Managing Bring-Your-Own Android Devices

Managing Bring-Your-Own Android Devices


This exercise focuses on Android Work Profile configurations which are ideal for BYOD scenarios. Work Profile mode separates the personal space and the corporate space in a device. This allows organizations to manage business data and applications without accessing the user's personal data and apps. To help distinguish personal and corporate apps, a red briefcase displays with corporate apps.


Before you can perform the procedures in this exercise, you must complete the following tutorials:

This exercise requires a user to enroll their device into Workspace ONE UEM. Note the user account information in the following table. The details provided in this table are based on a test environment. Your user account details will differ.

User Account Information

User name
Password VMware1!

You must also satisfy the following requirements:

  • Android device running version 5.0 or later

Logging In to the Workspace ONE UEM Console

To perform most of the steps in this exercise, you must first log in to the Workspace ONE UEM Console.

1. Launch Chrome Browser

Launch Chrome Browser

On your desktop, double-click the Google Chrome icon.

3. Authenticate In to the Workspace ONE UEM Console

  1. Enter your Username. This is the name provided in the activation email.
  2. Click Next. After you click Next, the Password text box is displayed.
  1. Enter your Password. This is the password provided in the activation email.
  2. Click the Login button.

Note: If you see a Captcha, be aware that it is case sensitive.

Enrolling an Android BYOD Device

In this section, enroll your device in Workspace ONE UEM and set it up in Work Profile mode.

Note: Screenshots may differ due to differences in device models and operating system versions.

1. Download the Workspace ONE Intelligent Hub

Navigate to to download the latest version of Workspace ONE Intelligent Hub (formerly the AirWatch Agent).

2. Launch the Workspace ONE Intelligent Hub

Launching the AirWatch MDM Agent

Launch the Hub app on the device.  

3. Enter the Server URL

  1. Enter the Server URL for your Workspace ONE UEM environment.
  2. Click Next.

Click the Server Details button.

4. Enter the Group ID for Workspace ONE Intelligent Hub

Return to the Workspace ONE Intelligent Hub application on your Android device,

  1. Enter your Group ID for your Organization Group for the Group ID text box. See Retrieving the Group ID from Workspace ONE UEM Console.
  2. Tap the Next button.

5. Enter User Credentials

Authenticate the AirWatch MDM Agent

You now provide user credentials to authenticate to Workspace ONE UEM.

  1. Enter testuser in the Username field.
  2. Enter VMware1! in the Password field.
  3. Tap the Next button.

6. Accept the Terms and Conditions


Tap Agree.

7. Set Up the Work Profile

Set Up Android for work


Note: This may take some time, be patient while the setup process completes.

8. Device Encryption

Device Encryption

Tap Encrypt.

Important: Encrypting your devices can take some time depending on the amount of data on your device.

9. Administrator Rights

Administrator Rights

Tap OK to confirm the Privacy Policy.

Note: Enrollment time may vary depending on your network connectivity. Typically, it takes around 1 minute to complete. Be patient while this process completes.

Important: During the enrollment process, you will see several processing screens. Note that you do not need to interact with the device further until you see the Hub app confirming your enrollment.

10. Wait for Device Connectivity (IF NEEDED)

Device Connectivity

If you see a Connectivity Issue notification, the device may be taking several minutes to establish a connection to Google Cloud Messaging. Wait until you see the Connectivity Issue notification change to Connectivity Normal before continuing.

Note: If you do not see any Connectivity Issue notifications, continue to the next step.

11. Confirm Device Enrollment

Confirm Device Enrollment

You have now completed the Hub configuration wizard.  After the enrollment process completes, the Agent  displays the notification Congratulations! You have successfully enrolled your device.

You can now Exit the agent.

12. Badged Apps

Badged Apps

On your Android device, you should now see the new Work applications. Android for Work apps are differentiated by an orange briefcase icon also referred to as Badged Apps.

In the Applications view, your Work apps and Personal apps are shown in a unified launcher.  For example, your device will show both a personal icon for Google Chrome and a separate icon for Work Chrome denoted by the badge. The Workspace ONE Intelligent Hub is badged and exists only within the Work Profile data space.

Important: There is no control over personal apps nor will the Workspace ONE Intelligent Hub have access to personal information. There are a handful of system apps that come with the Work Profile by default such as Work Chrome, Google Play, Google settings, Contacts, and Camera.

13. Work Container

Work Container

On some devices, you may also notice the Work container on your device depending on the OS version.  This Work container can be used for quick access to your Work (Badged) Apps.

Configuring Profiles for Android

In this exercise, configure restrictions to explore how enterprise profile settings apply on a BYOD Android device.

