1. The area in the RED box contains the Main Console.  The Lab Manual is on the tab to the Right of the Main Console.
2. A particular lab may have additional consoles found on separate tabs in the upper left. You will be directed to open another specific console if needed.
3. Your lab starts with 90 minutes on the timer.  The lab can not be saved.  All your work must be done during the lab session.  But you can click the EXTEND to increase your time.  If you are at a VMware event, you can extend your lab time twice, for up to 30 minutes.  Each click gives you an additional 15 minutes.  Outside of VMware events, you can extend your lab time up to 9 hours and 30 minutes. Each click gives you an additional hour.

During this module, you will input text into the Main Console. Besides directly typing it in, there are two very helpful methods of entering data which make it easier to enter complex data.

You can also click and drag text and Command Line Interface (CLI) commands directly from the Lab Manual into the active window in the Main Console.  

You can also use the Online International Keyboard found in the Main Console.

1. Click on the Keyboard Icon found on the Windows Quick Launch Task Bar.

In this example, you will use the Online Keyboard to enter the "@" sign used in email addresses. The "@" sign is Shift-2 on US keyboard layouts.

1. Click once in the active console window.
2. Click on the Shift key.

1. Click on the "@ key".

Notice the @ sign entered in the active console window.

When you first start your lab, you may notice a watermark on the desktop indicating that Windows is not activated.  

One of the major benefits of virtualization is that virtual machines can be moved and run on any platform.  The Hands-on Labs utilizes this benefit and we are able to run the labs out of multiple data centers.  However, these data centers may not have identical processors, which triggers a Microsoft activation check through the Internet.

Rest assured, VMware and the Hands-on Labs are in full compliance with Microsoft licensing requirements.  The lab that you are using is a self-contained pod and does not have full access to the Internet, which is required for Windows to verify the activation.  Without full access to the Internet, this automated process fails and you see this watermark.

This cosmetic issue has no effect on your lab.  

Please check to see that your lab is finished all the start-up routines and is ready for you to start. If you see anything other than "Ready", please wait a few minutes.  If after 5 minutes your lab has not changed to "Ready", please ask for assistance.

Learn how to enroll a Windows 10 device into Workspace ONE UEM and how to configure and deploy restriction profiles and applications to your enrolled device.

IMPORTANT: You SHOULD NOT enroll a personal Windows 10 device for the upcoming exercise! Personal devices may be enrolled into other EMM providers which can cause undesired conflicts and issues.

Please follow the upcoming steps to enroll and use the provided Win10-01a virtual machine for this Hands-on Lab.

Double-click the Win10-01a.rdp shortcut located on the Main Console Desktop to connect to the Windows 10 virtual machine.

To perform most of the lab, you will log into the Workspace ONE UEM Admin Console.

Double-click the Google Chrome shortcut located on the desktop of the virtual machine you are currently connected to.

The default home page for the browser is https://hol.awmdm.com. Enter your Workspace ONE UEM Admin Account information and click the Login button.

1. Enter your Username. This is the email address that you have associated with your VMware Learning Platform (VLP) account that you utilized to take Hands-on Labs.
2. Click Next, then advance to the next step of the lab manual to enter the password, which will always be VMware1!.

NOTE - If you see a Captcha, please be aware that it is case sensitive!

The password field will be displayed after entering your username.

1. Enter VMware1! for the Password field.
2. Click the Log In button.

NOTE: Due to lab restrictions, you may need to wait here for a minute or so while the Hands On Lab contacts the Workspace ONE UEM Hands On Labs server.

You will be presented with the Workspace ONE UEM Terms of Use. Due to the lab environment the Terms of Use will not display, but this will not affect the lab itself. Click the Accept button.

NOTE: The following steps of logging into the Administration Console will only need to be done during the initial login to the console.

After accepting the Terms of Use, you will be presented with this Security Settings pop-up

The Password Recovery Question is in case you forget your admin password and the Security PIN is to protect certain administrative functionality in the console.  

1. You may need to scroll down to see the Password Recovery Questions and Security PIN sections.
2. Select a question from the Password Recovery Question drop-down (default selected question is ok here).
3. Enter VMware1! in the Password Recovery Answer field.
4. Enter VMware1! in the Confirm Password Recovery Answer field.
5. Enter 1234 in the Security PIN field.
6. Enter 1234 in the Confirm Security PIN field.
7. Click the Save button when finished.

A popup window will appear after you complete your security questions.

Click the 'X' in the upper right corner to close the Workspace ONE UEM Console Highlights window.

Basic accounts are the accounts which are created locally in the Workspace ONE UEM admin console, as opposed to the accounts which are imported from an active directory. In this section, we will create a Basic User account which we will use for enrollment in the following section.

In the top right corner of the Workspace ONE UEM console,

1. Click Add.
2. Click User.

In the pop-up window,

1. Ensure that security type is Basic
2. Enter the username as basicuser
3. Enter the password as VMware1!
4. Confirm the password as VMware1!
5. Enter the first name as Basic
6. Enter the last name as User
7. Enter the e-mail address as basicuser@corp.local
   NOTE: Use the scroll bar if you don't see the option to enter email address
8. Click on Save
   

You should see a confirmation that user is created successfully. If the user is already created with the same username then you can use the existing user in the following section.

The activation flow for Hub Services depends on whether you are a new customer or an existing customer.

New cloud customers who purchased Workspace ONE after January 2019 have Hub Services activated automatically as part of the instance provisioning process. Workspace ONE UEM, Workspace ONE Access, and Hub Services consoles are connected together, and the Hub catalog is enabled for the Intelligent Hub app.

Existing customers can configure Workspace ONE Access tenant URL, tenant admin username and password to activate Hub Services. If you do not have a Workspace ONE Access tenant, you can request one from the Workspace ONE UEM administrator console itself, using the Request a Cloud Tenant button.

For this lab, we have already provided you a Workspace ONE Access tenant which we will use in the next step to active Hub Services.

A temporary Workspace ONE Access tenant has been generated for you to use throughout this lab.  The Workspace ONE Access tenant URL and login details were uploaded to the Content section in the Workspace ONE UEM Console at the start of the lab.

In the Workspace ONE UEM Console:

1. Click Content
2. Expand Content
3. Click List View
4. Find the text file named vIDM Tenant Details for your@email.shown.here.txt and click the checkbox beside it to select the file
5. Click Download

After the file downloads, click the vIDM Tenant Details for your@email.shown.here.txt file from the download bar to open it.

1. Select the Tenant URL text and right-click
2. Click Copy

NOTE: Your tenant name will match your Group ID in the Workspace ONE UEM Console.

1. In the top right corner, click the My Services button
2. Click on Workspace ONE Hub Services

Click Get Started to begin the Hub Services activation process.

1. Right-click in the Tenant URL field and click Paste
2. Ensure that you have entered the URL from the notepad file you downloaded in the earlier step. If the clipboard is blank or carrying some other value, go back and copy the tenant URL from the notepad file you downloaded earlier.
3. Enter Administrator for the username
4. Enter VMware1! for the password
5. Click Test Connection
6. Ensure that the the success message Test Connection Successful! is displayed
7. Click Save to continue

Ensure that the message confirming Hub Services has been successfully activated is displayed. You have now successfully Activated Hub Services for your tenant!

You will now enroll the Windows 10 device in Workspace ONE UEM by using the Workspace ONE Intelligent Hub app.

NOTE: You do NOT need to complete these steps, the Workspace ONE Intelligent Hub has already been downloaded for you! This step is purely informative.

You can download the latest Workspace ONE Intelligent Hub app for your current platform by following the below steps:

1. Navigate to https://www.getwsone.com in your browser.
2. Click Download Hub for Windows 10.
3. Click Keep when warned about the AirWatchAgent.msi download.

For expediency, the Workspace ONE Intelligent Hub app has already been downloaded for you. Continue to the next step to start the installer.

1. Click the File Explorer icon from the taskbar.
2. Click Documents.
3. Click HOL.
4. Double-click the AirwatchAgent.msi file to start the installer.

NOTE: The installer may take a few seconds to launch, please be patient after clicking the AirwatchAgent.msi file.

Click Run to proceed with the installation.

Leave the default install location and click Next.

NOTE: The Next button may take several seconds to enable while the required additional features are installed.

1. Select I accept the terms of the License Agreement.
2. Click Next.

Click Install to start the installer.

NOTE - The Installing Hub UI Component step may take several minutes to complete. Please do not interrupt the install!

If prompted to allow the app to make changes on your device, click Yes. Otherwise, continue to the next step.

NOTE: The installer may take several minutes to complete.  Please wait until you see the completed install screen before continuing.

Click Finish to complete the Workspace ONE Intelligent Hub installer.

NOTE: After clicking finish, the Native Enrollment application will launch to guide you through enrolling into Workspace ONE UEM.  It will take around 45-60 seconds to launch the agent.

NOTE: The above screen may take 2-3 minutes to display after clicking Finish from the previous step!

1. Enter hol.awmdm.com for the Server Address.
2. Click Next.

The next step is to make sure you know what your Organization Group ID is.  

1. To find the Group ID, hover your mouse over the Organization Group tab at the top of the screen. Look for the email address you used to log in to the lab portal.
2. Your Group ID is displayed at the bottom of the Organization Group pop up.

1. Enter Your Group ID for the Group ID field.  If you forgot your Group ID, check the previous steps on how to retrieve it.
2. Click Next.

1. Enter basicuser in the Username field.
   NOTE: This was the username of the basic user account you created in previous steps in the Workspace ONE UEM Console
2. Enter VMware1! in the Password field.
3. Click Sign In.

NOTE: Wait while the server checks your enrollment details. This may take a few minutes.

Click I Agree.

Click Done to end the Enrollment process.  Your Windows 10 device is now successfully enrolled into Workspace ONE UEM!

Once the enrollment is completed, the Workspace ONE Intelligent Hub app will be displayed.  The Favorites and Apps tabs will be empty because we have not yet deployed any apps to your users and devices.

In the next steps, you will deploy two applications: Workspace ONE Assist and 7-Zip.  Workspace ONE Assist will be deployed and installed automatically to the end user's device, while 7-Zip will be an "on demand" app, meaning users can initiate the app download and install from the app catalog if and when they need access to 7-Zip.

Profiles allow you to modify how the enrolled devices behave. This exercise helps you to configure and deploy a restrictions profile that we can verify has applied to the device later in the section.

In the Workspace ONE UEM Administrator Console:

1. Click Resources
2. Expand the Profiles & Baselines section
3. Click Profiles
4. Click Add
5. Click Add Profile

Select the Windows icon.

Note: Make sure that you select Windows and not Windows Rugged.

Select Windows Desktop.

Select Device Profile.

1. Select General if it is not already selected.
2. Enter a profile name such as Windows Restrictions in the Name text box.
3. Optionally enter Windows Restrictions into the Description field.
4. Click in the Smart Groups field. This will pop-up the list of created Smart Groups. Select the All Devices Smart Group.
   Note: You may need to scroll down to view the Smart Groups field.

Note: You DO NOT need to click Save & Publish at this point. This interface allows you to move around to different payload configuration screens before saving.

NOTE: When initially setting a payload, a Configure button will show to reduce the risk of accidentally setting a payload configuration.

1. Select the Restrictions payload in the Payload section on the left.
2. Click the Configure button to continue setting the Restrictions payload.

1. Select Block for Allow MDM Unenrollment.
2. Click Save & Publish.

NOTE: Some restrictions require a certain version of Windows or higher to apply to a device.  A few references are available for you to determine which version of Windows is required, including:

• VMware Policy Builder: https://www.vmwarepolicybuilder.com
• Configuration Service Provider (CSP) Reference: http://aka.ms/CSPList
• Whats New in MDM Enrollment and Management: https://docs.microsoft.com/en-us/windows/client-management/mdm/new-in-windows-mdm-enrollment-management

A preview of devices that will receive this profile based on the assigned smart groups is shown. Click Publish.

You should now see your Restrictions Profile within the List View of the Devices Profiles window.

Note: If you need to edit the Restrictions Profile, this is where you would do so. To edit the profile, click the profile name, then select Add Version. Update the profile and click Save & Publish to push the new settings to the assigned devices.

There are two ways to distribute applications: On Demand and Auto.

• On Demand allows users to initiate the download and install of an app presented in the Intelligent Hub app catalog when they decide that they need access to the app.  
• Auto will download and install the app automatically on the device without requiring the user to interact with the app from the Intelligent Hub app catalog.

This exercise will show how to deploy the 7-Zip executable as an On Demand app.

In the Workspace ONE UEM Administrator Console:

1. Click Resources
2. Expand the Apps section
3. Click Native
4. Click Add
5. Click Application File

Click Upload.

Click the Choose File button.

1. Click Documents.
2. Click HOL.
3. Select the 7z1604-x64 executable file.
4. Click Open.

Click Save.

NOTE: The app upload may take a few minutes to complete! Continue to the next step once the upload completes. If you see "An error has occurred HTTP Status Code 0" please try the upload again as internet bandwidth is variable.

1. Select No for Is this a dependency app?
2. Click Continue.

1. Enter a name for your application: 7-Zip. This name will be displayed in the app catalog to your users.
2. Select 64-bit for the Supported Processor Architecture.

1. Select the Files tab.
2. Scroll down to find the App Uninstall Process section.
3. Enter the following for Uninstall Command: 7z1604-x64.exe /Uninstall

NOTE: Remember that you can copy and paste text from the manual into the lab to avoid typing mistakes!

NOTE: For more information about copying text from the manual, see the Guidance section.

1. Select Deployment Options.
2. Scroll down until you see the option for Install Command.
3. Enter Install Command as: 7z1604-x64.exe /S

NOTE: Remember that you can copy and paste text from the manual into the lab to avoid typing mistakes!

NOTE: For more information about copying text from the manual, see the Guidance section.

1. Scroll down to find the When To Call Install Complete section.
2. Select Defining Criteria for Identity Application By.
3. Click Add.

1. Select File Exists for the Criteria Type.
2. Enter C:\Program Files\7-Zip\7zFM.exe for the Path.
3. Click Add.

NOTE: Remember that you can copy and paste text from the manual into the lab to avoid typing mistakes!

NOTE: For more information about copying text from the manual, see the Guidance section.

Click Save & Assign.

1. Enter All Devices for the Name.
2. Click the Assignment Groups field.
3. Select All Devices (your@email.shown.here) from the list.

1. Select On Demand for the App Delivery Method. This will make the app available to your assigned users in the app catalog.
2. Enable the Display in App Catalog setting.
3. Click Create.

Note: You now have the ability to choose if the app is displayed in the app catalog or not. This is helpful when deploying driver updates or scripted actions and don't want the end-user to see this in the catalog.

Click Save to save the app assignments.

