Achieving DISA STIG Compliance for Samsung Android 10: Workspace ONE Operational Tutorial

Overview

Introduction

VMware provides this Operational Tutorial to assist you with your VMware Workspace ONE® environment. In this tutorial, you will use VMware Workspace ONE® Unified Endpoint Management (UEM) to configure a Samsung mobile device running the Android operating system (OS) version 10 to comply with security controls set forth in the Defense Information Systems Agency (DISA) Security Technical Implementation Guide (STIG). You will also learn how to deploy these hardened devices in a closed network environment, where Internet services such as Google Play Store are not available.

Audience

This Operational Tutorial is intended for IT professionals and Workspace ONE administrators of production environments. Familiarity with fundamental device management concepts, as well as knowledge specific to the Android platform, is helpful.

Understanding Your Security Requirements

Security Best Practices and Federal Government Compliance

Although every organization creates and enforces unique technical security requirements and guidance, many Federal Government agencies, customers, and stakeholders rely on standardized compliance policies and practices. This tutorial focuses on the first example listed; however, a few related security frameworks are summarized here as well:

  • Secure Technical Implementation Guide (STIG) - published by the Defense Information Systems Agency (DISA), these guides serve as the core security standard for system configuration across the Department of Defense (DOD) and its stakeholders.
  • Common Criteria Evaluation and Validation Scheme (CCEVS) - Internationally agreed-upon criteria for developing secure software and hardware solutions, of which the National Information Assurance Partnership (NIAP) is the governing body in the United States.
  • Commercial Solutions for Classified (CSfC) - a series of published configuration and security packages maintained by the National Security Agency (NSA), to create more secure and sustainable classified solutions by leveraging the latest products from the commercial industry.

Security Technical Implementation Guide (STIG)

To meet the needs of customers deploying Samsung mobile devices into highly secure environments, Samsung and DISA have collaborated to produce a STIG specific to this platform. This tutorial will provide step-by-step configuration mapping between the Samsung Android 10 STIG, and implementing those controls using the Workspace ONE UEM console. Note that this STIG guidance for Samsung devices is based on the DISA high-level Mobile Policy STIG, which provides more generic security requirements for any mobile device operating system.

Note: DISA also provides a high-level STIG for the Enterprise Mobility Management (EMM) solution in-use as well (Workspace ONE UEM in this case). Although it is outside the scope of this tutorial, VMware has collaborated with DISA to produce a Workspace ONE STIG document that covers all the necessary controls from a back end (server-side) service perspective that must be implemented when designing and configuring Workspace ONE. That STIG is separate from the Samsung device-specific STIG discussed in this document, and it is assumed that Workspace ONE UEM is operating in an EMM STIG-compliant manner as part of the prerequisites for this tutorial if deemed necessary by an organization’s security policies.

Deployment Options

Introduction

Each organization that deploys STIG-compliant solutions must determine their desired deployment methodology as part of either a new Workspace ONE installation or migration from Device Admin to Android Enterprise for an existing installation. The four major use cases are covered in this section. This document will focus on Use Cases 1 and 3, with collateral covering Use Case 2 and 4 to be published in the future.

Use Case 1: Corporate Owned Business Only Device Management / Work Managed

Also referred to as COBO, this device mode provides complete management by an organization, with no separation of personal data or applications. Although this method does not offer robust privacy options, it is required in many scenarios where high security is the main priority.

Use Case 2: Corporate Owned Personally Enabled Device Management

Also referred to as COPE, this device mode allows the separation of corporate and personal data, while still being managed by the organization for corporate access and apps.

Note: With the release of Android 11, Google has modified COPE mode to be more privacy centric. Organizations still have ownership of the device, however, there are a limited set of policies and controls that can be applied to the personal side of the device to protect end users’ personal data. Before upgrading to Android 11, there are certain considerations and prerequisites you must be aware of, detailed in this Knowledge Base article: Changes to Corporate Owned Personally Enabled (COPE) in Android 11.

Use Case 3: Corporate Owned Business Only Device Management – Closed Networks

A lesser-used, but critical, child use case of the COBO methodology involves environments where communication with external (Internet-facing) resources is not possible. This may be due to security classification or concerns, or environmental limitations. In any case, this negates the ability to connect to Managed Google Play which is traditionally required for managing public apps in Android Enterprise.

Workspace ONE has developed the capability to support these scenarios leveraging the Android Open-Source Project (AOSP). STIG compliance is still possible by leveraging the Knox Service Plug-in (KSP) as an internal app and using Workspace ONE UEM Custom Attribute payloads to implement the required XML. This configuration will be detailed later in the document.

