Managing Android Devices: VMware Workspace ONE Operational Tutorial

VMware Workspace ONE UEM 9.4 and later

Overview

Introduction

VMware provides this operational tutorial to help you with your VMware Workspace ONE® environment. In this tutorial, you enroll an Android device using the AirWatch identifier, configure and test a restrictions profile, and approve applications for VMware Workspace ONE® UEM (unified endpoint management) and Android Enterprise integration.

Audience

This operational tutorial is intended for IT professionals and Workspace ONE administrators of existing production environments. Familiarity with networking and storage in a virtual environment is assumed, including Active Directory, identity management, and directory services. Knowledge of additional technologies such as VMware Identity Manager™ and VMware Workspace ONE® UEM is also helpful.

Getting Started with Android Management

Introduction

This exercise walks through deploying an Android device in Work Managed Device mode. Work Managed Device mode allows Workspace ONE UEM to control the entire device and enforce an extended range of policy controls, but it restricts the device to corporate use only.

Prerequisites

Before you can perform this exercise, you must meet the following requirements.

  • Workspace ONE UEM version 9.4 or later
  • Open Notepad and enable Word Wrapping

Note: In this exercise, you regenerate your tenant's API key and use it to complete integration with Workspace ONE Intelligence. Then, you preserve the regenerated key by copying and pasting it into Notepad. To facilitate this configuration, open Notepad on your Windows Desktop and enable Word Wrap before you begin this exercise.


This exercise requires specific account information. Gather the required account information, and record it in the following table. The account information provided in the table is based on a test environment. Your account details will differ.

Workspace ONE UEM Account Information
  Server URL    https://<WorkspaceONEUEMHostname>
  User name     administrator
  Password      VMware1!

Google Admin Account Information
  Email         WorkspaceONEadmin@gmail.com

Understanding Android Device Modes

To address a variety of device-ownership use cases, Workspace ONE UEM supports multiple management modes for Android. The easiest way to determine which device mode is the most appropriate for your organization is to evaluate your device-ownership use case.

The following table pairs each device-ownership use case with its coordinating device mode. Review this table, and double-check that the tutorial you are reading will best address your use case.

  Use Case          Device Mode
  BYOD              Work Profile
  Corporate-Owned   Work Managed
  Hybrid            COPE

Each device mode offers a unique device-side user experience. After you have determined which device mode best addresses your use case, it is important to understand the user experience that mode offers. To help you understand their key similarities and differences, the following table outlines some of the primary device-side capabilities of each mode.

  Capability                  Work Profile   Work Managed   COPE
  Entire Device Management    No             Yes            Yes
  Badged Enterprise Apps      Yes            No             Yes
  Dedicated Personal Apps     Yes            No             Yes

Logging In to the Workspace ONE UEM Console

To perform most of the steps in this exercise, you must first log in to the Workspace ONE UEM Console.

1. Launch Chrome Browser


On your desktop, double-click the Google Chrome icon.

3. Authenticate In to the Workspace ONE UEM Console

  1. Enter your Username, for example, administrator.
  2. Click Next. After you click Next, the Password text box is displayed.
  3. Enter your Password, for example, VMware1!
  4. Click Login.

Note: If you see a Captcha, be aware that it is case sensitive.

Registering for Android EMM

After logging into the Workspace ONE UEM console, you register your enterprise with Google. This creates an admin account that connects Google with Workspace ONE UEM.

2. Begin Google Registration

  1. Select Devices & Users.
  2. Expand Android.
  3. Select Android EMM Registration.
  4. Click Register with Google.

3. Provide a Google Admin Account

Provide Google Admin Account
  1. Confirm you are logged in to the Google Admin Account that you want to associate with your Android for Work configuration. For example, enter WorkspaceONEadmin@gmail.com.
  2. Click Get Started.

Note: After you register a Google Admin Account to Android for Work, you cannot disassociate that Google Admin Account from the Organization. Ensure the Google Admin Account shown is the account you want to associate with your Organization.

4. Provide Organization Details

Provide your Organization Details
  1. Enter your Organization Name.
  2. Select the Google Play Agreement.
  3. Click Confirm.

5. Complete Registration


Click Complete Registration to return to the Workspace ONE UEM Android Enterprise configuration.

6. Confirm Integration in the Workspace ONE UEM Console

Return to the Android EMM Registration page in the Workspace ONE UEM Console:

  1. On the Configuration tab, scroll down to the Google Admin Console Settings section. Note that the account information you provided to Google displays here.
  2. Confirm the Android Enterprise Registration Status is shown as Successful.
  3. Note how the Client ID and Google Service Account Email Address have been automatically created and configured.  

Enrolling Android Devices Using AirWatch Identifier

Introduction

Device enrollment establishes communication with the Workspace ONE UEM console and allows devices to access internal resources. To enroll into Workspace ONE UEM, Work Managed devices must use a parent staging process. In this exercise, you enroll an Android Work Managed device using a unique identifier.

The procedures are sequential and build upon one another, so make sure that you complete each procedure in this section before going to the next procedure.

Although this exercise walks through the AirWatch Identifier enrollment flow, there are several additional enrollment options for Work Managed Android devices.

For an overview of the available enrollment flows, see Work Managed Device Enrollment.

Prerequisites

Before you can perform the exercises in this tutorial, you must meet the following requirements.

Caution: Do not factory reset your personal device to complete these exercises.

This exercise requires a user to enroll their device into Workspace ONE UEM. Note the information in the following table. The details provided in this table are based on a test environment. Your user account details will differ.

User Account Information
  User name                   testuser
  Password                    VMware1!
  Workspace ONE Server URL    workspaceoneuemhostname.com

Enrolling an Out-Of-Box Android Device using AirWatch Identifier

In this activity, use AirWatch Identifier enrollment to set up your device in Work Managed Device mode. You need a factory-reset device that is still in its out-of-the-box state.

Note: Screenshots may differ due to differences in device models and operating system versions.

1. Begin Enrollment

Turn on your device from a factory reset state and tap Start.

2. Connect to Wi-Fi

  1. Tap to connect to the appropriate Wi-Fi network based on your location.
  2. After connecting to Wi-Fi, tap Next.

3. Review the Terms and Conditions

Tap Next.

4. Accept the Terms and Conditions

Tap Agree.

5. Enter the AirWatch Identifier

  1. Enter afw#airwatch into the Email or phone text box to download the Workspace ONE UEM Agent.
  2. Tap Next.

6. Review and Configure Google Services

  1. Review and configure the Google Services, then scroll down to the bottom.
  2. Tap Next.

7. Install the Agent

Tap Install.

8. Confirm Agent Special Access and Install

Confirm the special access required by the agent and tap Install.

Configuring Workspace ONE UEM Server Details

After the agent has launched, you can enroll the device. In this activity, configure Workspace ONE UEM authentication details.

1. Select Server Authentication

Select AirWatch MDM Agent Authentication Method

Tap Server Details.

2. Enter Server Details

Attach the AirWatch MDM Agent to the HOL Sandbox
  1. For Server, enter <WorkspaceONEHostname>.com, where <WorkspaceONEHostname> is the host name of the Workspace ONE UEM tenant.
  2. Enter the Group ID you retrieved from the Workspace ONE UEM Console for the Group ID field. See Retrieving the Group ID from Workspace ONE UEM Console.
  3. Tap Continue.

3. Allow Agent to Manage Phone Calls (IF NEEDED)

If prompted, tap Allow when the agent requests permission to make and manage phone calls. Otherwise, continue to the next step.

4. Enter the Agent Credentials

Authenticate the AirWatch MDM Agent
  1. Enter the username. For example, testuser.
  2. Enter the password. For example, VMware1!.
  3. Tap Continue.

Encrypting Android Device

In this activity, continue enrollment and encrypt the device.

1. Encrypt Device

Tap Encrypt.

2. Review Encryption Requirements

Tap Encrypt Device.

3. Confirm and Begin Encryption

  1. When prompted, enable Fast Encryption to reduce the time required to encrypt the device.
  2. Tap Encrypt Device. The device encrypts and restarts.

Completing Enrollment for Android Work Managed Device

After the device restarts, you are ready to complete device enrollment. During the enrollment process, you will see several processing screens. You do not need to interact with the device further until you see the Workspace ONE UEM Agent app confirming your enrollment.

1. Accept Terms and Conditions

Review the Terms and Conditions for Android for Work, and tap Agree.

2. Set Up Android for Work

Tap Set up.

3. Accept Privacy Policy

Administrator Rights
  1. Tap I consent to agree to the administrator rights terms.
  2. Tap OK to confirm the Privacy Policy.

4. Wait for Device Connectivity (IF NEEDED)

It may take several minutes to establish a connection to Google Cloud Messaging. Wait until you see the Connectivity Issue notification change to Connectivity Normal before continuing.

5. Confirm Device Enrollment


You have now completed the Agent configuration wizard. After the enrollment process completes, the agent displays the notification Congratulations! You have successfully enrolled your device.

You can now Exit the agent.

Configuring Android Profiles

Introduction

In this exercise, set up and configure a restrictions profile in Workspace ONE UEM to explore how enterprise profile settings apply on an Android device.

Prerequisites

Before you can complete this exercise, you must successfully enroll an Android device in Work Managed mode.

Understanding Configuration Options for Android Profiles

Profiles are the mechanism by which Workspace ONE UEM manages settings on a device. Every profile is broken down into two basic sections: the General section and the Payload section.

  • The General section defines the profile's name and assignment settings.
  • The Payload sections define actions to be taken on the device.

Every profile must have all required fields in the General section properly filled out and at least one payload configured.

To address multiple device ownership use cases, you can enable Android profile payload settings in Workspace ONE UEM at the Work Profile level and at the Work Managed device level.

  • Work Profile-level configurations apply restrictions and settings only to the device's badged enterprise apps, and do not affect the user's personal apps or settings.
  • Work Managed device-level configurations apply restrictions and settings to the entire device.
  • Corporate Owned Personally-Enabled (COPE) devices use both Work Profile-level and Work Managed device-level configurations.

Configuring a Restriction Profile for an Android Work Managed Device

In this activity, control camera settings by configuring a restrictions profile for a Work Managed Android device in the Workspace ONE UEM console.  

1. Create a New Profile

In the Workspace ONE UEM Console:

  1. Click Add.
  2. Click Profile.

2. Select the Android Platform

Select Android.

3. Configure the General Settings

  1. Select General.
  2. Enter a name for the Android Profile. For example, Android Restriction.
  3. Click Assigned Groups to display the list of available assignments.
  4. Select All Devices.

4. Open the Restrictions Payload

  1. Select the Restrictions payload.
  2. Click Configure.

5. Configure Screen Capture Restrictions

Under Device Functionality:

  1. In the Work Managed Device column, deselect the Allow Screen Capture check box.
  2. Ignore the settings in the Work Profile column — they do not apply on a device in Work Managed mode.

6. Configure Camera Restrictions

  1. Scroll down to the Application section.
  2. In the Work Managed Device column, deselect the Allow Camera check box.
  3. Ignore the settings in the Work Profile column — they do not apply on a device in Work Managed mode.
  4. Click Save & Publish.

7. Publish the Profile

Click Publish.
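The following added example (not Workspace ONE UEM code) shows, at the Android API level, why the Work Profile and Work Managed columns in the Restrictions payload differ and why only the Work Managed column applies to the device enrolled above, which is also the distinction behind the device-mode table in Understanding Android Device Modes: the same two DevicePolicyManager calls reach the entire device only when the calling device policy controller (DPC) is the device owner, and only the work profile when it is a profile owner. It assumes a hypothetical DeviceAdminReceiver subclass named AdminReceiver declared in the app's manifest.

```java
import android.app.admin.DeviceAdminReceiver;
import android.app.admin.DevicePolicyManager;
import android.content.ComponentName;
import android.content.Context;

/** Illustration of restriction scope per device mode; not Workspace ONE UEM code. */
public final class RestrictionScope {

    /** Hypothetical admin receiver; must be declared in AndroidManifest.xml with BIND_DEVICE_ADMIN. */
    public static class AdminReceiver extends DeviceAdminReceiver {}

    /** Effective state after the profile is applied, for logging or a compliance check. */
    public static final class Outcome {
        public final String scope;               // "entire device", "work profile only", "not enforced"
        public final boolean cameraBlocked;
        public final boolean screenCaptureBlocked;

        Outcome(String scope, boolean cameraBlocked, boolean screenCaptureBlocked) {
            this.scope = scope;
            this.cameraBlocked = cameraBlocked;
            this.screenCaptureBlocked = screenCaptureBlocked;
        }
    }

    /** Applies "Allow Camera = off" and "Allow Screen Capture = off" and reports how far they reach. */
    public static Outcome applyRestrictionProfile(Context ctx) {
        DevicePolicyManager dpm =
                (DevicePolicyManager) ctx.getSystemService(Context.DEVICE_POLICY_SERVICE);
        ComponentName admin = new ComponentName(ctx, AdminReceiver.class);
        String pkg = ctx.getPackageName();

        String scope;
        if (dpm.isDeviceOwnerApp(pkg)) {
            // Work Managed: the DPC is device owner, so the policy covers the whole device.
            scope = "entire device";
        } else if (dpm.isProfileOwnerApp(pkg)) {
            // Work Profile: the DPC owns only the managed profile; personal apps are unaffected.
            scope = "work profile only";
        } else {
            // Neither owner role: the calls below would throw SecurityException, so stop here.
            return new Outcome("not enforced", false, false);
        }

        // Standard Android APIs for these two restrictions; the owner role, not the call,
        // decides whether they apply device-wide or to the work profile only.
        dpm.setCameraDisabled(admin, true);
        dpm.setScreenCaptureDisabled(admin, true);

        // Passing null reads the effective state across all admins on the device/profile,
        // which is what a compliance check should look at rather than this admin alone.
        return new Outcome(scope, dpm.getCameraDisabled(null), dpm.getScreenCaptureDisabled(null));
    }
}
```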

Testing Android Work Managed Device Restriction Settings

For Android, the various device modes change the way profile settings apply to devices. After configuring a restriction profile, test the profile settings to see how they applied on your Work Managed Android device.

1. Verify Camera Restrictions

After the restrictions profile pushes to the device, notice that the camera application is not available.

2. Test Screenshot Restrictions in Contacts

Verify the Android for Work Screen Shot Restriction

Open your Contacts app, and try to take a screenshot within the app. Notice that the screenshot is not successful. On certain device models and OS versions, a message may also appear.

Deploying Android Applications

Introduction

After an Android device enrolled in Work Managed Device mode is activated, the end user can access the various applications pre-loaded on the device. Any additional applications can only be approved and added through the Workspace ONE UEM console.

In this section, walk through approving applications for Workspace ONE UEM and Android Enterprise integration. Integrated applications have the same functionality as their Google Play Store counterparts, plus the additional security features that come with Workspace ONE UEM.

Prerequisites

Before you can complete this exercise, you must successfully enroll an Android device in Work Managed mode.

Deploying VMware Workspace ONE Web to an Android Device

The following steps walk through deploying VMware Workspace ONE Web, a public application, to an Android device.

1. Add Public Application


In the Workspace ONE UEM Console:

  1. Select Add.
  2. Select Public Application.

2. Search for Workspace ONE Web

  1. Select Android from the Platform drop-down menu.
  2. Select Search App Store for the Source.
  3. Enter Web in the Name text box.
  4. Click Next.

3. Select the Web - Workspace ONE App

Click the Boxer app.

4. Approve Web - Workspace ONE

If prompted, click Approve.

5. Confirm Approval for Boxer - Workspace ONE

Click Approve again in the Application pop-up window.

Note: Scroll down if you do not see the pop-up window.

6. Save Approval Settings

You may need to scroll down to view the Approval Settings button.

  1. Select Keep approved when app requests new permission.
  2. Click Save.

7. Publish the App

Click Save & Assign.

8. Add Assignment

Click Add Assignment.

9. Configure Assignment

  1. Click in the Selected Assignment Groups search box. From the list of Assignment Groups that appear, select the appropriate group. For example, select All Devices (your@email.shown.here).
  2. Select Auto for the App Delivery Method.
  3. Click Add.

10. Save and Publish Web - Workspace ONE App

Click Save & Publish.

11. Preview Assigned Devices and Publish

Click Publish.

Verifying Workspace ONE Web on an Android Work Managed Device

In the previous exercise, we learned how to approve and push the Workspace ONE Web application from the Workspace ONE UEM Console. This exercise helps you to verify that the application installed correctly on the enrolled Android device.

Note: Screenshots may differ depending on device model and OS.

1. Confirm the Published Workspace ONE Web Application Downloaded

Return to your testing Android device and confirm that the Workspace ONE Web application has downloaded and displays as a Work app.

Using this process, you can rapidly approve new applications and deploy them to your users.

Summary and Additional Resources

Conclusion

This operational tutorial provided basic steps to configure and manage Android devices. 

Procedures included:

  • Enrolling Android devices using the AirWatch identifier
  • Configuring and testing a restrictions profile
  • Approving applications for Workspace ONE UEM and Android Enterprise integration

Terminology Used in This Tutorial

The following terms are used in this tutorial:

application store: A user interface (UI) framework that provides access to a self-service catalog, public examples of which include the Apple App Store, the Google Play Store, and the Microsoft Store.
auto-enrollment: Auto-enrollment simplifies the enrollment process by automatically enrolling registered devices following the Out-of-Box-Experience.
catalog: A user interface (UI) that displays a personalized set of virtual desktops and applications to users and administrators. These resources are available to be launched upon selection.
cloud: A set of securely accessed, network-based services and applications. A cloud can also host data storage. Clouds can be private or public, as well as hybrid, which is both private and public.
device enrollment: The process of installing the mobile device management agent on an authorized device. This allows access to VMware products with application stores, such as VMware Identity Manager.
identity provider (IdP): A mechanism used in a single-sign-on (SSO) framework to automatically give a user access to a resource based on their authentication to a different resource.
mobile device management (MDM) agent: Software installed on an authorized device to monitor, manage, and secure end-user access to enterprise resources.
one-touch login: A mechanism that provides single sign-on (SSO) from an authorized device to enterprise resources.
service provider (SP): A host that offers resources, tools, and applications to users and devices.
virtual desktop: The user interface of a virtual machine that is made available to an end user.
virtual machine: A software-based computer, running an operating system or application environment, that is located in the data center and backed by the resources of a physical computer.

For more information, see the VMware Glossary.

Additional Resources

About the Author

This tutorial was written by:

  • Karim Chelouati, Senior Technical Marketing Manager, End-User-Computing Technical Marketing, VMware

Feedback

The purpose of this tutorial is to assist you. Your feedback is valuable. To comment on this tutorial, contact VMware End-User-Computing Technical Marketing at euc_tech_content_feedback@vmware.com.