Workspace ONE Unified Endpoint Management (UEM) provides several modes to manage devices with varying levels of control for the administrator and privacy for the user. This blog will introduce you to the options and uses for each mode.
Flexible Device Management
An organization’s device deployment can become complex. Some devices might be corporate-owned, some employee-owned. Some users may not be full-time, such as contractors or temp workers, and may report to multiple organizations. And depending on the industry, different levels of security might be required.
Regardless of the type of employee or device, the technology should be transparent and not hinder productivity or the employee experience.
The Workspace ONE platform provides flexibility to support the ever-changing device management needs of an organization as devices and use cases evolve, and the ability to provide a consistent onboarding experience across device makes, models, or employee personas.
Management Mode Terminology
To cover a variety of use cases, Workspace ONE provides four general options for device management.
Figure 1: Device Management Modes in Workspace ONE UEM
UEM managed, or device-level management, requires the user to enroll the device into management to access any work applications or resources. Enrollment involves downloading a management, or MDM, profile to the device and then Workspace ONE UEM utilizes APIs built into the device operating system to manage aspects of the device and to query data. This method provides the most control for the administrator, including full policies and restrictions, attestation and compliance, conditional access to internal resources, and device remediation.
Most of the time UEM Managed is used for corporate-owned devices; however, many organizations in regulated industries require this level of management even for employee-owned devices. Other terms you might hear are “MDM managed”, “fully managed” or “device-level management.” Note that fully MDM managed devices are managed by a single MDM provider only.
The OS partitioned option is provided by the device operating system and is enabled using Workspace ONE UEM, also known as Work Profile for Android or iOS User Enrollment. OS partitioned separates work and personal apps and data to enable administrators to maintain control of the work side of the device, but also provides a private, or personal side. Note that in the Workspace ONE admin console, you will see OS partitioned devices labeled as “UEM Managed” mode, as UEM will be managing only the resources within the partitioned area.
Hub Registered Mode
Hub Registered mode allows users to log into Workspace ONE Intelligent Hub, the employee-facing digital workspace, and access applications without full, device-level management or an MDM profile. In other words, the device is registered with the UEM console, not managed by the UEM console. The admin can only retrieve limited information about the device and therefore registered mode provides privacy for the user and is a great option for BYOD, temp or contract workers and any other situations where a user needs quick access to select corporate resources, but the device does not need to be fully managed.
App Level Management
App Level management utilizes the Workspace ONE productivity apps, such as Workspace ONE Boxer, Workspace ONE Content and Workspace ONE Tunnel, in a stand-alone mode without device-level management or Hub Registered Mode. For example, a doctor or contractor may work with two or more organizations, and it is not practical to constantly enroll and unenroll his or her device. So, if the doctor or contractor needed email access only, using Workspace ONE Boxer alone may suffice. You may also hear MAM, which stands for Mobile Application Management, or standalone mode.
Management Mode Comparison
Let’s review some of the major differences between the different management modes.
Figure 2: Device management mode comparison
Each one of these management modes has various levels of control for the administrator. UEM Managed will have the most options for administrators to configure and secure devices. Hub Registered mode has fewer management options, and therefore the control switches over to the end user. For example, in Registered Mode, the admin cannot push applications to the device, but instead, the user can access the corporate app catalog and download apps as needed. Essentially, any actions are controlled by the end user. Although Hub Registered mode will then have limited access to corporate resources.
All these management modes support jailbreak detection for iOS and device rooting detection for Android. Administrators can also enable for advanced mobile threat security within Intelligent Hub for iOS and Android, deploy to support employees by remotely connecting to their devices to troubleshoot in real-time, highlight items onscreen, record remote sessions for training purposes, and much more.
Note that Workspace ONE UEM supports Registered Mode for Windows 10, iOS, and Android and that the desktop functionality differs from mobile platforms due to the differences in the operating system.
And to clarify app level management, or MAM, the Workspace ONE productivity apps, such as Boxer, Web, Content and Tunnel, can be used in a stand-alone mode without requiring Workspace ONE Intelligent Hub on the device. Policies and restrictions, such as data loss prevention (DLP), can still be configured for the app even though the device is not fully managed. Also note that internally developed apps that include the Workspace ONE SDK still require the Intelligent Hub app to register the device in the UEM console.
And if you are not already familiar, let’s cover Workspace ONE Intelligent Hub in a little more detail.
What is Intelligent Hub?