Click Publish to publish the application to the list of devices shown.

The 7-Zip application has been created and assigned to the All Devices smart group as an On Demand app, meaning it will not be automatically installed on the end user device when it is enrolled. This allows the app to be installed by the end user through the app catalog or by an administrator through the Workspace ONE UEM administrator console.

Continue to the next step.

You will now distribute an Auto app, which will automatically download and install the app to the user's device without requiring them to interact with the app within the Intelligent Hub app catalog.

In the Workspace ONE UEM Administrator Console:

1. Click Resources
2. Expand the Apps section
3. Click Native
4. Click Add
5. Click Application File

Click Upload.

Click the Choose File button.

1. Click Documents
2. Click HOL
3. Select the WS1_Assist_v21.03.msi file
4. Click Open

Click Save.

NOTE: The app upload may take a few minutes to complete! Continue to the next step once the upload completes. If you see "An error has occurred HTTP Status Code 0" please try the upload again as internet bandwidth is variable.

1. Select No for Is this a dependency app?
2. Click Continue.

Select 64-bit for the Supported Processor Architecture.

1. Select the Deployment Options tab.
2. Scroll down to find the How To Install section.
3. Notice that the Install Command and installer codes have been entered automatically from the details within the MSI, unlike when working with the EXE file previously.

1. Click the Images tab
2. Click the Icon tab
3. Click the area labeled Click or drag files here

1. Click Documents
2. Click HOL
3. Click to select WS1_Assist_Icon.png
4. Click Open

1. Confirm that the Workspace ONE Assist icon was successfully uploaded
2. Click Save & Assign

1. Enter All Devices for the Distribution Name
2. Click the Assignment Groups field
3. Select the All Devices (your@email.shown.here) group

1. Select Auto for the App Delivery Method. This will automatically deploy and install the app for your users, making it available right away without any interaction with the app catalog.
2. Enable the Display in App Catalog setting.
3. Click Create.

NOTE: You now have the ability to choose if the app is displayed in the app catalog or not. This is helpful when deploying driver updates or scripted actions and don't want the end-user to see this in the catalog.

Click Save to save the app assignments.

Click Publish to publish the application to the list of devices shown.

The Workspace ONE Assist application has been created and assigned to the All Devices smart group and the App Delivery Method was set to Auto, meaning the app will be automatically downloaded and installed without requiring any user interaction when a Windows 10 device is enrolled into the organization.  

Continue to the next step.

Your device was enrolled and received three configurations:

1. A Restriction Profile which prevents end users from unenrolling the Windows 10 device
2. The 7-Zip app was deployed as an On Demand app
3. The Workspace ONE Assist app was deployed as an Auto app

You will now confirm that the Restriction Profile was installed by verifying that the restrictions are applied on your device and that the two apps are available according to their deployment type (On Demand vs. Auto).

1. Click the Windows Start button
2. Click the Windows Settings button

Click on Accounts.

1. Click on Access work or school.
2. Click on Connected to Workspace ONE MDM.

1. Click Disconnect.

Notice, the end-user now does not have the ability to unenroll their device from Workspace ONE UEM management.

Here you can see the before and after results of applying the Allow or Don't Allow MDM Unenrollment policy on the Windows 10 device.

1. Click the Workspace ONE Intelligent Hub app from the task bar.
2. Click the Apps tab to view the app catalog.
3. Click Refresh to view the new apps that have been made available.
4. Confirm that the 7-Zip and Workspace ONE Assist apps both display under the New Apps section.

Click the 7-Zip app.

1. Click the Windows button.
2. Confirm that both 7-Zip and Workspace ONE Assist appear under the Recently Added section. Feel free to launch the apps if you wish, then continue to the next step.

You were able to confirm that the Restriction Profile took affect on the device as intended and that the two applications you made available, Workspace ONE Assist and 7-Zip, were presented to the user from the app catalog and were successfully installed!

In this section, we are going to un-enroll our Windows 10 VM so that we can use it for other lab modules.

We will use the Enterprise Wipe wipe command to remove all of the managed content that was pushed to the device (such as profiles and apps) by Workspace ONE while not modifying any personal content or data on the device.

Return to the Workspace ONE UEM Administrator Console in Google Chrome,

1. Click on Devices
2. Click on List View
3. Select the check box next to your device friendly name.
4. Click on More Actions
5. Click on Enterprise Wipe

1. You may need to scroll down to find the Security PIN input
2. Enter the Security PIN that you created when you first logged into the Workspace ONE UEM administration console, which was 1234. If you used a different PIN, enter that one instead.
3. Click Delete

NOTE: The Enterprise Wipe may take several minutes to process.

1. Click the Refresh icon periodically to refresh the page to check if the Enterprise Wipe has processed
2. If needed, scroll to the right to find the Enrollment column
3. Notice that the Enrollment status for the device changes to Unenrolled once the Enterprise Wipe command is processed

1. Click on the Windows Icon
2. Click on the gear icon to access Windows 10 Settings

From the Settings Menu, access Accounts

1. Click on Access work or school
2. Validate that you DO NOT see any account connected to Workspace ONE MDM.

NOTE: The CORP AD domain is the local domain in this lab and is not controlled by Workspace ONE UEM Enrollment, so you will see this connection when your device is enrolled or unenrolled.

NOTE: If the Access Work or School page was opened from earlier, you may need to refresh or navigate away from the page and return to see the changes.

1. Click the Connected to Workspace ONE UEM account
2. Click Disconnect
3. Click Yes

Click Close (X) on the Remote Desktop Connection bar at the top of the screen to return to the Main Console to finish making configurations within the Workspace ONE UEM Console.

In addition to managing mobile devices, Workspace ONE UEM can also manage your Windows 10 devices.  This quick look into Windows 10 management should provide a clearer picture of how you can manage your Windows 10 devices by configuring restrictions and profiles and deploying applications alongside your mobile workforce.

This concludes the Basic Windows 10 Management module.

Interested in learning more about VMware End User Computing (EUC) but don't know where to start? Look no further than https://techzone.vmware.com, your fastest path to understanding, evaluating, and deploying VMware End User Computing products!

Tech Zone focuses on providing practical product guidance, curated activity paths, and technical content to take you from zero to hero!  Our mission at Tech Zone is to provide you with the resources you need to keep leveling up your knowledge no matter where you are in your digital workspace journey.

Interested? Check us out at https://techzone.vmware.com!

To begin this lab, you will need to login to the Workspace ONE UEM admin console.

Double-click the Google Chrome shortcut located on the desktop of the virtual machine you are currently connected to.

1. Click the WS1 bookmark folder.
2. Click the WS1 UEM Console link.
3. Enter your Username. This is the email address that you have associated with your VMware Learning Platform (VLP) account that you utilized to take Hands-on Labs.
           Note: Your password for the next step will be VMware1!
4. Click Next.

The password field is displayed.

1. Enter VMware1! in the Password field.
2. Click the Log In button.

NOTE: You may need to wait here for a minute or so while the Hands On Lab contacts the Workspace ONE UEM Hands On Labs server.

You will be presented with the Workspace ONE UEM Terms of Service. Click the Accept button.

NOTE: The following steps are only performed for the initial login to the administration console.

After accepting the Terms of Use, you will be presented with this Security Settings pop-up

The Password Recovery Question is in case you forget your admin password and the Security PIN is to protect certain administrative functionality in the console.  

1. Scroll down to see the Password Recovery Questions and Security PIN sections.
2. Select a question from the Password Recovery Question drop-down (default selected question is ok here).
3. Enter VMware1! in the Password Recovery Answer field.
4. Enter VMware1! in the Confirm Password Recovery Answer field.
5. Enter 1234 in the Security PIN field.
6. Enter 1234 in the Confirm Security PIN field.
7. Click the Save button when finished.

A popup window will appear after you complete your security questions.

Click the 'X' in the upper right corner to close the Workspace ONE UEM Console Highlights window.

In this section, we will create a restriction profile that will disable the camera and disable Siri on the device. We will set the profile for auto-deployment, so that the profile is installed automatically when the device is enrolled.

In the top right corner of the Workspace ONE UEM console,

1. Click Add.
2. Click Profile.

Click the Device Profile context option.

1. Select General if not selected already
2. Enter iOS Restriction Profile for the Name field
3. Ensure the Assignment Type is Auto
4. Click the Smart Groups dropdown field and select All Devices (your@email.shown.here)

1. Click on the Restrictions payload in the left panel.
2. Click Configure.

1. Scroll down approximately one page to find the Allow Siri option.
2. Uncheck the Allow Siri checkbox listed under the Device Functionality section. This will disable Siri on the device.
3. Take note of the iOS version and Supervised requirements for each restriction. The target device receiving this restriction must on the listed iOS version or higher (ie: iOS 5) and must be Supervised if the Supervised tag is also shown.
   For example: The Allow Siri restriction does not require the device to be Supervised, but the Allow Manual Profile Installation restriction does. Take note of these requirements and ensure your devices meet all of the requirements shown when publishing restriction profiles.
4. Click Save & Publish.

NOTE: Supervised devices give schools and business greater control over iOS device that they own. Supervising devices allows administrators additional device restrictions that are not possible with Bring Your Own Device (BYOD) scenarios to respect end user privacy.

Click Publish.

1. Click Resources.
2. Expand Profiles & Baselines.
3. Click Profiles.
4. Validate that you see iOS Restriction Profile in the Profiles List.

Before enrolling your device, confirm that Siri is available for use on your iOS app so you can confirm that the iOS Restriction Profile properly disables Siri once the device is enrolled in an upcoming step.

1. Activate Siri on your device (holding the Home or Side button, depending on your device).
2. If Siri is disabled, tap Turn On Siri.
3. Ensure you see Siri is listening for input, confirming that Siri is enabled on the device.

In this section, we are going to enroll an iOS device. The upcoming steps will need to be completed from an iOS device.

Launch the Hub app on the device.  

Once the Hub has launched you can enroll the device.  To do so, follow the below steps.

1. Enter hol.awmdm.com for the Server field.
2. Tap the Next button.

 Return to the Workspace ONE UEM Console,

1. To find the Group ID, hover your mouse over the Organization Group tab at the top of the screen. Look for the email address you used to log in to the lab portal.
2. Your Group ID is displayed at the bottom of the Organization Group pop up.

NOTE: The Group ID is required when enrolling your device in the following steps.

Return to the Workspace ONE Intelligent Hub application on your iOS Device,

1. Enter your Group ID for your Organization Group for the Group ID field.  Your Group ID was noted previously in the Finding your Group ID step.
2. Tap the Next button.

NOTE: If on an iPhone, you may have to close the keyboard by clicking Done in order to click the Next button.

You will now provide user credentials to authenticate to Workspace ONE UEM.

1. Enter testuser in the Username field.
2. Enter VMware1! in the Password field.
3. Tap the Next button.

If prompted for password saving, click Not Now

The Workspace ONE Intelligent Hub will show a privacy message detailing what is collected and what is not collected from the device.  

The next step is to download the configuration profile to enroll your device into Workspace ONE UEM.

Tap Continue to begin.

The next step is to download the configuration profile to enroll your device into Workspace ONE UEM.

Tap Download profile to begin.

When prompted that the website is trying to download a configuration profile, tap Allow.

When the Profile Downloaded notification is displayed, click Close.

Now that the profile is downloaded, tap Tap here when download finishes.  This will return you to the Intelligent Hub application where you will install the profile.

The next step is to Install the configuration profile to enroll your device into Workspace ONE UEM.

Tap Install profile to begin.

An instructional prompt will inform users how to finish their enrollment profile installation in the Settings app. Tap Open the Settings app to continue.

In the Settings app, tap the Profile Downloaded tab at the top of the Settings menu.

1. Tap Install in the upper right corner of the Install Profile dialog box.
   NOTE: If you have a passcode on your device, you will be prompted to input the passcode to continue.
2. Tap Install for the pop-up prompt to confirm.

You should now see the iOS Profile Installation warning explaining what this profile installation will allow on the iOS device.

Tap Install in the upper-right corner of the screen.

You should now see the iOS request to trust the source of the MDM profile.

Tap Trust when prompted at the Remote Management dialog.

You should now see that the iOS Profile was successfully installed.

Tap Done in the upper right corner of the prompt.

Your enrollment is now completed! Return to the Workspace ONE Intelligent Hub app.

You will see that the profile is not successfully configured.

1. Tap Take me to Hub to continue.
2. A Configuring Hub loading bar will display, wait for this to complete and then continue to the next step.

Tap Allow if you get a prompt to allow notifications for the Hub app.

Click Skip.

Tap I Understand when shown the Privacy policy.

Tap I Agree for the Data Sharing policy.

Confirm that the Hub app shows the user account (testuser) that you enrolled with..

You have now successfully enrolled your iOS device with Workspace ONE UEM! Continue to the next step.

You will now validate that the restriction profile for disabling Siri on the device is applying as expected. You will confirm the restriction profile in two ways:

1. Inspecting the Mobile Device Management profile that was installed to the device in previous steps to confirm that the restriction is present.
2. Attempting to interact with Siri on the device.

Tap the Settings app.

1. Tap General.
2. Scroll down to find the Profiles & Device Management option.
3. Tap Profiles & Device Management.

Tap the Device Manager profile under Mobile Device Management.

Tap Restrictions to inspect the restrictions associated with this profile.

Confirm that the Siri not allowed restriction is included in the list.

Attempt to activate Siri on your device again by holding the home button and notice that Siri no longer responds.

If you navigate to the Settings app, you will also notice that the Siri & Search settings are no longer available on the device.

You are now going to un-enroll the iOS device from Workspace ONE UEM.

NOTE: The term "Enterprise Wipe" does not mean reset or completely wipe your device. This only removes the MDM Profiles, Policies, and content which the Workspace ONE Intelligent Hub controls.

It will NOT remove the Workspace ONE Intelligent Hub application from the device as this was downloaded manually before the user enrolled in to Workspace ONE UEM.

Enterprise Wiping will remove all the settings and content that were pushed to the device after it was enrolled.  It will not affect anything that was on the device prior to enrollment.

Return to the Workspace ONE UEM Console,

1. Click Devices
2. Click List View
3. Click the checkbox next to the device you want to Enterprise Wipe
4. Click More Actions
5. Click Enterprise Wipe

After selecting Enterprise Wipe, you will be prompted to enter your Security PIN which you set after you logged into the Workspace ONE UEM console to 1234.

Enter 1234 for the Security PIN. You will not need to press enter or continue, the console will confirm your PIN showing "Successful" below the Security PIN input field to indicate that an Enterprise Wipe has been requested.  

Return to the device springboard. Notice that any applications pushed through Workspace ONE UEM  have been removed from the device.  In addition, navigating to Settings > General > Profiles will show that the Workspace Services profile has been removed from the device and any configurations pushed have been reverted.