1. Create a New Profile

Create a New Profile

In the Workspace ONE UEM Console:

  1. Click Add.
  2. Click Profile.

2. Select the Android Platform

Android Platform

Select Android.

3. Select the Configuration Type

Android for Work

Select Android for Work to modify the enrolled device's enterprise functionality. Selecting Device would modify the device's unbadged apps and base functionality.

4. Configure the General Settings

General Settings
  1. Select General.
  2. Enter Android Restriction in the Name field.
  3. Click Assigned Groups to display the list of available assignments.
  4. Select All Devices.

5. Open the Restrictions Payload

Restrictions Configure
  1. Select the Restrictions payload.
  2. Click Configure.

6. Configure Screen Capture Restrictions

Configure Screen Capture Restrictions

Deselect the Allow Screen Capture check box.

7. Configure Camera Restrictions

Configure Camera Restrictions
  1. Scroll down to find the Applications section.
  2. Deselect the Allow Camera check box.
  3. Click Save & Publish.

8. Publish the Profile

Publish the Profile

Click Publish.

9. Verify Camera Restrictions

After the restrictions profile pushes to the device, verify the settings applied correctly, and observe the unique way profiles behave on Android BYOD devices.

Notice how the badged camera application disappeared, but the unbadged personal camera remains available.

10. Test Screenshot Restrictions

Verify the Android for Work Screen Shot Restriction
Verify the Android for Work Screen Shot Restriction
  1. Open your non-badged Contacts app, and try to take a screenshot within the app. Notice that the screen shot was successful.
  2. Open the badged Contacts app, and try to take a screenshot within the app. Notice that the screenshot was unsuccessful. In certain device models and OS versions, a message may also appear.

Approving Applications

In this section, walk through approving applications for Workspace ONE UEM and Android Enterprise integration. Integrated applications have the same functionality as their Google Play Store counterparts, plus the additional security features that come with Workspace ONE UEM.

  • To add convenience of use, configure the Send Application Configuration option. Application configurations allow you to pre-configure supported key-value pairs and to push them down to devices along with the application. Examples of supported values may include usernames, passwords, and VPN settings. Support values depends upon the application.
  • To add secure features, use Workspace ONE UEM profiles for Android Enterprise. Profiles allow you to set passcodes, apply restrictions, and use certificates for authentication.

1. Add Public Application

Add Public Application

In the Workspace ONE UEM Console:

  1. Select Add.
  2. Select Public Application.

2. Search for Public Application

  1. Select Android from the Platform drop-down menu.
  2. Select Search App Store for the Source.
  3. Enter VMware Browser in the Name text box.
  4. Click Next.

3. Select the App

Click the VMware Browser app.

4. Approve the App

Click Approve if not approved already.

5. Confirm Approval for VMware Browser (IF NEEDED)

Click Approve.

6. Determine Future Approval Settings

  1. Select Keep approved when app requests new permission.
  2. Click Save.

7. Save and Assign

Click Save & Assign.

8. Add Assignment

Click Add Assignment.

9. Configure Assignment

  1. Click in the Selected Assignment Groups search box. This will pop-up the list of created Assignment Groups. Enter All Devices and select the All Devices group.
  2. Select Auto for the App Delivery Method.
  3. Click Add.

10. Save and Publish

Click Save & Publish.

11. Publish

Click Publish.

Verifying Work Apps

In the previous exercise, we learned how to approve and push an Android application from the Workspace ONE UEM Console. This exercise helps you to verify that Work apps installed correctly on the enrolled Android device.

Note: Screenshots may differ depending on device model and OS.

1. Confirm the Published VMware Browser Application Downloaded

Confirm the Published VMware Browser Application Downloaded

Return to your testing Android device and confirm that the VMware Browser application has downloaded and displays as a Work app.

Using this process, you can rapidly approve new applications and deploy them to your users.

2. Open the Badged Android for Work Play Store App

Open the Badged Android for Work Play Store App

Open your Work Play Store application on your Android device.

3. Accept Google Play Terms of Service (IF NEEDED)

If you are prompted with the Google Play Terms of Service, tap Accept. Otherwise, continue to the next step.

4. Open Play Store Menu

Open Play Store Menu

Tap the Menu button in the upper-left corner.

5. View Play Store Work Apps

View Play Store Work Apps

Tap My Work Apps from the menu.

6. Verify VMware Browser Is Available As A Work App

Verify VMware Browser Is Available As A Work App
  2. Confirm that the VMware Browser application is in your list of Work applications.  You may need to scroll down to find the application.

The VMware Browser app is listed as a Work app because it was approved as a Work app through the Workspace ONE UEM Console while adding and assigning the application to your users.  This streamlines and rapidly improves the process of approving and deploying Work apps to your Android devices.