Managing Corporate Owned Personally-Enabled Android Devices: VMware Workspace ONE Operational Tutorial

VMware Workspace ONE UEM 1810 and later

Overview

Introduction

VMware provides this operational tutorial to help you with your VMware Workspace ONE® environment. In this tutorial, you deploy corporate owned personally-enabled (COPE) Android devices. First, you register Android EMM (enterprise mobility management) and configure COPE devices. Then, you configure the enrollment QR code and enroll using the QR code. Finally, you configure camera restrictions.

Audience

This operational tutorial is intended for IT professionals and Workspace ONE administrators of existing production environments. Both current and new administrators can benefit from using this tutorial. Familiarity with networking and storage in a virtual environment is assumed, as is familiarity with Active Directory, identity management, and directory services. Knowledge of additional technologies such as VMware Identity Manager™ and VMware Workspace ONE® UEM (unified endpoint management), powered by VMware AirWatch, is also helpful.

Getting Started with COPE Android Management

Introduction

This exercise walks through deploying an Android device in Corporate Owned Personally-Enabled (COPE) mode. Android COPE devices give Workspace ONE UEM control of the entire device, but also dedicate a separate space for personal use.

Prerequisites

Before you can perform this exercise, you must meet the following requirements.

  • Workspace ONE UEM version 1810 or later

This exercise requires specific account information. Gather the required account information, and record it in the following table. The account information provided in the table is based on a test environment. Your account details will differ.

Workspace ONE UEM Account Information
  Server URL:  https://<WorkspaceONEUEMHostname>
  User name:   administrator
  Password:    VMware1!

Google Admin Account Information
  Email:       WorkspaceONEadmin@gmail.com

Understanding Android Device Modes

To address a variety of device-ownership use cases, Workspace ONE UEM supports multiple management modes for Android. The easiest way to determine which device mode is the most appropriate for your organization is to evaluate your device-ownership use case.

The following table pairs each device-ownership use case with its corresponding device mode. Review this table, and double-check that the tutorial you are reading will best address your use case.

  Use Case           Device Mode
  BYOD               Work Profile
  Corporate-Owned    Work Managed
  Hybrid             COPE

Each device mode offers a unique device-side user experience. After you have determined which device mode best addresses your use case, it is important to understand the user experience that mode offers. To help you understand their key similarities and differences, the following table outlines some of the primary device-side capabilities of each mode.

  Capability                  Work Profile   Work Managed   COPE
  Entire Device Management    No             Yes            Yes
  Badged Enterprise Apps      Yes            No             Yes
  Dedicated Personal Apps     Yes            No             Yes

Logging In to the Workspace ONE UEM Console

To perform most of the steps in this exercise, you must first log in to the Workspace ONE UEM Console.

1. Launch Chrome Browser

On your desktop, double-click the Google Chrome icon.

2. Authenticate to the Workspace ONE UEM Console

  1. Enter your Username, for example, administrator.
  2. Click Next. After you click Next, the Password text box is displayed.
  3. Enter your Password, for example, VMware1!
  4. Click Login.

Note: If you see a Captcha, be aware that it is case sensitive.

Registering for Android EMM

After logging in to the Workspace ONE UEM console, you register your enterprise with Google. Registration binds your organization to Workspace ONE UEM and creates the Google service account that the console uses to communicate with managed Google Play.

1. Begin Google Registration

  1. Select Devices & Users.
  2. Expand Android.
  3. Select Android EMM Registration.
  4. Click Register with Google.

2. Provide a Google Admin Account

  1. Confirm you are logged in to the Google Admin Account that you want to associate with your Android for Work (now called Android Enterprise) configuration. For example, WorkspaceONEadmin@gmail.com.
  2. Click Get Started.

Note: After you register a Google Admin Account to Android for Work, you cannot disassociate that account from the Organization. Ensure the Google Admin Account shown is the account you want to associate with your Organization.

3. Provide Organization Details

  1. Enter your Organization Name.
  2. Select the Google Play Agreement.
  3. Click Confirm.

4. Complete Registration

Click Complete Registration to return to the Workspace ONE UEM Android Enterprise configuration.

5. Confirm Integration in the Workspace ONE UEM Console

Return to the Android EMM Registration page in the Workspace ONE UEM Console:

  1. On the Configuration tab, scroll down to the Google Admin Console Settings section. The account information you provided to Google is displayed here.
  2. Confirm that the Android Enterprise Registration Status is shown as Successful.
  3. Note that the Client ID and Google Service Account Email Address have been created and configured automatically.

Enabling Corporate Owned Personally-Enabled Mode

After registering Android for enterprise mobility management with Workspace ONE UEM, you are ready to enable Corporate Owned Personally-Enabled devices.

1. Configure Enrollment Settings

  1. On the Android EMM Registration page, click Enrollment Settings.
  2. Next to Fully-Managed Device Enrollments, select Corporate Owned Personally Enabled.
  3. Click Save.

Enrolling Android COPE Devices

Introduction

Device enrollment establishes communication with the Workspace ONE UEM console and allows devices to access internal resources. In this exercise, generate a QR code in the Workspace ONE UEM console, and use it to enroll your Android COPE device.

Although this exercise walks through QR code enrollment, there are several additional enrollment options for Android COPE devices:

  • AirWatch Relay
  • Unique Identifier
  • Zero Touch

Prerequisites

Before you can perform the activities in this exercise, you must meet the following requirements:

Warning: Do not factory reset your personal device to complete these exercises. QR code enrollment runs from the setup wizard of a device that is new out of the box or has been factory reset, so use a dedicated test device.

This exercise requires a user to enroll their device into Workspace ONE UEM. A staging account is also required to set up enrollment. Because the staging user's credentials are embedded in the enrollment QR code, use a dedicated staging account for enrollment only, not an administrator account. Gather the required account information, and record it in the following table. The account information used in this exercise is based on a test environment. Your account details will differ.

Staging User Account Information
  User name:  staging
  Password:   VMware1!

User Account Information
  User name:  admin
  Password:   VMware1!

Configuring the Enrollment QR Code

Before you can enroll your device, you must generate the enrollment QR Code in the Workspace ONE UEM console.

1. Open the Enrollment Configuration Wizard

On the Enrollment Configuration Wizard page that appears:

  1. Under Platform, click Android.
  2. Under Enrollment, select QR Code.
  3. Click Configure.

2. Configure Wi-Fi Settings

In the enrollment wizard, configure Wi-Fi settings for enrollment:

  1. Set Connect device to Wi-Fi prior to enrollment to Enabled.
  2. Enter your Wi-Fi network name or SSID. For example, VMware Guest.
  3. Enter your Wi-Fi Password. This password is written into the QR code, so use a network intended for enrollment rather than one whose password you would not want every holder of the code to have.
  4. Click Next.

3. Configure Hub Settings

  1. From the Workspace ONE Intelligent Hub drop-down menu, select Use latest Workspace ONE Intelligent Hub.
  2. Click Next.

4. Configure Enrollment Details

  1. Set Configure Organization Group to Enabled.
  2. Select your Organization Group.
  3. Set Login Credentials to Enabled.
  4. Enter a User Name. For example, staging.
  5. Enter your Password.
  6. Click Next.

5. Download the QR Code

On the Summary tab:

  1. Click Download File and save your QR code to a secure, accessible location. The file contains the Wi-Fi password and the staging credentials you entered, so treat it as a credential rather than a public asset.
  2. Click Close.

Enrolling Using the QR Code (Video)

The QR code you generated in the Workspace ONE UEM console contains a payload of key-value pairs with all the information the device needs to enroll, including the Wi-Fi password and the staging credentials you entered in the wizard. In this section, follow along with the steps in the video to enroll your Android COPE device using the QR code you generated.
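The payload behind the QR image is a JSON object of Android provisioning extras, and every value in it is readable by anyone who scans the image. The script below is an added example, not part of this tutorial or of VMware's tooling: it parses a constructed sample payload, lists the secrets the payload embeds, flags a Hub download location that is not HTTPS or lacks the checksum Android requires, and produces a redacted copy that is safe to paste into a ticket. The android.app.extra.PROVISIONING_* key names are the documented Android provisioning extras; the Hub-specific extras keys (serverurl, gid, un, pw), the receiver component name, the host names, and the sample values are assumptions made for the example.

```python
"""Inspect an Android Enterprise provisioning QR payload before handing it out.

Added example, not VMware code. The Android key names are the documented
android.app.extra.PROVISIONING_* extras; the Hub extras bundle keys
(serverurl, gid, un, pw) and the sample values are assumptions.
"""
import copy
import json

# Android provisioning extras (documented Android key names).
KEY_COMPONENT = "android.app.extra.PROVISIONING_DEVICE_ADMIN_COMPONENT_NAME"
KEY_DOWNLOAD = "android.app.extra.PROVISIONING_DEVICE_ADMIN_PACKAGE_DOWNLOAD_LOCATION"
KEY_PKG_CHECKSUM = "android.app.extra.PROVISIONING_DEVICE_ADMIN_PACKAGE_CHECKSUM"
KEY_SIG_CHECKSUM = "android.app.extra.PROVISIONING_DEVICE_ADMIN_SIGNATURE_CHECKSUM"
KEY_WIFI_SSID = "android.app.extra.PROVISIONING_WIFI_SSID"
KEY_WIFI_SECURITY = "android.app.extra.PROVISIONING_WIFI_SECURITY_TYPE"
KEY_WIFI_PASSWORD = "android.app.extra.PROVISIONING_WIFI_PASSWORD"
KEY_EXTRAS = "android.app.extra.PROVISIONING_ADMIN_EXTRAS_BUNDLE"
KEY_SKIP_ENCRYPTION = "android.app.extra.PROVISIONING_SKIP_ENCRYPTION"

# Assumed name of the staging password inside the Hub's extras bundle.
STAGING_PASSWORD_KEY = "pw"

# Constructed sample payload for a test environment (not a real QR export).
# It deliberately carries the weak settings the review below is meant to catch.
SAMPLE_PAYLOAD = json.dumps({
    KEY_COMPONENT: "com.airwatch.androidagent/com.airwatch.agent.DeviceAdministratorReceiver",
    KEY_DOWNLOAD: "http://hub-download.example.invalid/hub.apk",
    KEY_WIFI_SSID: "VMware Guest",
    KEY_WIFI_SECURITY: "WPA",
    KEY_WIFI_PASSWORD: "guest-wifi-secret",
    KEY_SKIP_ENCRYPTION: True,
    KEY_EXTRAS: {
        "serverurl": "https://uem.example.invalid",
        "gid": "staginggroup",
        "un": "staging",
        STAGING_PASSWORD_KEY: "VMware1!",
    },
})


def parse_payload(text):
    """Decode the QR text. A provisioning payload is a JSON object that
    names the device admin receiver; anything else is not a usable code."""
    data = json.loads(text)
    if not isinstance(data, dict):
        raise ValueError("provisioning payload must be a JSON object")
    if not data.get(KEY_COMPONENT):
        raise ValueError("payload does not name a device admin component")
    return data


def review_payload(data):
    """Return sorted finding codes; an empty list means nothing to fix."""
    findings = []
    url = data.get(KEY_DOWNLOAD, "")
    if url and not url.lower().startswith("https://"):
        # The setup wizard fetches the DPC from this URL on a fresh device;
        # a plain-http location can be substituted on the wire.
        findings.append("download-not-https")
    if url and not (data.get(KEY_PKG_CHECKSUM) or data.get(KEY_SIG_CHECKSUM)):
        # Android requires one of the two checksums when a download
        # location is given; without it the downloaded DPC is rejected.
        findings.append("download-without-checksum")
    if data.get(KEY_SKIP_ENCRYPTION):
        findings.append("encryption-skipped")
    if data.get(KEY_WIFI_PASSWORD):
        findings.append("wifi-password-embedded")
    extras = data.get(KEY_EXTRAS) or {}
    if isinstance(extras, dict) and extras.get(STAGING_PASSWORD_KEY):
        findings.append("staging-password-embedded")
    return sorted(findings)


def redact_secrets(data):
    """Return a copy safe to paste into a ticket or wiki: the Wi-Fi and
    staging passwords are replaced, everything else is left intact."""
    safe = copy.deepcopy(data)
    if safe.get(KEY_WIFI_PASSWORD):
        safe[KEY_WIFI_PASSWORD] = "<redacted>"
    extras = safe.get(KEY_EXTRAS)
    if isinstance(extras, dict) and extras.get(STAGING_PASSWORD_KEY):
        extras[STAGING_PASSWORD_KEY] = "<redacted>"
    return safe


if __name__ == "__main__":
    payload = parse_payload(SAMPLE_PAYLOAD)
    for code in review_payload(payload):
        print("finding:", code)
    print(json.dumps(redact_secrets(payload), indent=2))
```

Run it against the text decoded from a real QR image (any QR reader will give you the JSON) before the code is distributed; the two "embedded" findings are inherent to QR enrollment and are the reason the downloaded file needs the same handling as the staging password itself.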

Configuring Android COPE Profiles

Introduction

In this exercise, set up and configure a restrictions profile in Workspace ONE UEM to explore how enterprise profile settings apply on an Android COPE device.

Prerequisites

Before you can complete this exercise, you must successfully enroll an Android device in COPE mode.

Understanding Configuration Options for Android Profiles

Profiles are the mechanism by which Workspace ONE UEM manages settings on a device. All profiles are broken down into two basic sections: the General section and the Payload section.

  • The General section defines the profile's name and assignment settings.
  • The Payload sections define actions to be taken on the device.

Every profile must have all required fields in the General section properly filled out and at least one payload configured.

To address multiple device-ownership use cases, you can enable Android profile payload settings in Workspace ONE UEM at the Work Profile level and at the Work Managed device level.

  • Work Profile-level configurations apply restrictions and settings only to the device's badged enterprise apps, and do not affect the user's personal apps or settings.
  • Work Managed device-level configurations apply restrictions and settings to the entire device.
  • Corporate Owned Personally-Enabled devices use both Work Profile-level and Work Managed device-level configurations: the Work Profile column governs the badged work side, and the Work Managed Device column governs the rest of the device.

Configuring Restriction Profiles

In this exercise, control camera settings by configuring a restrictions profile in the Workspace ONE UEM console.

1. Create a New Profile

In the Workspace ONE UEM Console:

  1. Click Add.
  2. Click Profile.

2. Select the Android Platform

Select Android.

3. Configure the General Settings

  1. Select General.
  2. Enter a name for the Android Profile. For example, Android Restriction.
  3. Click Assigned Groups to display the list of available assignments.
  4. Select All Devices.

4. Open the Restrictions Payload

  1. Select the Restrictions payload.
  2. Click Configure.

5. Configure Screen Capture Restrictions

Under Device Functionality:

  1. In the Work Managed Device column, select the Allow Screen Capture check box.
  2. In the Work Profile column, deselect the Allow Screen Capture check box.

6. Configure Camera Restrictions

  1. Scroll down to the Application section.
  2. In the Work Managed Device column, select the Allow Camera check box.
  3. In the Work Profile column, deselect the Allow Camera check box.
  4. Click Save & Publish.

7. Publish the Profile

Click Publish.

Testing Android Restriction Settings

For Android, the device mode changes the way profile settings apply to a device. After configuring a restriction profile, test the profile settings to see how they apply on the Android device.

1. Verify Camera Restrictions

After the restrictions profile pushes to the device:

  1. Notice that a badged enterprise version of the camera application is not available.
  2. Notice that the unbadged personal camera remains available.

2. Test Screenshot Restrictions in Personal Contacts

Open your non-badged Contacts app, and try to take a screenshot within the app. Notice that the screenshot is successful, because the Work Managed Device column left screen capture allowed for the personal side of the device.

3. Test Screenshot Restriction in Enterprise Contacts

Open the badged Contacts app, and try to take a screenshot within the app. Notice that the screenshot is unsuccessful, because screen capture was disallowed in the Work Profile column. On certain device models and OS versions, a message may also appear.

Deploying Applications to Android COPE Devices

Introduction

In this exercise, you deploy VMware Workspace ONE Web, a public application, to your Android device. Public applications pushed from the Workspace ONE UEM console have the same functionality as their Google Play Store counterparts. However, pushing apps from the Workspace ONE UEM console allows you to enable additional functionality and security features for these applications.

Prerequisites

Before you can complete this exercise, you must successfully enroll an Android device in COPE mode.

Deploying VMware Workspace ONE Web to an Android Device

The following steps walk through deploying VMware Workspace ONE Web, a public application, to an Android device.

1. Add Public Application


In the Workspace ONE UEM Console:

  1. Select Add.
  2. Select Public Application.

2. Search for Workspace ONE Web

  1. Select Android from the Platform drop-down menu.
  2. Select Search App Store for the Source.
  3. Enter Web in the Name text box.
  4. Click Next.

3. Select the Web - Workspace ONE App

Click the Web - Workspace ONE app.

4. Approve Web - Workspace ONE

If prompted, click Approve.

5. Confirm Approval for Web - Workspace ONE

Click Approve again in the Application pop-up window.

Note: Scroll down if you do not see the pop-up window.

6. Save Approval Settings

You may need to scroll down to view the Approval Settings button.

  1. Select Keep approved when app requests new permission.
  2. Click Save.

Note: With this setting, an app update that requests additional permissions stays approved and continues to deploy without review. For production, consider the alternative setting that revokes approval when the app requests new permissions, so that a change to the app's permission set is reviewed before the app is pushed again.

7. Publish the App

Click Save & Assign.

8. Add Assignment

Click Add Assignment.

9. Configure Assignment

  1. Click in the Selected Assignment Groups search box. From the list of Assignment Groups that appear, select the appropriate group. For example, select All Devices (your@email.shown.here).
  2. Select Auto for the App Delivery Method.
  3. Click Add.

10. Save and Publish Web - Workspace ONE App

Click Save & Publish.

11. Preview Assigned Devices and Publish

Click Publish.

Verifying Workspace ONE Web on an Android Device

After using the Workspace ONE UEM console to push Workspace ONE Web to your Android device, verify the Work app installed correctly on your device.

Note: Screenshots may differ depending on device model and OS.

1. Confirm the Published Workspace ONE Web Application Downloaded

Return to your testing Android device and confirm that the Workspace ONE Web application has downloaded and displays as a Work app.

Using this process, you can rapidly approve new applications and deploy them to your users.

2. Open the Badged Android for Work Play Store App


Open your Work Play Store application on your Android device.

3. Accept Google Play Terms of Service (IF NEEDED)

If you are prompted with the Google Play Terms of Service, tap Accept. Otherwise, continue to the next step.

4. Open Play Store Menu


Tap the Menu button in the upper-left corner.

5. View Play Store Work Apps


Tap My Work Apps from the menu.

6. Verify Workspace ONE Web Is Available As A Work App

  1. Tap Installed.
  2. Confirm that the Workspace ONE Web application is in your list of Work applications. You may need to scroll down to find the application.

The Workspace ONE Web app is listed as a Work app because it was approved as a Work app through the Workspace ONE UEM Console while you added and assigned the application to your users. This streamlines the process of approving and deploying Work apps to your Android devices.

Summary and Additional Resources

Conclusion

This operational tutorial provided steps to deploy corporate owned personally-enabled Android devices.

Procedures included: 

  • Registering Android EMM
  • Configuring Corporate Owned Personally-Enabled Devices
  • Configuring the Enrollment QR Code
  • Enrolling Using the QR Code
  • Configuring Camera Restrictions

Terminology Used in This Tutorial

The following terms are used in this tutorial:

application store: A user interface (UI) framework that provides access to a self-service catalog, public examples of which include the Apple App Store, the Google Play Store, and the Microsoft Store.
auto-enrollment: Simplifies the enrollment process by automatically enrolling registered devices following the Out-of-Box Experience.
catalog: A user interface (UI) that displays a personalized set of virtual desktops and applications to users and administrators. These resources are available to be launched upon selection.
cloud: A set of securely accessed, network-based services and applications. A cloud can also host data storage. Clouds can be private or public, as well as hybrid, which is both private and public.
device enrollment: The process of installing the mobile device management agent on an authorized device. This allows access to VMware products with application stores, such as VMware Identity Manager.
identity provider (IdP): A mechanism used in a single sign-on (SSO) framework to automatically give a user access to a resource based on their authentication to a different resource.
mobile device management (MDM) agent: Software installed on an authorized device to monitor, manage, and secure end-user access to enterprise resources.
one-touch login: A mechanism that provides single sign-on (SSO) from an authorized device to enterprise resources.
service provider (SP): A host that offers resources, tools, and applications to users and devices.
virtual desktop: The user interface of a virtual machine that is made available to an end user.
virtual machine: A software-based computer, running an operating system or application environment, that is located in the data center and backed by the resources of a physical computer.

For more information, see the VMware Glossary.

Additional Resources

About the Authors

This exercise was written by:

  • Karim Chelouati, Senior Technical Marketing Manager, End-User-Computing Technical Marketing, VMware
  • Hannah Jernigan, Technical Marketing Manager, End-User-Computing Technical Marketing, VMware

Feedback

The purpose of this tutorial is to assist you. Your feedback is valuable. To comment on this tutorial, contact VMware End-User-Computing Technical Marketing at euc_tech_content_feedback@vmware.com.