Lab Overview - HOL-2251-09-DWS - Workspace ONE UEM - Getting Started with the Digital Workspace
Note: It may take more than 90 minutes to complete this lab. You should expect to only finish 2-3 of the modules during your time. The modules are independent of each other so you can start at the beginning of any module and proceed from there. You can use the Table of Contents to access any module of your choosing.
The Table of Contents can be accessed in the upper right-hand corner of the Lab Manual.
Interested in providing a secure digital workspace to meet the demands of a modern and distributed workforce but don't know where to start? Learn the core concepts of Workspace ONE UEM (Unified Endpoint Management) and the fundamentals of enrolling and managing iOS, macOS, Windows 10, and Android devices to distribute apps, policies, restrictions, and powerful workflows. Explore the entire Anywhere Workspace solution, including insightful reports and automation with Workspace ONE Intelligence and how to provide secure access with the Unified Access Gateway.
Lab Module List:
This lab manual can be downloaded from the Hands-on Labs Document site found here:
This lab may be available in other languages. To set your language preference and have a localized manual deployed with your lab, you may utilize this document to help guide you through the process:
http://docs.hol.vmware.com/announcements/nee-default-language.pdf
During this module, you will input text into the Main Console. Besides directly typing it in, there are two very helpful methods of entering data which make it easier to enter complex data.
You can also click and drag text and Command Line Interface (CLI) commands directly from the Lab Manual into the active window in the Main Console.
You can also use the Online International Keyboard found in the Main Console.
In this example, you will use the Online Keyboard to enter the "@" sign used in email addresses. The "@" sign is Shift-2 on US keyboard layouts.
Notice the @ sign entered in the active console window.
When you first start your lab, you may notice a watermark on the desktop indicating that Windows is not activated.
One of the major benefits of virtualization is that virtual machines can be moved and run on any platform. The Hands-on Labs utilizes this benefit and we are able to run the labs out of multiple data centers. However, these data centers may not have identical processors, which triggers a Microsoft activation check through the Internet.
Rest assured, VMware and the Hands-on Labs are in full compliance with Microsoft licensing requirements. The lab that you are using is a self-contained pod and does not have full access to the Internet, which is required for Windows to verify the activation. Without full access to the Internet, this automated process fails and you see this watermark.
This cosmetic issue has no effect on your lab.
Please check that your lab has finished all the start-up routines and is ready for you to start. If you see anything other than "Ready", please wait a few minutes. If after 5 minutes your lab has not changed to "Ready", please ask for assistance.
Module 1 - Introduction to Windows 10 Management (30 minutes)
Learn how to enroll a Windows 10 device into Workspace ONE UEM and how to configure and deploy restriction profiles and applications to your enrolled device.
To successfully complete this Hands-On Lab, you'll need to ensure you have the following pre-requisites:
As a reminder, DO NOT access the Hands-On lab from the same machine you plan to enroll & manage as part of the HOL exercise. As part of the HOL, you will be rebooting this machine and temporarily lose access to the lab documentation if you run the lab from the device you enroll.
To complete this lab, we recommend you use a test device ONLY and avoid enrolling personal devices in the lab at all costs.
IMPORTANT: You SHOULD NOT enroll a personal Windows 10 device for the upcoming exercise! Personal devices may be enrolled into other EMM providers which can cause undesired conflicts and issues.
Please follow the upcoming steps to enroll and use the provided Win10-01a virtual machine for this Hands-on Lab.
Double-click the Win10-01a.rdp shortcut located on the Main Console Desktop to connect to the Windows 10 virtual machine.
To perform most of the lab, you will log into the Workspace ONE UEM Admin Console.
Double-click the Google Chrome shortcut located on the desktop of the virtual machine you are currently connected to.
The default home page for the browser is https://hol.awmdm.com. Enter your Workspace ONE UEM Admin Account information and click the Login button.
NOTE - If you see a Captcha, please be aware that it is case sensitive!
The password field will be displayed after entering your username.
Enter VMware1! for the Password field.
NOTE: Due to lab restrictions, you may need to wait here for a minute or so while the Hands On Lab contacts the Workspace ONE UEM Hands On Labs server.
You will be presented with the Workspace ONE UEM Terms of Use. Due to the lab environment the Terms of Use will not display, but this will not affect the lab itself. Click the Accept button.
NOTE: The following steps of logging into the Administration Console will only need to be done during the initial login to the console.
After accepting the Terms of Use, you will be presented with this Security Settings pop-up.
The Password Recovery Question is in case you forget your admin password and the Security PIN is to protect certain administrative functionality in the console.
Enter VMware1! in the Password Recovery Answer field.
Enter VMware1! in the Confirm Password Recovery Answer field.
Enter 1234 in the Security PIN field.
Enter 1234 in the Confirm Security PIN field.
A popup window will appear after you complete your security questions.
Click the 'X' in the upper right corner to close the Workspace ONE UEM Console Highlights window.
Basic accounts are the accounts which are created locally in the Workspace ONE UEM admin console, as opposed to the accounts which are imported from an active directory. In this section, we will create a Basic User account which we will use for enrollment in the following section.
In the top right corner of the Workspace ONE UEM console,
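In the pop-up window, enter the following values:
Username: basicuser
Password: VMware1!
Confirm Password: VMware1!
First Name: Basic
Last Name: User
Email Address: basicuser@corp.local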
You should see a confirmation that the user was created successfully. If a user with the same username already exists, you can use the existing user in the following section.
The activation flow for Hub Services depends on whether you are a new customer or an existing customer.
New cloud customers who purchased Workspace ONE after January 2019 have Hub Services activated automatically as part of the instance provisioning process. Workspace ONE UEM, Workspace ONE Access, and Hub Services consoles are connected together, and the Hub catalog is enabled for the Intelligent Hub app.
Existing customers can configure Workspace ONE Access tenant URL, tenant admin username and password to activate Hub Services. If you do not have a Workspace ONE Access tenant, you can request one from the Workspace ONE UEM administrator console itself, using the Request a Cloud Tenant button.
For this lab, we have already provided you with a Workspace ONE Access tenant, which we will use in the next step to activate Hub Services.
A temporary Workspace ONE Access tenant has been generated for you to use throughout this lab. The Workspace ONE Access tenant URL and login details were uploaded to the Content section in the Workspace ONE UEM Console at the start of the lab.
In the Workspace ONE UEM Console:
Locate the file named vIDM Tenant Details for your@email.shown.here.txt and click the checkbox beside it to select the file.
After the file downloads, click the vIDM Tenant Details for your@email.shown.here.txt file from the download bar to open it.
NOTE: Your tenant name will match your Group ID in the Workspace ONE UEM Console.
Click Get Started to begin the Hub Services activation process.
Enter Administrator for the username.
Enter VMware1! for the password.
Ensure that the message confirming Hub Services has been successfully activated is displayed. You have now successfully Activated Hub Services for your tenant!
You will now enroll the Windows 10 device in Workspace ONE UEM by using the Workspace ONE Intelligent Hub app.
NOTE: You do NOT need to complete these steps, the Workspace ONE Intelligent Hub has already been downloaded for you! This step is purely informative.
You can download the latest Workspace ONE Intelligent Hub app for your current platform by following the below steps:
Navigate to https://www.getwsone.com in your browser.
For expediency, the Workspace ONE Intelligent Hub app has already been downloaded for you. Continue to the next step to start the installer.
NOTE: The installer may take a few seconds to launch, please be patient after clicking the AirwatchAgent.msi file.
Click Run to proceed with the installation.
Leave the default install location and click Next.
NOTE: The Next button may take several seconds to enable while the required additional features are installed.
Click Install to start the installer.
NOTE - The Installing Hub UI Component step may take several minutes to complete. Please do not interrupt the install!
If prompted to allow the app to make changes on your device, click Yes. Otherwise, continue to the next step.
NOTE: The installer may take several minutes to complete. Please wait until you see the completed install screen before continuing.
Click Finish to complete the Workspace ONE Intelligent Hub installer.
NOTE: After clicking finish, the Native Enrollment application will launch to guide you through enrolling into Workspace ONE UEM. It will take around 45-60 seconds to launch the agent.
NOTE: The above screen may take 2-3 minutes to display after clicking Finish from the previous step!
Enter hol.awmdm.com for the Server Address.
The next step is to make sure you know what your Organization Group ID is.
Enter basicuser in the Username field.
Enter VMware1! in the Password field.
NOTE: Wait while the server checks your enrollment details. This may take a few minutes.
Click I Agree.
Click Done to end the Enrollment process. Your Windows 10 device is now successfully enrolled into Workspace ONE UEM!
Once the enrollment is completed, the Workspace ONE Intelligent Hub app will be displayed. The Favorites and Apps tabs will be empty because we have not yet deployed any apps to your users and devices.
In the next steps, you will deploy two applications: Workspace ONE Assist and 7-Zip. Workspace ONE Assist will be deployed and installed automatically to the end user's device, while 7-Zip will be an "on demand" app, meaning users can initiate the app download and install from the app catalog if and when they need access to 7-Zip.
Profiles allow you to modify how the enrolled devices behave. This exercise helps you to configure and deploy a restrictions profile that we can verify has applied to the device later in the section.
In the Workspace ONE UEM Administrator Console:
Select the Windows icon.
Note: Make sure that you select Windows and not Windows Rugged.
Select Windows Desktop.
Select Device Profile.
Enter Windows Restrictions in the Name text box.
Enter Windows Restrictions into the Description field.
Note: You DO NOT need to click Save & Publish at this point. This interface allows you to move around to different payload configuration screens before saving.
NOTE: When initially setting a payload, a Configure button will show to reduce the risk of accidentally setting a payload configuration.
NOTE: Some restrictions require a certain version of Windows or higher to apply to a device. A few references are available for you to determine which version of Windows is required, including:
https://www.vmwarepolicybuilder.com
http://aka.ms/CSPList
https://docs.microsoft.com/en-us/windows/client-management/mdm/new-in-windows-mdm-enrollment-management
A preview of devices that will receive this profile based on the assigned smart groups is shown. Click Publish.
You should now see your Restrictions Profile within the List View of the Devices Profiles window.
Note: If you need to edit the Restrictions Profile, this is where you would do so. To edit the profile, click the profile name, then select Add Version. Update the profile and click Save & Publish to push the new settings to the assigned devices.
There are two ways to distribute applications: On Demand and Auto.
This exercise will show how to deploy the 7-Zip executable as an On Demand app.
In the Workspace ONE UEM Administrator Console:
Click Upload.
Click the Choose File button.
Click Save.
NOTE: The app upload may take a few minutes to complete! Continue to the next step once the upload completes. If you see "An error has occurred HTTP Status Code 0" please try the upload again as internet bandwidth is variable.
Enter 7-Zip as the name. This name will be displayed in the app catalog to your users.
7z1604-x64.exe /Uninstall
NOTE: Remember that you can copy and paste text from the manual into the lab to avoid typing mistakes!
NOTE: For more information about copying text from the manual, see the Guidance section.
7z1604-x64.exe /S
Enter C:\Program Files\7-Zip\7zFM.exe for the Path.
Click Save & Assign.
Enter All Devices for the Name.
Note: You now have the ability to choose whether the app is displayed in the app catalog. This is helpful when you are deploying driver updates or scripted actions and don't want the end user to see them in the catalog.
Click Save to save the app assignments.
Click Publish to publish the application to the list of devices shown.
The 7-Zip application has been created and assigned to the All Devices smart group as an On Demand app, meaning it will not be automatically installed on the end user device when it is enrolled. This allows the app to be installed by the end user through the app catalog or by an administrator through the Workspace ONE UEM administrator console.
Continue to the next step.
You will now distribute an Auto app, which will automatically download and install the app to the user's device without requiring them to interact with the app within the Intelligent Hub app catalog.
In the Workspace ONE UEM Administrator Console:
Click Upload.
Click the Choose File button.
Click Save.
NOTE: The app upload may take a few minutes to complete! Continue to the next step once the upload completes. If you see "An error has occurred HTTP Status Code 0" please try the upload again as internet bandwidth is variable.
Select 64-bit for the Supported Processor Architecture.
Enter All Devices for the Distribution Name.
NOTE: You now have the ability to choose whether the app is displayed in the app catalog. This is helpful when you are deploying driver updates or scripted actions and don't want the end user to see them in the catalog.
Click Save to save the app assignments.
Click Publish to publish the application to the list of devices shown.
The Workspace ONE Assist application has been created and assigned to the All Devices smart group and the App Delivery Method was set to Auto, meaning the app will be automatically downloaded and installed without requiring any user interaction when a Windows 10 device is enrolled into the organization.
Continue to the next step.
Your device was enrolled and received three configurations:
You will now confirm that the Restriction Profile was installed by verifying that the restrictions are applied on your device and that the two apps are available according to their deployment type (On Demand vs. Auto).
Click on Accounts.
Notice, the end-user now does not have the ability to unenroll their device from Workspace ONE UEM management.
Here you can see the before and after results of applying the Allow or Don't Allow MDM Unenrollment policy on the Windows 10 device.
Click the 7-Zip app.
Click Install.
You were able to confirm that the Restriction Profile took effect on the device as intended and that the two applications you made available, Workspace ONE Assist and 7-Zip, were presented to the user from the app catalog and were successfully installed!
In this section, we are going to un-enroll our Windows 10 VM so that we can use it for other lab modules.
We will use the Enterprise Wipe command to remove all of the managed content that Workspace ONE pushed to the device (such as profiles and apps) without modifying any personal content or data on the device.
Return to the Workspace ONE UEM Administrator Console in Google Chrome,
Enter 1234 for the Security PIN. If you used a different PIN, enter that one instead.
NOTE: The Enterprise Wipe may take several minutes to process.
From the Settings Menu, access Accounts
NOTE: The CORP AD domain is the local domain in this lab and is not controlled by Workspace ONE UEM Enrollment, so you will see this connection when your device is enrolled or unenrolled.
NOTE: If the Access Work or School page was opened from earlier, you may need to refresh or navigate away from the page and return to see the changes.
Click Close (X) on the Remote Desktop Connection bar at the top of the screen to return to the Main Console to finish making configurations within the Workspace ONE UEM Console.
In addition to managing mobile devices, Workspace ONE UEM can also manage your Windows 10 devices. This quick look into Windows 10 management should provide a clearer picture of how you can manage your Windows 10 devices by configuring restrictions and profiles and deploying applications alongside your mobile workforce.
This concludes the Basic Windows 10 Management module.
Interested in learning more about VMware End User Computing (EUC) but don't know where to start? Look no further than https://techzone.vmware.com, your fastest path to understanding, evaluating, and deploying VMware End User Computing products!
Tech Zone focuses on providing practical product guidance, curated activity paths, and technical content to take you from zero to hero! Our mission at Tech Zone is to provide you with the resources you need to keep leveling up your knowledge no matter where you are in your digital workspace journey.
Interested? Check us out at https://techzone.vmware.com!
Module 2 - Introduction to Apple iOS Management (30 minutes)
This lab module will focus on introducing the concepts of Unified Endpoint Management (UEM) with Workspace ONE. This lab will walk you through how to enroll an iOS device and deploy device profiles to configure your iOS devices to leverage UEM functionality.
IMPORTANT: You SHOULD NOT enroll a personal device for the upcoming exercise!
Personal devices may be enrolled into other UEM providers which can cause undesired conflicts and issues.
To complete this lab, we recommend you use a test device ONLY and avoid enrolling personal devices in the lab.
To begin this lab, you will need to login to the Workspace ONE UEM admin console.
Double-click the Google Chrome shortcut located on the desktop of the virtual machine you are currently connected to.
The password field is displayed.
Enter VMware1! in the Password field.
NOTE: You may need to wait here for a minute or so while the Hands On Lab contacts the Workspace ONE UEM Hands On Labs server.
You will be presented with the Workspace ONE UEM Terms of Service. Click the Accept button.
NOTE: The following steps are only performed for the initial login to the administration console.
After accepting the Terms of Use, you will be presented with this Security Settings pop-up.
The Password Recovery Question is in case you forget your admin password and the Security PIN is to protect certain administrative functionality in the console.
Enter VMware1! in the Password Recovery Answer field.
Enter VMware1! in the Confirm Password Recovery Answer field.
Enter 1234 in the Security PIN field.
Enter 1234 in the Confirm Security PIN field.
A popup window will appear after you complete your security questions.
Click the 'X' in the upper right corner to close the Workspace ONE UEM Console Highlights window.
In this section, we will create a restriction profile that will disable the camera and disable Siri on the device. We will set the profile for auto-deployment, so that the profile is installed automatically when the device is enrolled.
In the top right corner of the Workspace ONE UEM console,
Click the Device Profile context option.
Enter iOS Restriction Profile for the Name field.
NOTE: Supervised devices give schools and businesses greater control over the iOS devices that they own. Supervising devices gives administrators additional device restrictions that are not possible in Bring Your Own Device (BYOD) scenarios, in order to respect end user privacy.
Click Publish.
Before enrolling your device, confirm that Siri is available for use on your iOS device so you can verify in an upcoming step that the iOS Restriction Profile properly disables Siri once the device is enrolled.
In this section, we are going to enroll an iOS device. The upcoming steps will need to be completed from an iOS device.
NOTE: Checked out devices will likely have the Workspace ONE Intelligent Hub already installed. You may skip this step if your device has the Workspace ONE Intelligent Hub installed.
At this point, if you are using your own iOS device or if the device you are using does NOT have the Workspace ONE Intelligent Hub Application installed, then install the application from the App Store.
To Install the Workspace ONE Intelligent Hub application from the App Store, open the App Store application and download the free Workspace ONE Intelligent Hub application.
Launch the Hub app on the device.
NOTE: If you have your own iOS device and would like to test you will need to download the Workspace ONE Intelligent Hub app first.
Once the Hub has launched you can enroll the device. To do so, follow the below steps.
Enter hol.awmdm.com for the Server field.
NOTE: If on an iPhone, you may have to close the keyboard by clicking Done in order to click the Continue button.
Return to the Workspace ONE UEM Console,
NOTE: The Group ID is required when enrolling your device in the following steps.
Return to the Workspace ONE Intelligent Hub application on your iOS Device,
NOTE: If on an iPhone, you may have to close the keyboard by clicking Done in order to click the Next button.
You will now provide user credentials to authenticate to Workspace ONE UEM.
Enter testuser in the Username field.
Enter VMware1! in the Password field.
If prompted for password saving, click Not Now.
The Workspace ONE Intelligent Hub will show a privacy message detailing what is collected and what is not collected from the device.
The next step is to download the configuration profile to enroll your device into Workspace ONE UEM.
Tap Continue to begin.
The next step is to download the configuration profile to enroll your device into Workspace ONE UEM.
Tap Download profile to begin.
When prompted that the website is trying to download a configuration profile, tap Allow.
When the Profile Downloaded notification is displayed, click Close.
Now that the profile is downloaded, tap Tap here when download finishes. This will return you to the Intelligent Hub application where you will install the profile.
The next step is to Install the configuration profile to enroll your device into Workspace ONE UEM.
Tap Install profile to begin.
An instructional prompt will inform users how to finish their enrollment profile installation in the Settings app. Tap Open the Settings app to continue.
In the Settings app, tap the Profile Downloaded tab at the top of the Settings menu.
You should now see the iOS Profile Installation warning explaining what this profile installation will allow on the iOS device.
Tap Install in the upper-right corner of the screen.
You should now see the iOS request to trust the source of the MDM profile.
Tap Trust when prompted at the Remote Management dialog.
You should now see that the iOS Profile was successfully installed.
Tap Done in the upper right corner of the prompt.
Your enrollment is now completed! Return to the Workspace ONE Intelligent Hub app.
You will see that the profile is now successfully configured.
Tap Allow if you get a prompt to allow notifications for the Hub app.
Click Skip.
Tap I Understand when shown the Privacy policy.
Tap I Agree for the Data Sharing policy.
Confirm that the Hub app shows the user account (testuser) that you enrolled with.
You have now successfully enrolled your iOS device with Workspace ONE UEM! Continue to the next step.
You will now validate that the restriction profile for disabling Siri on the device is applying as expected. You will confirm the restriction profile in two ways:
Tap the Settings app.
Tap the Device Manager profile under Mobile Device Management.
Tap Restrictions to inspect the restrictions associated with this profile.
Confirm that the Siri not allowed restriction is included in the list.
Attempt to activate Siri on your device again by holding the home button and notice that Siri no longer responds.
If you navigate to the Settings app, you will also notice that the Siri & Search settings are no longer available on the device.
You are now going to un-enroll the iOS device from Workspace ONE UEM.
NOTE: The term "Enterprise Wipe" does not mean reset or completely wipe your device. This only removes the MDM Profiles, Policies, and content which the Workspace ONE Intelligent Hub controls.
It will NOT remove the Workspace ONE Intelligent Hub application from the device, as this was downloaded manually before the user enrolled into Workspace ONE UEM.
Enterprise Wiping will remove all the settings and content that were pushed to the device after it was enrolled. It will not affect anything that was on the device prior to enrollment.
Return to the Workspace ONE UEM Console,
After selecting Enterprise Wipe, you will be prompted to enter your Security PIN, which you set to 1234 after you logged into the Workspace ONE UEM console.
Enter 1234 for the Security PIN. You will not need to press enter or continue; the console will confirm your PIN by showing "Successful" below the Security PIN input field to indicate that an Enterprise Wipe has been requested.
NOTE: If 1234 does not work, then you provided a different Security PIN when you first logged into the Workspace ONE UEM Console. Use the value you specified for your Security PIN.
NOTE: If the Enterprise Wipe does not immediately occur, follow the below steps to force a device sync:
NOTE: Depending upon Internet connectivity of the device and responsiveness of the lab infrastructure, this could take a couple of minutes or more if there is excessive traffic occurring within the Hands On Lab environment.
Feel free to continue to the "Force the Wipe" step to manually uninstall the Workspace ONE UEM services from the device if network connectivity is failing.
Return to the device springboard. Notice that any applications pushed through Workspace ONE UEM have been removed from the device. In addition, navigating to Settings > General > Profiles will show that the Workspace Services profile has been removed from the device and any configurations pushed have been reverted.
NOTE: The Workspace ONE Intelligent Hub will still be on the device because it was downloaded manually from the App Store. Due to lab environment settings, it may take some time for the signal to traverse the various networks out and back to your device. Continue on to the next step to force the wipe if needed.
If your device did not wipe, follow these instructions to ensure the wipe is forced immediately. Start by opening the iOS Settings app.
Tap the Device Manager profile that was pushed to the device.
After removing the Device Manager profile, the device will be un-enrolled. Feel free to return to the Verify the Un-Enrollment step to confirm the successful un-enrollment of the device.
Once the device has unenrolled, the restrictions that you pushed to disable Siri will be removed but will not modify any other aspects of your device. Attempt to activate Siri again and confirm that Siri is now working.
Managing your devices with Workspace ONE UEM empowers your administrators to ensure devices are operating and accessing corporate resources securely without violating user privacy. Now that you know how to enroll a device and push a profile, consider exploring the other lab topics available in this module to further expand your Workspace ONE UEM knowledge.
This concludes the Introduction to Apple iOS Management module.
Note that this Hands-On Lab does not cover the full breadth and capabilities for managing iOS and tvOS with Workspace ONE. Please see VMware's TechZone for videos, blogs, and documentation that can help you with advanced topics in iOS/tvOS management, such as:
Module 3 - Introduction to Apple macOS Management (45 minutes)
In this lab module, we will explore some Workspace ONE administration features and concepts available for the macOS platform. This lab will give you a better understanding of how macOS devices are enrolled, what management options you have available, and how these options can improve and impact the user experience by configuring macOS and publishing applications.
Before you can start the lab, make sure you review the next page to ensure you can successfully complete the lab.
To successfully complete this Hands-On Lab, you'll need to ensure you have the following pre-requisites:
IMPORTANT: You SHOULD NOT enroll a personal device for the upcoming exercise!
Personal devices may be enrolled into other UEM providers which can cause undesired conflicts and issues.
To complete this lab, we recommend you use a test device ONLY and avoid enrolling personal devices in the lab.
To begin this lab, you will need to login to the Workspace ONE UEM admin console.
Double-click the Google Chrome shortcut located on the desktop of the virtual machine you are currently connected to.
The password field is displayed.
Enter VMware1! in the Password field.
NOTE: You may need to wait here for a minute or so while the Hands On Lab contacts the Workspace ONE UEM Hands On Labs server.
You will be presented with the Workspace ONE UEM Terms of Service. Click the Accept button.
NOTE: The following steps are only performed for the initial login to the administration console.
After accepting the Terms of Use, you will be presented with this Security Settings pop-up.
The Password Recovery Question is in case you forget your admin password and the Security PIN is to protect certain administrative functionality in the console.
Enter VMware1! in the Password Recovery Answer field.
Enter VMware1! in the Confirm Password Recovery Answer field.
Enter 1234 in the Security PIN field.
Enter 1234 in the Confirm Security PIN field.
A popup window will appear after you complete your security questions.
Click the 'X' in the upper right corner to close the Workspace ONE UEM Console Highlights window.
The activation flow for Hub Services depends on whether you are a new customer or an existing customer.
New cloud customers who purchased Workspace ONE after January 2019 have Hub Services activated automatically as part of the instance provisioning process. Workspace ONE UEM, Workspace ONE Access, and Hub Services consoles are connected together, and the Hub catalog is enabled for the Intelligent Hub app.
Existing customers can configure Workspace ONE Access tenant URL, tenant admin username and password to activate Hub Services. If you do not have a Workspace ONE Access tenant, you can request one from the Workspace ONE UEM administrator console itself, using the Request a Cloud Tenant button.
For this lab, we have already provided you a Workspace ONE Access tenant which we will use in the next step to activate Hub Services.
A temporary Workspace ONE Access tenant has been generated for you to use throughout this lab. The Workspace ONE Access tenant URL and login details were uploaded to the Content section in the Workspace ONE UEM Console at the start of the lab.
In the Workspace ONE UEM Console:
Find the file named vIDM Tenant Details for your@email.shown.here.txt and click the checkbox beside it to select the file.
After the file downloads, click the vIDM Tenant Details for your@email.shown.here.txt file from the download bar to open it.
NOTE: Your tenant name will match your Group ID in the Workspace ONE UEM Console.
Click Get Started to begin the Hub Services activation process.
Enter Administrator for the username.
Enter VMware1! for the password.
Ensure that the message confirming Hub Services has been successfully activated is displayed. You have now successfully Activated Hub Services for your tenant!
When you activate Hub Services with your Workspace ONE UEM tenant, the unified app catalog available in Hub Services will be used in the Intelligent Hub app on enrolled devices. One additional setting is needed to activate the modern unified app catalog with Hub Services - you will need to disable the legacy catalog for macOS.
In this section, you are going to activate the Hub App Catalog for macOS.
In the Workspace ONE UEM Console
This will disable the older web clip based Catalog for the macOS platform. Instead, users will receive the new Hub App Catalog which provides an updated app catalog with richer features, but also includes features such as notifications, people search, a custom home page, and more.
This exercise explores how to modify the macOS device behavior using Profiles.
Profiles are the mechanism by which Workspace ONE UEM manages settings on a macOS device. macOS profile management is done in two ways: device level and enrollment-user level. You can set appropriate restrictions and apply appropriate settings regardless of the logged-on user. You can also apply settings specific to the logged-on user on the device.
All profiles are broken down into two basic sections, the General section and the Payload section.
Every Profile must have all required fields in the General section properly filled out and at least one payload configured.
Device Profiles are typically used to control settings that apply system-wide. Device profiles can include items such as VPN and Wi-Fi configurations, Global HTTP Proxy, Disk Encryption, and/or Directory (LDAP) integration.
In this exercise, you will create a profile that disables various macOS System Preferences from being changed by the end user.
Return to the Workspace ONE UEM administration console in Google Chrome:
Click macOS.
There are two contexts for Profiles: User and Device. User Profiles will apply the configuration to only the logged in user on the device. Device Profiles will apply the configuration to the entire device.
Click Device Profile.
Configure the device profile as follows:
Enter macOS Device Restrictions for the profile name.
Each tab on the left is a "Payload". These represent different features or restrictions you can configure on the device with the selected platform and context of the Profile. You may have more than one Payload per Profile, but it is best practice to generally keep one Payload per Profile (excluding the General payload, which is required).
The configurations you have made will create a macOS device context profile that will be automatically assigned and applied to any macOS device that enrolls in your organization group.
Clicking Configure will add the Restrictions payload to the Profile and allow you to determine what restrictions will be applied to the macOS device with this Profile.
This will prevent the end users from being able to access or change the Accessibility and Desktop & Screen Saver settings under System Preferences.
The macOS Device Restrictions profile is now added to the list of Profiles in your organization group. You can see how many Payloads (excluding General) are configured, the assignment type, and assigned groups. If you need to edit the Profile, you would return to this view in order to make changes.
This Restrictions profile is now published and will be automatically assigned to any macOS device that enrolls in your organization group. You will confirm this Restrictions profile is applying on the device after enrolling a device in a later step.
Sensors allow you to quickly and securely automate data collection from your endpoints with common scripting languages. macOS Sensors supports Bash, Python 3, and Zsh, and Windows Desktops support PowerShell.
This collected data can be used as conditions in the Freestyle Orchestrator feature to take action based on the condition and value of this data. You can learn more about Freestyle Orchestrator in Module 1 - Introduction to Freestyle Orchestrator. You can also use Workspace ONE Intelligence to create reports and dashboards based on your Sensor data.
In this section, you will create a Sensor for macOS which will query the type of processor that is used on the device.
The first time you access the Sensors page, an overview will be presented with a link to the VMware docs articles for macOS Sensors and Windows Desktop Sensors. Refer to these links for additional documentation around Sensors.
Enter macos_cpu_arch for the Name.
Enter Determine x64 (Intel) vs arm (M1) for the description.
This sensor will be used to report if the device's CPU architecture is x64 (using the Intel chip) or arm (using the M1 chip).
This Sensor is set up to use the Zsh language and targets the System (Device-wide) execution context rather than the Current User context, which runs against the currently logged-in user of the device. The Response Data Type indicates what will be returned from the script: a String (text), Integer (number), Boolean (true/false), or Date Time.
In this case, the Sensor will read the CPU architecture, which will either be "x64" or "M1", so it is returning the value as a String.
Select the code, from #!/bin/zsh to echo $PROC, and drag and drop it into the Code section to paste the necessary sensor code.
You can optionally create variables to use with this script, but it is not needed for this use case. Click Save & Assign to proceed.
Enter All Devices for the Assignment Name.
For ease, you will deploy this sensor to all non-Employee Owned devices that enroll into your organization. In a real deployment, you could target specific Smart Groups that you wish to deploy this Sensor to.
You can select more than one trigger, so consider what would fit your use case best when creating Sensors in your organization.
You have now successfully created and assigned a macOS Sensor which will report back if the device's CPU architecture is "x64" (Intel) or "arm" (M1). Once you enroll a device in later steps, you will view this sensor and confirm the value.
Sensors are powerful options for securely automating data collection for your endpoints. Consider what other use cases you could accomplish with sensors, and check out the macOS Sensors examples in the documentation for ideas.
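A CPU-architecture sensor written for the Python 3 sensor language listed above, added here as an example; it is not the lab's Zsh script. It assumes a python3 interpreter is present on the device, and the returned strings (arm64, x86_64, unknown) are this example's own choice. It reports Apple silicon hardware even when the interpreter itself runs under Rosetta 2 translation and therefore sees x86_64.

```python
#!/usr/bin/env python3
"""Example sensor: report the hardware CPU architecture as one string."""
import platform
import subprocess


def read_sysctl(name):
    """Return a sysctl value as text, or None when the OID is missing or unreadable."""
    try:
        out = subprocess.run(
            ["/usr/sbin/sysctl", "-n", name],
            capture_output=True, text=True, timeout=5, check=False,
        )
    except (OSError, subprocess.TimeoutExpired):
        return None
    return out.stdout.strip() if out.returncode == 0 else None


def classify(machine, arm64_capable):
    """Map raw readings to the single string the sensor returns.

    machine       -- architecture as this process sees it (uname -m)
    arm64_capable -- output of `sysctl -n hw.optional.arm64`; None when the
                     OID does not exist, which is the case on Intel Macs
    """
    if arm64_capable == "1":
        # Apple silicon hardware. A translated process still sees x86_64
        # in uname, so the hardware flag takes precedence.
        return "arm64"
    machine = (machine or "").strip().lower()
    if machine in ("arm64", "arm64e"):
        return "arm64"
    if machine in ("x86_64", "i386"):
        return "x86_64"
    # Anything else is reported as-is unknown rather than guessed.
    return "unknown"


def sensor_value():
    """Collect both readings on the local device and classify them."""
    return classify(platform.machine(), read_sysctl("hw.optional.arm64"))


if __name__ == "__main__":
    # The sensor's String response is the single line written to stdout.
    print(sensor_value())
```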
VMware integrates with the Open-Sourced "munki" project for third-party application management on enrolled macOS devices. Administrators can manage third-party (non-AppStore) software using the internal apps view in Workspace ONE UEM. The integration allows administrators to consume a global CDN for software delivery, without requiring the administrators to fully understand munki's inner workings and configuration.
In this exercise, you will enable the application catalog and deploy an Application to your device.
Note: Workspace ONE UEM also provides a second facility for delivering software/configurations and running scripts/commands on a macOS device. This method, known as Product Provisioning, is outside the scope of this exercise. For more information, refer to Deploying Third-Party macOS Applications: VMware Workspace ONE Operational Tutorial on VMware TechZone.
Administrators can deliver software to macOS using multiple methods. As a quick reference, VMware recommends using the following methods to deliver software to macOS devices:
NOTE: The steps in this section have already been completed for you in the Hands-On Lab. You DO NOT need to Enable Software Management as it has already been completed on your behalf.
Prior to deploying a macOS Application, VMware Workspace ONE UEM administrators must enable their environments for Software Management. The following items are pre-requisites for macOS Software Management:
Continue to the next step.
NOTE: These steps are optional as the necessary application files are included for you in the Hands-on Lab. If you wish to see how to extract the necessary files for app deployment on macOS, continue with these steps. If not, CLICK HERE to continue to uploading the app files.
NOTE: These steps require a macOS device.
In this section, you will download the Workspace ONE Admin Assistant tool and use it to prepare another 3rd-Party application for deployment.
On a macOS device, open Safari or a web browser of your choice.
Enter https://evernote.com/download in the URL bar. Press ENTER.
The DMG file for Evernote will download to the Downloads folder.
In the same tab as you downloaded Skitch, paste the link in Safari to download the Workspace ONE Admin Assistant tool and press ENTER on the keyboard: https://getwsone.com/AdminAssistant/VMwareAirWatchAdminAssistant.dmg
The DMG file will download to the Downloads folder.
On the dock, perform the following:
Double-click the VMware Workspace ONE Admin Assistant.pkg file
Click Continue
Click Install.
If prompted for administrative credentials, enter the credentials required to install.
Enter Workspace in the search bar.
The Workspace ONE Admin Assistant Tool begins parsing the file to extract information necessary to deploy the software.
In the Finder window:
Evernote-##.##.##.dmg -- The Application has been packaged into a DMG file. (Note: MPKG and PKG files will not be modified)
Evernote-##.##.##.plist -- A metadata file (referenced as the pkginfo.plist in munki documentation) which contains information used by the munki framework to determine how to install/uninstall the software
Evernote.png -- An icon image extracted from the app used for user-friendly display in the console and Workspace ONE app for macOS
All output for the Admin Assistant tool follows the convention ~/Documents/Workspace ONE Admin Assistant/{AppName-Version}. At the time this lab was created, Evernote was at version 10.16.7 but may be different depending on when you take this lab.
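Before uploading an installer and its metadata plist, it is worth confirming that the two still belong together and seeing which scripts the plist would run on devices. The following check is an added example, not part of the lab or of the Admin Assistant tool. It assumes the plist carries the standard munki pkginfo keys (installer_item_hash as a SHA-256 hex digest, plus the optional script keys), and the file names and contents in demo() are constructed.

```python
"""Pre-upload check for a munki-style pkginfo plist and its installer file."""
import hashlib
import plistlib
import tempfile
from pathlib import Path
from xml.parsers.expat import ExpatError

# Keys munki documents for pkginfo files. Assumption: the Admin Assistant
# output carries them as well.
REQUIRED_KEYS = ("name", "version", "installer_item_location", "installer_item_hash")
# pkginfo keys whose values are scripts that munki executes on the device.
SCRIPT_KEYS = (
    "preinstall_script", "postinstall_script", "installcheck_script",
    "preuninstall_script", "postuninstall_script", "uninstall_script",
    "uninstallcheck_script",
)


def sha256_file(path, chunk_size=1 << 20):
    """Hash the installer in chunks so large DMG/PKG files are not read whole."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def check_pkginfo(plist_path, installer_path):
    """Compare a pkginfo plist with the installer it describes.

    Returns {"ok": bool, "problems": [str, ...], "scripts": [key, ...]}.
    "scripts" lists embedded script keys so a reviewer can read them
    before the pair is published.
    """
    result = {"ok": False, "problems": [], "scripts": []}
    try:
        with open(plist_path, "rb") as fh:
            info = plistlib.load(fh)
    except (plistlib.InvalidFileException, ExpatError, ValueError, OSError) as exc:
        result["problems"].append(f"cannot read plist: {exc}")
        return result
    if not isinstance(info, dict):
        result["problems"].append("plist root is not a dictionary")
        return result

    missing = [key for key in REQUIRED_KEYS if key not in info]
    if missing:
        result["problems"].append("missing keys: " + ", ".join(missing))

    expected = str(info.get("installer_item_hash", "")).strip().lower()
    if expected:
        try:
            actual = sha256_file(installer_path)
        except OSError as exc:
            result["problems"].append(f"cannot read installer: {exc}")
        else:
            if actual != expected:
                result["problems"].append(
                    f"hash mismatch: plist {expected[:12]}..., file {actual[:12]}..."
                )

    result["scripts"] = [key for key in SCRIPT_KEYS if key in info]
    result["ok"] = not result["problems"]
    return result


def demo():
    """Check a constructed installer/plist pair, then the same pair after tampering."""
    with tempfile.TemporaryDirectory() as tmp:
        installer = Path(tmp) / "Example-1.0.0.dmg"   # constructed name and bytes
        installer.write_bytes(b"constructed installer bytes, not a real DMG")
        plist = Path(tmp) / "Example-1.0.0.plist"
        with open(plist, "wb") as fh:
            plistlib.dump({
                "name": "Example",
                "version": "1.0.0",
                "installer_item_location": installer.name,
                "installer_item_hash": sha256_file(installer),
                "postinstall_script": "#!/bin/sh\nexit 0\n",
            }, fh)
        clean = check_pkginfo(plist, installer)
        # Simulate an installer that changed after the plist was generated.
        installer.write_bytes(b"bytes changed after the plist was generated")
        tampered = check_pkginfo(plist, installer)
    return clean, tampered


if __name__ == "__main__":
    for label, res in zip(("clean", "tampered"), demo()):
        print(label, res)
```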
You will now use the provided Workspace ONE Assist dmg and plist files to upload Workspace ONE Assist as a 3rd party macOS application in Workspace ONE UEM.
Return to the Workspace ONE UEM Administrator Console in the Hands-on Lab interface:
Click Upload.
Click Choose File.
Click Save to upload the selected Assist-21.03.00.014.pkg file.
NOTE: The pkg file may take 1-2 minutes to upload! Continue to the next step once the upload finishes.
Click Continue.
Click Choose File.
Click Save to upload the selected Assist-21.03.00.014 plist file.
The Workspace ONE Assist application and corresponding metadata have been uploaded to Workspace ONE UEM!
You will need to add an icon for the application, which will be displayed in the app catalog and on the user's device once installed. Click the click or drag files here area to upload an image.
The Application Assignment determines which users and devices will receive the Workspace ONE Assist and how the app will be delivered. You will create an assignment rule that will publish the application automatically (installs the app without requiring user input) to all devices in your organization.
All Devices.
Restrictions can be applied to the assignment to change the behavior of the application.
The Workspace ONE Assist app is now published! Any macOS device enrolled into your organization will now automatically be assigned the Workspace ONE Assist app and it will install without user interaction. When the device is unenrolled, the app will automatically be removed from the device.
You can return to this view (Resources > Native > Internal) and click the Workspace ONE Assist app to make changes to it in the future as needed, such as updating the assignments, adding a new app version, etc.
Continue to the next step.
Administrators can now keep users informed on the device provisioning process after enrollment completes by enabling the post-enrollment onboarding experience in Workspace ONE UEM Intelligent Hub. After enrollment is finished, Intelligent Hub will display a new window which tracks all incoming application installs. Administrators can enable and customize the experience in the Workspace ONE UEM administrator console.
This feature requires Workspace ONE UEM 21.05 or later and Workspace ONE Intelligent Hub 21.04 or later.
Header: Hello, {FirstName}, which will greet the user by their first name
Subheader: Welcome to ACME Corp
{FirstName} will retrieve the value at runtime and replace it with the current value, allowing for easy dynamic variable retrieval.
The post-enrollment onboarding experience is now enabled and configured. This will provide a better user onboarding experience as users can easily track the progress on applications that are downloading and installing.
NOTE: These steps require a macOS device. If you do not have a macOS device, you can follow these steps in the manual to see the end result.
In this exercise, you will download and install the Workspace ONE Intelligent Hub on a macOS device.
Login to a macOS device as an administrator account.
Open Safari or your preferred web browser.
Enter https://www.getwsone.com in the URL field, then press ENTER.
If prompted to allow downloads from getwsone.com, click Allow. Otherwise, continue to the next step.
Click Continue.
NOTE: The install may take a few minutes, please be patient while the install completes.
In this exercise, you enroll a macOS device into Workspace ONE UEM. Enrollment is the action that brings a device under management and control by Workspace ONE UEM. There are a number of ways to enroll the various platforms (macOS included), but for this exercise we cover a basic enrollment scenario.
This enrollment flow is considered User-Approved per the functionality introduced in macOS High Sierra.
Enter hol.awmdm.com in the Email or Server Address field.
Note: The Enrollment Wizard may take a small amount of time to launch based on the capabilities of the hardware or Virtual Machine. If you do not see the Enrollment Wizard immediately, be patient and wait for it to appear.
Return to the Workspace ONE UEM Console,
NOTE: The Group ID is required when enrolling your device in the following steps.
Enter testuser for the enrollment username.
Enter VMware1! for the password.
Click Next to enable device management.
After a few seconds, the Profiles System Preferences page will be displayed and prompt you to install the Workspace Services profile, which enrolls the device into mobile device management (MDM) with Workspace ONE UEM.
Return to the Workspace ONE Intelligent Hub app and click Done when the installation completes.
When prompted:
Follow the next steps to verify that the Mac has been successfully enrolled.
In upper-right corner:
The Workspace ONE Intelligent Hub will now display the onboarding settings that you configured previously in the Workspace ONE UEM administrator console.
The Header (Hello, {FirstName}), Subheader (Welcome to ACME Corp), and Body Text display your configured message for a personalized onboarding experience.
The modern unified app catalog provided by Hub Services is displayed due to the configurations that you made. This enables the following features:
If desired, explore the other features in Intelligent Hub before continuing to the next step to verify the other configurations you published to the device.
Continue to the next step when ready.
Assist
This confirms that the Workspace ONE Assist app was successfully downloaded and installed on the device.
NOTE: If these options are still accessible, you may need to close and re-open System Preferences.
Return to the Workspace ONE UEM administrator console:
x86_64 (for Intel chips) or ARM (for M1 chips) will be displayed based on what your device's processor is.
If the Sensor has not processed on the device yet, you can force the Sensor to process by querying the Sensors on the device. You can skip this and proceed to the next step if your Sensor has already executed.
This completes your verification of the configurations you made for your macOS device! In summary, you configured and confirmed the following:
An Enterprise Wipe removes corporate data that was added to the device while leaving personal data intact. This can be used to retire devices from your organization or wipe lost devices to ensure that corporate apps and data are removed.
Enter 1234 to initiate the Enterprise Wipe. If you provided another PIN at the beginning of the lab, provide that security PIN instead.
The Enterprise Wipe may take a few minutes to complete. Once completed, the corporate data and apps that were pushed to the device will be removed while leaving the personal data intact.
Once the Enrollment column reports Unenrolled, continue to the next step.
This confirms that the Restrictions Profile was removed when the device was unenrolled.
Enter Assist in the search bar.
Since the Workspace ONE Assist app was pushed with the Remove On Unenroll restriction, Workspace ONE Assist will be removed from the device when it is unenrolled.
This lab covered basic macOS administration using VMware Workspace ONE UEM and a user-initiated enrollment workflow. You enrolled your macOS device, created profiles, deployed an application, locked the device, used Custom Attributes and then enterprise wiped the content and settings from the device.
Note that this Hands-On Lab does not cover the full breadth and capabilities for managing macOS with Workspace ONE. Please see VMware's TechZone for videos, blogs, and documentation that can help you with advanced topics in macOS management, such as:
Interested in learning more about VMware End User Computing (EUC) but don't know where to start? Look no further than https://techzone.vmware.com, your fastest path to understanding, evaluating, and deploying VMware End User Computing products!
Tech Zone focuses on providing practical product guidance, curated activity paths, and technical content to take you from zero to hero! Our mission at Tech Zone is to provide you with the resources you need to keep leveling up your knowledge no matter where you are in your digital workspace journey.
Interested? Check us out at https://techzone.vmware.com!
Module 4 - Introduction to Android Management (30 minutes)
Learn the fundamentals of Android Enterprise, including how to enroll an Android device into Workspace ONE UEM and manage enrolled devices by configuring restrictions and pushing apps. Learn how Android Enterprise and Workspace ONE UEM secure your Android devices by using modern device management APIs.
What is Android Enterprise?
Android Enterprise debuted with 5.0 Lollipop in 2014 as an optional solution manufacturers could add to their OS images in order to integrate a common set of device management and Enterprise Mobility Management (EMM) APIs. From 6.0 Marshmallow, it was no longer optional and has since been a mandatory component for all Google Mobile Service (GMS) certified manufacturers.
Android Enterprise offers a wide variety of rich features that cover numerous device management scenarios:
The above graphic shows the big picture differences between various device management scenarios.
Bring Your Own Device (BYOD):
Corporate Owned:
Corporate Owned Single Use (COSU):
Corporate Owned, Personally Enabled (COPE):
In addition to providing different device management scenarios, there are also multiple ways in which devices can be enrolled into Android Enterprise.
With the Near-Field Communication (NFC) bump method, an NFC programmer app is set up on a designated programmer device. Subsequent devices are "bumped" into the programmer device to pass the necessary initial policies (such as Wi-Fi, device configurations, etc.) to the bumped device via NFC.
The process will vary slightly in terms of pre-applied settings, what agent is downloaded in order to enroll the device on the relevant platform, etc. Workspace ONE UEM allows for the additional configuration of a named account to directly enroll the device against.
This method was introduced in Android 6.0 Marshmallow. When prompted to add or create an account on a freshly wiped (or directly from the box) device, rather than enter in a Google account, the administrator would type in afw#hub and then the device would download the Workspace ONE Intelligent Hub app and begin the enrollment process with the correct configurations.
By tapping on Welcome 6 times when the device boots into the setup Wizard, it will prompt the device to connect to Wi-Fi and start QR enrollment.
In Android 9.0 P, the QR payload is bundled into the system and therefore doesn’t require a download. This offers faster provisioning as the device no longer needs to connect to the internet to download the QR package and the ability to add Wi-Fi credentials to the QR code.
Devices are purchased through authorized resellers, assigned to Workspace ONE UEM and then later, when the end-user first takes the device freshly out of the box, will be ready to enroll as a work-managed device straight away. With Zero-Touch enrollment, administrators can send enrolled and configured devices directly to end-users to authenticate with.
IMPORTANT: You SHOULD NOT enroll a personal device for the upcoming exercise!
Personal devices may be enrolled into other UEM providers which can cause undesired conflicts and issues.
To complete this lab, we recommend you use a test device ONLY and avoid enrolling personal devices in the lab.
To begin this lab, you will need to login to the Workspace ONE UEM admin console.
Double-click the Google Chrome shortcut located on the desktop of the virtual machine you are currently connected to.
VMware1!
The password field is displayed.
Enter VMware1! in the Password field.
NOTE: You may need to wait here for a minute or so while the Hands On Lab contacts the Workspace ONE UEM Hands On Labs server.
You will be presented with the Workspace ONE UEM Terms of Service. Click the Accept button.
NOTE: The following steps are only performed for the initial login to the administration console.
After accepting the Terms of Use, you will be presented with this Security Settings pop-up.
The Password Recovery Question is in case you forget your admin password and the Security PIN is to protect certain administrative functionality in the console.
Enter VMware1! in the Password Recovery Answer field.
Enter VMware1! in the Confirm Password Recovery Answer field.
Enter 1234 in the Security PIN field.
Enter 1234 in the Confirm Security PIN field.
A popup window will appear after you complete your security questions.
Click the 'X' in the upper right corner to close the Workspace ONE UEM Console Highlights window.
We will be covering some of the Android basic functionality.
When running on Android 5.0 Lollipop devices, Android Enterprise is built into the operating system with no need for an additional application.
To begin using Android Enterprise inside the Workspace ONE UEM Console, you need to register your enterprise with Google. This creates your Android Enterprise admin account which connects with Workspace ONE UEM to manage your enterprise devices. Users will not be able to use Android Enterprise features from their devices until registered with Workspace ONE UEM. The Android Enterprise setup wizard simplifies the process. To simplify your experience, this initial process has been done for you. If you are interested in learning more about this process please talk to your Workspace ONE UEM Sales Engineer or Representative.
NOTE: Once a Google Admin Account is bound to Workspace ONE UEM, you cannot reuse this Google Admin for another organization. Due to this limitation, you would be unable to use the Google Admin Account we have already bound to Workspace ONE UEM for this lab.
NOTE - The following changes have already been configured for you as part of the lab!
Click Complete Registration to return to the Workspace ONE UEM Android Enterprise configuration
Back in the Workspace ONE UEM Console,
Your Organization Group is now successfully configured with Android Enterprise!
In this section, we will be enrolling your device with Workspace ONE UEM and get it set up with Android Enterprise.
NOTE - The screenshots in this article will differ depending on the make and model of the Android device you are using.
If you do not have the Workspace ONE Intelligent Hub app on your device, you will need to download the app before continuing.
To install the Workspace ONE Intelligent Hub app, you can open the Google Play Store app and download the free Workspace ONE Intelligent Hub app or navigate to https://www.getwsone.com in your device browser and follow the Get it on Google Play link to the Workspace ONE Intelligent Hub page in the Google Play Store.
Launch the Hub app on the device.
Enter hol.awmdm.com for the Server URL.
Tap Allow.
The next step is to make sure you know what your Organization Group ID is.
Enter testuser for the Username field.
Enter VMware1! for the Password field.
Tap I Understand for the Privacy Policy.
Tap I Agree for the Data Sharing Policy.
Tap Agree.
Tap NEXT.
NOTE - This may take some time, please be patient while the Setup process completes.
If your device is encrypted, you will not see this page and can continue to the next step.
If your device is not encrypted, you will be prompted to encrypt it and must tap ENCRYPT to continue. Encrypting the device can take several minutes or potentially longer depending on the amount of data on the device.
Tap OK to confirm the Privacy Policy.
NOTE - Enrollment time may vary depending on your network connectivity. Typically, it takes around 1 minute to complete. Please be patient while this process completes.
IMPORTANT - During the enrollment process, you will see several processing screens. Please note that you do not need to interact with the device further until you see the Workspace ONE Intelligent Hub app confirming your enrollment (next page).
You have now completed enrolling your device using the Workspace ONE Intelligent Hub. After the enrollment process completes, the Workspace ONE Intelligent Hub app will display the notification Congratulations! You have successfully enrolled your device.
You can now Exit the Workspace ONE Intelligent Hub app.
On your Android device, you should now see the new Work applications. Android Enterprise apps are marked with an orange briefcase icon and are also referred to as Badged Apps.
In the Applications view, your Work apps and Personal apps are shown in a unified launcher. For example, your device will show both a personal icon for Google Chrome and a separate icon for Work Chrome denoted by the badge. The Workspace ONE Intelligent Hub is badged and exists only within the Work Profile data space.
IMPORTANT - There is no control over personal apps nor will the Hub app have access to personal information. There are a handful of system apps that come with the Work Profile by default such as Work Chrome, Google Play, Google settings, Contacts and Camera.
On some devices, you may also notice the Work container on your device depending on the OS version. This Work container can be utilized for quick access to your Work (Badged) Apps.
In this section, we are going to create Android Enterprise profiles to modify device restrictions and to assist in protecting sensitive data. Profiles serve many different purposes, from letting you enforce corporate rules and procedures to tailoring and preparing Android Enterprise capable devices for how they will be used.
IMPORTANT: If your device is enrolled with Android Enterprise, then ONLY Android Enterprise profiles will take effect on the device. Android device profiles will NOT take effect.
Restriction profiles provide a second layer of device data protection by allowing you to specify and control how, when and where your employees use their devices. The Restriction profiles lock down native functionality of Android Enterprise devices and vary based on device enrollment.
In the Workspace ONE UEM Administrator Console,
Click Android
Enter Android Restrictions for the Name field.
Enter Restrictions in the payload search box.
Uncheck the Allow Screen Capture checkbox for the Work Profile column.
Click Publish.
On your device, notice that after we push the profile, the badged camera application is no longer available, but your personal side (unbadged) camera is still available for use. This confirms the camera restriction that you set up in the Workspace ONE UEM Android profile that was previously created.
camera on the device
NOTE - Due to lab network limitations, it may take a few minutes for the badged Camera application to be removed. If you still see it on your device, please wait until the application is successfully removed.
contacts on the device
NOTE - The shortcut to change screenshot may vary depending on your device model. Please see a lab assistant in case assistance is required.
contacts on the device
This shows the screenshot restriction that we applied on the Workspace ONE UEM Android profile created previously.
This section is designed to walk you through the process of approving applications for integration between Workspace ONE UEM and Android Enterprise. Applications that you push through the integration of Workspace ONE UEM and Android Enterprise have the same functionality as their counterparts from the Google Play Store. However, you can use Workspace ONE UEM features to add functionality and security to these applications.
In the Workspace ONE UEM Administrator Console,
Enter Workspace ONE Web in the Name text box.
Click the Web - Workspace ONE app.
Continue to the next step, or view the below steps to see the necessary approval steps for a new app.
IMPORTANT: The below steps are purely informative and can be skipped if desired. They are included to show the approval process for new applications.
This process would then return the administrator to the first step in this process, allowing them to click Select and continue adding the desired app.
Click Save & Assign.
Enter All Devices for the distribution Name.
Click Save.
Click Publish.
Confirm that the Workspace ONE Web app was approved and created and assigned to the All Devices group.
In the previous section, we learned how we can approve and push an Android application from the Workspace ONE UEM Console. In this section, we will verify that Work apps installed correctly on our enrolled Android device.
Return to your testing Android device and confirm that the Workspace ONE Web application has downloaded and displays as a Work app.
NOTE - Depending on lab network traffic, you may need to wait several minutes for the download to complete.
Using this process, you can rapidly approve new applications and deploy them to your users.
Open your Work Play Store application on your Android device.
NOTE - The screenshot may differ depending on device model and OS.
If you are prompted with the Google Play Terms of Service, tap Accept. Otherwise, continue to the next step.
Tap the Menu button in the top-left corner.
NOTE - The screenshot may differ depending on device model and OS.
Tap My Work Apps from the menu.
NOTE - The screenshot may differ depending on device model and OS.
The Workspace ONE Web app is listed as a Work app because it was approved as a Work app through the Workspace ONE UEM Console while adding and assigning the application to your users. This streamlines and rapidly improves the process of approving and deploying Work apps to your Android devices!
You are now going to un-enroll the Android device from Workspace ONE UEM.
NOTE: The term Enterprise Wipe does not mean reset or completely wipe your device. This only removes the MDM Profiles, Policies, and content which the Workspace ONE Intelligent Hub app controls.
NOTE: The Enterprise Wipe will NOT remove the Workspace ONE Intelligent Hub application from the device as this was downloaded manually before Workspace ONE UEM had control of the device.
Enterprise Wipe will remove all the settings and content that were pushed to the device when it was enrolled. It will not affect anything that was on the device prior to enrollment.
To Enterprise Wipe your device, return to the Workspace ONE UEM Admin Console.
After selecting Enterprise Wipe, you will be prompted to enter your Security PIN, which you set after you logged into the console (1234).
Enter 1234 for the Security PIN. You will not need to press Enter or continue; the console will confirm your PIN by showing "Successful" below the Security PIN input field to indicate that an Enterprise Wipe has been requested.
If 1234 does not work, then you provided a different Security PIN when you first logged into the Workspace ONE UEM Console. Use the value you specified for your Security PIN.
NOTE: If the Enterprise Wipe does not immediately occur, follow the below steps to force a device sync:
NOTE: Depending upon Internet connectivity of the device and responsiveness of the lab infrastructure, this could take a couple of minutes or more if there is excessive traffic occurring within the Hands On Lab environment.
NOTE: Depending on internet connectivity of the device, this could take a couple of minutes.
On the device, notice that the badged apps are removed after the device is unenrolled and any configurations pushed to the device after enrollment have been removed.
This is just a sampling of the functionality you will see with Android Enterprise integrated with Workspace ONE UEM. To learn more about features and functions please contact your VMware End User Computing representative or visit our website at http://www.workspaceone.com/ or the website for Android Enterprise at https://www.android.com/enterprise.
The work profile is designed specifically for personal (BYOD) devices. Using Android in the enterprise, Workspace ONE UEM creates a "Work profile", a container which separates the personal space and the corporate space in a device. Workspace ONE UEM can fully control the work profile but has zero control over the personal profile.
Interested in learning more about VMware End User Computing (EUC) but don't know where to start? Look no further than https://techzone.vmware.com, your fastest path to understanding, evaluating, and deploying VMware End User Computing products!
Tech Zone focuses on providing practical product guidance, curated activity paths, and technical content to take you from zero to hero! Our mission at Tech Zone is to provide you with the resources you need to keep leveling up your knowledge no matter where you are in your digital workspace journey.
Interested? Check us out at https://techzone.vmware.com!
Module 5 - Introduction to Workspace ONE Intelligent Hub and Hub Services (60 minutes)
Workspace ONE Intelligent Hub is VMware's next generation employee engagement application that allows you to securely access, discover, stay connected, and be productive from anywhere. It replaces the legacy Agent application and combines with Hub Services to enhance the identity, application, and enterprise mobility management capabilities offered by Workspace ONE.
Intelligent Hub integrates a unified app catalog, access control, and application management on iOS, Android, macOS, Windows 10 and via a browser. The prerequisite for many of the Intelligent Hub features is to activate the Hub Services component within Workspace ONE Access. After Hub Services activation, you can customize Intelligent Hub features based on whether your deployment is integrated with Workspace ONE Access or not.
Without integrating with Workspace ONE Access, you can configure a Hub Catalog to allow access to native mobile apps and web apps, create a custom tab, and brand the Workspace ONE Intelligent Hub app to add your company's logo and color profile.
When Workspace ONE Access is integrated with Workspace ONE UEM, you can create a full digital workspace experience for users with additional Hub features, such as People Search and Notifications, and identity-related features, such as authentication and single sign-on.
In this lab, you will configure several of the features within Hub Services and view the result in the browser version of Intelligent Hub.
To begin this lab, you will need to log in to the Workspace ONE UEM admin console.
Double-click the Google Chrome shortcut located on the desktop of the virtual machine you are currently connected to.
VMware1!
The password field is displayed.
Enter VMware1! in the Password field.
NOTE: You may need to wait here for a minute or so while the Hands On Lab contacts the Workspace ONE UEM Hands On Labs server.
You will be presented with the Workspace ONE UEM Terms of Service. Click the Accept button.
NOTE: The following steps are only performed for the initial login to the administration console.
After accepting the Terms of Use, you will be presented with this Security Settings pop-up.
The Password Recovery Question is in case you forget your admin password and the Security PIN is to protect certain administrative functionality in the console.
Enter VMware1! in the Password Recovery Answer field.
Enter VMware1! in the Confirm Password Recovery Answer field.
Enter 1234 in the Security PIN field.
Enter 1234 in the Confirm Security PIN field.
A popup window will appear after you complete your security questions.
Click the 'X' in the upper right corner to close the Workspace ONE UEM Console Highlights window.
Workspace ONE Intelligent Hub end-user services are configured via the Hub Services admin console. Hub Services is co-located with Workspace ONE Access. Think of Hub Services as the server-side component and Intelligent Hub as the end-user client.
The following sections will guide you through accessing your Workspace ONE Access tenant, logging in, then accessing the Hub Services admin console.
A temporary Workspace ONE Access tenant has been generated for you to use throughout this lab. The Workspace ONE Access tenant URL and login details were uploaded to the Content section in the Workspace ONE UEM Console at the start of the lab.
In the Workspace ONE UEM Console:
vIDM Tenant Details for your@email.shown.here.txt
and click the checkbox beside it to select the file
After the file downloads, click the vIDM Tenant Details for your@email.shown.here.txt file from the download bar to open it.
NOTE: Your tenant name will match your Group ID in the Workspace ONE UEM Console.
In this section, we log in to the Workspace ONE Access admin console and access the Hub Services admin console.
Click the Add Tab button in the browser to open a new tab.
NOTE: This is the Workspace ONE Access tenant URL you received from the previous steps. If you did not copy or note this information from the previous step, return to those previous steps and note your Workspace ONE Access tenant URL.
Enter Administrator for the Username.
Enter VMware1! for the Password.
After logging in, you will see the Intelligent Hub User Portal as pictured above. You will need to navigate to the Administrator Console.
This will open the Administration Console in a separate tab in your browser.
NOTE: If you do not see the above view, you are already in the Administration Console and can skip this step.
If you see a banner about Release Notes details, click OK on the far right to dismiss it.
We will add an example SaaS App to our app catalog to utilize in a later section.
Enter Salesforce into the Search field.
Enter administrator into the Users / User Groups search field.
The following section will get you started in the Hub Services admin console and introduce you to Hub Templates.
The 20.08 release of Hub Services had a significant addition to support wider adoption of Hub Services and Intelligent Hub features called Hub Templates. Before 20.08, any Hub Services configurations for Intelligent Hub were all or nothing - all employees received the same configurations. This limited the administrator’s ability to roll out features in phases or accommodate different teams or divisions. Now admins can create one or more templates with unique Hub Services capabilities and assign them to UEM Smart Groups or Workspace ONE Access User Groups to control the Intelligent Hub experience for their employees. Hub Templates is available with Hub Services 20.08 SaaS release and later and requires UEM 20.08 at minimum and at least the 20.08 version of the Intelligent Hub clients.
For environments that already have Hub Services enabled, after upgrading to 20.08, admins will see the migration wizard. The admin can choose whether to migrate the app catalog settings from the UEM console, or create new global settings.
Starting with the 20.08 UEM release, all Intelligent Hub app catalog settings are now in the Hub Services console. For environments with Hub Services already configured, the administrator can choose to migrate app catalog settings from Workspace ONE UEM.
Before we can create a template for Intelligent Hub settings, we first need to configure a few of the available features for our end users.
The App Catalog tab allows you to define the layout and capabilities of the Intelligent Hub app catalog that is presented to your users. We will modify the catalog by adding a promotion for the Salesforce app, highlighting this app in our catalog, and then disable the use of Virtual Apps on mobile devices.
Sales Team and add description App Catalog customized for the Sales Team.
The Sales Team app catalog will now show a Promotions section at the top, followed by New Apps, Recommended and Category List sections.
This will cause the Salesforce app to be promoted to your end users. Consider promoting important or heavily used apps you are encouraging your end users to utilize!
The Custom Tab is a URL that directs users to your company intranet site or to another resource that you want to easily share with your users.
Custom Tab for Sales Team
Direct Sales Team to product resources
https://www.vmware.com
By default, VMware branding is used within the Intelligent Hub. However, you can customize the logo, text color, and background color that appears in the Intelligent Hub app and browser views.
In this section, we will change the Company Logo and the Organization Name in the Branding Settings for the Intelligent Hub.
Branding for Sales Team.
From the pop-up window,
Other settings on this page will be reflected here as well for a quick preview before you publish changes to your users.
Continue to the next step.
Worldwide Enterprises.
NOTE: There are other branding options such as background and icon color, but to limit the scope of the lab, we are going to only modify the organization name and company logo for demonstration purposes. Feel free to make additional configurations on your own if you wish to see them in action later.
The Intelligent Hub notifications framework is a robust, flexible cloud-hosted service designed to generate and serve actionable, real-time notifications to your employees. Users can receive notifications in their Hub portal in a browser and the Intelligent Hub app on their devices.
Let's take a look at the types of notifications available:
In this section, we will create a Custom Notification using the wizard within the Hub Services admin console.
Enter Email Outage for the Name.
Notifications can be set to Standard, High-priority or Urgent priority levels. High-priority notifications will display at the top of the For You tab within Intelligent Hub. Urgent notifications will display as a pop-up window within Intelligent Hub and must be dismissed by the user.
Enter Email Outage for Title.
Enter IT Notification for Subtitle.
Enter "The IT Department is aware of the issues with email and are currently working to correct." for Description.
Although this is just an example scenario for the purposes of this lab, the Hub Services Notification framework is particularly useful when email and other communication mediums are unavailable.
It will take about 10 - 15 seconds to send the notification.
Enter Sales Team Hub Template to name the new template.
In the Template Assignment dialog box that pops up:
Enter all into the Access User Groups search bar.
To view the App Catalog, Branding and Custom Tab changes we made earlier, we need to log out of Intelligent Hub and log back in.
Enter administrator for Username.
Enter VMware1! for Password.
Congratulations! You have completed the Workspace ONE Intelligent Hub and Hub Services module! In this module, you learned how to:
Module 6 - Workspace ONE Intelligence - Introduction to Dashboards, Automation, and Reports (45 minutes)
With so much data available to IT admins managing modern, mobile work styles and no single tool to make sense of it, IT is faced with a huge challenge to manage the digital workspace. The lack of unified visibility across devices, applications and users makes it particularly hard to make data-driven decisions. As a result, manual processes become the norm, and IT is cornered into being reactive to employee demands and external events instead of being proactive.
Deep insights empower IT admins to better plan and optimize their app and policy deployments based on network performance, resource entitlement and deployment risk. And with the ability to automate processes, IT admins can proactively increase their level of security hygiene and meet compliance requirements, while improving user experiences.
With the automation engine at the heart of Workspace ONE Intelligence, IT admins can automate workflows across their environments by defining rules that take actions based on a rich set of parameters. This allows IT to create contextual workflows that take automated remediation actions based on security threats, and meet compliance requirements through automated access control. In addition, the Experience Management solution within Intelligence monitors digital employee experience and automated actions can be triggered when a poor experience is detected. And because Workspace ONE Intelligence provides extensibility with an API layer for third parties, IT admins can build workflows that leverage their unique environment to meet their needs.
With automation, Workspace ONE Intelligence helps IT meet employee experience targets and increase security through automated remediation.
Double-click the Win10-01a.rdp shortcut located on the Main Console Desktop to connect to the Windows 10 virtual machine.
To perform most of the lab, you will log into the Workspace ONE UEM Admin Console.
Double-click the Google Chrome shortcut located on the desktop of the virtual machine you are currently connected to.
The default home page for the browser is https://hol.awmdm.com. Enter your Workspace ONE UEM Admin Account information and click the Login button.
VMware1!
NOTE - If you see a Captcha, please be aware that it is case sensitive!
The password field will be displayed after entering your username.
Enter VMware1! for the Password field.
NOTE: Due to lab restrictions, you may need to wait here for a minute or so while the Hands On Lab contacts the Workspace ONE UEM Hands On Labs server.
You will be presented with the Workspace ONE UEM Terms of Use. Due to the lab environment the Terms of Use will not display, but this will not affect the lab itself. Click the Accept button.
NOTE: The following steps of logging into the Administration Console will only need to be done during the initial login to the console.
After accepting the Terms of Use, you will be presented with this Security Settings pop-up.
The Password Recovery Question is in case you forget your admin password and the Security PIN is to protect certain administrative functionality in the console.
Enter VMware1! in the Password Recovery Answer field.
Enter VMware1! in the Confirm Password Recovery Answer field.
Enter 1234 in the Security PIN field.
Enter 1234 in the Confirm Security PIN field.
A popup window will appear after you complete your security questions.
Click the 'X' in the upper right corner to close the Workspace ONE UEM Console Highlights window.
The first step to start using Workspace ONE Intelligence is to authorize the data synchronization between Workspace ONE UEM and Intelligence Cloud Service. This is done through the Opt-In Process that needs to be performed by someone with administrator privileges to the Workspace ONE UEM console.
In the Workspace ONE UEM Console:
Click GET STARTED to initiate the Opt-in process
This is the final step of the opt-in process, where you provide your information and accept the VMware Cloud Services Terms of Service.
After accepting, you will be redirected to the Workspace ONE Intelligence Console.
Click Get Started.
You will now enroll the provided Windows 10 virtual machine into Workspace ONE UEM. You will use this Windows 10 virtual machine throughout the lab to see how you can interact with the device in both Workspace ONE UEM and Workspace ONE Intelligence.
IMPORTANT: You SHOULD NOT enroll a personal Windows 10 device for the upcoming exercise! Personal devices may be enrolled into other EMM providers which can cause undesired conflicts and issues.
Please follow the upcoming steps to enroll and use the provided Win10-01a virtual machine for this Hands-on Lab.
IMPORTANT: You SHOULD NOT enroll any personal device(s) for the upcoming exercise!
Personal devices may be enrolled into other UEM providers which can cause undesired conflicts and issues. - We want to avoid this!
To complete this lab, we recommend you use a test device ONLY and avoid enrolling personal devices in the lab.
You will now enroll the Windows 10 device in Workspace ONE UEM by using the Workspace ONE Intelligent Hub app.
NOTE: You do NOT need to complete these steps, the Workspace ONE Intelligent Hub has already been downloaded for you! This step is purely informative.
You can download the latest Workspace ONE Intelligent Hub app for your current platform by following the below steps:
Navigate to https://www.getwsone.com in your browser.
For expediency, the Workspace ONE Intelligent Hub app has already been downloaded for you. Continue to the next step to start the installer.
NOTE: The installer may take a few seconds to launch, please be patient after clicking the AirwatchAgent.msi file.
Click Run to proceed with the installation.
Leave the default install location and click Next.
NOTE: The Next button may take several seconds to enable while the required additional features are installed.
Click Install to start the installer.
NOTE: The Workspace ONE Intelligent Hub install may take several minutes to complete, do not interrupt the installer!
NOTE: The installer may take several minutes to complete. Please wait until you see the completed install screen before continuing.
Click Finish to complete the Workspace ONE Intelligent Hub installer.
NOTE: After clicking finish, the Native Enrollment application will launch to guide you through enrolling into Workspace ONE UEM. It will take 2-3 minutes to launch the Intelligent Hub.
NOTE: The above screen may take 2-3 minutes to display after clicking Finish from the previous step!
Enter hol.awmdm.com for the Server Address.
The next step is to retrieve your Organization Group ID.
Enter testuser in the Username field.
Enter VMware1! in the Password field.
NOTE: Wait while the server checks your enrollment details. This may take a few minutes.
Click I Agree.
Click Done to end the Enrollment process. Your Windows 10 device is now successfully enrolled into Workspace ONE UEM!
Back in the Workspace ONE UEM Administration console in your browser,
In this activity, you explore reporting capabilities by creating a report for enrolled devices.
In the Workspace ONE Intelligence Console:
To begin creating a report, select the category of data you want to obtain. The available categories include:
Then, use the tags on each category to filter the category's customizable templates to define the content your report collects. For complete control of the report's content, use the Custom Report template to define your own criteria.
Feel free to click on each category to see the templates available to each.
Enter platform in the first search field.
ENTER after each to add them to the list.
NOTE: The platform list is based on devices available in your environment, so you may not see all three requested platforms in this activity.
Scroll down to the Report Preview section and click Refresh Preview. Observe how your currently enrolled devices automatically populate in the preview.
In the Report Preview, verify the new columns appear in the report.
NOTE: If column data is empty, it is either because the device samples have not been retrieved yet or the column does not apply to the given device (i.e.: Battery Percent on a Desktop device).
NOTE: The above screenshot is from a demo environment with multiple devices to show an example. Your environment will look different.
After the report saves, it is added to the list of available reports. Click the Report Name (Enrolled Devices) to manage the report.
From this view, you can configure additional management settings:
NOTE: Do not click the following buttons, these details are informational only.
After saving a report, you can use scheduling to automate data collection and collaboration. In this activity, you will schedule the Enrolled Devices report to run on a monthly basis.
Windows, Apple and Android Enrolled Devices.
To delete a scheduled report:
After saving a report, you can almost immediately download it as a CSV file. In this activity, you will download the CSV file for the Enrolled Devices report that you created.
To access the report's available downloads, select the Downloads tab.
On the Downloads tab:
My Devices Dashboard
Newly created dashboards by default have no information on them. You can add widgets to them and create custom dashboards to meet your business needs.
To begin creating a widget, you can select Custom Widget or select one of built-in widgets by selecting the categories and tags. The list of categories will be based on the integrations configured within your Workspace ONE Intelligence tenant and may differ from the image you see in this activity.
The available categories can include:
When you start with Workspace ONE Intelligence for the first time, you will see multiple categories.
Then, use the tag for each category to filter the customizable templates to define the content your widget displays. For complete control of the widget's content, use the Custom Widget template to define your own criteria.
Feel free to click on each category to see the templates available to each.
Under Data Visualization, review the default Total Enrollments template. The initial default settings provide a snapshot of current device enrollment. If you change the settings, the snapshot results change accordingly.
Total Enrollments Over Time.
To create a snapshot of total enrollments over time, modify the default Total Enrollments template.
Platform and select the first result from the list.
Last 14 Days.
Note: The screenshot shown is from a test environment. Your preview is based on your environment, and will differ from the preview you see in the screenshot.
As a supplement to its reporting capabilities, the Workspace ONE Intelligence dashboard displays critical business data in an easy-to-consume visual summary. Within dashboards, the configurable widgets allow you to customize the data that displays.
After configuring the Total Enrollment Over Time widget, you can manage how it displays on your dashboard. In this activity, you will modify your dashboard view by repositioning and expanding the Total Enrollment Over Time widget.
By default, the new widget appears at the bottom of your dashboard. Since this is the first widget on this dashboard, it will be at the top.
Click Save to save the dashboard layout.
If you wish to modify the dashboard in the future, you can interact with the following:
The Security Risk dashboards in Workspace ONE Intelligence gather reports on numerous device states and quickly identify high-risk devices. In this activity, you will explore the following Security Risk dashboards in Workspace ONE Intelligence: Threats Summary, Compromised Devices, Policy Risks, and Vulnerabilities.
In the Workspace ONE Intelligence console, under Dashboards, click Security Risk.
NOTE: The screenshot was taken from a demo environment, so your view will not match the example above.
Scroll down to find Unencrypted Device Events dashboard. This chart shows the total number of unencrypted devices identified on a daily basis by Workspace ONE Intelligence.
Select the Vulnerabilities tab to view the number of vulnerable devices identified in the last 30 days.
Without encryption, confidential information is unprotected, and can easily land in the wrong hands. To mitigate this risk, create policies to enforce device encryption. For example, you can create a policy to block corporate access until the device is encrypted through Workspace ONE UEM.
To take full advantage of Workspace ONE Intelligence, you need to configure at least one Automation Connector to enable Automation Actions in your environment.
Among the multiple available Connectors, the Workspace ONE UEM connector is key, as it enables Intelligence Automation to take actions against your organization's devices, apps, device sensors and OS updates.
In this activity, you will configure the Workspace ONE UEM Connectors to allow API communication between Workspace ONE Intelligence and Workspace ONE UEM.
From the Workspace ONE Intelligence console:
In the Workspace ONE UEM Administrator console:
From the Workspace ONE UEM Administrator console:
On the Workspace ONE UEM card, click Set Up.
https://as350.awmdm.com
VMware1!
As a result, you are now able to define automated flows, which can take 25+ different actions against your devices, apps, and OS updates. The screenshot shows some of the actions available against devices.
Continue to the next step.
In this activity, you will use the automation capabilities in Workspace ONE Intelligence to tag low battery life devices in Workspace ONE UEM.
From the Workspace ONE Intelligence Console:
In the Workspace ONE UEM console:
Low Battery Health
for the Tag Name.
Note: In the sample image, the tag ID is 10007; your ID will differ.
In the Workspace ONE Intelligence console:
Dell Battery Replacement
25
Add tag
in the search field.
${device_id}
${device_id}
from the previous step. The single Device ID record correlates to the Windows 10 device you enrolled earlier; click to select it.
NOTE: This screenshot was taken from a sample environment. Your Filter Results will show 0 because the Dell Battery Health event does not apply to the Windows 10 virtual machine that was enrolled. When deploying the same automation to physical Dell devices, your affected devices would show here.
Confirm that you can see the Dell Battery Replacement automation in the dashboard with a status of Enabled.
After you have created an automation in the Workspace ONE Intelligence console, the configured actions begin to take effect and are recorded in the logs. In this activity, you will use the automation logs to review the automation events for Dell devices that need battery replacement.
NOTE: The screenshot will differ from your environment because the Dell Battery Health event will not trigger for the Windows 10 virtual machine that was enrolled since it is not a physical Dell device. Refer to the screenshot for a sample of how this would appear in a real environment.
In the Automations Dashboard:
Depending on the battery health of the device you enrolled, the automation event you configured in this activity may or may not have been triggered. For this reason, the following screenshot is a sample from an unrelated log. It provides an example of multiple actions taken on different services.
In the top-right corner of the Workspace ONE Intelligence Console:
In this section, we are going to un-enroll our Windows 10 VM so that we can use it for other lab modules.
We will use the Enterprise Wipe command to remove all of the managed content that was pushed to the device (such as profiles and apps) by Workspace ONE while not modifying any personal content or data on the device.
Return to the Workspace ONE UEM Administrator Console in Google Chrome,
1234
. If you used a different PIN, enter that one instead.
NOTE: The Enterprise Wipe may take several minutes to process.
From the Settings Menu, access Accounts
NOTE: The CORP AD domain is the local domain in this lab and is not controlled by Workspace ONE UEM Enrollment, so you will see this connection when your device is enrolled or unenrolled.
NOTE: If the Access Work or School page was opened from earlier, you may need to refresh or navigate away from the page and return to see the changes.
Click Close (X) on the Remote Desktop Connection bar at the top of the screen to return to the Main Console to finish making configurations within the Workspace ONE UEM Console.
NOTE: If the Remote Desktop Connection bar is not visible, you may have unpinned it. Hover your mouse over the top of the screen to display the Remote Desktop Connection bar again, then click Close.
In this module, you've learned how to:
To learn more about additional use cases where you can leverage Workspace ONE Intelligence, please review the following resources:
For additional resources and information on Workspace ONE Intelligence, be sure to check out the VMware Workspace ONE Intelligence pages:
https://www.vmware.com/products/workspace-one/intelligence.html
https://www.vmware.com/products/workspace-one/digital-employee-experience-management.html
Interested in learning more about VMware End User Computing (EUC) but don't know where to start? Look no further than https://techzone.vmware.com, your fastest path to understanding, evaluating, and deploying VMware End User Computing products!
Tech Zone focuses on providing practical product guidance, curated activity paths, and technical content to take you from zero to hero! Our mission at Tech Zone is to provide you with the resources you need to keep leveling up your knowledge no matter where you are in your digital workspace journey.
Interested? Check us out at https://techzone.vmware.com!
Module 7 - Securing the Anywhere Workspace with Secure Access Service Edge (SASE) (60 minutes)
The Workspace ONE Tunnel and Secure Access Service Edge are two components of the Anywhere Workspace that allow employees to securely access resources on-premises and in the cloud by providing a Per-Application and full device Tunnel connection that allows applications to tunnel, block, or bypass traffic based on the target domain.
With VMware Secure Access, VMware has combined the consistent, secure cloud application access functionality of VMware SD-WAN with the capability of Workspace ONE to allow only trusted devices and users to access applications hosted on-premises or in the cloud.
With Workspace ONE:
With SASE:
In this lab, you will learn how to:
Double-click the Win10-01a.rdp shortcut located on the Main Console Desktop to connect to the Windows 10 virtual machine.
To perform most of the lab, you will log into the Workspace ONE UEM Admin Console.
Double-click the Google Chrome shortcut located on the desktop of the virtual machine you are currently connected to.
The default home page for the browser is https://hol.awmdm.com. Enter your Workspace ONE UEM Admin Account information and click the Login button.
VMware1!
NOTE - If you see a Captcha, please be aware that it is case sensitive!
The password field will be displayed after entering your username.
VMware1! for the Password field.
NOTE: Due to lab restrictions, you may need to wait here for a minute or so while the Hands On Lab contacts the Workspace ONE UEM Hands On Labs server.
You will be presented with the Workspace ONE UEM Terms of Use. Due to the lab environment the Terms of Use will not display, but this will not affect the lab itself. Click the Accept button.
NOTE: The following steps of logging into the Administration Console will only need to be done during the initial login to the console.
After accepting the Terms of Use, you will be presented with this Security Settings pop-up.
The Password Recovery Question is in case you forget your admin password and the Security PIN is to protect certain administrative functionality in the console.
VMware1! in the Password Recovery Answer field.
VMware1! in the Confirm Password Recovery Answer field.
1234 in the Security PIN field.
1234 in the Confirm Security PIN field.
A popup window will appear after you complete your security questions.
Click the 'X' in the upper right corner to close the Workspace ONE UEM Console Highlights window.
In addition to the Workspace ONE UEM administrator console, you will also be logging in as a read-only user to the SD-WAN Network Orchestrator console for this Hands-on Lab to view and confirm various settings related to the Workspace ONE Tunnel service hosting, Secure Access settings, and Cloud Web Security Policies.
holuser@vmware.com for the username
VMware1! for the password
Leave the SD-WAN Network Orchestrator tab open as you will be periodically returning to this tab throughout the lab.
An intranet website is being hosted on an external private network which is not reachable from the Hands-on Labs network. This intranet website accepts connections over ports 80, 8081, and 8082.
You will browse to this intranet website prior to publishing the Workspace ONE Tunnel and VPN policies to your Windows 10 virtual machine to confirm it is inaccessible. You will browse to this intranet website after the Workspace ONE Tunnel app and policies are configured and distributed to the enrolled virtual machine to confirm that the device can reach the intranet website on the protected network by tunneling the traffic through the Workspace ONE Tunnel service.
In Google Chrome:
Since http://intranet-server is not accessible over the public internet, our virtual machine cannot display the webpage. The intranet site is hosted on a private network which can only be reached once the device is connected to the Workspace ONE Tunnel service hosted in the same private network.
You will need to deploy and configure the Workspace ONE Tunnel app and a VPN profile to allow your devices to establish a connection to the Tunnel service that is hosted on a SASE PoP (Point of Presence) in San Jose. Once these configurations are completed, the device will tunnel traffic for the http://intranet-server site to the private network where the intranet site is hosted.
Before you can push the necessary app and profile to your device, you will need to enroll the device first. This will allow Workspace ONE UEM to manage the device and publish the app and profile to it over the air.
You will now enroll the Windows 10 device in Workspace ONE UEM by using the Workspace ONE Intelligent Hub app.
NOTE: You do NOT need to complete these steps, the Workspace ONE Intelligent Hub has already been downloaded for you! This step is purely informative.
You can download the latest Workspace ONE Intelligent Hub app for your current platform by following the below steps:
https://www.getwsone.com in your browser.
For expediency, the Workspace ONE Intelligent Hub app has already been downloaded for you. Continue to the next step to start the installer.
NOTE: The installer may take a few seconds to launch, please be patient after clicking the AirwatchAgent.msi file.
Click Run to proceed with the installation.
Leave the default install location and click Next.
NOTE: The Next button may take several seconds to enable while the required additional features are installed.
Click Install to start the installer.
NOTE: The Workspace ONE Intelligent Hub install may take several minutes to complete, do not interrupt the installer!
NOTE: The installer may take several minutes to complete. Please wait until you see the completed install screen before continuing.
Click Finish to complete the Workspace ONE Intelligent Hub installer.
NOTE: After clicking finish, the Native Enrollment application will launch to guide you through enrolling into Workspace ONE UEM. It will take 2-3 minutes to launch the Intelligent Hub.
NOTE: The above screen may take 2-3 minutes to display after clicking Finish from the previous step!
hol.awmdm.com for the Server Address.
The next step is to retrieve your Organization Group ID.
testuser in the Username field.
VMware1! in the Password field.
NOTE: Wait while the server checks your enrollment details. This may take a few minutes.
Click I Agree.
Click Done to end the Enrollment process. Your Windows 10 device is now successfully enrolled into Workspace ONE UEM!
When administrators integrate the Workspace ONE Tunnel service hosted from their SASE PoP into Workspace ONE UEM, they would follow these steps:
In this lab, the Secure Access Policies and Workspace ONE Tunnel integrations have been made for you for the sake of time. You will have read-only access to both the SD-WAN Network Orchestrator console and the Workspace ONE Tunnel settings in Workspace ONE UEM. You will step through this process to become familiar with the configurations and review what has been set up.
In Google Chrome:
The Secure Access Policies page has a list of your Secure Access clients.
Now that you have seen how the Secure Access deployment and the single PoP are configured, return to the Workspace ONE UEM administrator console to review the Workspace ONE Tunnel integration settings.
NOTE: The Tunnel configuration to the SASE PoP tenant has already been set up for you in the interest of time. You will review the configured changes to understand what settings were used for this implementation.
This section defines how to connect to the Tunnel service. The Windows 10 virtual machine in the lab will use these settings to establish a connection to the Tunnel service hosted on the SASE PoP at euchol.sa.gsm.vmware.com on port 443.
Continue to the next step.
Certificates are used to secure the traffic between the client and the Tunnel service. The AirWatch Certificate Authority can be used to generate client and/or server certificates for the Tunnel service. You can optionally provide your own certificates by selecting Third Party and uploading your certificates.
In our use case, we will leverage the AirWatch Certificate Authority for our certificates.
Device Traffic Rule Sets define which applications for which devices are allowed to utilize the Tunnel service to reach a destination, which destinations are blocked, and which can be bypassed (not sent through the Tunnel).
See Understanding Device Traffic Rules on TechZone for more information.
In this Hands-on Lab, you will not have privileges to view the Device Traffic Rules since they are configured at a parent organization group. See below for a screenshot of the configuration to review what has been configured for the lab.
NOTE: You will not be able to access the above page or make changes to these settings. The screenshot is for informational purposes so you can see the configuration of the Tunnel for this lab.
In this configuration, we are allowing a small subset of destinations to traverse through the Tunnel when using Google Chrome on Windows 10 devices and bypassing the Tunnel in all other use cases. This configuration is used to show specific use cases in the Hands-on Labs networking, and the next step will discuss more typical real-world configurations for comparison.
NOTE: This step is informational only and discusses a few real world applications of the Tunnel Traffic Rules to achieve a desired result. You cannot make the configurations shown on this step.
In the previous steps, we mentioned that the Device Traffic Rules we are using are not reflective of a typical deployment.
USE CASE: Corporate-Owned iOS Devices
In the below example, the Device Traffic Rules allow a few specific browsers for iOS to Tunnel necessary corporate traffic (such as SalesForce and Microsoft Office) while blocking some social media sites that corporate does not want to allow on corporate-owned devices.
USE CASE: Limited Tunnel Traffic with Contractors
Consider a use case where Contractors need access to a set of intranet sites from their devices, and they may not always be on site to access your corporate network. In this example, a set of browsers across iOS, macOS, Android, and Windows are allowed to Tunnel traffic to two intranet sites while all other traffic bypasses the Tunnel. This helps respect end-user privacy by not tunneling their personal traffic through the Tunnel service while also ensuring potentially malicious or undesirable sites are not routed through your Tunnel service.
Consider how you can use the combination of Per Application and Full Device rules combined with the TUNNEL, BYPASS, BLOCK, and PROXY actions to achieve your desired outcomes for different business use cases.
Continue to the next step.
Click Close on the Manage Traffic Assignments popup to return to the Tunnel configuration page.
You have now reviewed the Tunnel configuration that has been completed for you in order for Google Chrome on an enrolled Windows 10 device to be allowed to Tunnel all matching domains and IPs to the Tunnel service hosted by the SASE PoP. This configuration will allow traffic to the http://intranet-server destination to tunnel to the private network and access the intranet site, while also tunneling traffic to inspect for malicious or unwanted network behavior and protect the user with your configured Cloud Web Security (CWS) policies.
Next, you will create a Profile with a VPN payload that will send your Workspace ONE Tunnel configuration to devices that enroll in your organization.
With the Workspace ONE Tunnel integrated with Workspace ONE UEM, you are ready to create a Profile with a VPN payload. The Workspace ONE Tunnel app, which you will deploy in a later step, requires a Profile with a VPN payload to be available on the device so that the Tunnel Device Traffic Rules can be parsed and enforced.
This allows you to deliver different Tunnel Device Traffic Rules to different users or different devices in your organizations to meet their specific needs.
For more details, the Workspace ONE Tunnel operational tutorial on TechZone covers creating Per-App VPN Profiles for iOS, macOS, Windows 10, and Android.
Click Windows.
Click the Windows Desktop device type. This will apply the following configurations you make to Windows 10 devices.
Click the Device Profile context.
This will apply the configurations you make to the entire Windows 10 device, regardless of the user. You would use User Profiles instead if you wished to deploy user-specific configurations.
Corporate Tunnel for the Name. This Profile will be identified by this name in the Admin Console and on devices.
This will configure the profile, named Corporate Tunnel, to be published automatically to any Windows 10 devices that enroll to your organization.
Profiles can have more than one Payload associated with them, so you will need to click Configure for each Payload you wish to add. However, it is generally best practice to only include one Payload per Profile for simplicity.
Corporate Tunnel for the connection name.
This VPN Profile will be pushed down to the device, which the Workspace ONE Tunnel application will use to determine where the Tunnel service is hosted (euchol.sa.gsm.vmware.com:443) and what Device Traffic Rules will be used.
The Profile with the VPN payload is now published to your devices with the necessary Workspace ONE Tunnel configuration. Since the assignment type was set to Auto, your devices that get enrolled will automatically receive this configuration.
Once created, the Corporate Tunnel Profile will appear in your list of Profiles in the Workspace ONE UEM administrator console. If you need to edit or update your Profile, you would do so through this view.
You will now upload and prepare the Workspace ONE Tunnel app for deployment. The Workspace ONE Tunnel app is responsible for utilizing the details of your Profile containing VPN payloads to establish connections to the Workspace ONE Tunnel service hosted in the SASE PoP.
The Workspace ONE Tunnel binary has been hosted for you on the virtual machine. Ordinarily, you would navigate to https://my.workspaceone.com, sign in with your credentials, and download the Workspace ONE Tunnel binary from the Products section for the desired platform.
Click Upload.
Click Choose File.
NOTE: The app upload may take a few minutes to complete! Continue to the next step once the upload completes. If you see "An error has occurred HTTP Status Code 0", please try the upload again, as internet bandwidth is variable.
Click Continue.
Workspace ONE Tunnel for the Name field
2.1.1.7 for the App Version field
DO NOT click Save & Assign yet, continue to the next step.
NOTE: Remember that you can copy + paste the text from the manual into the console by using keyboard shortcuts or by clicking + dragging to highlight the text, then dragging the text into the text field.
VMwareTunnelInstaller_2.1.1.exe /uninstall /Passive
VMwareTunnelInstaller_2.1.1.exe /install /Passive
This will inform UEM how to silently install the app when it is published to devices.
10 for the Installer Timeout
3010 for the Installer Reboot Exit Code
0 for the Installer Success Exit Code
The Install Timeout field informs UEM how long (in minutes) it should attempt to install the executable before retrying the command.
Exit Codes inform the device how to respond to the install process. 3010 notes that a restart is required to complete the install. 0 indicates that the action completed successfully.
C:\Program Files\VMware\Workspace ONE Tunnel\VMwareTunnel.exe for the Path
This File exists Criteria will inform UEM that the Workspace ONE Tunnel app has been successfully installed once the VMwareTunnel.exe file exists at the configured path.
The application configuration is completed! Click Save & Assign.
Now that you have uploaded the application and input details so that Workspace ONE UEM knows how to install and uninstall the application, you now need to assign which users or devices in your organization will receive this app.
All Devices for the Assignment Name
This assignment to the All Devices group indicates that every Windows 10 device that enrolls into your organization, regardless of the user or type (Employee Owned, Corporate Owned, etc.) will receive the application.
Configuring the App Delivery Method to Auto means that the application will automatically be delivered to any Windows 10 devices that enroll in your organization. If you wanted users to be able to download the application as needed, you could select On Demand.
The Make App MDM Managed if User Installed option will overwrite the Workspace ONE Tunnel application installed on the device if it already exists. This can be important if you need to push configurations down to a device, as this is not possible if the device is not managed by MDM (Workspace ONE UEM). Enabling this will ensure all installed Workspace ONE Tunnel applications on our devices are MDM managed.
The application is now configured and assigned and ready to publish! Publishing will make the application with its configurations available to your users.
The Workspace ONE Tunnel app that was published to the device requires a restart in order to complete the installation. The app configuration that was set up will force the device to reboot automatically once the app is finished installing.
To expedite the sync process that will trigger the application install:
IMPORTANT: The Workspace ONE Tunnel app may take several minutes to install, therefore, the automatic restart may not trigger right away. Please wait until the device automatically restarts, do not trigger a restart manually!
Once the device restart triggers, you will be notified that the Remote Desktop Connection was ended. Click OK.
From the Main Console desktop, double-click the Win10-01a.rdp shortcut to reconnect to the virtual machine.
NOTE: It may take a few minutes before the device finishes rebooting. If your connection attempt fails, wait a minute and try again.
NOTE: Remember that you can click + drag to highlight the above text, then drag and drop it into the HOL console to paste it to avoid typos!
C:\HOL\Win10TunnelProxy.ps1 and press ENTER.
Restart-Service -Name VMwareTunnel and press ENTER.
Due to the networking in the Hands-on Labs environment, we need to add an entry into the proxy settings to allow the outbound traffic to leave the network. This script makes this update for you.
internet options
*.vmware.com
entry.
Double-click the Google Chrome shortcut located on the desktop of the virtual machine you are currently connected to.
The default home page for the browser is https://hol.awmdm.com. Enter your Workspace ONE UEM Admin Account information and click the Login button.
VMware1!
NOTE - If you see a Captcha, please be aware that it is case sensitive!
The password field will be displayed after entering your username.
VMware1! for the Password field.
NOTE: Due to lab restrictions, you may need to wait here for a minute or so while the Hands On Lab contacts the Workspace ONE UEM Hands On Labs server.
In addition to the Workspace ONE UEM administrator console, you will also be logging in as a read-only user to the SD-WAN Network Orchestrator console for this Hands-on Lab to view and confirm various settings related to the Workspace ONE Tunnel service hosting, Secure Access settings, and Cloud Web Security Policies.
holuser@vmware.com for the username
VMware1! for the password
Leave the SD-WAN Network Orchestrator tab open as you will be periodically returning to this tab throughout the lab.
You have now made the following configurations:
With the Workspace ONE Tunnel app deployed and configured, you are now ready to test accessing the intranet site again.
This time, the Workspace ONE Tunnel Device Tunnel Traffic rules specify that requests to IPs in the 172.31.64.0/23 range (which is where the intranet-server is hosted) on ports 80, 8081, and 8082 should pass through the Tunnel. Since the Tunnel is hosted in the same private network,
IMPORTANT: If you see an error about the hostname not being resolvable when connecting to the site, the Tunnel service may still have been establishing a connection. Wait a few seconds and refresh the page.
Recall that our Device Traffic Rules were also allowing port 8081 and 8082 to the 172.31.64.0/23 network where the intranet server resides. This confirms that you can also successfully reach the http://intranet-server:8081 endpoint through the Tunnel.
Recall that our Device Traffic Rules were also allowing port 8081 and 8082 to the 172.31.64.0/23 network where the intranet server resides. This confirms that you can also successfully reach the http://intranet-server:8082 endpoint through the Tunnel.
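The Device Traffic Rule exercised above can be modelled and regression-tested offline before a rule set is published. The following is an added example, not VMware's code and not part of the original lab. It assumes rules are evaluated in order with the first match deciding, that chrome.exe identifies Google Chrome, and that flows carry already-resolved IP addresses; it models only the intranet range, and the probe flows are constructed.

```python
import ipaddress
from dataclasses import dataclass
from fnmatch import fnmatch


@dataclass(frozen=True)
class TrafficRule:
    apps: tuple          # app names or wildcards; "*" matches any app
    destinations: tuple  # CIDR ranges or hostname wildcards
    ports: tuple         # destination ports; empty tuple means any port
    action: str          # "TUNNEL", "BYPASS" or "BLOCK"


def dest_matches(pattern, host):
    """Match one destination pattern against an IP literal or a hostname."""
    try:
        network = ipaddress.ip_network(pattern, strict=False)
    except ValueError:
        return fnmatch(host.lower(), pattern.lower())  # hostname wildcard
    try:
        return ipaddress.ip_address(host) in network
    except ValueError:
        return False  # CIDR pattern, but the flow names a host, not an address


def decide(rules, app, host, port, default="BYPASS"):
    """Return (action, rule index) of the first rule that matches the flow."""
    for index, rule in enumerate(rules):
        app_ok = any(fnmatch(app.lower(), a.lower()) for a in rule.apps)
        dest_ok = any(dest_matches(d, host) for d in rule.destinations)
        port_ok = not rule.ports or port in rule.ports
        if app_ok and dest_ok and port_ok:
            return rule.action, index
    return default, None


def audit(rules, probes):
    """Compare expected actions with the model's decisions; return mismatches."""
    mismatches = []
    for app, host, port, expected in probes:
        actual, _ = decide(rules, app, host, port)
        if actual != expected:
            mismatches.append((app, host, port, expected, actual))
    return mismatches


# The lab rule as the page describes it: Chrome on Windows 10 tunnels
# 172.31.64.0/23 on ports 80, 8081 and 8082; all other traffic bypasses.
# "chrome.exe" is an assumed app identifier, not taken from the lab.
LAB_RULES = [
    TrafficRule(("chrome.exe",), ("172.31.64.0/23",), (80, 8081, 8082), "TUNNEL"),
]

# Constructed probes: (app, destination IP, port, expected action).
PROBES = [
    ("chrome.exe", "172.31.64.10", 80, "TUNNEL"),
    ("chrome.exe", "172.31.65.255", 8082, "TUNNEL"),  # last address in the /23
    ("chrome.exe", "172.31.66.1", 80, "BYPASS"),      # just outside the /23
    ("chrome.exe", "172.31.64.10", 443, "BYPASS"),    # port not in the rule
    ("msedge.exe", "172.31.64.10", 8081, "BYPASS"),   # app not in the rule
]

if __name__ == "__main__":
    for app, host, port, _ in PROBES:
        print(app, host, port, decide(LAB_RULES, app, host, port))
    print("mismatches:", audit(LAB_RULES, PROBES))
```

An empty mismatch list means the rule set tunnels exactly the flows you intended; any entry shows a flow that would leave or enter the Tunnel unexpectedly.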
You may recall that when we inspected the Secure Access setting in the SD-WAN Network Orchestrator, a Cloud Web Security (CWS) policy named Corporate-Policy was enabled. Cloud Web Security policies allow network traffic for Secure Access users to be inspected and blocked to keep users and corporate resources safe from malicious and undesirable sites.
The Corporate-Policy Cloud Web Security policy has been configured to:
Click the Configure tab.
The list of Security Policies for your Secure Access deployment is available here. Click the Corporate-Policy link.
The SSL Inspection tab is the default landing tab. All policies process in order from top to bottom, similar to a Network Access Control List (NACL).
awmdm.com, which means our Workspace ONE UEM traffic to hol.awmdm.com won't be inspected.
Remember that the rules are processed in order from top to bottom, so the three default allow rules will only be processed if the preceding rules do not apply.
Remember that the rules are processed in order from top to bottom, so the two default allow rules will only be processed if the preceding rules do not apply.
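Because processing is top to bottom, a rule placed below a broader rule never fires. The following added example (not VMware's code and not part of the original lab) models first-match evaluation and flags shadowed rules. The rule schema, rule names, category labels and .example hosts are constructed, and domain matching by suffix is an assumption of the model.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    name: str
    categories: frozenset  # URL categories matched; empty set means any
    domains: frozenset     # domain suffixes matched; empty set means any
    action: str            # e.g. "ALLOW", "BLOCK", "BYPASS"


def domain_in(host, suffixes):
    """True when host equals a suffix or is a subdomain of it."""
    host = host.lower().rstrip(".")
    return any(host == s or host.endswith("." + s) for s in suffixes)


def matches(rule, host, category):
    cat_ok = not rule.categories or category in rule.categories
    dom_ok = not rule.domains or domain_in(host, rule.domains)
    return cat_ok and dom_ok


def evaluate(rules, host, category):
    """Process rules top to bottom; the first match decides."""
    for rule in rules:
        if matches(rule, host, category):
            return rule.action, rule.name
    return "NO_MATCH", None


def covers(earlier, later):
    """True when every request the later rule matches also hits the earlier one."""
    cats = not earlier.categories or (
        bool(later.categories) and later.categories <= earlier.categories)
    doms = not earlier.domains or (
        bool(later.domains)
        and all(domain_in(d, earlier.domains) for d in later.domains))
    return cats and doms


def find_shadowed(rules):
    """Return (rule, shadowed_by, action_conflict) for rules that can never fire.

    Only coverage by a single earlier rule is checked, not by a union of rules.
    """
    findings = []
    for position, later in enumerate(rules):
        for earlier in rules[:position]:
            if covers(earlier, later):
                conflict = earlier.action != later.action
                findings.append((later.name, earlier.name, conflict))
                break
    return findings


# Constructed policies modelled on the page: a category block above a
# default allow, and an SSL inspection bypass for awmdm.com.
BLOCK_RISKY = Rule("block-risky-categories", frozenset({"Gambling"}), frozenset(), "BLOCK")
DEFAULT_ALLOW = Rule("default-allow", frozenset(), frozenset(), "ALLOW")
URL_FILTERING = [BLOCK_RISKY, DEFAULT_ALLOW]
MISORDERED = [DEFAULT_ALLOW, BLOCK_RISKY]  # the block can no longer fire
SSL_INSPECTION = [Rule("bypass-uem", frozenset(), frozenset({"awmdm.com"}), "BYPASS")]

if __name__ == "__main__":
    print(evaluate(URL_FILTERING, "casino.example", "Gambling"))
    print(evaluate(MISORDERED, "casino.example", "Gambling"))
    print(find_shadowed(MISORDERED))
    print(evaluate(SSL_INSPECTION, "hol.awmdm.com", "Business"))
```

A finding whose third field is True is the dangerous case: the shadowed rule would have taken a different action from the rule that pre-empts it.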
NOTE: The following is for informational purposes only. Due to this being a live production environment, no changes can be made. Click the Cancel button to continue.
No additional Content Inspection rules were created for this deployment.
Recall that our URL Filtering policies had a rule that blocked access to a few categories of websites, one of which included gambling websites. This confirms that the traffic passing through the Tunnel service was inspected and its category was determined to be a gambling website, which our policy specifies should be blocked.
After attempting to download the .zip file, the request is blocked because it violates the Document or File Download Policy Restriction that has been configured. Recall that the default Content Filtering rule only allows file downloads if they are encrypted and require a password prompt, which this file does not. Because none of our other configured rules explicitly allow non-encrypted files to be downloaded, the file is therefore blocked.
Recall that our Cloud Web Security policy had a Content Filtering rule that blocked all file uploads for all users. This confirms that the user was unable to upload the file because the process was blocked by the Cloud Web Security policy.
You have reviewed how the Cloud Web Security policy was configured to prevent actions for your end users. You will now inspect the Monitoring section of the Cloud Web Security section of the SD-WAN Network Orchestrator UI to see what details are available for administrators of the system.
NOTE: Your dashboards will differ from the above view because they are displaying real metrics gathered from the Hands-on Lab.
A log of traffic, how it was categorized, and how it was handled by your policies is available in the Web Logs section.
Click the first tab to navigate back to the Workspace ONE UEM Administrator console to complete the next steps.
In this section, we are going to un-enroll our Windows 10 VM so that we can use it for other lab modules.
We will use the Enterprise Wipe command to remove all of the managed content that was pushed to the device (such as profiles and apps) by Workspace ONE while not modifying any personal content or data on the device.
Return to the Workspace ONE UEM Administrator Console in Google Chrome,
1234
. If you used a different PIN, enter that one instead.
NOTE: The Enterprise Wipe may take several minutes to process.
From the Settings Menu, access Accounts
NOTE: The CORP AD domain is the local domain in this lab and is not controlled by Workspace ONE UEM Enrollment, so you will see this connection when your device is enrolled or unenrolled.
NOTE: If the Access Work or School page was opened from earlier, you may need to refresh or navigate away from the page and return to see the changes.
Click Close (X) on the Remote Desktop Connection bar at the top of the screen to return to the Main Console to finish making configurations within the Workspace ONE UEM Console.
NOTE: If the Remote Desktop Connection bar is not visible, you may have unpinned it. Hover your mouse over the top of the screen to display the Remote Desktop Connection bar again, then click Close.
You have completed this Hands-on lab for Securing the Anywhere Workspace with Secure Access Service Edge (SASE)! With the principles learned here, consider how the Anywhere Workspace can enable remote and secure access to your cloud applications and corporate datacenter no matter where your employees are located.
In review, you learned how to:
Conclusion
Thank you for participating in the VMware Hands-on Labs. Be sure to visit http://hol.vmware.com/ to continue your lab experience online.
Lab SKU: HOL-2251-09-DWS
Version: 20230328-223206