April 09, 2020

How to Enable Intelligent Hub and Workspace ONE Apps without Full Management

If you are a Workspace ONE UEM administrator, this blog is for you! We walk you through the console settings to enable the use of VMware Workspace ONE Intelligent Hub and Workspace ONE on Android and iOS without requiring full device management (MDM). This blog also describes Adaptive Management for iOS devices. Note that the method to set Management Mode for the Intelligent Hub and Workspace ONE apps differs in the Workspace ONE UEM console. So the key takeaway from this article will be to understand the settings that impact Intelligent Hub versus the settings that impact the Workspace ONE mobile app.

MDM Enrollment vs. Registered Mode vs. Adaptive Management

For most corporate-owned mobile devices, organizations require full device management, or MDM Enrollment, to access corporate apps and resources. But what if a “lighter touch” option is needed for employee-owned devices?

The UEM administrator can allow users to log into the Intelligent Hub or Workspace ONE apps without requiring MDM Enrollment. In other words, the user can access the catalog of corporate applications without installing the iOS MDM management profile on their device. This option is called Registered Mode: the user’s device is registered, but not fully managed.

However, if an iOS user attempts to access a restricted corporate application in the catalog that requires MDM Enrollment, the user is prompted to install the iOS MDM management profile. This is referred to as “Adaptive Management” or “Step-up Enrollment.”

See the Workspace ONE Reference Architecture to learn how to enable Adaptive Management for restricted corporate applications that require MDM enrollment for access.

Note on Adaptive Management: Adaptive Management, or Step-up Enrollment, is only supported on iOS devices. The Android platform does not support Adaptive Management.

Note on Intelligent Hub Catalog: Hub Services and Hub Catalog are prerequisites to enable the embedded app catalog within Intelligent Hub. For more details, see Enable Hub Catalog for Workspace ONE Customers Updating to Hub Services.

Enable Intelligent Hub without Full Management

Figure 1: The VMware Intelligent Hub app for iOS

This section describes how to enable access to Intelligent Hub without MDM Enrollment or installing the iOS MDM management profile. The relevant settings for the Intelligent Hub app are located in the Management Mode section of Enrollment settings.

Note: Most of the functionality within the Workspace ONE app, such as the user’s Favorites application list, is included in the Intelligent Hub app, along with additional capabilities limited to Intelligent Hub. Therefore, many organizations primarily use Intelligent Hub, rather than the Workspace ONE mobile app, to access corporate applications from mobile devices.

  1. From the desired Organization Group within the Workspace ONE UEM console, browse to Groups & Settings > All Settings > Devices & Users > General > Enrollment.
  2. Select the Management Mode tab. Select Override if Inherit is selected.
    Note: These settings only impact the Workspace ONE Intelligent Hub app, formerly called the AirWatch Agent.
  3. Take the following steps:
    1. By default, MDM enrollment is required for all devices accessing the Workspace ONE Intelligent Hub app. Under the Management Mode tab, set iOS and Android to DISABLED to require MDM enrollment for all devices.
    2. To enable ALL devices in the current Organization Group to access Intelligent Hub without MDM Enrollment (also known as Registered Mode):
      1. Set iOS and Android to ENABLED.
      2. Set All iOS devices in this Organization Group to ENABLED.
      3. Set All Android devices in this Organization Group to ENABLED.
    3. Alternatively, the administrator can require MDM Enrollment for some devices and allow other devices to be unmanaged (Registered Mode). To enable a subset of devices to access Intelligent Hub without MDM enrollment:
      1. Set iOS to ENABLED.
      2. Set All iOS devices in this Organization Group to DISABLED.
      3. Start typing the Smart Group name in the iOS Smart Groups field, or select it from the list that appears. Only this Smart Group will be enabled to access Intelligent Hub without MDM enrollment.

Tip: When attempting to log into the Intelligent Hub mobile app without MDM enrollment, the device must be enrolled as Employee Owned. Corporate Owned devices will default to full MDM management. Therefore, be sure to set Prompt for Device Ownership Type to ENABLED under the Optional Prompt tab within Enrollment Settings.


Figure 2: Prompt for Device Ownership Type

Enable Workspace ONE App without Full Management

Figure 3: The VMware Workspace ONE app for iOS

If your users utilize the Workspace ONE app to access corporate applications, the following describes how to enable access to this app without MDM Enrollment or installing the iOS MDM management profile. The relevant settings for the Workspace ONE app are located in the Restrictions section of Enrollment settings.

Note: Most of the functionality within the Workspace ONE app, such as the user’s Favorites application list, is included in the Intelligent Hub app, along with additional capabilities limited to Intelligent Hub. Therefore, many organizations primarily use Intelligent Hub, rather than the Workspace ONE mobile app, to access corporate applications from mobile devices.

  1. From the desired Organization Group within the Workspace ONE UEM console, browse to Groups & Settings > All Settings > Devices & Users > General > Enrollment.
  2. Under the Restrictions tab, scroll down to the Management Requirements for Workspace ONE section. Click Override if Inherit is selected.

    Note: These settings impact the VMware Workspace ONE app only.
  3. Take the following steps:
    1. To require MDM enrollment for ALL devices accessing the Workspace ONE app:
      1. Set Require MDM for Workspace ONE to ENABLED.
      2. Set the Assigned User Group to All Users.
      3. Set iOS and Android to ENABLED.
    2. To enable ALL DEVICES to access the Workspace ONE app without MDM Enrollment, set Require MDM for Workspace ONE to DISABLED. This allows all users to log into the VMware Workspace ONE app without MDM Enrollment or installing the iOS management profile (also known as Registered Mode).
    3. To require MDM Enrollment for a subset of devices:
      1. Set Require MDM for Workspace ONE to ENABLED.
      2. Set the Assigned User Group drop-down to the user group that will be required to enroll to log into the Workspace ONE app.
      3. Set iOS and Android to ENABLED.

        The result: All devices in the “Dark Side” user group will be required to install the MDM management profile to access the Workspace ONE mobile app. However, all other users can log into the Workspace ONE app without MDM Enrollment.

Note: If you hover your mouse over the tooltip next to the Require MDM for Workspace ONE setting, you will see the following text:

Figure 4: Require MDM for Workspace ONE Tooltip

“When enabled, devices that fit the assigned criteria are prompted to enroll immediately upon log in to Workspace ONE. Those devices that do not fit the assigned criteria are allowed to log in with an unmanaged state.”

This tooltip describes the ability to require MDM enrollment (or require the MDM management profile) for SOME users, and other users are allowed to log into the Workspace ONE app without MDM Enrollment (Registered Mode).

“They may come under management later using Adaptive Management.”

This statement indicates that if an iOS user attempts to launch a corporate application that requires MDM Enrollment, the user is prompted to install the iOS MDM management profile.

Tip: When attempting to log into the Workspace ONE app without MDM Enrollment, the device must be enrolled as Employee Owned. Corporate Owned devices will default to full MDM management. Therefore, be sure to set Prompt for Device Ownership Type to ENABLED under the Optional Prompt tab within Enrollment Settings.

Figure 5: Prompt for Device Ownership Type

Summary

The UEM administrator can set the Management Mode for Intelligent Hub and Workspace ONE mobile apps so that MDM Enrollment is either required or not for a user to log into these apps. If MDM Enrollment is not required, the end user can register their device with either app into Registered Mode.

When configuring the Management Mode for the Intelligent Hub or Workspace ONE apps, browse to Groups & Settings > All Settings > Devices & Users > General > Enrollment. Settings under the Management Mode tab only impact the Workspace ONE Intelligent Hub mobile app. Settings under the Restrictions tab, within the Management Requirements for Workspace ONE section, only impact the VMware Workspace ONE mobile app.
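
The rules from both sections, modelled as an added Python example (not VMware code and not part of the original post): it evaluates the Management Mode and Restrictions settings for a device and lists the devices that the two tabs treat differently. All class and field names are assumptions for illustration, and treating a device outside the Require MDM criteria as unmanaged follows the tooltip wording quoted above.

```python
from dataclasses import dataclass, field

# Field names are assumptions made for this sketch, not Workspace ONE UEM API names.
@dataclass
class HubManagementMode:                 # Enrollment > Management Mode tab
    enabled: dict                        # platform -> ENABLED (True) / DISABLED (False)
    all_devices: dict                    # "All <platform> devices in this Organization Group"
    smart_groups: dict = field(default_factory=dict)  # platform -> allowed Smart Groups

@dataclass
class Ws1Restrictions:                   # Enrollment > Restrictions tab
    require_mdm: bool                    # "Require MDM for Workspace ONE"
    assigned_user_group: str = "All Users"
    platforms: tuple = ("ios", "android")

@dataclass
class Device:
    name: str
    platform: str                        # "ios" or "android"
    ownership: str                       # "employee" or "corporate"
    smart_groups: set = field(default_factory=set)
    user_groups: set = field(default_factory=set)

def hub_mode(cfg, dev):
    """'registered' or 'mdm' when the device signs in to Intelligent Hub."""
    # Corporate Owned defaults to full MDM; a DISABLED platform requires MDM.
    if dev.ownership != "employee" or not cfg.enabled.get(dev.platform, False):
        return "mdm"
    if cfg.all_devices.get(dev.platform, False):
        return "registered"
    allowed = set(cfg.smart_groups.get(dev.platform, ()))
    return "registered" if allowed & dev.smart_groups else "mdm"

def ws1_mode(cfg, dev):
    """'registered' or 'mdm' when the device signs in to the Workspace ONE app."""
    if dev.ownership != "employee":
        return "mdm"
    if not cfg.require_mdm:
        return "registered"
    group = cfg.assigned_user_group
    in_group = group == "All Users" or group in dev.user_groups
    return "mdm" if in_group and dev.platform in cfg.platforms else "registered"

def can_step_up(dev, mode):
    """Adaptive Management (step-up enrollment) is only supported on iOS."""
    return mode == "registered" and dev.platform == "ios"

def mismatches(devices, hub_cfg, ws1_cfg):
    """Names of devices that the two tabs treat differently."""
    return [d.name for d in devices if hub_mode(hub_cfg, d) != ws1_mode(ws1_cfg, d)]
```

Running `mismatches` over an export of devices shows where one app demands the MDM profile while the other still admits the same device in Registered Mode.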

 