Use Case 4: Bring Your Own Device / Work Profile

This scenario entails partial management of devices owned by the end user, rather than the organization. Android devices allow for a separate, containerized “Work Profile” that provides management capabilities while not granting control or insight into the user’s personal apps and data. Any actions taken by a Workspace ONE administrator in this scenario affect only Work Profile data.

Getting Started with Samsung Android 10 STIG Compliant Deployments

Drivers for Migrating from Device Admin to Android Enterprise for Android 10

There are several reasons that VMware and Samsung are urging our joint customers to move away from legacy Device Admin deployments as quickly as possible. The key motivation for this can be summarized by the following points. See the Additional Resources section for more detailed information about this transition.

  • Google Is Moving Away from Device Admin – Google has made it very clear that they will focus their development efforts going forward on Android Enterprise. As a prime example, Android 10 does not include several key management APIs for devices deployed in Device Admin mode. Google required all app developers to target level 29 of the Android API by November 2020. When VMware Workspace ONE® Intelligent Hub conforms to this requirement, configurability of the previously mentioned APIs will cease:
  • Workspace ONE Device Admin Deprecations Forthcoming To align with Google’s strategy, and to focus on providing the most robust feature set in support of Android Enterprise, Workspace ONE will begin blocking new Android 10 enrollments on Device Admin in November 2020. Furthermore, support for all Device Admin deployments will fully end in March 2022.
  • Impacts to Functionality and Security Android 10 Device Admin deployments will face several changes in behavior, including apps no longer having the ability to bring themselves to the foreground which would negatively impact some user enrollment workflows. Furthermore, these devices would no longer be able to sample IMEI or serial numbers.
  • Samsung Android 10 Delivered on New Hardware Most Samsung devices, since the Galaxy S9, have begun to ship with Android 10 installed on day 1. Also, hardware-level support (Knox Container) for Device Admin has been removed for all new devices starting with the release of the Note 10.

Prerequisites

Before you can perform STIG compliant configuration of your Samsung Android devices, your environment should meet the following requirements:

  • Workspace ONE UEM environment configured for Android Enterprise device enrollment
  • Samsung device running Android 10 or later
  • Workspace ONE Intelligent Hub – latest version
  • Samsung Knox Service Plug-in – latest version
  • Administrator accounts for both Workspace ONE and Google
  • Network Requirements – in addition to standard Workspace ONE network and protocol requirements, Samsung license servers must be able to communicate with your environment, as described in the following documents:

Note: Use Case 3, which covers configuration in closed network environments, does not require any communications to external, public-facing services, including Google Play. In these scenarios, Samsung offers an on-premises Knox License Server.

Workspace ONE STIG Compliant Architecture

Introduction

Although the intent of this document is not to cover general Workspace ONE architecture (see the Summary and Additional Resources section), it is important to understand the core components at the foundation of most deployments.

Example Architecture 1 – On-Premises with Access to Managed Google Play

The following diagram is a high-level depiction of the required components in a base installation of Workspace ONE. In this example, the Workspace ONE application servers can communicate over the Internet with the Managed Google Play Store. This allows the Workspace ONE UEM Console to retrieve the latest OEMConfig policies from Google Play, made available by the Knox Service Plugin. Devices can also communicate with Samsung Knox License Servers.

Workspace ONE compliant architecture for DISA STIG showing required components for a base Workspace ONE installation.

Example Architecture 2 – On-premises Closed Network (No Managed Google Play)

This example architecture illustrates a deployment where no external connectivity is required, and all communications are contained within an organization’s managed network environment. Samsung offers an on-premises version of their Knox License server that must be used, and no Google Play integration is available.

Workspace ONE architecture for on-premises closed network to achieve DISA STIG compliance.

 

Workspace ONE STIG Configurations

Introduction

The successful configuration of STIG-compliant Android 10 Enterprise Samsung devices within Workspace ONE is accomplished using a combination of three key components:

  1. Enterprise Mobility Management (EMM) functionality configured by using the native interface controls available within the Workspace ONE UEM console.
  2. The Knox Service Plug-in (KSP) application managed as either a public (Google Play) or internal (closed network) app within UEM.
  3. Knox Platform for Enterprise – as an additional layer of security controls implemented for Samsung devices on top of the core Android Enterprise framework.