Workspace ONE Intelligent Hub is the employee-facing digital workspace application which not only contains the agent that makes device management possible, but also includes many other services to improve employee experience, such as a unified app catalog supporting SaaS, native, web and virtual apps, access to links and resources, people search and provides advanced .
To learn more about Intelligent Hub, check out these resources:
How do these management modes look from the admin perspective?
When viewing the list view of devices in the Workspace ONE UEM admin console, you will see either UEM Managed, Hub Registered or App Level. As mentioned earlier, OS Partitioned is still UEM managed, so will have that label in the console.
Figure 3: Device List View in Workspace ONE UEM
The management mode will determine what actions the admin can take on the device and what data can be collected. For example, device compliance status is not available for Hub Registered or App Level management modes.
Then if we look at the device details page for an iPad and compare UEM Managed to Hub Registered mode, we can see several differences.
Figure 4: Device Details Page in Workspace ONE UEM for UEM Managed iPad
Figure 5: Device Details Page in Workspace ONE UEM for iPad in Hub Registered Mode
For example, the action bar in the top right has significantly more options for a device that is UEM Managed. In addition, you can query a fully managed device for compliance status, operating system version, and serial number, which is not collected from a Hub Registered device.
When do I use each management mode?
Even though every organization is unique and there are an unlimited number of scenarios, let’s discuss a few examples.
“I just need email access on my phone.”
Enabling email access on a mobile device is the most common use case when a user is trying to access corporate resources. The quickest method to achieve email access when full device management is not required, is to utilize the App Level management method. All the user needs on their device is Workspace ONE Boxer, and they can register their device and get access to corporate email without downloading any management profiles. Sometimes this is referred to as stand-alone Boxer. The Workspace ONE Productivity apps can be utilized without installing Workspace ONE Intelligent Hub. However, the user would not have access to the app catalog, people search, self-service support resources and other services found within Intelligent Hub.
“Contractors need access to internal web applications.”
A contractor may only need access to an internal web application to do their job. However, we want to maintain user privacy on a BYO device and ensure secure access to internal resources at the same time. There are two options to achieve this.
Option one is to leverage Workspace ONE Web - VMware’s secure mobile web browser for iOS and Android - in App Level management mode, allowing IT to control only the Workspace ONE Web app and related data, and fully configure the app.
DLP, or data loss prevention, policies like passcode, copy/paste, cache control, and bookmark list can be configured and applies only to the Workspace ONE Web app.
This option only requires a single app for the end-user to download simplifying the experience. Although the user would only have access to bookmarked sites in the Workspace ONE Web app.
A better long-term option might be to utilize Workspace ONE Intelligent Hub in Hub Registered mode to provide additional capabilities to any BYO devices. Users can install native apps and launch web apps directly from the unified app catalog. In addition, when Workspace ONE Access is utilized, web applications can be forced to open in Workspace ONE Web instead of the device’s native browser for additional security and network tunneling.
“I need access to corporate Wi-Fi in several offices.”
Access to Wi-Fi from within a corporate office is another common use case and is critical to automate for employees because most Wi-Fi still relies on password authentication, which can lead to support tickets and can impact employee experience.
One option is the use of the AirWatch Cloud Connector integrated with an internal PKI to manage the certificate lifecycle and automate certificate deployment to the device. This will enable certificate-based authentication for Wi-Fi, and several other use cases such as single-sign-on to apps and provide immediate access to corporate resources.
However, the device must be fully managed to achieve certificate authentication for Wi-Fi as this requires interaction with the device certificate store, which is not possible when using Hub Registered mode.
“I want to apply Zero Trust principles to determine access to internal applications, SaaS and VDI.”
Enabling external users not physically on the network to access restricted internal applications is a particularly critical use case today versus before the pandemic when this may not have been a priority for many organizations. Management of user identity is mandatory for this use case since admins must deal with different personas (e.g., full-time employees versus contractors, etc.)
The Workspace ONE platform provides a comprehensive solution for secure application access based on device and user posture that aligns with . Using Workspace ONE Access we can authenticate and authorize the user leveraging an advanced mechanism based on user behavior called Risk Score, in addition to device posture information to only allow devices in compliance to access internal applications. This solution brings together device posture information from UEM with machine learning models in Workspace ONE Intelligence that calculate user risk. The most accurate user risk score and device posture can only be obtained when the device is fully UEM Managed.
Figure 6: Workspace ONE secure access to applications example
Workspace ONE provides a flexible platform to deliver an engaging digital workspace to any device supporting any type of user. Check out these resources to learn more about Workspace ONE.