NOTE: The Workspace ONE Intelligent Hub will still be on the device because that was downloaded manually from the App Store. Due to lab environment settings, it may take some time for the signal to traverse through the various networks out and back to your device. Continue on to the next step to force the wipe if the needed.

If your device did not wipe, follow these instructions to ensure the wipe is forced immediately. Start by opening the iOS Settings app.

1. Tap General in the left column.
2. Scroll down to view the Device Management option.
3. Tap Device Management at the bottom of the list of General settings.

Tap the Device Manager profile that was pushed to the device.

1. Tap Remove Management on the Workspace Services profile
   NOTE: If prompted for a device PIN, enter it to continue
2. Tap Remove on the Remove Management prompt

After removing the Device Manager profile, the device will be un-enrolled.  Feel free to return to the Verify the Un-Enrollment step to confirm the successful un-enrollment of the device.

Once the device has unenrolled, the restrictions that you pushed to disable Siri will be removed but will not modify any other aspects of your device.  Attempt to activate Siri again and confirm that Siri is now working.

Managing your devices with Workspace ONE UEM empowers your administrators to ensure devices are operating and accessing corporate resources securely without violating user privacy.  Now that you know how to enroll a device and push a profile, consider exploring the other lab topics available in this module to further expand your Workspace ONE UEM knowledge.

This concludes the Introduction to Apple iOS Management module.  

Interested in learning more about VMware End User Computing (EUC) but don't know where to start? Look no further than https://techzone.vmware.com, your fastest path to understanding, evaluating, and deploying VMware End User Computing products!

Tech Zone focuses on providing practical product guidance, curated activity paths, and technical content to take you from zero to hero!  Our mission at Tech Zone is to provide you with the resources you need to keep leveling up your knowledge no matter where you are in your digital workspace journey.

Interested? Check us out at https://techzone.vmware.com!

In this lab module, we will explore some Workspace ONE administration features and concepts available for the macOS platform.  This lab will give you a better understanding of how macOS devices are enrolled, what management options you have available, and how these options can improve and impact the user experience by configuring macOS and publishing applications.

Before you can start the lab, make sure you review the next page to ensure you can successfully complete the lab.

To successfully complete this Hands-On Lab, you'll need to ensure you have the following pre-requisites:

• An Apple device running macOS version 10.14.0 (Mojave) or later.

To begin this lab, you will need to login to the Workspace ONE UEM admin console.

Double-click the Google Chrome shortcut located on the desktop of the virtual machine you are currently connected to.

1. Click the WS1 bookmark folder.
2. Click the WS1 UEM Console link.
3. Enter your Username. This is the email address that you have associated with your VMware Learning Platform (VLP) account that you utilized to take Hands-on Labs.
           Note: Your password for the next step will be VMware1!
4. Click Next.

The password field is displayed.

1. Enter VMware1! in the Password field.
2. Click the Log In button.

NOTE: You may need to wait here for a minute or so while the Hands On Lab contacts the Workspace ONE UEM Hands On Labs server.

You will be presented with the Workspace ONE UEM Terms of Service. Click the Accept button.

NOTE: The following steps are only performed for the initial login to the administration console.

After accepting the Terms of Use, you will be presented with this Security Settings pop-up

The Password Recovery Question is in case you forget your admin password and the Security PIN is to protect certain administrative functionality in the console.  

1. Scroll down to see the Password Recovery Questions and Security PIN sections.
2. Select a question from the Password Recovery Question drop-down (default selected question is ok here).
3. Enter VMware1! in the Password Recovery Answer field.
4. Enter VMware1! in the Confirm Password Recovery Answer field.
5. Enter 1234 in the Security PIN field.
6. Enter 1234 in the Confirm Security PIN field.
7. Click the Save button when finished.

A popup window will appear after you complete your security questions.

Click the 'X' in the upper right corner to close the Workspace ONE UEM Console Highlights window.

The activation flow for Hub Services depends on whether you are a new customer or an existing customer.

New cloud customers who purchased Workspace ONE after January 2019 have Hub Services activated automatically as part of the instance provisioning process. Workspace ONE UEM, Workspace ONE Access, and Hub Services consoles are connected together, and the Hub catalog is enabled for the Intelligent Hub app.

Existing customers can configure Workspace ONE Access tenant URL, tenant admin username and password to activate Hub Services. If you do not have a Workspace ONE Access tenant, you can request one from the Workspace ONE UEM administrator console itself, using the Request a Cloud Tenant button.

For this lab, we have already provided you a Workspace ONE Access tenant which we will use in the next step to active Hub Services.

A temporary Workspace ONE Access tenant has been generated for you to use throughout this lab.  The Workspace ONE Access tenant URL and login details were uploaded to the Content section in the Workspace ONE UEM Console at the start of the lab.

In the Workspace ONE UEM Console:

1. Click Content
2. Expand Content
3. Click List View
4. Find the text file named vIDM Tenant Details for your@email.shown.here.txt and click the checkbox beside it to select the file
5. Click Download

After the file downloads, click the vIDM Tenant Details for your@email.shown.here.txt file from the download bar to open it.

1. Select the Tenant URL text and right-click
2. Click Copy

NOTE: Your tenant name will match your Group ID in the Workspace ONE UEM Console.

1. In the top right corner, click the My Services button
2. Click on Workspace ONE Hub Services

Click Get Started to begin the Hub Services activation process.

1. Right-click in the Tenant URL field and click Paste
2. Ensure that you have entered the URL from the notepad file you downloaded in the earlier step. If the clipboard is blank or carrying some other value, go back and copy the tenant URL from the notepad file you downloaded earlier.
3. Enter Administrator for the username
4. Enter VMware1! for the password
5. Click Test Connection
6. Ensure that the the success message Test Connection Successful! is displayed
7. Click Save to continue

Ensure that the message confirming Hub Services has been successfully activated is displayed. You have now successfully Activated Hub Services for your tenant!

When you activate Hub Services with your Workspace ONE UEM tenant, the unified app catalog available in Hub Services will be used in the Intelligent Hub app on enrolled devices. One additional setting is needed to activate the modern unified app catalog with Hub Services - you will need to disable the legacy catalog for macOS.

In this section, you are going to activate the Hub App Catalog for macOS.

In the Workspace ONE UEM Console

1. Click Groups & Settings
2. Click All Settings

1. Click Apps
2. Click Workspace ONE
3. Click AirWatch Catalog
4. Click General
5. Click Publishing
6. Select Override for Current Setting
7. Select Disabled for Legacy Catalog (macOS)

This will disable the older web clip based Catalog for the macOS platform. Instead, users will receive the new Hub App Catalog which provides an updated app catalog with richer features, but also includes features such as notifications, people search, a custom home page, and more.

1. Scroll down to the bottom
2. Click Save
3. Click the X to close the Settings window

This exercise explores how to modify the macOS device behavior using Profiles.

Profiles are the mechanism by which Workspace ONE UEM manages settings on a macOS device.  macOS profile management is done in two ways: device level and enrollment-user level. You can set appropriate restrictions and apply appropriate settings regardless of the logged-on user. You can also apply settings specific to the logged-on user on the device. 

All profiles are broken down into two basic sections, the General section and the Payload section.

• The General section has information about the Profile, its name and some filters on what device will get it.
• The Payload sections define actions to be taken on the device.

Every Profile must have all required fields in the General section properly filled out and at least one payload configured.

Device Profiles are typically used to control settings that apply system-wide.  Device profiles can include items such as VPN and Wi-Fi configurations, Global HTTP Proxy, Disk Encryption, and/or Directory (LDAP) integration.

In this exercise, you will create a profile that disables various macOS System Preferences from being changed by the end user.

Return to the Workspace ONE UEM administration console in Google Chrome:

1. Click Resources
2. Expand Profiles & Baselines
3. Click Profiles
4. Click Add
5. Click Add Profile

Click macOS.

There are two contexts for Profiles: User and Device. User Profiles will apply the configuration to only the logged in user on the device. Device Profiles will apply the configuration to the entire device.

Click Device Profile.

Configure the device profile as follows:

1. Select the General payload if not already selected
2. Enter macOS Device Restrictions for the profile name
3. Select Auto for the Assignment Type
4. Scroll down to view the Smart Groups field and click in the search box
5. Select the All Devices (your@email.shown.here) group from the list

Each tab on the left is a "Payload". These represent different features or restrictions you can configure on the device with the selected platform and context of the Profile. You may have more than one Payload per Profile, but it is best practice to generally keep one Payload per Profile (excluding the General payload, which is required).

The configurations you have made with create a macOS device context profile that will be automatically assigned and applied to any macOS device that enrolls in your organization group.

1. Click the Restrictions payload
2. Click Configure

Clicking Configure will add the Restrictions payload to the Profile and allow you to determine what restrictions will be applied to the macOS device with this Profile.

1. Click the Preferences tab
2. Enable the Restrict System Preference panes checkbox
3. Select Disable Selected Items
4. Enable the Accessibility checkbox
5. Enable the Desktop & Screen Saver checkbox
6. Click Save & Publish

This will prevent the end users from being able to access or change the Accessibility and Desktop & Screen Saver settings under System Preferences.

1. Normally, a list of devices that would receive this configuration would be displayed here. Since you have not enrolled a macOS device yet, no devices are displayed.
2. Click Publish.

The macOS Device Restrictions profile is now added to the list of Profiles in your organization group. You can see how many Payloads (excluding General) are configured, the assignment type, and assigned groups.  If you need to edit the Profile, you would return to this view in order to make changes.

This Restrictions profile is now published and will be automatically assigned to any macOS device that enrolls in your organization group. You will confirm this Restrictions profile is applying on the device after enrolling a device in a later step.

Sensors allow you to quickly and securely automate data collection from your endpoints with common scripting languages. macOS Sensors supports Bash, Python 3, and Zsh, and Windows Desktops support PowerShell.

This collected data can be used as conditions in the Freestyle Orchestrator feature to take action based on the condition and value of this data. You can learn more about Freestyle Orchestrator in Module 1 - Introduction to Freestyle Orchestrator. You can also use Workspace ONE Intelligence to create reports and dashboards based on your Sensor data.

In this section, you will create a Sensor for macOS which will query the type of processor that is used on the device.

The first time you access the Sensors page, an overview will be presented with a link to the VMware docs articles for macOS Sensors and Windows Desktop Sensors. Refer to these links for additional documentation around Sensors.

1. Click Resources
2. Click Sensors
3. Scroll down to the bottom of the page
4. Click Get Started

1. Click Add
2. Click macOS

1. Enter macos_cpu_arch for the Name
2. Optionally enter Determine x64 (Intel) vs arm (M1) for the description
3. Click Next

This sensor will be used to report if the device's CPU architecture is x64 (using the Intel chip) or arm (using the M1 chip).  

1. Select Zsh for the Language
2. Select System for the Execution Context
3. Select String for the Response Data Type

This Sensor is setup to use the Zsh language and is targeting the System (Device-wide) execution context rather than the Current User context setting which will run against the currently logged in user of the device. The Response Data Type indicates what will be returned from the script: A String (text), Integer (number), Boolean (true/false), or Date Time.

In this case, the Sensor will read the CPU architecture, which will either be "x64" or "M1", so it is returning the value as a String.

1. Click and drag to highlight the below code block, starting from #!/bin/zsh to echo $PROC, and drag and drop it the Code section to paste the necessary sensor code.
2. Click Next.

You can optionally create variables to use with this script, but it is not needed for this use case. Click Save & Assign to proceed.

1. Notice the warning stating that Employee Owned devices will be automatically excluded from Sensor assignments due to privacy reasons, as Sensors can query sensitive details from the device.
2. Click New Assignment.

1. Enter All Devices for the Assignment Name
2. Click the Select Smart Group field
3. Select the All Devices (your@email.shown.here) group
4. Click Next

For ease, you will deploy this sensor to all non-Employee Owned devices that enroll into your organization. In a real deployment, you could target specific Smart Groups that you wish to deploy this Sensor to.

1. Select Periodically for the Triggers
2. Click Save

You can select more than one trigger, so consider what would fit your user case best when creating Sensors in your organization.

1. Your All Devices sensor is now created. If more than one Assignment was created, they would all show up here and you could use the left handlebar to re-arrange the Priority between them as necessary.
2. Click Close to return to the Resources page.

You have now successfully created and assigned a macOS Sensor which will report back if the device's CPU architecture is "x64" (Intel) or "arm" (M1).  Once you enroll a device in later steps, you will view this sensor and confirm the value.

Sensors are powerful options for securely automating data collection for your endpoints. Consider what other use cases you could accomplish with sensors, and check our the macOS Sensors examples in the documentation for ideas.

Administrators can deliver software to macOS using multiple methods.  As a quick reference, VMware recommends using the following methods to deliver software to macOS devices:

• Mac App Store Applications:   VMware recommends delivering any application that may be available on the Mac App Store be delivered as a Volume-Purchased app from Apple Business Manager.   Apps should be assigned via device-based licenses and set to auto-update if the application is not business-critical.
• Non-Store Applications:   As much as possible, 3rd-Party applications which are not available through the app store should be delivered as an Internal Application (leveraging the underlying munki integration).  

Continue to the next step.

In this section, you will download the Workspace ONE Admin Assistant tool and use it to prepare another 3rd-Party application for deployment.

On a macOS device, open Safari or a web browser of your choice.

1. Enter https://evernote.com/download in the URL bar.  Press ENTER.
2. Click Download.

The DMG file for Evernote will download to the Downloads folder.

In the same tab as you downloaded Skitch, paste the link in Safari to download the Workspace ONE Admin Assistant tool and press ENTER on the keyboard:   https://getwsone.com/AdminAssistant/VMwareAirWatchAdminAssistant.dmg

The DMG file will download to the Downloads folder.

On the dock, perform the following:

1. Click the Downloads folder.
2. Click VMwareWorkspaceONEAdminAssistant.dmg.

Double-click the VMware Workspace ONE Admin Assistant.pkg file

Click Continue

1. Review the License Agreement and click Continue
2. Click Agree.

Click Install.

If prompted for administrative credentials, enter the credentials required to install.

1. Enter the username for the device
2. Enter the password for the device
3. Click Install Software

1. Click Close when the installer completes
2. Click Move to Trash to clean up the installer

1. Launch Launchpad
2. Enter Workspace in the search bar
3. Click Workspace ONE Admin Assistant

1. With the Workspace ONE Admin Assistant open, click the Downloads folder on the Dock.
2. Click and Drag the Evernote DMG.
3. Drag and Drop the Evernote DMG onto the Workspace ONE Admin Assistant app file upload section.

The Workspace ONE Admin Assistant Tool begins parsing the file to extract information necessary to deploy the software.