Knox Service Plug-in STIG Requirement

The KSP application is provided by Samsung to provide vendor-specific configurations on top of any existing controls provided by the Android Enterprise APIs. KSP uses the OEMConfig standard and allows Workspace ONE administrators to meet additional security requirements (including several in the DISA STIG) not fulfilled by Android Enterprise alone for Samsung devices being managed.

The following diagram from Samsung illustrates the high-level flow of KSP-based configurations pushed to managed devices. Note that the generic “UEM Server” is indicative of Workspace ONE application servers in this case.

High-level flow of KSP-based configurations pushed to managed Samsung Android 10 devices for DISA STIG compliance.

STIG Configuration Scenario 1 – Samsung Device | Android 10 | COBO

This section of the tutorial will provide detailed Workspace ONE UEM configuration guidance that must be followed to ensure your Samsung Android Enterprise devices are in compliance with the latest DISA STIG.

Obtain KSP and Configure as a Managed Public App

To comply with DISA STIGs, you must obtain the Samsung KSP application and configure it using Workspace ONE. The high-level steps required to acquire the application are as follows:

  1. Download Samsung’s OEMConfig application, the Knox Service Plug-in, from the Google Play Store.
  2. Approve the application for management within Workspace ONE UEM.

Detailed steps for preparing KSP in the Workspace ONE UEM Console can be found in Configure OEM Settings for Android Devices.

Configure STIG Compliance Within Workspace ONE UEM

Using Workspace ONE UEM, follow the configuration as listed in Table 1: Android Enterprise STIG Configuration (Workspace ONE UEM Profiles). The Workspace ONE UEM Configuration column provides the exact steps for the Workspace ONE administrator to follow within the console to arrive at the necessary control. The STIG Reference column indicates which value the corresponding control should be set to. Note that many of the configurations simply require the selection / deselection of payload configurations found within a Workspace ONE Android Profile. As mentioned earlier, a combination of Android Enterprise and KSP configuration will be required to achieve compliance – thus, each has been separated into its own table.

Table 1: Android Enterprise STIG Configuration (Workspace ONE UEM Profiles)

Policy Group

Policy Name

Minimum Setting

STIG Reference

Category (Severity)

Workspace ONE UEM Configuration

Password Requirements

Minimum
password length

6 characters

KNOX-10-000100

II

Passcode Profile > Enable Device Passcode Policy (checkbox) > Minimum Passcode Length (drop down selection)

Password Requirements

Minimum password quality

Numeric
(Complex)

KNOX-10-000200, KNOX-10-000300

II

Passcode Profile > Enable Device Passcode Policy (checkbox) > Passcode Content (drop down selection)

Password Requirements

Max time to screen lock

15 minutes

KNOX-10-000400

II

Passcode Profile > Enable Device Passcode Policy (checkbox) > Work Profile Lock Timeout Range (select value in Minutes)

Password Requirements

Max password failures for local wipe

10

KNOX-10-000500

II

Passcode Profile > Enable Device Passcode Policy (checkbox) > Maximum Number of Failed Attempts (drop down selection)

Restrictions

Installs from unknown sources

Disallow

KNOX-10-000800

II

Restrictions Profile > Allow Non-Market App Installation (uncheck)

Restrictions

Trust Agents

Disable

KNOX-10-002100

II

Restrictions Profile > Allow Keyguard Trust Agent State (uncheck)

Restrictions

Keyguard Unredacted Notifications

Disable

KNOX-10-001500

II

Restrictions Profile > Allow Keyguard Unredacted Notifications

Restrictions

Face

Disable

KNOX-10-002200

II

Fully Managed Device:
Passcode Profile > Enable Device Passcode Policy (checkbox) > Allow Face Scanning

Work Profile: Passcode Profile > Enable Work Passcode Policy (checkbox) > Allow Face Scanning

Restrictions

Debugging features

Disallow

KNOX-10-002700

II

Restrictions Profile > Allow USB Debugging (uncheck)

Restrictions

USB file transfer

Disallow

KNOX-10-003400, KNOX-10-003600

II

Restrictions Profile > Allow USB File Transfer

Restrictions

Backup Service

Disable

KNOX-10-003800

II

Restrictions Profile > Allow Backup Service

Restrictions

Auto Fill

Disable

KNOX-10-010600

II

Custom XML:

<characteristic uuid="bb5642fe-ad4b-456e-b2b6-0937556ba444" type="com.airwatch.android.androidwork.restrictions">

