left column.
  2. Click List View.
  3. Click the checkbox next to the device you want to Enterprise Wipe.

NOTE - Your Device Friendly Name will very likely be different than what is shown. It will, however, be in the same location as shown in the image in this step.

 

 

Find the Enterprise Wipe Option

 

  1. Click More Actions. NOTE - If you do not see this option, ensure you have a device selected by clicking the checkbox next to the device.
  2. Click Enterprise Wipe under Management.

 

 

Enter your security PIN

 

After selecting Enterprise Wipe, you will be prompted to enter your Security PIN, which you set after you logged into the console (1234).

  1. Scroll down until you see the option for entering the Security PIN.
  2. Enter 1234 for the Security PIN. You will not need to press enter or continue; the console will confirm your PIN by showing "Successful" below the Security PIN input field to indicate that an Enterprise Wipe has been requested.

    NOTE - If 1234 does not work, then you provided a different Security PIN when you first logged into the Workspace ONE UEM Console.  Use the value you specified for your Security PIN.

NOTE - If the Enterprise Wipe does not immediately occur, follow the below steps to force a device sync:

  1. On your device, open the AirWatch Agent application.
  2. Tap the Device section (under Status) in the middle of the screen.
  3. Tap Send Data near the top of the screen.  If this does not make the device check in and immediately un-enroll, continue to Step #4.
  4. If the above doesn't make it immediately un-enroll, then tap Connectivity [Status] under Diagnostics.
  5. Tap Test Connectivity at the top of the screen.

NOTE - Depending upon Internet connectivity of the device and responsiveness of the lab infrastructure, this could take a couple of minutes or more if there is excessive traffic occurring within the Hands On Lab environment.

Feel free to continue to the "Force the Wipe" step to manually uninstall the Workspace ONE UEM services from the device if network connectivity is failing.

 

 

Verify the Un-Enrollment

 

Press the Home button on the device to go back to the home screen. The applications pushed through Workspace ONE UEM should have been removed from the device.

NOTE - The applications and settings pushed through Workspace ONE UEM should have been removed. The Agent will still be on the device because that was downloaded manually from the App Store. Due to lab environment settings, it may take some time for the signal to traverse through the various networks out and back to your device. Continue on to the next step to force the wipe if needed.

 

 

Force the Wipe - IF NECESSARY

 

If your device did not wipe, follow these instructions to ensure the wipe is forced immediately. Start by opening the iOS Settings app.

  1. Tap General in the left column.
  2. Scroll down to view the Device Management option.
  3. Tap Device Manager at the bottom of the list of General settings.

 

 

Force the Wipe - IF NECESSARY

 

Tap the Device Manager profile that was pushed to the device.

 

 

Force the Wipe - IF NECESSARY

 

  1. Tap Remove Management on the Device Manager profile.  
    NOTE - If prompted for a device PIN, enter it to continue.  VMware provisioned devices should not have a device PIN enabled.
  2. Tap Remove on the Remove Management prompt.

After removing the Device Manager profile, the device will be un-enrolled.  Feel free to return to the Verify the Un-Enrollment step to confirm the successful un-enrollment of the device.

 

Conclusion


Workspace ONE Web has a wide variety of configurations that can be adjusted to meet your business needs across multiple platforms.  We explored a few options through this lab, but there are more features that can provide a higher quality user experience at the level of security that your business requires.  Consider how Workspace ONE Web can improve your productivity by providing a secure and configurable browsing experience!

This concludes this lab module.


Module 3 - Workspace ONE Tunnel

Introduction


Leveraging Per-App VPN allows you to control which applications on a device have access to your VPN by automatically enabling or disabling VPN access based on which applications are active. This prevents you from needing to provide a device-wide VPN on your devices, which allows unintended or unauthorized apps or processes to access your VPN. Explore how to configure and deploy Workspace ONE Tunnel to enable per-app VPN on an enrolled device.


Login to the Workspace ONE UEM Console


To perform most of the lab, you will need to log in to the Workspace ONE UEM Admin Console.


 

Launch Chrome Browser

 

Double-click the Chrome Browser on the lab desktop.

 

 

Authenticate to the Workspace ONE UEM Admin Console

 

The default home page for the browser is https://labs.awmdm.com. Enter your Workspace ONE UEM Admin Account information and click the Login button.

NOTE - If you see a Captcha, please be aware that it is case sensitive!

  1. Enter your Username. This is your email address that you have associated with your VMware Learning Platform (VLP) account.
  2. Enter VMware1! for the Password field.
  3. Click the Login button.

NOTE - Due to lab restrictions, you may need to wait here for a minute or so while the Hands On Lab contacts the Workspace ONE UEM Hands On Labs server.

 

 

Accept the End User License Agreement

 

NOTE - The following steps of logging into the Administration Console will only need to be done during the initial login to the console.

You will be presented with the Workspace ONE UEM Terms of Use. Click the Accept button.

 

 

Address the Initial Security Settings

 

After accepting the Terms of Use, you will be presented with a Security Settings pop-up.  The Password Recovery Question is in case you forget your admin password and the Security PIN is to protect certain administrative functionality in the console.  

  1. You may need to scroll down to see the Password Recovery Questions and Security PIN sections.
  2. Select a question from the Password Recovery Question drop-down (default selected question is ok here).
  3. Enter VMware1! in the Password Recovery Answer field.
  4. Enter VMware1! in the Confirm Password Recovery Answer field.
  5. Enter 1234 in the Security PIN field.
  6. Enter 1234 in the Confirm Security PIN field.
  7. Click the Save button when finished.

 

 

Close the Welcome Message

 

After completing the Security Settings, you will be presented with the Workspace ONE UEM Console Highlights pop-up.

  1. Click on the Don't show this message on login check box.
  2. Close the pop-up by clicking on the X in the upper-right corner.

 

Create Per-App VPN Profile


For iOS 7 and higher devices and Android Enterprise devices, you can force selected applications to connect through your corporate VPN. Your VPN provider must support this feature, and you must publish the apps as managed applications.


 

Create an iOS VPN Profile

In this step you will configure the iOS profile that is delivered to the device. The profile configures the VMware Tunnel client so that only designated applications can access content on internal servers.

 

Publish VMware Tunnel as a Public App


In this section you will create a Per-App VPN profile and deploy an Application configured to use the VPN Tunnel on iOS.


 

Add the VMware Tunnel Client as a Public Application

In order to leverage the VPN profile, the VMware Tunnel client must be installed on your device. We can leverage Workspace ONE UEM to deploy the client as a managed application to the device.

This step will walk you through the process of adding the client application to the Workspace ONE UEM Console to automatically install on enrolled devices. Please note, while it is required that the VMware Tunnel client application is installed on any device using Per App Tunnel, it does not have to be a managed application.

Users can download the VMware Tunnel client from the App Store.

 

 

Add VMware Tunnel as a Public App

 

  1. Click Add
  2. Click Public Application

 

 

Search App Store for VMware Tunnel

 

  1. Select Apple iOS for the Platform.
  2. Enter VMware Tunnel for the Name.
  3. Click NEXT

 

 

Select the VMware Tunnel Result

 

Click SELECT for the VMware Tunnel result.

 

 

Save and Assign VMware Tunnel

 

Click SAVE & ASSIGN

 

 

Add Assignment for VMware Tunnel

 

Click + Add Assignment.

 

 

Configure VMware Tunnel Assignment Settings

 

  1. Click in the Selected Assignment Groups field. This will pop up the list of created Assignment Groups. Start typing All Devices and select the All Devices (your@email.shown.here) Group.
  2. Select Auto for the App Delivery Method.

 

 

Configure Policies for VMware Tunnel

 

  1. Scroll down to find the Policies section.
  2. Select ENABLED for Remove On Unenroll.
  3. Click ADD

 

 

Confirm Assignment and Save

 

  1. Ensure the Assignment you created is displayed.
  2. Click SAVE & PUBLISH

 

 

Preview Assigned Devices and Publish

 

Click PUBLISH

 

Configure Workspace ONE Web for Per-App VPN


Now that the VMware Tunnel client is assigned to the appropriate group, this section walks through adding an application that is enabled to use Per App Tunnel.  After enabling the setting that allows an application to use VPN, you must select the VPN profile that the app should use. This requires that any application you would like to leverage Per App VPN is pushed to the device from the Workspace ONE UEM Console as a managed app. There is one exception to this, which is the Safari application on iOS.  This is covered in detail in a later section of this lab.

This step will walk you through the process of adding an application from the Public App store that will be associated to the VPN profile you created.


 

Add Workspace ONE Web as a Public App

 

  1. Click Add
  2. Click Public Application

 

iOS Device Enrollment


In this section, we are going to enroll an iOS device. The upcoming steps will need to be completed from an iOS device.


 

Download and Install Workspace ONE Intelligent Hub from App Store (IF NEEDED)

 

NOTE - Checked out devices will likely have the Workspace ONE Intelligent Hub already installed. You may skip this step if your device has the Workspace ONE Intelligent Hub installed.

At this point, if you are using your own iOS device or if the device you are using does NOT have the Workspace ONE Intelligent Hub Application installed, then install the application from the App Store.

To Install the Workspace ONE Intelligent Hub application from the App Store, open the App Store application and download the free Workspace ONE Intelligent Hub application.

 

 

Launching the Workspace ONE Intelligent Hub

 

Launch the Hub app on the device.  

NOTE - If you have your own iOS device and would like to test, you will need to download the Workspace ONE Intelligent Hub app first.

 

 

Enter the Server URL

 

  1. Enter labs.awmdm.com for the Server URL.
  2. Click Next.

Click on the Server Details button.

 

 

Find Your Group ID From the Workspace ONE UEM Console

 

Return to the Workspace ONE UEM Console:

  1. To find the Group ID, hover your mouse over the Organization Group tab at the top of the screen. Look for the email address you used to log in to the lab portal.
  2. Your Group ID is displayed at the bottom of the Organization Group pop up.

NOTE - The Group ID is required when enrolling your device in the following steps.

 

 

Attach the Workspace ONE Intelligent Hub to the HOL Sandbox

 

Return to the Workspace ONE Intelligent Hub application on your iOS Device:

  1. Enter your Group ID for your Organization Group for the Group ID field.  Your Group ID was noted previously in the Finding your Group ID step.
  2. Tap the Next button.

NOTE - If on an iPhone, you may have to close the keyboard by clicking Done in order to click the Next button.

 

 

Enter User Credentials

 

You will now provide user credentials to authenticate to Workspace ONE UEM.

  1. Enter testuser in the Username field.
  2. Enter VMware1! in the Password field.
  3. Tap the Next button.

 

 

Redirect to Safari and Enable MDM Enrollment in Settings

 

The Workspace ONE Intelligent Hub will prompt you to enable Workspace Services to enroll your device into Workspace ONE UEM.  

Tap Next to begin.

 

 

Allow Website to Open Settings (IF NEEDED)

 

If you are prompted to allow the website to open Settings to show you a configuration profile, tap Allow.

NOTE - If you do not see this prompt, ignore this and continue to the next step.  This prompt will only occur for iOS Devices on iOS 10.3.3 or later.

 

 

Install the Workspace ONE MDM Profile

 

Tap Install in the upper right corner of the Install Profile dialog box.

 

 

Enter Device Passcode (IF NEEDED)

 

If prompted, enter your device passcode to continue.

If you do NOT receive this prompt, continue to the next step.

 

 

Install and Verify the Workspace ONE MDM Profile

 

Tap Install when prompted at the Install Profile dialog.

 

 

iOS MDM Profile Warning

 

You should now see the iOS Profile Installation warning explaining what this profile installation will allow on the iOS device.

Tap Install in the upper-right corner of the screen.

 

 

Trust the Remote Management Profile.

 

You should now see the iOS request to trust the source of the MDM profile.

Tap Trust when prompted at the Remote Management dialog.

 

 

iOS Profile Installation Complete

 

You should now see that the iOS Profile was successfully installed.

Tap Done in the upper right corner of the prompt.

 

 

Workspace ONE UEM Enrollment Success

 

Your enrollment is now completed! Tap Open to navigate to the Workspace ONE Intelligent Hub.

 

 

Accept the Workspace ONE Intelligent Hub Notice

 

Tap Done to confirm the notice and continue.

 

 

Accept Notifications for Hub (IF NEEDED)

 

Tap Allow if you get a prompt to allow notifications for the Hub app.

 

 

Accept the App Installation (IF NEEDED)

 

You may be prompted to install a series of applications depending on which Module you are taking. If prompted, tap Install to accept the application installation.

 

 

Confirm the Privacy Policy

 

Tap I Understand when shown the Privacy policy.

 

 

Accept the Data Sharing Policy

 

Tap I Agree for the Data Sharing policy.

 

 

Confirm the Device Enrollment in the Hub App

 

Confirm that the Hub app shows the user account that you enrolled with.

You have now successfully enrolled your iOS device with Workspace ONE UEM!  Continue to the next step.

 

Testing Per App VPN


Now that the device is enrolled and has received the settings we configured in the Workspace ONE UEM Console, we are ready to begin testing the Per-App VPN functionality.


 

Testing Per App VPN on iOS

The applications assigned in the previous steps should push down during enrollment. The VMware Tunnel and Workspace ONE Web applications should be installed on your device.

 

 

Launch the Workspace ONE Web

 

Press the Home button on the iPad to return to the Launchpad. Swipe right to see the downloaded applications if needed.

Tap the Workspace ONE Web icon to launch the application. If prompted, select OK to allow Workspace ONE Web to send your device push notifications.

 

 

Access the Internal Website with Workspace ONE Web

 

  1. The application will launch and you will see the VPN icon appear indicating the connection is active. The application will now connect to Workspace ONE UEM and retrieve the settings for your Sandbox Organization Group. These settings include a default homepage that has been pre-configured for this lab. This website is available on an internal web server but not accessible from the public internet.
  2. The website will load and you'll see the Welcome message.

 

 

Attempt to Access the Website From Safari

We will now show that although the VPN connection is active, other applications on the device will not be able to access the Tunnel or the internal resources.

 

Safari Domain Profile Configuration


In this chapter you create a Per-App VPN profile and deploy an Application configured to use the VPN Tunnel on iOS.


 

Add a New Version to the iOS VPN Profile

In this step you will update the iOS profile created in the first step to include Safari domains.

 

Testing Safari Domains with Per App Tunnel


Now that the VPN profile is updated to include the domain tested in the first example in the Safari Domains list, we can confirm these settings have updated on the device and test in the native Safari application.


 

Confirm the VPN Configuration Has Updated

This section will walk-through how to confirm that the VPN configuration has successfully updated on your device.

 

 

Attempt to Access the Website From Safari

We will now show that browsing to a site in the domain added to the "Safari Domains" list will initiate a VPN connection.
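The per-app and Safari Domains behaviour tested in this module can also be checked offline against the configuration profile itself. The Python code below is an added example, not part of the lab or of VMware's tooling; it assumes Apple's payload types and keys (com.apple.vpn.managed.applayer, com.apple.vpn.managed, VPNUUID, OnDemandMatchAppEnabled, SafariDomains) and Apple's documented label-based matching rule for Safari domains, and the profile, names and hostnames in it are constructed.

```python
import plistlib

PER_APP_TYPE = "com.apple.vpn.managed.applayer"  # Apple per-app VPN payload type
DEVICE_WIDE_TYPE = "com.apple.vpn.managed"       # Apple device-wide VPN payload type

# Constructed, minimal profile (not exported from the lab): one per-app VPN
# payload with a Safari domain, plus one device-wide VPN payload for contrast.
SAMPLE_PROFILE = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
  <key>PayloadType</key><string>Configuration</string>
  <key>PayloadContent</key>
  <array>
    <dict>
      <key>PayloadType</key><string>com.apple.vpn.managed.applayer</string>
      <key>UserDefinedName</key><string>Example Per-App Tunnel</string>
      <key>VPNUUID</key><string>00000000-0000-0000-0000-000000000001</string>
      <key>OnDemandMatchAppEnabled</key><true/>
      <key>SafariDomains</key>
      <array><string>.intranet.example.test</string></array>
    </dict>
    <dict>
      <key>PayloadType</key><string>com.apple.vpn.managed</string>
      <key>UserDefinedName</key><string>Example Device VPN</string>
    </dict>
  </array>
</dict>
</plist>
"""


def vpn_payloads(profile_bytes):
    """Return (per_app, device_wide) lists of VPN payload dicts in a profile."""
    content = plistlib.loads(profile_bytes).get("PayloadContent", [])
    per_app = [p for p in content if p.get("PayloadType") == PER_APP_TYPE]
    device_wide = [p for p in content if p.get("PayloadType") == DEVICE_WIDE_TYPE]
    return per_app, device_wide


def domain_matches(host, domain):
    """Apple's rule as assumed here: strip leading/trailing dots, then match
    whole labels as a suffix; a single-label domain must equal the host."""
    d_labels = domain.strip(".").lower().split(".")
    h_labels = host.strip(".").lower().split(".")
    if d_labels == [""]:
        return False
    if len(d_labels) == 1:
        return h_labels == d_labels
    return h_labels[-len(d_labels):] == d_labels


def safari_uses_tunnel(host, payload):
    """True if browsing to host in Safari would trigger this per-app VPN."""
    return any(domain_matches(host, d) for d in payload.get("SafariDomains", []))


def audit(profile_bytes):
    """Return a list of findings about the VPN payloads in the profile."""
    findings = []
    per_app, device_wide = vpn_payloads(profile_bytes)
    if not per_app:
        findings.append("profile: no per-app VPN payload present")
    for payload in per_app:
        name = payload.get("UserDefinedName", "<unnamed>")
        if not payload.get("VPNUUID"):
            findings.append(f"{name}: missing VPNUUID, managed apps cannot be mapped to it")
        if not payload.get("OnDemandMatchAppEnabled", False):
            findings.append(f"{name}: OnDemandMatchAppEnabled is off, tunnel will not start automatically")
    for payload in device_wide:
        name = payload.get("UserDefinedName", "<unnamed>")
        findings.append(f"{name}: device-wide VPN payload, every app on the device can use it")
    return findings


if __name__ == "__main__":
    tunnel = vpn_payloads(SAMPLE_PROFILE)[0][0]
    for host in ("wiki.intranet.example.test", "badintranet.example.test"):
        print(host, "->", "tunnel" if safari_uses_tunnel(host, tunnel) else "direct")
    for finding in audit(SAMPLE_PROFILE):
        print("FINDING:", finding)
```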

 

Un-enrolling Your Device


You are now going to un-enroll the iOS device from Workspace ONE UEM.

NOTE - The term "Enterprise Wipe" does not mean reset or completely wipe your device. This only removes the MDM Profiles, Policies, and content which the AirWatch MDM Agent controls.

It will NOT remove the AirWatch Agent application from the device as this was downloaded manually before Workspace ONE UEM had control of the device.


 

Enterprise Wipe (un-enroll) your iOS device

 

Enterprise Wipe will remove all the settings and content that were pushed to the device when it was enrolled.  It will not affect anything that was on the device prior to enrollment.

To Enterprise Wipe your device you will first bring up the Workspace ONE UEM Console in a web browser. You may need to re-authenticate with your credentials (VLP registered email address and VMware1! as the password).

  1. Click Devices on the left column.
  2. Click List View.
  3. Click the checkbox next to the device you want to Enterprise Wipe.

NOTE - Your Device Friendly Name will very likely be different than what is shown. It will, however, be in the same location as shown in the image in this step.

 

 

Find the Enterprise Wipe Option

 

  1. Click More Actions. NOTE - If you do not see this option, ensure you have a device selected by clicking the checkbox next to the device.
  2. Click Enterprise Wipe under Management.

 

 

Enter your security PIN

 

After selecting Enterprise Wipe, you will be prompted to enter your Security PIN, which you set after you logged into the console (1234).

  1. Scroll down until you see the option for entering Security PIN
  2. Enter 1234 for the Security PIN. You will not need to press enter or continue, the console will confirm your PIN showing "Successful" below the Security PIN input field to indicate that an Enterprise Wipe has been requested.  

    NOTE - If 1234 does not work, then you provided a different Security PIN when you first logged into the Workspace ONE UEM Console.  Use the value you specified for your Security PIN.

NOTE - If the Enterprise Wipe does not immediately occur, follow the below steps to force a device sync:

  1. On your device, open the AirWatch Agent application.
  2. Tap the Device section (under Status) in the middle of the screen.
  3. Tap Send Data near the top of the screen.  If this does not make the device check in and immediately un-enroll, continue to Step #4.
  4. If the above doesn't make it immediately un-enroll, then tap Connectivity [Status] under Diagnostics.
  5. Tap Test Connectivity at the top of the screen.

NOTE - Depending upon Internet connectivity of the device and responsiveness of the lab infrastructure, this could take a couple of minutes or more if there is excessive traffic occurring within the Hands On Lab environment.

Feel free to continue to the "Force the Wipe" step to manually uninstall the Workspace ONE UEM services from the device if network connectivity is failing.

 

 

Verify the Un-Enrollment

 

Press the Home button on the device to go back to the home screen. The applications pushed through Workspace ONE UEM should have been removed from the device.

NOTE - The applications and settings pushed through Workspace ONE UEM should have been removed. The Agent will still be on the device because that was downloaded manually from the App Store. Due to lab environment settings, it may take some time for the signal to traverse through the various networks out and back to your device. Continue on to the next step to force the wipe if needed.

 

 

Force the Wipe - IF NECESSARY

 

If your device did not wipe, follow these instructions to ensure the wipe is forced immediately. Start by opening the iOS Settings app.

  1. Tap General in the left column.
  2. Scroll down to view the Device Management option.
  3. Tap Device Manager at the bottom of the list of General settings.

 

 

Force the Wipe - IF NECESSARY

 

Tap the Device Manager profile that was pushed to the device.

 

 

Force the Wipe - IF NECESSARY

 

  1. Tap Remove Management on the Device Manager profile.  
    NOTE - If prompted for a device PIN, enter it to continue.  VMware provisioned devices should not have a device PIN enabled.
  2. Tap Remove on the Remove Management prompt.

After removing the Device Manager profile, the device will be un-enrolled.  Feel free to return to the Verify the Un-Enrollment step to confirm the successful un-enrollment of the device.

 

Conclusion


This lab module reviewed how to leverage native Per-App VPN capabilities by publishing Per-App VPN profiles to your devices to ensure that only authorized apps are accessing your VPN.  This prevents users from needing to manually start and end VPN connections based on what apps they are accessing and provides an extra layer of security to your corporate resources by ensuring non-authorized apps are not able to connect to your VPN.

This concludes this lab module.


Module 4 - Workspace ONE App Catalog

Introduction


The Workspace ONE App Catalog provides your users with a unified app catalog where they can access applications you deploy across all devices from anywhere and any time.  This provides an identical experience across all your devices, streamlining this experience for your users.

In this exercise, you will explore the basic concepts of Mobile Application Management (MAM) with Workspace ONE UEM and learn how to deploy applications to the Workspace ONE App Catalog.  You will enroll a device to explore the Workspace ONE App Catalog to see how users interact with and download apps from the App Catalog.


Different types of applications - Internal / Public / Purchased / Web Apps


Depending on the type and mode of deployment, Workspace ONE UEM classifies applications as Internal, Public, Purchased and Web apps.

Platform/ Type Internal Public Web Purchased
iOS X X X X
Android X X X
macOS X
X X
Windows Phone X X

Windows Desktop X X X
Google Chromebook

X

Login to the Workspace ONE UEM Console


To perform most of the lab, you will need to log in to the Workspace ONE UEM Admin Console.


 

Launch Chrome Browser

 

Double-click the Chrome Browser on the lab desktop.

 

 

Authenticate to the Workspace ONE UEM Admin Console

 

The default home page for the browser is https://labs.awmdm.com. Enter your Workspace ONE UEM Admin Account information and click the Login button.

NOTE - If you see a Captcha, please be aware that it is case sensitive!

  1. Enter your Username. This is your email address that you have associated with your VMware Learning Platform (VLP) account.
  2. Enter VMware1! for the Password field.
  3. Click the Login button.

NOTE - Due to lab restrictions, you may need to wait here for a minute or so while the Hands On Lab contacts the Workspace ONE UEM Hands On Labs server.

 

 

Accept the End User License Agreement

 

NOTE - The following steps of logging into the Administration Console will only need to be done during the initial login to the console.

You will be presented with the Workspace ONE UEM Terms of Use. Click the Accept button.

 

 

Address the Initial Security Settings

 

After accepting the Terms of Use, you will be presented with a Security Settings pop-up.  The Password Recovery Question is in case you forget your admin password and the Security PIN is to protect certain administrative functionality in the console.  

  1. You may need to scroll down to see the Password Recovery Questions and Security PIN sections.
  2. Select a question from the Password Recovery Question drop-down (default selected question is ok here).
  3. Enter VMware1! in the Password Recovery Answer field.
  4. Enter VMware1! in the Confirm Password Recovery Answer field.
  5. Enter 1234 in the Security PIN field.
  6. Enter 1234 in the Confirm Security PIN field.
  7. Click the Save button when finished.

 

 

Close the Welcome Message

 

After completing the Security Settings, you will be presented with the Workspace ONE UEM Console Highlights pop-up.

  1. Click on the Don't show this message on login check box.
  2. Close the pop-up by clicking on the X in the upper-right corner.

 

Download AppLifecycle Apps


In this section, we are going to download AppLifecycle Apps that we will be using as Internal apps for this lab.


 

Download AppLifecycle 101

 

  1. Open a new tab in Chrome Browser
  2. Enter the following URL https://hol.awmdm.com/MyDevice/s/2239/be759588-38d0-4ad4-949e-88a1f4398f4b and hit Enter
    NOTE:
    Remember that you can drag and drop text from the manual into the URL bar to avoid typing!
  3. Validate that you have downloaded Applifecycle_101.ipa

 

 

Download AppLifecycle 102

 

  1. Open a new tab in Chrome Browser.
  2. Enter the following URL https://hol.awmdm.com/MyDevice/s/2239/86896741-33e4-43fd-a843-6225742f002c and hit Enter
    NOTE:
    Remember that you can drag and drop text from the manual into the URL bar to avoid typing!
  3. Validate that you have downloaded Applifecycle_102.ipa

 

iOS Device Enrollment With Directory Account


In this section, we are going to enroll an iOS device. The upcoming steps will need to be completed from an iOS device.


 

Download and Install Workspace ONE Intelligent Hub from App Store (IF NEEDED)

 

NOTE - Checked out devices will likely have the Workspace ONE Intelligent Hub already installed. You may skip this step if your device has the Workspace ONE Intelligent Hub installed.

At this point, if you are using your own iOS device or if the device you are using does NOT have the Workspace ONE Intelligent Hub Application installed, then install the application from the App Store.

To Install the Workspace ONE Intelligent Hub application from the App Store, open the App Store application and download the free Workspace ONE Intelligent Hub application.

 

 

Launching the Workspace ONE Intelligent Hub

 

Launch the Hub app on the device.  

NOTE - If you have your own iOS device and would like to test, you will need to download the Workspace ONE Intelligent Hub app first.

 

 

Enter the Server URL

 

  1. Enter labs.awmdm.com for the Server URL.
  2. Click Next.

Click on the Server Details button.

 

 

Find Your Group ID From the Workspace ONE UEM Console

 

Return to the Workspace ONE UEM Console:

  1. To find the Group ID, hover your mouse over the Organization Group tab at the top of the screen. Look for the email address you used to log in to the lab portal.
  2. Your Group ID is displayed at the bottom of the Organization Group pop up.

NOTE - The Group ID is required when enrolling your device in the following steps.

 

 

Attach the Workspace ONE Intelligent Hub to the HOL Sandbox

 

Return to the Workspace ONE Intelligent Hub application on your iOS Device:

  1. Enter your Group ID for your Organization Group for the Group ID field.  Your Group ID was noted previously in the Finding your Group ID step.
  2. Tap the Next button.

NOTE - If on an iPhone, you may have to close the keyboard by clicking Done in order to click the Next button.

 

 

Enter User Credentials

 

You will now provide user credentials to authenticate to Workspace ONE UEM.

  1. Enter aduser in the Username field.
  2. Enter VMware1! in the Password field.
  3. Tap the Next button.

 

 

Redirect to Safari and Enable MDM Enrollment in Settings

 

The Workspace ONE Intelligent Hub will prompt you to enable Workspace Services to enroll your device into Workspace ONE UEM.  

Tap Next to begin.

 

 

Allow Website to Open Settings (IF NEEDED)

 

If you are prompted to allow the website to open Settings to show you a configuration profile, tap Allow.

NOTE - If you do not see this prompt, ignore this and continue to the next step.  This prompt will only occur for iOS Devices on iOS 10.3.3 or later.

 

 

Install the Workspace ONE MDM Profile

 

Tap Install in the upper right corner of the Install Profile dialog box.

 

 

Enter Device Passcode (IF NEEDED)

 

If prompted, enter your device passcode to continue.

If you do NOT receive this prompt, continue to the next step.

 

 

Install and Verify the Workspace ONE MDM Profile

 

Tap Install when prompted at the Install Profile dialog.

 

 

iOS MDM Profile Warning

 

You should now see the iOS Profile Installation warning explaining what this profile installation will allow on the iOS device.

Tap Install in the upper-right corner of the screen.

 

 

Trust the Remote Management Profile.

 

You should now see the iOS request to trust the source of the MDM profile.

Tap Trust when prompted at the Remote Management dialog.

 

 

iOS Profile Installation Complete

 

You should now see that the iOS Profile was successfully installed.

Tap Done in the upper right corner of the prompt.

 

 

Workspace ONE UEM Enrollment Success

 

Your enrollment is now completed! Tap Open to navigate to the Workspace ONE Intelligent Hub.

 

 

Accept the Workspace ONE Intelligent Hub Notice

 

Tap Done to confirm the notice and continue.

 

 

Accept Notifications for Hub (IF NEEDED)

 

Tap Allow if you get a prompt to allow notifications for the Hub app.

 

 

Accept the App Installation (IF NEEDED)

 

You may be prompted to install a series of applications depending on which Module you are taking. If prompted, tap Install to accept the application installation.

 

 

Confirm the Privacy Policy

 

Tap I Understand when shown the Privacy policy.

 

 

Accept the Data Sharing Policy

 

Tap I Agree for the Data Sharing policy.

 

 

Confirm the Device Enrollment in the Hub App

 

Confirm that the Hub app shows the user account that you enrolled with.

You have now successfully enrolled your iOS device with Workspace ONE UEM!  Continue to the next step.

 

Internal App Deployment


Use Workspace ONE UEM to distribute, track, and manage your internal applications. These are applications built in-house and not hosted on Public App Stores. You can upload the application files directly to the Workspace ONE console for deployment. However, if you use an external repository to host your internal applications, then you can easily integrate that host with Workspace ONE UEM, instead of migrating the entire catalog to Workspace ONE UEM.

Supported File types for different platforms:

Platform          File Type
Android           APK
iOS               IPA
macOS             APP Package Bundles
Windows Desktop   APPX, EXE, MSI, ZIP
Windows Phone     APPX, XAP

Once the application is installed, you can track the installation status and reason codes in case of failures.


 

Upload Internal Application with a Local File

In this section, you are going to add an IPA file to the AirWatch console as an internal iOS app.

 

 

Add an Assignment to the Internal Application

We will now configure which devices will receive the internal application.

 

 

Provisioning Profiles for Enterprise Distribution

 

  1. Click Apps & Books.
  2. Expand Applications.
  3. Click Native.
  4. Click the Internal tab.
  5. Validate that you have the application uploaded with the name as AppLifecycle.
  6. In the Version column, you will see the version as 1.0.1.
  7. In the column Renewal Date, you will see when the provisioning profile is going to expire for this particular app.

You can renew this provisioning profile from the Workspace ONE UEM console (via the Application Details > Files menu), without having to rebuild and re-upload the app to the Workspace ONE UEM console. This simplifies the recurring task of profile renewal, without any intervention from App Developers and any interruption on the end user devices.

For this exercise, we are not going to renew the provisioning profile of this app.

 

Public App Deployment - Workspace ONE Catalog


Workspace ONE UEM offers two app catalogs - the Workspace ONE App Catalog and the AirWatch Catalog. Both catalogs support the features in the Apps Settings of the Workspace ONE UEM Console.

The Workspace ONE catalog integrates resources from environments that use VMware Identity Manager and Workspace ONE UEM. If your deployment does not use VMware Identity Manager, you still have access to the features previously released for the AirWatch Catalog.

In this lab, you are going to access the assigned apps via the Workspace ONE App Catalog, which is available as a public app from your device App Store.


 

Add Workspace One as a public app

 

  1. Click Add.
  2. Click Public Application.

 

 

Accept the app installation prompt

 

As soon as the device checks in after the app is assigned, you will see a prompt on the device to install the Workspace ONE app.

Click Install to continue.

NOTE: The push notification to install the application may take a minute or two to display on the device.

NOTE: If you are using a supervised device, such as a borrowed device at VMworld, you will not see the prompt and the app will be installed automatically.

 

Log into Workspace ONE Catalog



 

Launch Workspace App

 

Click on the Workspace app to launch.

 

 

Create a Passcode (IF NEEDED)

If you do not already have a device passcode set on the iOS device, you will receive a warning message before being able to access the Workspace ONE app. Please navigate to Settings > Passcode > Turn Passcode On, to setup a new passcode, then return to Workspace ONE.

 

 

Validate App Service Host URL from AppConfig

 

  1. Validate that the pre-populated URL is https://hol-cn1193-ws1mam.vidmpreview.com.
  2. Tap Next to continue.

This is the value that you entered for the key AppServiceHost while configuring the deployment options for the Workspace ONE app. This is how easy it is to pre-configure the Workspace ONE app for a seamless end user experience.

 

 

Select domain as corp.local

 

  1. Select the hol domain.
  2. Click Next.

 

 

Enter Credentials

 

  1. Enter aduser for the username.
  2. Enter VMware1! for the password.
  3. Ensure that you are seeing hol as the domain.
  4. Tap Sign in.

 

 

Enter Workspace ONE

 

Whenever you see the message Your Workspace is ready, tap on Enter.

 

 

Accept the Notifications Prompt (IF NEEDED)

 

If you are prompted to enable Notifications for Workspace, tap Allow.

 

 

Accept the Privacy Policy

 

Tap I Understand when the Privacy Policy is displayed.

 

 

Accept Data Sharing

 

Tap I Agree when the Data Sharing prompt is displayed.

 

Internal App Versioning


Internal and Enterprise apps get updated on a regular basis to offer the latest functionality and security enhancements. Workspace ONE makes it easy to update these apps on end user devices over-the-air automatically, without having to connect the device to a computer. In this section, we are going to add an internal app on-demand and install it from the Workspace ONE catalog. You will also see how to update the app in the Workspace ONE UEM console so that it gets updated on the enrolled device without any app data loss.


 

Install the Internal app from Workspace ONE Catalog

Since you do not have many apps deployed in this lab, you can see all the apps from the default view. However, you will still validate the app category we assigned while deploying our internal app.

 

 

Add an updated version of the Internal app to the Workspace ONE UEM Console

You will now upload a new version of our internal app to see how this reflects in the Workspace ONE UEM Console as well as on the device.

 

 

Install the updated version of the app from Workspace ONE Catalog

Let's view the update process on the device in Workspace ONE when apps are updated through the AirWatch Console.

 

 

Uninstall the app from managed devices

As a part of the Workspace ONE UEM flexible deployment, the app removal from Workspace ONE UEM has three different phases:

  1. Retire - Removes an application from all managed devices. For iOS devices, if an older version of the application exists in the Workspace ONE UEM solution, then this older version is pushed to devices.
  2. Deactivate - Removes an application and all versions of it from all managed devices.
  3. Delete - Deletes the app from the Workspace ONE UEM database. If the application is currently installed on any devices, it puts the app in the Deactivated state first. You can then remove the app by changing the filter to Inactive.

Use the Retire option if you want to revert to an earlier version, without uninstalling the app from all the enrolled devices.

 

Web App Deployment


Web applications are useful for navigating to complex URLs with many characters. You can place Web application icons on the springboard to minimize the frustration of accessing these websites. These icons connect end users to internal content repositories or login screens, so end users do not have to open a browser and type out a long or complex URL.


 

Add Web App to the Workspace ONE UEM Console

Continue to walk through the process of adding a Web app through the Workspace ONE UEM Console.

 

 

Access the Web App from enrolled device

Now that the Web app is added to the AirWatch Console and published to devices, let's view and interact with the Web app from our device.

 

Remove Apps via Workspace ONE UEM Console


So far, we have seen how to deploy apps using Workspace ONE UEM. Having the ability to remove the apps from a device is as important as deploying them, especially in the scenarios where a device is lost or stolen or if an employee leaves the organization. This not only clears the sensitive app data from the device but it also revokes access to the corporate resources and functionality that the app has access to.


 

Uninstall the Web App

In this section, we will see how to remove the apps from the enrolled devices.

 

Assume Management


Apple iOS enables Workspace ONE UEM to assume management of user-installed applications without requiring the deletion of the previously installed application from the device. In this section, we are going to install a public app from the App Store and assume management of it. This will enable us to apply all the mobile application management policies to this user-installed app, including removal upon un-enrollment. We will validate this in the next article.

Consider the scenario where your employee has installed the app from the App Store directly (very common in BYOD - Bring Your Own Device). In that case the app is unmanaged, since it was not pushed down via Workspace ONE UEM. As a result, the app cannot have MAM (Mobile Application Management) enhancements like per-app VPN (to connect to a backend resource), App Config (to auto-configure the app over-the-air), or Data Loss Prevention (removal of the app in case the device is stolen or compromised).

In this section, we will see how to convert such apps to managed apps so that they can leverage the above Workspace ONE UEM Mobile Application Management (MAM) enhancements and much more.


 

Install an unmanaged app from App Store

Begin by downloading and installing an unmanaged app from the App Store on our device.  You will assume management of this app in an upcoming step.

 

 

Add the same application as a public app from the Workspace ONE UEM Console

Now that you have downloaded an unmanaged app, we will publish the same app from the Workspace ONE UEM Console as part of the process of assuming management.

 

 

Salesforce as managed app

We will now see how the Salesforce app becomes managed by AirWatch on our device.

 

 

Conclusion

This is how easy it is to manage a user-installed app via Workspace ONE UEM. This feature is very powerful in a BYOD scenario to enhance functionality and ensure proper security of user-installed apps.

 

Un-enrolling Your Device


You are now going to un-enroll the iOS device from Workspace ONE UEM.

NOTE - The term "Enterprise Wipe" does not mean reset or completely wipe your device. This only removes the MDM Profiles, Policies, and content which the AirWatch MDM Agent controls.

It will NOT remove the AirWatch Agent application from the device as this was downloaded manually before Workspace ONE UEM had control of the device.


 

Enterprise Wipe (un-enroll) your iOS device

 

Enterprise Wipe will remove all the settings and content that were pushed to the device when it was enrolled.  It will not affect anything that was on the device prior to enrollment.

To Enterprise Wipe your device you will first bring up the Workspace ONE UEM Console in a web browser. You may need to re-authenticate with your credentials (VLP registered email address and VMware1! as the password).

  1. Click Devices on the left column.
  2. Click List View.
  3. Click the checkbox next to the device you want to Enterprise Wipe.

NOTE - Your Device Friendly Name will very likely be different from what is shown. It will, however, be in the same location as shown in the image in this step.

 

 

Find the Enterprise Wipe Option

 

  1. Click More Actions. NOTE - If you do not see this option, ensure you have a device selected by clicking the checkbox next to the device.
  2. Click Enterprise Wipe under Management.

 

 

Enter your security PIN

 

After selecting Enterprise Wipe, you will be prompted to enter your Security PIN, which you set after you logged in to the console (1234).

  1. Scroll down until you see the option for entering the Security PIN.
  2. Enter 1234 for the Security PIN. You do not need to press Enter or Continue; the console will confirm your PIN by showing "Successful" below the Security PIN input field to indicate that an Enterprise Wipe has been requested.

    NOTE - If 1234 does not work, then you provided a different Security PIN when you first logged into the Workspace ONE UEM Console.  Use the value you specified for your Security PIN.

NOTE - If the Enterprise Wipe does not immediately occur, follow the below steps to force a device sync:

  1. On your device, open the AirWatch Agent application.
  2. Tap the Device section (under Status) in the middle of the screen.
  3. Tap Send Data near the top of the screen.  If this does not make the device check in and immediately un-enroll, continue to Step #4.
  4. If the above doesn't make it immediately un-enroll, then tap Connectivity [Status] under Diagnostics.
  5. Tap Test Connectivity at the top of the screen.

NOTE - Depending upon Internet connectivity of the device and responsiveness of the lab infrastructure, this could take a couple of minutes or more if there is excessive traffic occurring within the Hands On Lab environment.

Feel free to continue to the "Force the Wipe" step to manually uninstall the Workspace ONE UEM services from the device if network connectivity is failing.

 

 

Verify the Un-Enrollment

 

Press the Home button on the device to go back to the home screen. The applications pushed through Workspace ONE UEM should have been removed from the device.

NOTE - The applications and settings pushed through Workspace ONE UEM should have been removed. The Agent will still be on the device because it was downloaded manually from the App Store. Due to lab environment settings, it may take some time for the signal to traverse the various networks out and back to your device. Continue on to the next step to force the wipe if needed.

 

 

Force the Wipe - IF NECESSARY

 

If your device did not wipe, follow these instructions to ensure the wipe is forced immediately. Start by opening the iOS Settings app.

  1. Tap General in the left column.
  2. Scroll down to view the Device Management option.
  3. Tap Device Manager at the bottom of the list of General settings.

 

 

Force the Wipe - IF NECESSARY

 

Tap the Device Manager profile that was pushed to the device.

 

 

Force the Wipe - IF NECESSARY

 

  1. Tap Remove Management on the Device Manager profile.  
    NOTE - If prompted for a device PIN, enter it to continue.  VMware provisioned devices should not have a device PIN enabled.
  2. Tap Remove on the Remove Management prompt.

After removing the Device Manager profile, the device will be un-enrolled.  Feel free to return to the Verify the Un-Enrollment step to confirm the successful un-enrollment of the device.

 

Conclusion


In this exercise, you have learned how to deploy and manage different types of applications using Workspace ONE. We also saw how to remove a managed app from a device and how to assume management of apps installed by the end users.


Conclusion

Thank you for participating in the VMware Hands-on Labs. Be sure to visit http://hol.vmware.com/ to continue your lab experience online.

Lab SKU: HOL-1957-07-UEM

Version: 20181104-123713