1. Monitor the progress of the parsing.  The result will change to a green checkmark when it is completed, which may take 15 - 30 seconds.
2. In the pop-up window, click Reveal in Finder

In the Finder window:

1. Note the Path of the Output for the Evernote files:  ~/Documents/Workspace ONE Admin Assistant/Evernote-##.##.##
2. Note the output from the Assistant tool as described below:

Evernote-##.##.##.dmg -- The Application has been packaged into a DMG file.   (Note: MPKG and PKG files will not be modified)
Evernote-##.##.##.plist -- A metadata file (referenced as the pkginfo.plist in munki documentation) which contains information used by the munki framework to determine how to install/uninstall the software
Evernote.png -- An icon image extracted from the app used for user-friendly display in the console and Workspace ONE app for macOS

You will now use the provided Workspace ONE Assist dmg and plist files to upload Workspace ONE Assist as a 3rd party macOS application in Workspace ONE UEM.

Return to the the Workspace ONE UEM Administrator Console in the Hands-on Lab interface:

1. Click Resources
2. Expand Apps
3. Click Native
4. Click the Internal tab
5. Click Add
6. Click Application File

The Workspace ONE Assist application and corresponding metadata have been uploaded to Workspace ONE UEM!

1. The Details tab contains the application ID, version, supported device models, and more. This information is gathered from the provided plist metadata. Feel free to review the Details and other tabs as desired but do not make any changes!
2. Click the Images tab.

The Application Assignment determines which users and devices will receive the Workspace ONE Assist and how the app will be delivered. You will create an assignment rule that will publish the application automatically (installs the app without requiring user input) to all devices in your organization.

1. Enter a descriptive name for the assignment, such as All Devices.
2. Click the Assignment Groups section to see a list of available assignment groups.
3. Select All Devices (your@email.shown.here). This will cause the app to be distributed to all eligible devices enrolled in your organization.

1. A list of devices that will receive this app are displayed here. The list is empty because you have not yet enrolled a macOS device.
2. Click Publish.

The Workspace ONE Assist app is now published! Any macOS device enrolled into your organization will now automatically be assigned the Workspace ONE Assist app and it will install without user interaction. When the device is unenrolled, the app will automatically be removed from the device.

You can return to this view (Resources > Native > Internal) and click the Workspace ONE Assist app to make changes to it in the future as needed, such as updating the assignments, adding a new app version, etc.

Continue to the next step.

Administrators can now keep users informed on the device provisioning process after enrollment completes by enabling the post-enrollment onboarding experience in Workspace ONE UEM Intelligent Hub. After enrollment is finished, Intelligent Hub will display a new window which tracks all incoming application installs. Administrators can enable and customize the experience in the Workspace ONE UEM administrator console.

This feature requires Workspace ONE UEM 21.05 or later and and Workspace ONE Intelligent Hub 21.04 or later.

1. Click Groups & Settings
2. Click All Settings

1. Expand Devices & Users
2. Expand General
3. Click Enrollment

1. Click the Optional Prompt tab
2. Select Override for Current Setting to make changes

1. Scroll down to the bottom to find the macOS Settings
2. Select Enabled for the Enable Post-Enrollment Onboarding Experience option, then scroll down.
3. Leave the Welcome Header as the default Hello, {FirstName}, which will greet the user by their first name
4. Update the Welcome Subheader to Welcome to ACME Corp
5. Use the default Body Text or supply your own. Note that there is a 500 character count limit
6. When configuring the fields, you can use the Plus (+) button to see supported Lookup Values for this field.  Lookup values, such as {FirstName}, will retrieve the value at runtime and replace it with the current value, allowing for easy dynamic variable retrieval.
7. Click Save
8. Click Close

The post-enrollment onboarding experience is now enabled and configured. This will provide a better user onboarding experience as users can easily track the progress on applications that are downloading and installing.  

In this exercise, you will download and install the Workspace ONE Intelligent Hub on a macOS device. 

Login to a macOS device as an administrator account.

Open Safari or your preferred web browser.

1. Enter  https://www.getwsone.com in the URL field, then press ENTER.
2. Click Download Hub under the macOS section. The Workspace ONE Intelligent Hub installer begins to download and will save to the downloads folder by default.

If prompted to allow downloads from getwsone.com, click Allow. Otherwise, continue to the next step.

1. Click the Downloads folder in the dock (next to the Trash Bin).
2. Click the VMwareWorkspaceONEIntelligentHub.pkg file to begin the installer.

Click Continue.

1. On the License page, click Continue. 
2. Click Agree (to the license terms).

1. Click Install.  You are now  prompted to enter the computers administrator credentials.
2. Enter the username for the device.
3. Enter the password for the device.
4. Click the Install Software button.

NOTE: The install may take a few minutes, please be patient while the install completes.

1. Click Close when the installer finishes.
2. Click Move to Trash to move the installer to the trash.

In this exercise, you enroll a macOS device into Workspace ONE UEM. Enrollment is the action that brings a device under management and control by Workspace ONE UEM. There are a number of ways to enroll the various platforms (macOS included), but for this exercise we cover a basic enrollment scenario.  

1. When the Hub Notification displays, click Enroll Now to start the enrollment process.
2. Alternatively, you can click the Hub Icon from the top bar and click Enroll Now to start the enrollment process.

1. Enter hol.awmdm.com in the Email or Server Address field
2. Click Next

 Return to the Workspace ONE UEM Console,

1. To find the Group ID, hover your mouse over the Organization Group tab at the top of the screen. Look for the email address you used to log in to the lab portal.
2. Your Group ID is displayed at the bottom of the Organization Group pop up.

NOTE: The Group ID is required when enrolling your device in the following steps.

1. Enter your Group ID. This was documented in the previous steps titled Retrieve Your Group ID.
2. Click Next.

1. Enter testuser for the enrollment username.
2. Enter VMware1! for the password.
3. Click Next.

Click Next to enable device management.

After a few seconds, the Profiles System Preferences page will be displayed and prompt you to install the Workspace Services profile, which enrolls the device into mobile device management (MDM) with Workspace ONE UEM.

1. Click Install for the Workspace Services profile.
2. Click Install when prompted.
3. Enter the username of the device user.
4. Enter the password of the device user.
5. Click Enroll.
6. Click Close on the System Preferences window to close it.

Return to the Workspace ONE Intelligent Hub app and click Done when the installation completes.

When prompted:

1. Click I Understand for the Privacy Policy
2. Click I agree for the Data Sharing Policy

Follow the next steps to verify that the Mac has been successfully enrolled.

In upper-right corner:

1. Note the Workspace ONE icon in the menu bar. Click the icon to view the menu.
2. Note the menu shows your device as Enrolled.

• Agent-based macOS enrollment is streamlined and intuitive.
• Workspace ONE UEM supports a number of enrollment methods for macOS devices: web-based, agent-based, staged (pre-installed agent), enrollment on-behalf, and enrollment using the Apple Device Enrollment Program.
• Agent logs can be collected directly from the Workspace ONE Intelligent Hub.  This eases helpdesk troubleshooting by allowing end-user to quickly send diagnostic information to helpdesk and/or administrative users.

The Workspace ONE Intelligent Hub will now display the onboarding settings that you configured previous in the Workspace ONE UEM administrator console.

1. Confirm that the Header (Hello, {FirstName}), Subheader (Welcome to ACME Corp), and Body Text display your configured message for a personalized onboarding experience.
2. The app installation progress is shown here.
3. All apps that were configured to install on enrollment are shown in the Activity Monitor for easy and clear monitoring.
4. Once the Workspace ONE Assist app finishes installing, click Get Started. Users can click Get Started at any point to continue to the Hub app catalog before everything is completed, but this provides a clear method for monitoring if their device is fully configured or not before they begin using it.

The modern unified app catalog provided by Hub Services is displayed due to the configurations that you made. This enables the following features:

• Favorites
• Apps
• For You (Notifications)
• Support

1. Click the Apps tab. A list of available apps are shown on this page for the user to interact with. This could include virtual apps made available through Horizon in addition to native apps!
2. A list of filters are available based on the apps you have published to help the user find what they need.
3. The Refresh button will reload the app catalog.
4. The Activity Monitor can be viewed to track progress on new app installs that the user or administrator triggers on the device.
5. Apps can be added to your Favorites for easy access. Click the star icon to add Assist as a Favorite App.

If desired, explore the other features in Intelligent Hub before continuing to the next step to verify the other configurations you published to the device.

1. The Favorites tab shows a list of apps that you have marked as a favorite for quick access.
2. The For You tab is a list of notifications sent by your administrators. This rich notifications can be configured in Hub Services. You can learn more about these notifications in the Introduction to Workspace ONE Intelligent Hub and Hub Services module.
3. The Support tab provides a list of devices that are enrolled to your user account, a method for collecting logs, and configurable contact details to reach your administrators.

Continue to the next step when ready.

1. Open Launchpad
2. Search for Assist
3. Click the Assist app that was installed by Workspace ONE UEM
4. After confirming that the app launches, click the Close button to close the app

This confirms that the Workspace ONE Assist app was successfully downloaded and installed on the device.

1. Open System Preferences.
2. Confirm that the Desktop & Screen Saver and Accessibility options are disabled. This confirms that the Restriction Profile you created to block these configurations in System Preferences has successfully applied to the device.

NOTE: If these options are still accessible, you may need to close and re-open System Preferences.

Return to the Workspace ONE UEM administrator console:

1. Click Devices
2. Click List View
3. Click the enrolled macOS device to view the Device Details page

1. Click the Sensors tab
2. Confirm that the macos_cpu_arch sensor that was created is displayed. A Sensor Value of either x86_64 (for Intel chips) or ARM (for M1 chips) will be displayed based on what your device's processor is.

If the Sensor has not processed on the device yet, you can force the Sensor to process by querying the Sensors on the device. You can skip this and proceed to the next step if your Sensor has already executed.

1. Click More Actions
2. Click Sensors
3. Click Refresh periodically and check if the macos_cpu_arch sensor is reporting data after executing

This completes your verification of the configurations you made for your macOS device! In summary, you configured and confirmed the following:

1. The Hub Services unified app catalog and other features were available on the device through the Intelligent Hub app
2. The Restriction profile to block the Desktop & Screen Saver and Accessibility settings in System Preferences was successful
3. The Sensor to detect the device's processor was deployed to the device and accessible from the Workspace ONE UEM administrator console
4. The Workspace ONE Assist app was successfully uploaded and deployed to the device
5. The custom Post-Enrollment Onboarding Experience was available on the device to help the user understanding if the onboarding process had been completed and what assets were included in onboarding

An Enterprise Wipe removes corporate data that was added to the device while leaving personal data intact. This can be used to retire devices from your organization or wipe lost devices to ensure that corporate apps and data are removed.

1. From the toolbar in the device details header, select More Actions.
2. Select Enterprise Wipe under the Management header in the drop-down menu.

1. Scroll down until you see the section to Enter Security PIN.
2. Enter your security PIN 1234 to initiate the Enterprise Wipe. If you provided another PIN at the beginning of the lab, provide that security PIN instead.

1. Click Devices
2. Click List View
3. Scroll to the right to find the Enrollment column for the macOS device
4. Confirm that the Enrollment column shows Unenrolled
5. If the device is not Unenrolled yet, periodically click the Refresh button to check the status

The Enterprise Wipe may take a few minutes to complete. Once completed, the corporate data and apps that were pushed to the device will be removed while leaving the personal data intact.

Once the Enrollment column reports Unenrolled, continue to the next step.

1. Open System Preferences.
2. Confirm that the Desktop & Screen Saver and Accessibility settings are able to be configured again.

This confirms that the Restrictions Profile was removed when the device was unenrolled.

1. Open Launchpad
2. Enter Assist in the search bar
3. Confirm that Workspace ONE Assist is not in the returned list of apps

Since the Workspace ONE Assist app was pushed with the Remove On Unenroll restriction, Workspace ONE Assist will be removed from the device when it is unenrolled.

Interested in learning more about VMware End User Computing (EUC) but don't know where to start? Look no further than https://techzone.vmware.com, your fastest path to understanding, evaluating, and deploying VMware End User Computing products!

Tech Zone focuses on providing practical product guidance, curated activity paths, and technical content to take you from zero to hero!  Our mission at Tech Zone is to provide you with the resources you need to keep leveling up your knowledge no matter where you are in your digital workspace journey.

Interested? Check us out at https://techzone.vmware.com!

Learn the fundamentals of Android Enterprise, including how to enroll an Android device into Workspace ONE UEM and manage enrolled devices by configuring restrictions and pushing apps. Learn how Android Enterprise and Workspace ONE UEM secure your Android devices by using modern device management APIs.

What is Android Enterprise?

Android enterprise debuted with 5.0 Lollipop in 2014 as an optional solution manufacturers could add to their OS images in order to integrate a common set of device management and Enterprise Mobility Management (EMM) APIs. From 6.0 Marshmallow, it was no longer optional and has since been a mandatory component for all Google Mobile Service (GMS) certified manufacturers.

Android Enterprise offers a wide variety of rich features that cover numerous device management scenarios:

• A rich Enterprise Mobility Management (EMM) experience.  This allows device administrators to send configurations, applications, and policies down to any Android Enterprise (AE) device, providing a secure method of managing devices and corporate data no matter where your devices are.
• Work Profile mode for BYOD (Bring Your Own Device) scenarios, which allows for a device to have a separate work container from their personal apps and data.
• Work-Managed mode (previously called device owner), which provides corporations a larger suite of options for securing corporate owned devices that are not intended for personal use.
• Corporately Owned, Single Use (COSU) mode, which provides corporations with a kiosk-like experience.  The Work-Managed device is locked down in a Kiosk-like state, granting access to a few applications or resources instead of the entire underlying device operating system.
• Corporate Owned, Personally Enabled (COPE) joins the Work Profile and Work-Managed modes to provide a fully managed device with personal space.
• Zero-Touch Enrollment for out of the box Android 8.0 and higher devices, providing a streamlined enrollment experience for end users.
• A corporate-managed Managed Google Play portal, allowing administrators to explicitly approve applications to an application store that can be accessed by end users.
• Silent Application Installation without requiring a user provided Google account on the device.
• App Configuration, enabling device administrators to deploy key-value pairs to managed applications to modify the end user experience.
• Mandatory Device Encryption to ensure that your corporate resources are secured and protected on the device.

The above graphic shows the big picture differences between various device management scenarios.

Bring Your Own Device (BYOD):

• Commonly used where employees or end users have their own personal devices that need access to corporate resources.
• To avoid managing the end user's personal data or apps, a Work Profile can be deployed to keep the corporate apps and data separate from their personal apps and data.
• This grants device administrators the ability to securely control access to corporate resources from a personal device without managing the full personal device.