<parm name="allowAutofill" value="True" />

</characteristic>

Restrictions

Cross Profile Copy Paste

Disable

KNOX-10-004700

II

Restrictions Profile > Allow Pasting clipboard between work and personal apps

Application Control

Core app allow list
 

Enable

KNOX-10-009200

II

Application Control Profile > Enable System apps
Resources > App Groups > Add Group (Type=Whitelist, Platform=Android, Name=Enter a name for App Group as appropriate)

Then: Add Application > enter the app name, enter Application ID)

Application Control

System app
deny list

Disable

KNOX-10-009200

II

Application Control Profile > Disable Access to Deny listed apps

Date/Time

Configure Date Time

Disallow

KNOX-10-011000

II

Custom XML Profile:

<characteristic uuid="bb5642fe-ad4b-456e-b2b6-0937556ba444" type="com.airwatch.android.androidwork.datetime" target="2">

<parm name="AutomaticTime" value="True/False" />

<parm name="DateTime" value="SNTP/HTTP/Auto" />

<parm name="URL" value="timeurl.com" />

<parm name="SetTimeZone" value="True/False" />

<parm name="Region" value="Americas" />

<parm name="TimeZone" value="America/Adak" />

<parm name="AllowDateTimeChange" value = "True/False"/>

<parm name="EnablePeriodicSync" value="True/False" />

<parm name="SyncIntervalDays" value="7" />

</characteristic>

Date/Time

Set auto (network) time required

Require

KNOX-10-011000

II

 

Date/Time

Allow User to Change Date Time

Disable

KNOX-10-011000

II

 

Logging

Network Logging

N/A

KNOX-10-009500

II

Device Details > Request Device Log > Network > Configure Network Logging Request

Log files available in Device Details > More > Attachments > Documents

Logging

Security Logging

N/A

KNOX-10-009500

II

Coming Soon

Enrollment Configuration

Device Management mode

#1: Fully managed [AE DO]

#2: Corporate owned with work profile [AE COPE]

 

KNOX-10-009600

II

Settings > Devices & Users > Android > Android EMM Registration > Enrollment Settings

Validate that enrollment is configured and limited to only approved organizational enrollment use cases

 
Table 2: Knox Service Plugin Configuration (KSP App Config)

Policy Group

Policy Name

Minimum Setting

STIG Reference

Category (Severity)

Knox Service Plugin Configuration (Workspace ONE UEM)

Application Control

App Signature Allow List

N/A

KNOX-10-001000

II

Device Wide Policies > Application Management Policies > Application Allowlist by Signature used

Application Control

App Signature Block List

N/A

KNOX-10-001000

II

Device Wide Policies > Application Management Policies > Application Blocklist by Signature used

Restrictions

Allow Bluetooth

 

KNOX-10-001300

III

Device Wide Policies > Device Restrictions > Allow Bluetooth

Restrictions

Allowed Bluetooth Profiles

 

KNOX-10-001300

III

Device Wide Policies > Device Controls > Bluetooth Policy > Enable Bluetooth Profiles

Restrictions

Enable Bluetooth Policy Controls

Enable

KNOX-10-001300

III

Device Wide Policies > Device Controls > Bluetooth Policy > Enable Bluetooth Policy Controls

Restrictions

RCP Data Sync Policy

NOTIFICATIONS, SANITIZE_DATA, CALENDAR, EXPORT, FALSE

KNOX-10-001500

II

RCP Data Sync Profile Configurations

Work Profile Policies > RCP Policy

Restrictions

Allow SD Card Access

Disable

KNOX-10-001900

I

Device Wide Policies > Device Restrictions > Allow SD Card Access

Restrictions

Enforce External Storage Encryption

Enable

KNOX-10-001900

I

Device Wide Policies > Device Restrictions > Enforce External Storage Encryption

Password Policy

Enable Face Recognition

 

KNOX-10-002200

II

Device Wide Policies > Password Policy > Biometric Authentication > Enable Face Recognition

Restrictions

Enable banner on device reboot

Enable

KNOX-10-003300

III

Device Wide Policies > Device Controls > Boot Banner > Enable banner on device reboot

Restrictions

Allow USB Media Player

Disable

KNOX-10-003400

KNOX-10-003600

II

Device Wide Policies > Device Restrictions > Allow USB Media Player

Restrictions

Allow backup on Google server

Disable

KNOX-10-003800

II

Device Wide Policies > Device Restrictions > Allow backup on Google server

Restrictions

Allow Open Wi-Fi Connection

Disable

KNOX-10-004200

II

Device Wide Policies > Device Controls > Wi-Fi Policy > Allow open Wi-Fi connection

Restrictions

Account addition blocklist

 

KNOX-10-009000

II

Device Account Policy Configurations

Device Wide Policies > Device Account Policy

Application Control

Disable Applications

 

KNOX-10-009300

II

Device Wide Policies > Application management policies > Disable Application without user interaction

Device Monitoring

Enable Audit Log

Enable

KNOX-10-009500

II

Coming Soon

Security

Set Common Criteria Mode

Enable

KNOX-10-010800

III

Device Wide Policies > Advanced Restriction Policies > Enable Common Criteria Mode

Restrictions

Allow USB Host Storage

 

KNOX-10-011200

II

Device Wide Policies > Device Restrictions > Allow USB Host Storage

Restrictions

Set USB Exception List

 

KNOX-10-011200

II

Device Wide Policies > Device Restrictions > Setup USB exception list

Restrictions

Allow Share Via Option

Disable

KNOX-10-011400

II

Device Wide Policies > Device Restrictions > Allow Share Via Option

Certificate Management

Enable Revocation Check

Enable for All Apps

KNOX-10-012000

II

Device Wide Policies > Certificate management policies > Certificate Revocation > Enable revocation check

Certificate Management

Enable OCSP Check

Enable

KNOX-10-012000

II

Device Wide Policies > Certificate management policies > Certificate Revocation > Enable OCSP check before CRL

Certificate Management

Block User from Removing Certificates

Enable

KNOX-10-012400

II

Device Wide Policies > Certificate management policies > Block User from removing certificate

Security

Allow Moving Files from Work Profile to Personal Space

Disable

KNOX-10-004600

KNOX-11-008900

II

Work Profile Policies > RCP Policy > Allow moving files from work profile to personal space

Password Policy

Set Maximum Numeric Sequence Length

2

KNOX-10-000200

II

Device Wide Policies > Password Policy > Password Restriction > Maximum Numeric Sequence Length

Restrictions

Allow Android Beam

Disable

KNOX-10-011600

II

Device Wide Policies > Device Restrictions > Allow Android Beam on Device

Note: Table 2 is configured using app config values on the Workspace ONE UEM interface during assignment. The following screenshot shows what this looks like in the Workspace ONE UEM console:

Assign STIG Configuration to a Work Managed Device

Now that both Android Enterprise profiles and the KSP app have been configured, you must assign them to your Android 10 devices using Smart Groups. For KSP, this is done in the same screen as shown in Configure STIG Compliance Within Workspace ONE UEM. For profiles, ensure that the STIG profiles are assigned as you would any other profile payloads, as shown in the following screenshot.

STIG Configuration Scenario 2 – Samsung Device | Android 10 | COBO Closed Network

This section of the tutorial will provide configuration guidance that must be followed to ensure your Samsung Android Enterprise devices are compliant with the latest DISA STIG when you are operating in a closed network environment, with no ability to connect to Google Play services. Note that in some cases, you may also need to configure and host a proxy file to avoid certain behavior on devices that ship with Google services (detailed in Configure and Host a PAC File).

Configure UEM for Closed Network Android Enrollments

First, you must consider whether the entire device fleet will operate within a closed environment, or whether some devices are closed network while others may have access to Google Play:

  • Scenario 1: All devices operating in closed network - Navigate to Groups & Settings > All Settings > Devices & Users > Android > Android EMM Registration at the customer-type Organization Group. Enable "Deploy without Google registration if you are operating on a closed network or are unable to communicate with Google Play" setting.
  • Scenario 2: Some devices operating in closed network - Configure Workspace ONE to enroll Work Managed devices without a Google account in a specific Organization Group. The following instructions assume that you already setup Android Enterprise by registering with Google.
  1. Navigate to the organization group under which devices for closed network will be configured.
  1. Navigate to Groups & Settings > All Settings > Devices & Users > Android > Android EMM Registration.
  1. Under the Enrollment Settings tab, set the Work Managed Enrollment Type to AOSP/ Closed Network.

Add KSP to Workspace ONE UEM as an Internal App (Not Managed Google Play)

In closed network scenarios, the KSP app must be manually uploaded into the Workspace ONE UEM console. This mean that you must have access to the actual APK file from either Samsung or another trusted source. You then upload the file into the console by navigating to Apps & Books > Internal > Add > Application File and selecting the locally available APK file.