Corporate Owned:

• Commonly used where corporations own devices that are given to employees or end users to fulfill their role or task.
• Work-Managed mode allows for the entire device to be managed and controlled, allowing for a wider range of configurations.
• Work-Managed mode does not provide an un-managed personal space and should only be used for corporate owned devices.

Corporate Owned Single Use (COSU):

• Commonly used where corporations own devices that are used as Kiosks or have Kiosk-like applications running on them.
• Corporate Owned Single Use leverages Work-Managed mode to manage the entire device, but does not grant the end user access to the full underlying device operating system.

Corporate Owned, Personally Enabled (COPE):

• Commonly used where corporations own devices that are given to employees or end users that permits some level of personal usage while still being corporately controlled.
• Corporate Owned, Personally Enabled leverages a Work-Managed personal space for varying amounts of personal usage while employing a Work Profile to control corporate resources, data, and apps.
• This joins the ideas of Work Profile and Work-Managed modes into a single device.

In addition to providing different device management scenarios, there are also multiple ways in which devices can be enrolled into Android Enterprise.

With the Near-Field Communication (NFC) bump method, a NFC programmer app is setup on a designated programmer device.  Subsequent devices are "bumped" into the programmer device to pass the necessary initial policies (such as Wi-Fi, device configurations, etc.) to the bumped device via NFC.

The process will vary slightly in terms of pre-applied settings, what agent is downloaded in order to enroll the device on the relevant platform, etc.  Workspace ONE UEM allows for the additional configuration of a named account to directly enroll the device against.

This method was introduced in Android 6.0 Marshmallow.  When prompted to add or create an account on a freshly wiped (or directly from the box) device, rather than enter in a Google account, the administrator would type in afw#hub and then the device would download the Workspace ONE Intelligent Hub app and begin the enrollment process with the correct configurations.

By tapping on Welcome 6 times when the device boots into the setup Wizard, it will prompt the device to connect to Wi-Fi and start QR enrollment.

In Android 9.0 P, the QR payload is bundled into the system and therefore doesn’t require a download. This offers faster provisioning as the device no longer needs to connect to the internet to download the QR package and the ability to add Wi-Fi credentials to the QR code.

Devices are purchased through authorized resellers, assigned to Workspace ONE UEM and then later, when the end-user first takes the device freshly out of the box, will be ready to enroll as a work-managed device straight away. With Zero-Touch enrollment, administrators can send enrolled and configured devices directly to end-users to authenticate with.

To begin this lab, you will need to login to the Workspace ONE UEM admin console.

Double-click the Google Chrome shortcut located on the desktop of the virtual machine you are currently connected to.

1. Click the WS1 bookmark folder.
2. Click the WS1 UEM Console link.
3. Enter your Username. This is the email address that you have associated with your VMware Learning Platform (VLP) account that you utilized to take Hands-on Labs.
           Note: Your password for the next step will be VMware1!
4. Click Next.

The password field is displayed.

1. Enter VMware1! in the Password field.
2. Click the Log In button.

NOTE: You may need to wait here for a minute or so while the Hands On Lab contacts the Workspace ONE UEM Hands On Labs server.

You will be presented with the Workspace ONE UEM Terms of Service. Click the Accept button.

NOTE: The following steps are only performed for the initial login to the administration console.

After accepting the Terms of Use, you will be presented with this Security Settings pop-up

The Password Recovery Question is in case you forget your admin password and the Security PIN is to protect certain administrative functionality in the console.  

1. Scroll down to see the Password Recovery Questions and Security PIN sections.
2. Select a question from the Password Recovery Question drop-down (default selected question is ok here).
3. Enter VMware1! in the Password Recovery Answer field.
4. Enter VMware1! in the Confirm Password Recovery Answer field.
5. Enter 1234 in the Security PIN field.
6. Enter 1234 in the Confirm Security PIN field.
7. Click the Save button when finished.

A popup window will appear after you complete your security questions.

Click the 'X' in the upper right corner to close the Workspace ONE UEM Console Highlights window.

We will be covering some of the Android basic functionality.

When running on Android 5.0 Lollipop devices, Android Enterprise is built into the operating system with no need for an additional application.

To begin using Android Enterprise inside the Workspace ONE UEM Console, you need to register your enterprise with Google. This creates your Android Enterprise admin account which connects with Workspace ONE UEM to manage your enterprise devices. Users will not be able to use Android Enterprise features from their devices until registered with Workspace ONE UEM. The Android Enterprise setup wizard simplifies the process. To simplify your experience, this initial process has been done for you.   If you are interested in learning more about this process please talk to your Workspace ONE UEM Sales Engineer or Representative.

NOTE: Once a Google Admin Account is bound to Workspace ONE UEM, you cannot reuse this Google Admin for another organization.  Due to this limitation, you would be unable to use the Google Admin Account we have already bound to Workspace ONE UEM for this lab.

NOTE - The following changes have already been configured for you as part of the lab!

1. Click Groups & Settings
2. Click All Settings

NOTE - The following changes have already been configured for you as part of the lab!

1. Click Devices & Users
2. Expand Android
3. Click Android EMM Enterprise
4. Click Register with Google

NOTE - The following changes have already been configured for you as part of the lab!

1. Confirm you are logged into your Google Admin Account that you wish to associate with your Android Enterprise configuration.
   NOTE - Once you register a Google Admin Account to Android Enterprise, you cannot disassociate your Google Admin Account from that Organization.  Ensure the Google Admin Account shown is the account you wish to associate with your Organization!
2. Click Get Started

NOTE - The following changes have already been configured for you as part of the lab!

1. Enter your Organization Name.
2. Check the Google Play Agreement checkbox.
3. Click Confirm.

NOTE - The following changes have already been configured for you as part of the lab!

Click Complete Registration to return to the Workspace ONE UEM Android Enterprise configuration

NOTE - The following changes have already been configured for you as part of the lab!

Back in the Workspace ONE UEM Console,

1. On the Android Enterprise Configuration page, scroll down until you see the Google Admin Console Settings and Google API Settings sections.
2. Under Google Admin Console Settings, note that the account information you provided during the Android Enterprise configuration step is displayed here.
3. Confirm that your Android Enterprise Registration Status is shown as Successful.
4. Note that the Client ID and Google Service Account Email Address have been created and configured for you automatically.  No additional configurations with Android Enterprise or the Google Developers Console are required.

Your Organization Group is now successfully configured with Android Enterprise!

In this section, we will be enrolling your device with Workspace ONE UEM and get it set up with Android Enterprise.

NOTE - The screenshots in this article will differ depending on the make and model of the Android device you are using.

If you do not have the Workspace ONE Intelligent Hub app on your device, you will need to download it the app before continuing.

To install the Workspace ONE Intelligent Hub app, you can open the Google Play Store app and download the free Workspace ONE Intelligent Hub app or navigate to https://www.getwsone.com in your device browser and follow the Get it on Google Play link to the Workspace ONE Intelligent Hub page in the Google Play Store.

Launch the Hub app on the device.  

1. Enter hol.awmdm.com or the Server URL.
2. Tap NEXT.

Tap Allow.

The next step is to make sure you know what your Organization Group ID is.  

1. To find the Group ID, hover your mouse over the Organization Group tab at the top of the screen. Look for the email address you used to log in to the lab portal.
2. Your Group ID is displayed at the bottom of the Organization Group pop up.

1. Enter your Group ID for the Group ID field.  This was noted previously in the Finding your Group ID step.
2. Tap NEXT.

1. Enter testuser for the Username field.
2. Enter VMware1! for the Password field.
3. Tap Continue.

Tap I Understand for the Privacy Policy.

Tap I Agree for the Data Sharing Policy.

Tap Agree.

Tap NEXT.

NOTE - This may take some time, please be patient while the Setup process completes.

If your device is encrypted, you will not see this page and can continue to the next step.

If your device is not encrypted, you will be prompted to encrypt it and must tap ENCRYPT to continue. Encrypting the device can take several minutes or potentially longer depending on the amount of data on the device.

Tap OK to confirm the Privacy Policy.

NOTE - Enrollment time may vary depending on your network connectivity. Typically, it takes around 1 minute to complete.  Please be patient while this process completes.

IMPORTANT - During the enrollment process, you will see several processing screens.  Please note that you do not need to interact with the device further until you see the Workspace ONE Intelligent Hub app confirming your enrollment (next page).

You have now completed enrolling your device using the Workspace ONE Intelligent Hub.  After the enrollment process completes, the Workspace ONE Intelligent Hub app will display the notification Congratulations! You have successfully enrolled your device.

You can now Exit the Workspace ONE Intelligent Hub app.

On your Android device, you should now see the new Work applications. Android Enterprise apps are differentiated by an orange briefcase icon also referred to as Badged Apps.

In the Applications view, your Work apps and Personal apps are shown in a unified launcher.  For example, your device will show both a personal icon for Google Chrome and a separate icon for Work Chrome denoted by the badge. The Workspace ONE Intelligent Hub is badged and exists only within the Work Profile data space.

IMPORTANT - There is no control over personal apps nor will the Hub app have access to personal information. There are a handful of system apps that come with the Work Profile by default such as Work Chrome, Google Play, Google settings, Contacts and Camera.

On some devices, you may also notice the Work container on your device depending on the OS version.  This Work container can be utilized for quick access to your Work (Badged) Apps.

In this section, we are going to create Android Enterprise profiles to modify devices restrictions and to assist in protecting sensitive data. Profiles serve many different purposes, from letting you enforce corporate rules and procedures to tailoring and preparing Android Enterprise capable devices for how they will be used.

IMPORTANT: If your device is enrolled with Android Enterprise, then ONLY Android Enterprise profiles will take effect on the device. Android device profiles will NOT take effect.

Restriction profiles provide a second layer of device data protection by allowing you to specify and control how, when and where your employees use their devices. The Restriction profiles lock down native functionality of Android Enterprise devices and vary based on device enrollment.

In the Workspace ONE UEM Administrator Console,

1. Click Resources
2. Expand the Profiles & Baselines section
3. Click Profiles
4. Click Add
5. Click Add Profile

Click Android

1. Ensure the General payload is selected
2. Enter Android Restrictions for the Name field
3. Click Smart Groups to display the list of available assignments.
4. Select the All Devices (your@email.shown.here) group.

1. Enter Restrictions in the payload search box
2. Click the Restrictions payload
3. Click Configure

Uncheck the Allow Screen Capture checkbox for the Work Profile column.

1. Scroll down to find the Applications section
2. Uncheck the Allow Camera checkbox for the Work Profile column
3. Click Save And Publish

Click Publish.

On your device, notice that after we push the profile your device will no longer have the badged camera application available but your personal side (unbadged) camera will still be available for usage. This confirms the camera restriction that you setup on the Workspace ONE UEM Android profile that was previously created.

1. Search for camera on the device
2. Before the profile takes affect, notice that the Camera work (badged) app exists alongside the personal (unbadged) app
3. After the profile takes affect, notice that the Camera work (badged) app has been removed

NOTE - Due to lab network limitations, it may take a few minutes for the badged Camera application to be removed.  If you still see it on your device, please wait until the application is successfully removed.

1. Search for contacts on the device
2. Open your Personal (non-badged) Contacts app
3. Take a screen shot (Power button and volume down / Power Button + Home Button at the same time for 2 seconds), notice that the screenshot was successful.

NOTE - The shortcut to change screenshot may vary depending on your device model. Please see a lab assistant in case assistance is required.

1. Search for contacts on the device
2. Open your Work (badged) Contacts app
3. Take a screen shot (Power button and volume down / Power Button + Home Button at the same time for 2 seconds), notice that the screenshot was NOT successful.

This shows the screenshot restriction that we applied on the Workspace ONE UEM Android profile created previously.

This section is designed to walk you through the process of approving applications for integration between Workspace ONE UEM and Android Enterprise. Applications that you push through the integration of Workspace ONE UEM and Android Enterprise have the same functionality as their counterparts from the Google Play Store. However, you can use Workspace ONE UEM features to add functionality and security to these applications.

• To add convenience of use, configure the Send Application Configuration option. Application configurations allow you to pre-configure supported key-value pairs and to push them down to devices along with the application. Examples of supported values may include usernames, passwords, and VPN settings. Support values depends upon the application.
• To add secure features, use Workspace ONE UEM profiles for Android Enterprise. Profiles allow you to set passcodes, apply restrictions, and use certificates for authentication.

In the Workspace ONE UEM Administrator Console,

1. Click Resources
2. Expand Apps
3. Click Native
4. Click the Public tab
5. Click Add Application

1. Select Android from the Platform drop-down menu
2. Select Search App Store for the Source
3. Enter Workspace ONE Web in the Name text box
4. Click Next

Click the Web - Workspace ONE app.

1. Notice that the application is already marked as Approved. This is because the Android EMM Registration settings were configured at a parent level organization group and your organization group is inheriting these settings.  Apps only need to be approved once, which has already been done for you.
2. Click Select to proceed.

Continue to the next step, or view the below steps to see the necessary approval steps for a new app.

IMPORTANT: The below steps are purely informative and can be skipped if desired. They are included to show the approval process for new applications.

1. Click Approve for the desired app.
2. Scroll through the list of items the app has access to.
3. Click Approve.
4. Review and select how you would like to handle new app permission requests. This allows you to choose between a manual approval or automatic approval if the app requests new permissions in the future from what we were displayed on the previous screen.  
5. Click Save.

This process would then return the administrator to the first step in this process, allowing them to click Select and continue adding the desired app.

Click Save & Assign.

1. Enter All Devices for the distribution Name
2. Click in the Assignment Groups field
3. Select the All Devices (your@email.shown.here) group

1. Select Auto for the App Delivery Method.
2. Click Create

Click Save.

Click Publish.

Confirm that the Workspace ONE Web app was approved and created and assigned to the All Devices group.

In the previous section, we learned how we can approve and push an Android application from the Workspace ONE UEM Console.  In this section, we will verify that Work apps installed correctly on our enrolled Android device.

Return to your testing Android device and confirm that the Workspace ONE Web application has downloaded and displays as a Work app.

NOTE - Depending on lab network traffic, you may need to wait several minutes for the download to complete.

Using this process, you can rapidly approve new applications and deploy them to your users.

Open your Work Play Store application on your Android device.

NOTE - The screenshot may differ depending on device model and OS.

If you are prompted with the Google Play Terms of Service, tap Accept. Otherwise, continue to the next step.

Tap the Menu button in the top-left corner.

NOTE - The screenshot may differ depending on device model and OS.

Tap My Work Apps from the menu.

NOTE - The screenshot may differ depending on device model and OS.

1. Tap Installed.
2. Confirm that the Workspace ONE Web application is in your list of Work applications.  You may need to scroll down to find the application.