Configure STIG Compliance Within Workspace ONE UEM Android Enterprise Profiles

Profiles natively available in the Workspace ONE console should still be configured per Table 1 in accordance with the DISA STIG. No changes are required for closed networks as the application servers should still be able to communicate directly with the endpoint devices.

Configure KSP as an Internal App Manually Using Custom Attributes

In this scenario, KSP must be configured using a custom XML payload within the Custom Attributes Android profile. This is due to Workspace ONE UEM natively supporting JSON, rather than XML which is required by the KSP application.

There is an excellent blog available that walks through the process of extracting the required XML file from KSP and creating a custom settings profile with the results: Deploying the Knox Service Plugin (KSP) as an Internally-Managed Application. The steps you will be required to perform are summarized:

  1. Using a few open-source tools, extract the app_restrictions.XML file from within the APK file onto a local workstation.
  2. Use the XML file to create a “new” XML file consisting of the parameters and corresponding key-value pairs (KVP) required for STIG configuration, setting the KVP to the appropriate value for each. In some cases, it might be challenging to determine the actual setting represented by these parameters based solely on their names. There are a series separate files embedded in the KSP APK that can assist with this, located in the Values folder that provide descriptions of each of the parameters based on type (i.e., String).
  3. Create Custom Settings profiles within Workspace ONE UEM for each of the requisite parameters above by pasting XML into the Custom Settings payload within the console.

Note: Native support for XML to meet requirements such as these will be included in a future release of Workspace ONE.

Push the STIG Configuration to a Work Managed Device

Finally, ensure that you are assigning the profiles you created to the intended endpoints using Workspace ONE Smart Groups.

Configure and Host a PAC File (Required only for certain GMS devices)

Devices that ship with Google services pre-installed (also known as GMS devices) test their connectivity to certain Google endpoints when connecting to Wi-Fi networks. If these connectivity checks fail, out-of-box enrollment and provisioning of Internal Applications uploaded to the [Apps & Books > Applications] pages fail.

If the network being used to enroll the device is also closed and has no access to Google endpoints, it is possible to skip the connectivity checks by using a Proxy Auto-Configuration (PAC) file that instructs the device to make connections directly, without the use of proxies.

The contents of the PAC file:

function FindProxyForURL(url, host) {

return "DIRECT";

}

Note that an actual proxy server is not required. A PAC file with the contents above should be hosted on an http/https endpoint within the closed network. When this file is available, proceed with enrolling devices into the closed network via the QR code method with the following additional steps and caveats:

  1. Ensure that the Wi-Fi details are omitted from the QR code.
  1. Select Add Network to manually configure a network after scanning the QR code.
  1. Enter the SSID and password of the closed network.
  1. Under Advanced options, set Proxy as Proxy Auto-Config and enter the http/https URL of the PAC file location.
  1. Connect to Wi-Fi.
  1. The device should connect to the Wi-Fi network and skip any connectivity checks to Google.

Summary and Additional Resources

This Operational Tutorial was written to assist Workspace ONE administrators with configuring security compliance on Android 10 devices per the Samsung DISA STIG. This included corporate-owned device deployments for both open and closed network scenarios.

Additional Resources

The following resources may help provide further insight into Android Enterprise deployments, STIG compliance, and Samsung technologies relevant to this tutorial:

For more information about Android Enterprise, explore the Android Enterprise Activity Path. The activity path provides step-by-step guidance to help you level-up in your Android Enterprise knowledge. You will find everything from beginner to advanced curated assets in the form of articles, videos, and labs.

Additionally, you can check out the VMware Workspace ONE and VMware Horizon Reference Architecture which provides a framework and guidance for architecting an integrated digital workspace using VMware Workspace ONE and VMware Horizon.

Changelog

The following updates were made to this guide.

Date

Description of Changes

2021‑04‑19

  • Initial publication

About the Author and Contributors

This tutorial was written by:

  • Jake Reibert, Senior Systems Engineer, End-User-Computing Federal, VMware
  • Eric Stillman, Senior Product Manager, Android & Chrome OS, Enterprise Mobility Management, VMware
  • Karim Chelouati, Senior Technical Marketing Manager, End-User-Computing Technical Marketing, VMware

With significant contributions from:

  • Nishant Gandhi, Senior Consultant, End-User Computing, VMware.

To comment on this paper, contact VMware End-User-Computing Technical Marketing at euc_tech_content_feedback@vmware.com.

 

 

 

Filter Tags

Workspace ONE Workspace ONE UEM Document Operational Tutorial Advanced Android Manage