NOTE - The screenshot may differ depending on device model and OS.

The Workspace ONE Web app is listed as a Work app because it was approved as a Work app through the Workspace ONE UEM Console while adding and assigning the application to your users.  This streamlines and rapidly improves the process of approving and deploying Work apps to your Android devices!

You are now going to un-enroll the Android device from Workspace ONE UEM.

NOTE: The term Enterprise Wipe does not mean reset or completely wipe your device. This only removes the MDM Profiles, Policies, and content which the Workspace ONE Intelligent Hub app controls.

NOTE: The Enterprise Wipe will NOT remove the Workspace ONE Intelligent Hub application from the device as this was downloaded manually before Workspace ONE UEM had control of the device.

Enterprise Wipe will remove all the settings and content that were pushed to the device when it was enrolled.  It will not affect anything that was on the device prior to enrollment.

To Enterprise Wipe your device, return to the Workspace ONE UEM Admin Console.

1. Click Devices on the left column
2. Click List View
3. Click the link for the device that you enrolled

1. Click More Actions
2. Click Enterprise Wipe under Management

After selecting Enterprise Wipe, you will be prompted to enter your Security PIN which you set after your logged into the console (1234).

1. Scroll down to the bottom of the Enterprise Wipe prompt.
2. Note the optional field to send a reason to your end user stating why their Work Profile was removed.
3. Enter 1234 for the Security PIN. You will not need to press enter or continue, the console will confirm your PIN showing "Successful" below the Security PIN input field to indicate that an Enterprise Wipe has been requested.  
   NOTE: If 1234 does not work, then you provided a different Security PIN when you first logged into the Workspace ONE UEM Console.  Use the value you specified for your Security PIN.

NOTE: If the Enterprise Wipe does not immediately occur, follow the below steps to force a device sync:

1. On your device, open the Workspace ONE Intelligent Hub application.
2. Tap This Device.
3. Scroll down to the bottom and click Sync Device. This will force the device to check in to Workspace ONE UEM to be notified that it should be unenrolled.  Wait a moment a see if the command is processed, if not, skip to step #4.
4. Tap Enrollment.
5. Tap Unenroll Device. This allows you to process the Unenrollment command from the device manually.

NOTE: Depending upon Internet connectivity of the device and responsiveness of the lab infrastructure, this could take a couple of minutes or more if there is excessive traffic occurring within the Hands On Lab environment.

1. Click Devices
2. Click List View
3. Click the Refresh button on the Device List View screen.
4. Check if the device is showing Unenrolled for the Enrollment status.  If not, continue to refresh the page until the device shows as Unenrolled.

NOTE: Depending on internet connectivity of the device, this could take a couple of minutes.

On the device, notice that the badged apps are removed after the device is unenrolled and any configurations pushed to the device after enrollment has been removed.

This is just a sampling of the functionality you will see with Android Enterprise integrated with Workspace ONE UEM. To learn more about features and functions please contact your VMware End User Computing representative or visit our website at http://www.workspaceone.com/ or the website for Android Enterprise at https://www.android.com/enterprise.

The work profile is designed specifically for personal (BYOD) devices. Using Android in the enterprise, Workspace ONE UEM creates a "Work profile", a container which separates the personal space and the corporate space in a device. Workspace ONE UEM can fully control the work profile but has zero control over the personal profile.

Interested in learning more about VMware End User Computing (EUC) but don't know where to start? Look no further than https://techzone.vmware.com, your fastest path to understanding, evaluating, and deploying VMware End User Computing products!

Tech Zone focuses on providing practical product guidance, curated activity paths, and technical content to take you from zero to hero!  Our mission at Tech Zone is to provide you with the resources you need to keep leveling up your knowledge no matter where you are in your digital workspace journey.

Interested? Check us out at https://techzone.vmware.com!

Workspace ONE Intelligent Hub is VMware's next generation employee engagement application that allows you to securely access, discover, stay connected, and be productive from anywhere. It replaces the legacy Agent application and combines with Hub Services to enhance the identity, application, and enterprise mobility management capabilities offered by Workspace ONE. 

Intelligent Hub integrates a unified app catalog, access control, and application management on iOS, Android, macOS, Windows 10 and via a browser. The prerequisite for many of the Intelligent Hub features is to activate the Hub Services component within Workspace ONE Access. After Hub Services activation, you can customize Intelligent Hub features based on whether your deployment is integrated with Workspace ONE Access or not.

Without integrating with Workspace ONE Access, you can configure a Hub Catalog to allow access to native mobile apps and web apps, create a custom tab, and brand the Workspace ONE Intelligent Hub app to add your company's logo and color profile.

When Workspace ONE Access is integrated with Workspace ONE UEM, you can create a full digital workspace experience for users with additional Hub features, such as People Search and Notifications, and identity-related features, such as authentication and single sign-on.

In this lab, you will configure several of the features within Hub Services and view the result in the browser version of Intelligent Hub.

To begin this lab, you will need to login to the Workspace ONE UEM admin console.

Double-click the Google Chrome shortcut located on the desktop of the virtual machine you are currently connected to.

1. Click the WS1 bookmark folder.
2. Click the WS1 UEM Console link.
3. Enter your Username. This is the email address that you have associated with your VMware Learning Platform (VLP) account that you utilized to take Hands-on Labs.
           Note: Your password for the next step will be VMware1!
4. Click Next.

The password field is displayed.

1. Enter VMware1! in the Password field.
2. Click the Log In button.

NOTE: You may need to wait here for a minute or so while the Hands On Lab contacts the Workspace ONE UEM Hands On Labs server.

You will be presented with the Workspace ONE UEM Terms of Service. Click the Accept button.

NOTE: The following steps are only performed for the initial login to the administration console.

After accepting the Terms of Use, you will be presented with this Security Settings pop-up

The Password Recovery Question is in case you forget your admin password and the Security PIN is to protect certain administrative functionality in the console.  

1. Scroll down to see the Password Recovery Questions and Security PIN sections.
2. Select a question from the Password Recovery Question drop-down (default selected question is ok here).
3. Enter VMware1! in the Password Recovery Answer field.
4. Enter VMware1! in the Confirm Password Recovery Answer field.
5. Enter 1234 in the Security PIN field.
6. Enter 1234 in the Confirm Security PIN field.
7. Click the Save button when finished.

A popup window will appear after you complete your security questions.

Click the 'X' in the upper right corner to close the Workspace ONE UEM Console Highlights window.

Workspace ONE Intelligent Hub end-user services are configured via the Hub Services admin console.  Hub Services is co-located with Workspace ONE Access.  Think of Hub Services as the server-side component and Intelligent Hub as the end-user client.

The following sections will guide you through accessing your Workspace ONE Access tenant, logging in, then accessing the Hub Services admin console.

A temporary Workspace ONE Access tenant has been generated for you to use throughout this lab.  The Workspace ONE Access tenant URL and login details were uploaded to the Content section in the Workspace ONE UEM Console at the start of the lab.

In the Workspace ONE UEM Console:

1. Click Content on the far left
2. Expand Content at the top
3. Click List View
4. Find the text file named vIDM Tenant Details for your@email.shown.here.txt and click the checkbox beside it to select the file
5. Click Download

After the file downloads, click the vIDM Tenant Details for your@email.shown.here.txt file from the download bar to open it.

1. Select the Tenant URL text and right-click
2. Click Copy

NOTE: Your tenant name will match your Group ID in the Workspace ONE UEM Console.

In this section, we login to the Workspace ONE Access admin console and access the Hub Services admin console.

Click the Add Tab button in the browser to open a new tab.

1. Right-click inside the address bar in the new tab.
2. Click Paste and go to the URL.

NOTE: This is the Workspace ONE Access tenant URL you received from the previous steps. If you did not copy or note this information from the previous step, return to those previous steps and note your Workspace ONE Access tenant URL.

1. Enter Administrator for the Username
2. Enter VMware1! for the Password
3. Click Sign In

After logging in, you will see the Intelligent Hub User Portal as pictured above.  You will need to navigate to the Administrator Console.

1. Click the User dropdown circle in the top-right corner.
2. Click Workspace ONE Access Console.

This will open the Administration Console in a separate tab in your browser.

NOTE: If you do not see the above view, you are already in the Administration Console and can skip this step.

If you see a banner about Release Notes details, click OK on the far right to dismiss it.

We will add an example SaaS App to our app catalog to utilize in a later section.

1. Click the Catalog tab (Note: Do not click the down arrow in the Catalog tab. Instead just click Catalog.)
2. Click the NEW button.
3. Type Salesforce into the Search field.
4. Click on Salesforce in the search results.

1. Scroll down
2. Click the NEXT button

1. Keep default settings and click NEXT

1. Keep default access policy and click NEXT

1. Click SAVE & ASSIGN

1. Type administrator into the Users / User Groups search field
2. Click administrator@System Domain in the search results
3. Click SAVE

1. Click back to the second tab in the browser, which is the Intelligent Hub User Portal.
2. Click the Apps tab to view the App Catalog.
3. Click the refresh button in the browser to refresh the catalog. You will now see Salesforce in the App Catalog.

The following section will get you started in the Hub Services admin console and introduce you to Hub Templates.

1. Click the third tab in the browser to return to the Workspace ONE Access admin console.

1. Find the Catalog tab and click the down arrow
2. Click on Hub Configuration

1. Click the LAUNCH button

The 20.08 release of Hub Services had a significant addition to support wider adoption of Hub Services and Intelligent Hub features called Hub Templates.  Before 20.08, any Hub Services configurations for Intelligent Hub were all or nothing - all employees received the same configurations.  This limited the administrator’s ability to roll out features in phases or accommodate different teams or divisions.  Now admins can create one or more templates with unique Hub Services capabilities and assign them to UEM Smart Groups or Workspace ONE Access User Groups to control the Intelligent Hub experience for their employees.  Hub Templates is available with Hub Services 20.08 SaaS release and later and requires UEM 20.08 at minimum and at least the 20.08 version of the Intelligent Hub clients.

For environments that already have Hub Services enabled, after upgrading to 20.08, admins will see the migration wizard. The admin can choose whether to migrate the app catalog settings from the UEM console, or create new global settings.  

1. This screen provides an introduction to Hub Templates. Scroll down to find the Next button.
2. Click the Next button.

1. You can read more about Hub Templates configuration steps. Then click the GOT IT button.

Starting with the 20.08 UEM release, all Intelligent Hub app catalog settings are now in the Hub Services console. For environments with Hub Services already configured, the administrator can choose to migrate app catalog settings from Workspace ONE UEM.

1. Click the Migrate button.

1. Scroll down to find the FINISH button.
2. Click the FINISH button.

Before we can create a template for Intelligent Hub settings, we first need to configure a few of the available features for our end users.

The App Catalog tab allows you to define the layout and capabilities of the Intelligent Hub app catalog that is presented to your users.  We will modify the catalog by adding a promotion for the Salesforce app, highlighting this app in our catalog, and then disable the use of Virtual Apps on mobile devices.

1. Click the App Catalog menu item on the left.
2. You may see a notification to Add a Version indicating we can create different versions of the app catalog for different groups of users. Click DON'T SHOW AGAIN.

1. Click the VERSION: GLOBAL dropdown.
2. Click ADD VERSION.

1. Enter the version name Sales Team and add description App Catalog customized for the Sales Team.
2. Scroll down and look for the ADD SECTION dropdown under the Catalog Layout section.

1. Click ADD SECTION
2. Click Promotions

The Sales Team app catalog will now show a Promotions section at the top, followed by New Apps, Recommended and Category List sections.

1. Click the Promotions section to expand it.
2. Click in the App Name search box. If you have multiple apps, you can type here to limit the shown results.
3. Select the Salesforce result from the list.

This will cause the Salesforce app to be promoted to your end users.  Consider promoting important or heavily used apps you are encouraging your end users to utilize!

1. Scroll down past the Catalog Layout section to find the save button.
2. Click SAVE.

The Custom Tab is a URL that directs users to your company intranet site or to another resource that you want to easily share with your users.

1. Select the Custom Tab menu item on the left.
2. Click the VERSION: GLOBAL dropdown.
3. Click ADD VERSION.

1. Enter the Version Name as Custom Tab for Sales Team
2. Enter the Description as Direct Sales Team to product resources
3. Turn the Web toggle ON so this Custom Tab will show in the browser version of the Intelligent Hub.
4. Enter the URL as https://www.vmware.com
5. Select Last for the Position.

1. Scroll down to find the save button.
2. Click SAVE.

By default, VMware branding is used within the Intelligent Hub. However, you can customize the logo, text color, and background color that appears in the Intelligent Hub app and browser views.

In this section, we will change the Company Logo and the Organization Name in the Branding Settings for the Intelligent Hub.

1. Click on the Branding menu item on the left to customize branding for Intelligent Hub.
2. Click the VERSION: GLOBAL dropdown.
3. Click ADD VERSION.

1. Name the version Branding for Sales Team.
2. Click the Organization Logo UPLOAD link.

From the pop-up window,

1. Expand Documents
2. Expand HOL
3. Click on Hub folder
4. Select WWE_logo.png
5. Click Open

1. Notice that after you updated the Company Logo setting, your Preview pane updated to reflect what your users will see.  
2. The Preview pane allows you to switch between Browser, Desktop, and Mobile views to see how your changes will be reflected on each platform.

Other settings on this page will be reflected here as well for a quick preview before you publish changes to your users.

Continue to the next step.

1. Scroll down to the Web Browser section.
2. Change the Organization Name from VMware to Worldwide Enterprises.

1. Scroll to the bottom of the Branding section.
2. Click SAVE to save the branding configurations.

NOTE: There are other branding options such as background and icon color, but to limit the scope of the lab, we are going to only modify the organization name and company logo for demonstration purposes.  Feel free to make additional configurations on your own if you wish to see them in action later.

The Intelligent Hub notifications framework is a robust, flexible cloud-hosted service designed to generate and serve actionable, real-time notifications to your employees. Users can receive notifications in their Hub portal in a browser and the Intelligent Hub app on their devices.

Let's take a look at the types of notifications available:

1. New Apps Available - A notification to announce that new applications are available in the catalog is automatically generated in Hub Services. Users can select new apps and save them to their device from the notification message.
2. Custom Notification - You can either use templates from the Notification wizard within the Hub Services admin console or use the Notification API to automate notifications. These notifications allow you to send reminders, critical information or call for action on user devices.
3. Notifications via Workspace ONE Experience Workflows - You can integrate 3rd-party business applications with Hub Services, such as approval notifications from Salesforce, Concur or Coupa, directly to the For You tab in Intelligent Hub.

In this section, we will create a Custom Notification using the wizard within the Hub Services admin console.

1. Click the Notifications menu item on the left.
2. Click GET STARTED to continue.

1. Click the NEW button.

1. Select Create Notification.

1. Enter Email Outage for the Name.
2. Select All Employees from the Target Audience Type dropdown.
3. Select High-priority Priority type.
4. Click NEXT.

Notifications can be set to Standard, High-priority or Urgent priority levels.  High-priority notifications will display at the top of the For You tab within Intelligent Hub.  Urgent notifications will display as a pop-up window within Intelligent Hub and must be dismissed by the user.

1. Notifications can either be Informational or Actionable.  Actionable Notifications contain buttons the user must click to accept, reject, approve or otherwise acknowledge the notification or take action.  Informational Notifications simply present some information for the user to read.  Select Informational from the Template dropdown.
2. Enter Email Outage for Title.
3. Enter IT Notification for Subtitle.

1. Scroll down to find the Description field.
2. Enter The IT Department is aware of the issues with email and are currently working to correct. for Description.

1. You are able to view a preview of the notification within the Hub Services console on the right side of the screen as you are changing the content.
2. Click NEXT.

1. Review the notification settings and click CREATE.

Although this is just an example scenario for the purposes of this lab, the Hub Services Notification framework is particularly useful when email and other communication mediums are unavailable.

It will take about 10 - 15 seconds to send the notification.

1. Confirm that you see the status as Success for the Email Outage Notification you created in this section.

1. Click the Templates menu item on the left.
2. If you see the Review anytime popup, click DON'T SHOW AGAIN to dismiss.
3. Click ADD TEMPLATE to create a new Intelligent Hub template for the Sales Team.

1. Enter Sales Team Hub Templete to name the new template.
2. Click App Catalog to expand that section.
3. Select Sales Team from the Layout Version dropdown.  This is the catalog layout version we created earlier in this module.

1. Scroll down to find the Branding Settings.
2. Expand the Branding section.
3. Select the Branding for Sales Team version in the dropdown.
4. Toggle the Custom Tab ON so that it turns green. When turned on, Custom Tab will move to the list of Enabled services and will be removed from the Available services section.

1. Notice the Custom Tab setting moved from Available services to the Enabled section.
2. Click SAVE & ASSIGN.

In the Template Assignment dialog box that pops up:

1. Type all into the Access User Groups search bar.
2. Click ALL USERS search result.
3. Click the SAVE button.

1. We can see the Hub Template for the Sales Team is assigned to ALL USERS.  Priority can be utilized to manage any conflicts for users that exist in more than one user group.

1. Click the second tab in the browser, which is the Intelligent Hub User Portal.
2. Click the For You tab in Intelligent Hub.  Notice the Notification count as 1 on the tab to indicate there is one new notification.
3. Notice the IT Notification we created immediately shows in the Priority section of the For You tab - no browser refresh required.  Click the X in the top right of each notification to dismiss and move the notification to the history.

To view the App Catalog, Branding and Custom Tab changes we made earlier, we need to log out of Intelligent Hub and log back in.

1. Click the User dropdown circle at the top right of the Intelligent Hub.
2. Click Sign out to log out of Intelligent Hub.

1. Click the Go back to login page button.

1. Enter administrator for Username.
2. Enter VMware1! for Password.
3. Click the Sign in button.

1. Notice the Company Name in the browser tab has changed to Worldwide Enterprises.
2. Notice the company logo has changed to the logo we uploaded.
3. Notice the Salesforce app is now promoted at the top of the App Catalog.
4. Click the Home tab and notice a new browser tab opens to the URL we entered earlier.

Congratulations! You have completed the Workspace ONE Intelligent Hub and Hub Services module!  In this module, you learned how to:

• Configure Workspace ONE Hub Services and view customizations within Intelligent Hub
• Add a SaaS app to the Intelligent Hub catalog
• Create different versions of Intelligent Hub settings and assign to a Hub Template
• Customize the Intelligent Hub app catalog layout
• Customize branding for the Workspace ONE Intelligent Hub app
• Create a Custom Tab for Intelligent Hub
• Create and send Custom Notifications to the Intelligent Hub app

Interested in learning more about VMware End User Computing (EUC) but don't know where to start? Look no further than https://techzone.vmware.com, your fastest path to understanding, evaluating, and deploying VMware End User Computing products!

Tech Zone focuses on providing practical product guidance, curated activity paths, and technical content to take you from zero to hero!  Our mission at Tech Zone is to provide you with the resources you need to keep leveling up your knowledge no matter where you are in your digital workspace journey.

Interested? Check us out at https://techzone.vmware.com!

With so much data available to IT admins managing modern, mobile work styles and no single tool to make sense of it, IT is faced with a huge challenge to manage the digital workspace. The lack of unified visibility across devices, applications and users makes it particularly hard to make data-driven decisions. As a result, manual processes become the norm, and IT is cornered into being reactive to employee demands and external events instead of being proactive.

Deep insights empower IT admins to better plan and optimize their app and policy deployments based on network performance, resource entitlement and deployment risk. And with the ability to automate processes, IT admins can proactively increase their level of security hygiene and meet compliance requirements, while improving user experiences.

With the automation engine at the heart of Workspace ONE Intelligence, IT admins can automate workflows across their environments by defining rules that take actions based on a rich set of parameters. This allows IT to create contextual workflows that take automated remediation actions based on security threats, and meet compliance requirements through automated access control. In addition, the Experience Management solution within Intelligence monitors digital employee experience and automated actions can be triggered when a poor experience is detected.  And because Workspace ONE Intelligence provides extensibility with an API layer for third parties, IT admins can build workflows that leverage their unique environment to meet their needs.

With automation, Workspace ONE Intelligence helps IT meet employee experience targets and increase security through automated remediation.

Double-click the Win10-01a.rdp shortcut located on the Main Console Desktop to connect to the Windows 10 virtual machine.

To perform most of the lab, you will log into the Workspace ONE UEM Admin Console.

Double-click the Google Chrome shortcut located on the desktop of the virtual machine you are currently connected to.

The default home page for the browser is https://hol.awmdm.com. Enter your Workspace ONE UEM Admin Account information and click the Login button.

1. Enter your Username. This is the email address that you have associated with your VMware Learning Platform (VLP) account that you utilized to take Hands-on Labs.
2. Click Next, then advance to the next step of the lab manual to enter the password, which will always be VMware1!.

NOTE - If you see a Captcha, please be aware that it is case sensitive!

The password field will be displayed after entering your username.

1. Enter VMware1! for the Password field.
2. Click the Log In button.

NOTE: Due to lab restrictions, you may need to wait here for a minute or so while the Hands On Lab contacts the Workspace ONE UEM Hands On Labs server.

You will be presented with the Workspace ONE UEM Terms of Use. Due to the lab environment the Terms of Use will not display, but this will not affect the lab itself. Click the Accept button.

NOTE: The following steps of logging into the Administration Console will only need to be done during the initial login to the console.

After accepting the Terms of Use, you will be presented with this Security Settings pop-up

The Password Recovery Question is in case you forget your admin password and the Security PIN is to protect certain administrative functionality in the console.  

1. You may need to scroll down to see the Password Recovery Questions and Security PIN sections.
2. Select a question from the Password Recovery Question drop-down (default selected question is ok here).
3. Enter VMware1! in the Password Recovery Answer field.
4. Enter VMware1! in the Confirm Password Recovery Answer field.
5. Enter 1234 in the Security PIN field.
6. Enter 1234 in the Confirm Security PIN field.
7. Click the Save button when finished.

A popup window will appear after you complete your security questions.

Click the 'X' in the upper right corner to close the Workspace ONE UEM Console Highlights window.

The first step to start using Workspace ONE Intelligence is to authorize the data synchronization between Workspace ONE UEM and Intelligence Cloud Service. This is done through the Opt-In Process that needs to be performed by someone with administrator privileges to the Workspace ONE UEM console.

In the Workspace ONE UEM Console:

1. Click Monitor.
2. Click Intelligence.

Click GET STARTED to initiate the Opt-in process

1. Scroll down to find the Opt In checkbox.
2. Enable the Opt In checkbox.
3. Click Next.

This is the final step on the opt-in Process, where you will be providing your information and accept the VMware Cloud Services Terms of Service.

1. Enter your Name.
2. Enter your Email Address.
3. Enter your Title.
4. Enter your Company Name.
5. Enter your Company Address.
6. Click Accept.

After accepting, you will be redirected to the Workspace ONE Intelligence Console.

1. You may see a popup window with product announcements. Click the X in the top right to dismiss the window.

1. Click Dashboards
2. Click Activate 30 Day Trial

1. Enter your First Name.
2. Enter your Last Name.
3. Enter your Email Address.
4. Enter your Job Title.
5. Enter your Company Name.
6. Enter your Company City.
7. Enter your Zip/Postal Code.
8. Enter your Company Country.
9. Enter your Phone Number.
10. Click Accept.

Click Get Started.

You will now enroll the provided Windows 10 virtual machine into Workspace ONE UEM. You will use this Windows 10 virtual machine throughout the lab to see how you can interact with the device in both Workspace ONE UEM and Workspace ONE Intelligence.

1. Click the Services button.
2. Click Workspace ONE UEM.

IMPORTANT: You SHOULD NOT enroll a personal Windows 10 device for the upcoming exercise! Personal devices may be enrolled into other EMM providers which can cause undesired conflicts and issues.

Please follow the upcoming steps to enroll and use the provided Win10-01a virtual machine for this Hands-on Lab.

You will now enroll the Windows 10 device in Workspace ONE UEM by using the Workspace ONE Intelligent Hub app.

NOTE: You do NOT need to complete these steps, the Workspace ONE Intelligent Hub has already been downloaded for you! This step is purely informative.

You can download the latest Workspace ONE Intelligent Hub app for your current platform by following the below steps:

1. Navigate to https://www.getwsone.com in your browser.
2. Click Download Hub for Windows 10.
3. Click Keep when warned about the AirWatchAgent.msi download.

For expediency, the Workspace ONE Intelligent Hub app has already been downloaded for you. Continue to the next step to start the installer.

1. Click the File Explorer icon from the taskbar.
2. Click Documents.
3. Click HOL.
4. Double-click the AirwatchAgent.msi file to start the installer.

NOTE: The installer may take a few seconds to launch, please be patient after clicking the AirwatchAgent.msi file.

Click Run to proceed with the installation.

Leave the default install location and click Next.

NOTE: The Next button may take several seconds to enable while the required additional features are installed.

1. Select I accept the terms of the License Agreement.
2. Click Next.

Click Install to start the installer.

NOTE: The Workspace ONE Intelligent Hub install may take several minutes to complete, do not interrupt the installer!

NOTE: The installer may take several minutes to complete.  Please wait until you see the completed install screen before continuing.

Click Finish to complete the Workspace ONE Intelligent Hub installer.

NOTE: After clicking finish, the Native Enrollment application will launch to guide you through enrolling into Workspace ONE UEM.  It will take 2-3 minutes to launch the Intelligent Hub.

NOTE: The above screen may take 2-3 minutes to display after clicking Finish from the previous step!

1. Enter hol.awmdm.com for the Server Address.
2. Click Next.

The next step is to retrieve your Organization Group ID.

1. To find the Group ID, Go back to the Workspace ONE UEM Administration Console and hover your mouse over the Organization Group tab at the top of the screen. Look for the email address you used to log in to the lab portal.
2. Your Group ID is displayed at the bottom of the Organization Group pop up. Copy this value.

1. Enter Your Group ID in the Group ID field.  If you forgot your Group ID, check the previous steps on how to retrieve it.
2. Click Next.

1. Enter testuser in the Username field.
2. Enter VMware1! in the Password field.
3. Click Sign In.

NOTE: Wait while the server checks your enrollment details. This may take a few minutes.

Click I Agree.

Click Done to end the Enrollment process.  Your Windows 10 device is now successfully enrolled into Workspace ONE UEM!

Back in the Workspace ONE UEM Administration console in your browser,

1. Click the My Services button in the top-right corner.
2. Click Workspace ONE Intelligence.

In this activity, you explore reporting capabilities by creating a report for enrolled devices.

In the Workspace ONE Intelligence Console:

1. Click Reports.
2. A Get Started page is displayed if this is the first time accessing the Reports section. If displayed, click Get Started.

1. Click Add.
2. Click From Template.

To begin creating a report, select the category of data you want to obtain. The available categories include:

• Apps
• Devices
• Platform
• Security
• Integration

Then, use the tags on each category to filter the category's customizable templates to define the content your report collects. For complete control of the report's content, use the Custom Report template to define your own criteria.

Feel free to click on each category to see the templates available to each.

1. Select Devices category.
2. Select Status tag to filter the related templates.
3. Click Start for the Enrolled Devices template. Selecting this template creates a report about enrolled devices that displays data in pre-defined columns

1. Under Filters, click the + icon to add a new filter.
2. Enter platform in the first search field.
3. Select Platform under Devices from the drop-down menu that appears.
4. Select Includes for the Select Operator field.
5. Select Apple, Android, and WinRT from the final drop-down menu.
   NOTE: If you do not see the above options in the drop-down menu, this means you do not have an enrolled device of that type in your organization. You can type each platform name manually and press ENTER after each to add them to the list.

NOTE: The platform list is based on devices available in your environment, so you may not see all three requested platforms on this activity.

Scroll down to the Report Preview section and click Refresh Preview. Observe how your currently enrolled devices automatically populate in the preview.

1. Under Report Preview, click the Edit Columns button.
2. Scroll down to find the Devices section. You can click the arrows next to App Activity, App Feedback and Apps to collapse these sections.
3. Under Available Columns, select the following:
   • Available Device Storage Capacity
   • Available Physical Memory
   • BIOS Version
   • Battery Percent
4. Click Add.

1. Under Selected Columns, select Available Device Storage Capacity, Available Physical Memory, BIOS Version, and Battery Percent. These newly added columns will be at the top of the list. You will need to Shift + Click each column to select multiple columns at once.
2. Click Down four times to re-order the columns. You can also drag and drop the selected items to move the values up and down.
3. Click Save.

In the Report Preview, verify the new columns appear in the report.

NOTE: If column data is empty, it is either because the device samples have not been retrieved yet or the column does not apply to the given device (i.e.: Battery Percent on a Desktop device).

NOTE: The above screenshot is from a demo environment with multiple devices to show an example. Your environment will look different.

1. Click Save in the top right corner to save the report.
2. Confirm that the Enrolled Devices report saved successfully.

After the report saves, it is added to the list of available reports. Click the Report Name (Enrolled Devices) to manage the report.

From this view, you can configure additional management settings:

NOTE: Do not click the following buttons, these details are informational only.

1. Edit allows you to alter the settings you configured when you made the report.
2. Run allows you to manually trigger a data sync.
3. Share allows you to email the report.
4. Save As Template allows you to create a template from this report.
5. Delete allows you to remove the report.

After saving a report, you can use scheduling to automate data collection and collaboration. In this activity, you will schedule the Enrolled Devices report to run on a monthly basis.

1. Click Schedules.
2. Click Add.

1. Enter a Schedule Name. For example, Windows, Apple and Android Enrolled Devices.
2. For Recurrence, select Monthly.
3. For Day of the Month, select 1.
4. For Starts At, change the time to 08:00.
5. For Ends, select a future date such as 06/30/2028. You can click the dropdown arrow by the Year on the popout to change between the currently selected year.
6. Click Schedule.

1. Click Schedules.
2. Confirm that the schedule matches the parameters you defined.

To delete a schedule report:

1. Select the report to be deleted. In this case, select the Windows, Apple and Android Enrolled Devices report you just created.
2. Click Delete.
3. Click Delete on the popup to confirm the action.

After saving a report, you can almost immediately download it as a CSV file. In this activity, you will download the CSV file for the Enrolled Devices report that you created.

To access the report's available downloads, select the Downloads tab.

On the Downloads tab:

1. Scroll down to the reports list.
2. Click the Refresh icon if no reports are displayed to refresh the list.
3. Verify the status displays as Completed.
4. Click Download.
5. Validate that a CSV of the Enrolled Devices report downloads.

1. Click the Dashboards tab.
2. A Getting Started page is shown the first time you access the Dashboards page. If displayed, click Get Started.
3. Click Add to create a new Dashboard.
4. Click Custom Dashboard.

1. Enter a dashboard name, such as My Devices Dashboard
2. Enter an optional description for the dashboard
3. Click Save

Newly created dashboards by default have no information on them. You can add widgets to them and create custom dashboards to meet your business needs.

1. Click Add Widget.
2. Click From Template.

To begin creating a widget, you can select Custom Widget or select one of built-in widgets by selecting the categories and tags. The list of categories will be based on the integrations configured within your Workspace ONE Intelligence tenant and may differ from the image you see in this activity.

The available categories can include:

• Apps
• Devices
• Hub
• Platform
• Product
• Security
• Integration

When you start with Workspace ONE Intelligence for the first time, you will see multiple categories.

Then, use the tag for each category to filter the customizable templates to define the content your widget displays. For complete control of the widget's content, use the Custom Widget template to define your own criteria.

Feel free to click on each category to see the templates available to each.

1. Select the Devices Category.
   NOTE: If the dropdown does not load when clicked, you may need to scroll down before clicking the Devices category or maximize the lab window. The list will not load if there is not enough UI space to draw the drop down on the smaller resolution.
2. Select the Enrollments tag.
3. Click Start for Total Enrollments template.

Under Data Visualization, review the default Total Enrollments template. The initial default settings provide a snapshot of current device enrollment. If you change the settings, the snapshot results change accordingly.

1. Change the name of the widget to Total Enrollments Over Time.

To create a snapshot of total enrollments over time, modify the default Total Enrollments template.

1. Select Historical.
2. For Chart Type, select Line.
3. For Group by, enter Platform and select the first result from the list.
4. Set the Date Range to Last 14 Days.
5. Click Save in the top right corner to save the widget.

Note: The screenshot shown is from a test environment. Your preview is based on your environment, and will differ from the preview you see in the screenshot.

As a supplement to its reporting capabilities, the Workspace ONE Intelligence dashboard displays critical business data in an easy-to-consume visual summary. Within dashboards, the configurable widgets allow you to customize the data that displays.

After configuring the Total Enrollment Over Time widget, you can manage how it displays on your dashboard. In this activity, you will modify your dashboard view by repositioning and expanding the Total Enrollment Over Time widget.

By default, the new widget appears at the bottom of your dashboard. Since this is the first widget on this dashboard, it will be at the top.

1. Click Customize the unlock the dashboard widgets.
2. You can click Total Enrollments Over Time (the chart title) and drag the widget to a new location on your dashboard.
3. You can click and drag the corners of the widget to change the width or height of the Total Enrollments Over Time widget.
4. After you are satisfied with the position and size of the widget, click Save at the top of the Dashboards page.

Click Save to save the dashboard layout.

If you wish to modify the dashboard in the future, you can interact with the following:

1. Add Widget allows you to add additional widgets to the dashboard.
2. Customize allows you to change the layout of the existing widgets on the dashboard.

The Security Risk dashboards in Workspace ONE Intelligence gather reports on numerous device states and quickly identify high-risk devices. In this activity, you will explore the following Security Risk dashboards Workspace ONE Intelligence: Threats Summary, Compromised Devices, Policy Risks, and Vulnerabilities. 

In the Workspace ONE Intelligence console, under Dashboards, click Security Risk.

NOTE: The screenshot was taken from a demo environment, so your view will not match the example above.

1. Select the Policy Risks tab to view the number of passcode-less devices detected in the past 30 days.
   Then, after you understand the scope of the issue, use automation to mitigate the risk. For example, you can create a rule to automatically move a passcode-less device to quarantine, or remove its access to corporate data.
2. Scroll down.

NOTE: The screenshot was taken from a demo environment, so your view will not match the example above.

Scroll down to find Unencrypted Device Events dashboard. This chart shows the total number of unencrypted devices identified on a daily basis by Workspace ONE Intelligence.

1. Point to the data points for additional details about the number of devices per platform.
2. Click View to obtain a detailed list of devices.
3. Click Security Risk: Policy Risks to return.

NOTE: The screenshot was taken from a demo environment, so your view will not match the example above.

Select the Vulnerabilities tab to view the number of vulnerable devices identified in the last 30 days.

Without encryption, confidential information is unprotected, and can easily land in the wrong hands. To mitigate this risk, create policies to enforce device encryption. For example, you can create a policy to block corporate access until the device is encrypted through Workspace ONE UEM.

To take full advantage of Workspace ONE Intelligence, you need to configure at least one Automation Connector to enable Automation Actions in your environment.

Among the multiple available Connectors, the Workspace ONE UEM connector is key, as it enables Intelligence Automation to take actions against your organization's devices, apps, device sensors and OS updates.

In this activity, you will configure the Workspace ONE UEM Connectors to allow API communication between Workspace ONE Intelligence and Workspace ONE UEM.

From the Workspace ONE Intelligence console:

1. Click the Services menu icon.
2. Select Workspace ONE UEM.

In the Workspace ONE UEM Administrator console:

1. Click Groups & Settings.
2. Click All Settings.

1. Click System.
2. Click Advanced.
3. Click API.
4. Click REST API.
5. Click Override to generate the new API Key used to integrate with Workspace ONE Intelligence.
6. For the AirWatchAPI Service, select the full API Key field and right-click.
7. Click Copy to save the API Key for an upcoming step.
8. Click Save.
9. Click Close.

From the Workspace ONE UEM Administrator console:

1. Click the Services menu icon.
2. Select Workspace ONE Intelligence.

1. Click Integrations.
2. Click Workflow Connectors.
3. Click Get Started.

1. If you were taken away from the Integrations tab after clicking Get Started, click the Integrations tab again.
2. Click View for the Workflow Connections card.
3. Click Setup for the Workspace ONE UEM card.

On the Workspace ONE UEM card, click Set Up.

1. Enter the Base URL for the Workspace ONE UEM environment. In this case, https://as350.awmdm.com.
2. Choose Basic Authentication for the Auth Type.
3. Enter the API User Name for the Workspace ONE UEM administrator with access to the REST API Key you copied earlier.  This will be Your VLP E-Mail Address that you used to sign into the Workspace ONE UEM Console.
4. Enter the API User Password VMware1!.
5. Paste the Workspace ONE UEM API Key. This is the AirWatchAPI Service Key that you copied from the Workspace ONE UEM console in the previous activity.
6. Click Authorize.

1. Verify the Workspace ONE UEM card now displays the Status as Authorized and the card action changes to Deauthorize. This indicates integration was successful.
2. Click the ... button.
3. Click View Actions.

As a result, you are now able to define automated flows, which can take over 25+ different actions against your devices, apps, and OS updates. The screenshot shows some of the actions available against devices.

Continue to the next step.

In this activity, you will use the automation capabilities in Workspace ONE Intelligence to tag low battery life devices in Workspace ONE UEM.

From the Workspace ONE Intelligence Console:

1. Click the Services menu.
2. Click Workspace ONE UEM.

In the Workspace ONE UEM console:

1. Click Groups & Settings.
2. Click All Settings.

1. Click Device & Users.
2. Click Advanced.
3. Click Tags.
4. Click Create Tag.

1. Enter Low Battery Health for the Tag Name.
2. Click Save.

1. Hover the mouse over the Low Battery Health tag you just created.
2. The tag URL is displayed on the status bar of the browser—the tag ID is the number at the end of the URL. Manually enter the number into Notepad or copy it somewhere you can reference. This tag ID will be used as part of the automation action in the following steps.
3. Click Close.

Note: In the sample image, the tag ID is 10007 – your ID will differ.

1. Click the My Services button.
2. Click Workspace ONE Intelligence.

In the Workspace ONE Intelligence console:

1. Click the Automations tab.
2. Click Add.
3. Click Custom Workflow.

1. Navigate to Category.
2. Navigate to Workspace ONE UEM.
3. Click Devices.

1. In the Name field, enter Dell Battery Replacement.
2. Under Filter (If), select Dell Battery Health.
3. Select Less Than.
4. Enter 25.

1. In the Action (Then) section, click the + icon to expand the options.
2. Click Workspace ONE UEM.
3. Enter Add tag in the search field.
4. Select the Workspace ONE UEM -> Add Tag to Device result.

1. Leave the Device ID field as ${device_id}
2. Change the Path Variables selection to Search for existing values.
3. Click the Organization Name field and select your organization name from the list. The organization name of your group will match your email address.
4. Click the Tag Name field and select the Low Battery Health tag from the list.
5. Click Test.

1. You will need to select a Device ID to substitute for the dynamic value ${device_id} from the previous step. The single Device ID record correlates to the Windows 10 device you enrolled earlier, click to select it.
   NOTE: The Device ID shown here will differ from your environment.
2. Click Next.

1. Notice that the Device ID and Tag ID values were replaced with the values from your Workspace ONE UEM environment.
   NOTE: The Device ID shown here will differ from your environment.
2. Click Test.

1. Confirm that the Test Results show 200 OK.
2. Click Cancel to exit the automation test.

1. In the bottom right corner, toggle Enable Workflow on.
2. Click Save.

NOTE: This screenshot was taken from a sample environment. Your Filter Results will show 0 because the Dell Battery Health event does not apply to the Windows 10 virtual machine that was enrolled. When deploying the same automation to physical Dell devices, your affected devices would show here.

1. Toggle the One-time Manual Run option to on. This will immediately execute the workflow against the target devices.
2. Click Save & Run.

Confirm that you can see the Dell Battery Replacement automation in the dashboard with a status of Enabled.

After you have created an automation in the Workspace ONE Intelligence console, the configured actions begin to take effect and are recorded in the logs. In this activity, you will use the automation logs to review the automation events for Dell devices that need battery replacement.

NOTE: The screenshot will differ from your environment because the Dell Battery Health event will not trigger for the Windows 10 virtual machine that was enrolled since it is not a physical Dell device. Refer to the screenshot for a sample of how this would appear in a real environment.

In the Automations Dashboard:

1. Click the Dell Battery Replacement workflow.
2. Select Activity.

NOTE: The screenshot will differ from your environment because the Dell Battery Health event will not trigger for the Windows 10 virtual machine that was enrolled since it is not a physical Dell device. Refer to the screenshot for a sample of how this would appear in a real environment.

Depending on the battery health of the device you enrolled, the automation event you configured in this activity may or may not have been triggered. For this reason, the following screenshot is a sample from an unrelated log. It provides an example of multiple actions taken on different services.

In the top-right corner of the Workspace ONE Intelligence Console:

1. Click the My Services button
2. Click the Workspace ONE UEM button

In this section, we are going to un-enroll our Windows 10 VM so that we can use it for other lab modules.

We will use the Enterprise Wipe wipe command to remove all of the managed content that was pushed to the device (such as profiles and apps) by Workspace ONE while not modifying any personal content or data on the device.

Return to the Workspace ONE UEM Administrator Console in Google Chrome,

1. Click on Devices
2. Click on List View
3. Select the check box next to your device friendly name.
4. Click on More Actions
5. Click on Enterprise Wipe

1. You may need to scroll down to find the Security PIN input
2. Enter the Security PIN that you created when you first logged into the Workspace ONE UEM administration console, which was 1234. If you used a different PIN, enter that one instead.
3. Click Delete

NOTE: The Enterprise Wipe may take several minutes to process.

1. Click the Refresh icon periodically to refresh the page to check if the Enterprise Wipe has processed
2. If needed, scroll to the right to find the Enrollment column
3. Notice that the Enrollment status for the device changes to Unenrolled once the Enterprise Wipe command is processed

1. Click on the Windows Icon
2. Click on the gear icon to access Windows 10 Settings

From the Settings Menu, access Accounts

1. Click on Access work or school
2. Validate that you DO NOT see any account connected to Workspace ONE MDM.

NOTE: The CORP AD domain is the local domain in this lab and is not controlled by Workspace ONE UEM Enrollment, so you will see this connection when your device is enrolled or unenrolled.

NOTE: If the Access Work or School page was opened from earlier, you may need to refresh or navigate away from the page and return to see the changes.

1. Click the Connected to Workspace ONE UEM account
2. Click Disconnect
3. Click Yes

Click Close (X) on the Remote Desktop Connection bar at the top of the screen to return to the Main Console to finish making configurations within the Workspace ONE UEM Console.

NOTE: If the Remote Desktop Connection bar is not visible, you may have unpinned it. Hover your mouse of the top of the screen to display the Remote Desktop Connection bar again, then click close.

In this module, you've learned how to:

• Create automated reports that share relevant information to interested parties, and eliminate manual steps for the IT Team.
• Add Widgets to Dashboards that show Total Enrollments over time.
• Predict battery failures and automate replacement tagging for Windows 10 Dell devices.
• Leverage integration with 3rd party services, like ServiceNow, to trigger automated actions.

To learn more about additional use cases where you can leverage Workspace ONE Intelligence, please review the following resources:

• VMware Workspace ONE Digital Employee Experience (DEX) Solution Overview
• Digital Employee Experience Management Whitepaper
• Digital Employee Experience (DEX) Solution Architecture
• Workspace ONE Intelligence and VMware Carbon Black: Automating Device Quarantine - Feature Walk-through
• VMware Workspace ONE Intelligence: Connectors - Feature Walk-through
• Workspace ONE Intelligence: Understanding Risk Analytics - Deep Dive
• How VMware IT Uses Workspace ONE Intelligence - VMware on VMware